CMS Expert Guide: Data Law Navigator

Data protection

1. Local data protection laws and scope

The main data protection legislation is the Federal Law on the Protection of Personal Data held by Private Parties (the “Data Protection Law”) and its supplementary regulation (the “Data Protection Regulations”), together the “Data Protection Legislation”. The Data Protection Law came into force in July 2010 and the Data Protection Regulations came into force in December 2011. Other relevant legislation containing data protection provisions includes:

  • Articles 6 to 16 of the Mexican Constitution;
  • The Privacy Notice Guidelines, which govern the content of data privacy notices and obtaining consent for processing personal data;
  • The General Law for the Protection of Personal Data in Possession of Obligated Subjects governs personal data held by public bodies; and
  • The Federal Consumer Protection Law governs certain aspects concerning marketing activities.    

Additionally, Mexico is a signatory of international agreements on Data Protection, like the Convention for the Protection of the People Regarding the Automated Treatment of Personal Information. Mexico is also a member of the Inter American Network of Data Protection.

  • Act CXII/2011 on the Right of Informational Self-Determination and the Freedom of Information (Info Act) – general rules on personal data processing (including processing for law enforcement, national security and national defence purposes, implementing the EU Law Enforcement Directive) and freedom of information - Act CXII of 2011 (njt.hu)
  • The Info Act – which was the general privacy act before the GDPR – supplements the GDPR with certain minor, mainly procedural rules and contains freedom of information provisions not regulated by the GDPR.

The main sectoral rules regulating specific areas of data protection law are the following:  

  • Act LXVI/1992 on Personal Data and Address Records of Citizens
  • Act CXIX/1995 on the Use of Name and Address Information Serving the Purposes of Research and Direct Marketing (Hungarian Direct Marketing Act) 
  • Act XLVII/1997 on Processing and Protection of Medical and Other Related Personal Data (Medical Data Act)
  • Act CXX/2001 on Capital Markets
  • Act C/2003 on Electronic Communications (E-Communications Act) – implementing the EU E-Privacy Directive
  • Act CXXXIII/2005 on Security Services and the Activities of Private Investigators (Security Services Act)
  • Act XLVIII/2008 on Advertising (Advertising Act) 
  • Act XXI/2008 on the Protection of Human Genetic Data (Human Genetic Info Act)
  • Act I/2012 on the Labour Code
  • Act CCXXXVII/2013 on Credit Institutions and Financial Enterprises
  • Act LIII/2017 on Avoiding and Battling Money Laundering and Terrorist Financing (Money Laundering Act)
  • Act CLXV/2013 on Complaints and Notifications of Public Interest (Complaints Act)
  • Act LXXXVIII/2014 on Insurance Institutions and the Insurance Business
  • NMHH Decree 4/2012. (I. 24.) on the Rules concerning Data Protection and Confidentiality in relation to Public Electronic Communications Services, Special Conditions for Data Processing and Confidentiality, Security and Integrity of Networks and Services, Processing of Traffic and Billing Data, Identification and Call Forwarding Rules – implementing the EU E-Privacy Directive. 

2. Data protection authority

The Federal Institute for Access to Information and Data Protection (Instituto Nacional de Acceso a la Información y Protección de Datos Personales or "INAI") is responsible for overseeing the Data Protection Legislation. Its aim is to encourage access to all public information about governmental activities and budgets, as well as seeking the protection of personal data and the right to privacy.

The INAI, if requested by a data subject, may carry out an investigation to ensure compliance with the Data Protection Legislation by a specific undertaking and sanction those found to be in breach of the Data Protection Legislation.

National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság; NAIH): https://www.naih.hu/

3. Anticipated changes to local laws

There are no anticipated changes. Notwithstanding, the President of Mexico suggested in January that the INAI would be replaced by a State-controlled body. No additional details or timelines have been provided.

A number of laws (including the Advertising Act) are expected to be further amended with regard to the GDPR at a later stage.

As regards sector-specific main derogations, please see our summary below.

Derogations concerning employment law:

  1. Data protection notices to employees. Employers should inform their employees of any restriction of their personal rights. Notification may also be made in the workplace using a customary and generally known method (e.g. in writing, or publication on the intranet and by email).
  2. No copies. The Labour Code clarifies that employers should take notes of information that has been requested from employees and avoid copying actual documents as far as possible.
  3. Biometric identification. Employers may use biometric identification to prevent unauthorised access to information, if such access seriously or irreversibly jeopardises the life, health or significant interests of individuals (e.g. information regarding classified data, explosives, hazardous substances, assets with a value exceeding HUF 50m or EUR 138,890).
  4. Background checks. An employer is permitted to establish exclusion or restriction criteria for a particular position and can process an applicant’s criminal data to verify his/her background. Such criteria are legitimate only if the position poses a potential threat to the employer's financial interests, gives access to secrets (e.g. trade secrets) or concerns significant interests protected by law and defined by the Labour Code (e.g. safe storage of firearms, ammunition, explosives, poisonous, hazardous or biological substances and nuclear materials).

Derogations concerning CCTV and entry systems:

Companies using entry systems, security cameras or security-related sensors must document in their data protection notices the legitimate interest for using these systems and include detailed specifications of the purpose of the processing (e.g. protection of classified information, storage of dangerous substances). If access has been made to data or recordings stored by such system, the company must take minutes on the specific circumstances of each case.

Derogations concerning the operation of condominiums:

CCTV monitoring in the territory of condominiums. Condominium operators must inform people entering and staying in a building of any CCTV use and include the data protection notice and contact details of the operator. When providing copies of the recordings, operators must identify the recorded image, the name of the person authorising the copies, and the reason and time for viewing the data.

Derogations concerning the health sector:

  1. If additional copies of health data (i.e. after the first copy of the same data request) are required, a fee can be levied by the health organisation reflecting the costs of processing. The first copy is however free of charge.
  2. Genetic data. Companies may transfer only anonymised, encoded or pseudonymous genetic samples or data to a third country for human genetic testing. They should also use the appropriate safeguards required by the GDPR (e.g. BCRs, EC Model Clauses, etc). It is not permitted to transfer the coding key. The same applies for importing genetic samples or data. The local health administration should be notified of the transfer of genetic samples and data to a third country and the transfer should be made in a manner where personal identification is impossible.
  3. Deceased persons’ data. A number of laws in Hungary expand data protection to deceased persons’ data in certain aspects, which generally would not be covered by the GDPR. This affects health documentation and insurance-related data of deceased persons. In addition, under Hungarian law, the person designated by the deceased person or his/her close relatives may also exercise data protection rights after five years of the death of such person.

Derogations concerning the financial sector:

The service providers subject to AML requirements may copy personal documents specified by law for the following purposes: preventing and combatting money laundering and terrorist financing, fulfilment of obligations under the Money Laundering Act, fulfilment of customer identification obligations and effective supervision of client-monitoring activities. Copies cannot include personal identification numbers.

Derogations concerning trading activities:

When a customer makes a complaint or suggestion in a merchant's customer comment book (vásárlók könyve), the merchant must remove the page containing the complaint or suggestion, keep it in a secure place and hand it over to the authority if requested.

4. Sanctions & non-compliance

The INAI has the authority to impose the following administrative fines:

  • 100 to 160,000 units of measure (1 unit of measure = MXN 86.88, Mexican Pesos) for:
    • Acting negligently or fraudulently in processing and responding to requests for personal data access, rectification, cancellation or objection;
    • Fraudulently declaring the inexistence of personal data where such exists in whole or in part in the databases of the Data Controller;
    • Processing personal data in violation of the principles established in the Data Protection Law;
    • Omitting from the Privacy Notice any or all of the information it requires;
    • Maintaining inaccurate personal data when such action is attributable to the Data Controller, or failing to perform legally due rectifications or cancellations where the data subject’s rights are affected; and
    • Failure to comply with the notice warnings issued by the INAI.
  • 200 to 320,000 units of measure (1 unit of measure = MXN 86.88, Mexican Pesos) for:
    • Breaching the duty of confidentiality set out in the Data Protection Law;
    • Materially changing the original data processing purpose in contravention of the Data Protection Law;
    • Transferring data to third parties without providing them with the Privacy Notice containing the limitations to which the data subject has conditioned data disclosure;
    • Compromising the security of databases, sites, programmes or equipment;
    • Carrying out the transfer or assignment of personal data outside of the cases where it is permitted under the Data Protection Law;
    • Collecting or transferring personal data without the express consent of the data subject where required;
    • Obstructing verification actions of the INAI;
    • Collecting data in a deceptive and fraudulent manner;
    • Continuing with the illegitimate use of personal data when the INAI or the data subjects have requested such use be ended;
    • Processing personal data in a way that affects or impedes the exercise of the rights of access, rectification, cancellation and objection; and
    • Creating special data databases in violation of the Data Protection Law.

In the event that the infractions mentioned in the preceding paragraphs persist, an additional fine of 100 to 320,000 units of measure (1 unit of measure = MXN 86.88, Mexican Pesos) can be imposed.

Sanctions may be doubled for any of the above infractions committed in the treatment of sensitive data.

Administrative sanctions:

The administrative sanctions are set forth in the GDPR.

Criminal sanctions:

The Hungarian Criminal Code regulates and sanctions the misuse of personal data, which is punishable with one year of imprisonment, or two years if special categories of data were involved.

Others: 

Based on the GDPR and in compliance with the Hungarian Civil Code, the data subject may claim compensation for damages suffered as a result of processing that infringed the GDPR.

5. Registration / notification / authorisation

The Data Protection Legislation does not require prior notification or registration for any data processing activities.

Data controllers have no longer been required to register their data processing activities with NAIH since 25 May 2018, given that each data controller and data processor must record its data processing activities internally in line with Article 30 of the GDPR. In addition, the notification and registration obligations prescribed by the GDPR (e.g. concerning data protection officers or data breaches) apply in Hungary as of 25 May 2018.

6. Main obligations and processing requirements

The Data Protection Law recognises two parties who deal with personal data:

  1. Data Processors: the individual or legal entity that processes personal data on behalf of the Data Controller.
  2. Data Controller: the individual or legal entity that decides on the processing of personal data.

Their relationship must be established through contractual clauses or other legal instruments in a way that proves the existence, scope and nature of such relationship.

According to the Data Protection Legislation, the principles that must be observed by controllers and/or processors in the processing of personal data are the following:

  1. Legitimacy: Personal data must be collected and processed in a lawful manner;
  2. Consent: The data subject must give its consent for the processing of its personal data;
  3. Information: Through a Privacy Notice, the Data Controller must inform the data subject about the existence and the characteristics of their personal data processing;
  4. Quality: This principle is satisfied when the personal data is provided directly by the data subject; otherwise, the Data Controller must take the measures needed to meet the quality principle and adopt the mechanisms considered necessary to ensure that the data is accurate, complete, up to date and correct;
  5. Purpose: Personal data can only be processed for the purposes established in the Privacy Notice;
  6. Loyalty: Personal data must be processed safeguarding the protection of the data subjects’ interests and the reasonable expectation of privacy; and
  7. Responsibility: Data Controllers are responsible for the processing of personal data in their custody, as well as for data transferred to a Data Processor.

Additionally, the following legal requirements should be taken into account when processing personal data:

  1. Personal data must be collected and processed in a lawful manner in accordance with the provisions established by the Data Protection Legislation and other applicable regulations;
  2. Personal data must not be obtained through deceptive or fraudulent means;
  3. In all processing of personal data, it is presumed that there is a reasonable expectation of privacy, understood as the trust any one person places in another for personal data provided to be treated pursuant to any agreement of the parties in the terms established by the Law;
  4. Personal data should not be kept for any longer than is necessary in order to comply with the purposes for which the personal data was originally held. Data Controllers must establish and document retention procedures, including deletion and/or blocking of personal data, taking the nature of the data into account.   

There are no derogations from the GDPR. 

As regards data processing for crime-fighting, national security and national defence purposes, the provisions of the Info Act apply. These are similar in many aspects to the GDPR requirements (e.g. data subject rights, data breach management, data protection impact assessment, etc.).

7. Data subject rights

All data subjects are entitled to exercise rights of access, rectification, cancellation and objection regarding their personal data (collectively known as ARCO rights). These rights are not mutually exclusive.

Right of Access

The data subject is entitled to access its personal data held by the Data Controller, as well as information regarding the conditions and generalities of the processing.

Right of Rectification

Data subjects may request, at any time, that Data Controllers rectify personal data if it is inaccurate or incomplete.

Right of Cancellation

Data subjects have the right to cancel (i.e. seek erasure of) their personal data. There are certain situations where Data Controllers have the right to object to such erasure (e.g. if retention is required by applicable law or public interest).

Right of Objection

Data Subjects may, at any time, oppose the processing of their personal data for legitimate purposes.

There are no derogations from the GDPR.

The Info Act provides that individuals can seek an effective judicial remedy before the courts when their data protection rights are infringed, without prejudice to any available administrative or non-judicial remedy (e.g. a complaint to NAIH). In Hungary, the competent court is the tribunal (törvényszék) of the domicile or habitual residence of the claimant. In addition to the payment of the individual’s direct and indirect damages, the court can also impose a general compensation fee for the infringement of the individual’s right to data protection as a personality right (sérelemdíj). The court can also publish its judgment identifying the data controller or the data processor if the infringement affects a large number of individuals, the infringer carries out public tasks, or the gravity of the infringement requires publication. The Info Act authorises NAIH to join any litigation in support of the individual’s claim.

8. Processing by third parties

According to the Data Protection Law, if a Data Controller intends to transfer personal data to third parties, it must provide them with the Privacy Notice and the purposes to which the data subject has limited the data processing. The data subject must consent to such transfer via the Privacy Notice.

Subcontracting

Data Processors must obtain permission from Data Controllers if subcontracting may involve the subcontractor processing personal data. Once consent is obtained, the Data Processor must enter into a contract with the subcontractor.

The subcontractor will assume the same obligations required for Data Processors under the Data Protection Legislation and other applicable law.

The Data Processor’s right to subcontract processing activities should be outlined in the contract between the Data Controller and Data Processor. If this right is not covered in that contract, the Data Processor must seek specific consent from the Data Controller in order to subcontract processing activities.

There are no derogations from the GDPR.

9. Transfers out of country

International transfers of personal data must be consented to by the data subject and the purposes of such transfers must be included in the Privacy Notice. Such consent is not required where the transfer is:

  1. pursuant to a Law or Treaty to which Mexico is party;
  2. necessary for medical diagnosis or prevention, healthcare delivery, medical treatment or health services management;
  3. made to holding companies, subsidiaries or affiliates under common control of the Data Controller, or to a parent company or any company of the same group as the Data Controller, operating under the same internal processes and policies;
  4. necessary by virtue of a contract executed or to be executed in the interest of the data subject between the Data Controller and a third party;
  5. necessary or legally required to safeguard public interest or for the administration of justice;
  6. necessary for the recognition, exercise or defence of a right in a judicial proceeding; or
  7. necessary to maintain or fulfil a legal relationship between the Data Controller and the data subject.

There are no derogations from the GDPR.

10. Data Protection Officer

Data Controllers must appoint a Data Protection Officer (or equivalent role) to deal with data subjects’ requests and promote data protection compliance within the Data Controller’s organisation.

There are no derogations from the GDPR. Data controllers and data processors shall publish the contact details of their data protection officers and communicate them to NAIH through the Data Protection Officer Reporting System.

11. Security

Data Controllers and Data Processors are required to establish and maintain administrative, physical and, if applicable, technical security measures for the protection of personal data.

In developing security measures, the data controller should take at least the following into account:

  1. the inherent risk given the type of personal data;
  2. the sensitivity of the personal data;
  3. technological developments;
  4. the potential consequences of a breach for data subjects;
  5. the number of data subjects;
  6. prior vulnerabilities in the processing systems;
  7. value of the data for an unauthorised third party; and
  8. other factors that may impact the level of risk or that result from other applicable laws and regulations.

The Data Protection Regulation also sets out actions that Data Controllers can take in order to comply with the security requirements:

  1. prepare an inventory of personal data;
  2. determine the functions and obligations of the person(s) who will process personal data;
  3. conduct a risk analysis of personal data consisting of identifying dangers and estimating the risks;
  4. establish the necessary security measures;
  5. identify gaps between existing security measures and those required for each type of data and each processing system;
  6. prepare a work plan based on the gap analysis in (5) above;
  7. carry out revisions and/or audits;
  8. train personnel who process personal data; and
  9. keep a record of the methods of processing personal data.

There are no derogations from the GDPR.

12. Breach notification

There are no requirements for Data Controllers to notify the INAI in the event of a data breach (other than Data Controllers which are government entities). However, Data Controllers must notify data subjects if their personal data is subject to a breach with at least the following information:

  1. nature of the breach;
  2. the personal data compromised;
  3. recommendations of actions that may be taken by the data subject to protect its interests;
  4. immediate measures being taken by the data controller; and
  5. any means by which the individual can find further information regarding the matter.

The provisions of the GDPR apply. Data controllers shall notify personal data breaches to NAIH through the Personal Data Breach Reporting System. The reporting form is also available on NAIH’s website in paper form, if a company wants to report the breach on paper.

Bearing in mind that the language of administrative procedures in Hungary is Hungarian, organisations shall report data breaches to NAIH in the Hungarian language.

13. Direct marketing

Personal data can be processed for advertising and marketing purposes in accordance with the Data Protection Legislation, provided that these purposes are made clear in the Privacy Notice and in any other medium required for communicating the processing purposes.

Before 25 May 2018, Hungary clearly operated an “opt-in” regime for direct marketing communications. Currently, the rules of the GDPR apply, meaning that in certain cases, the data controller may send direct marketing messages on an “opt-out” basis. However, the Advertising Act has still not been amended to guarantee harmonisation with the GDPR, causing uncertainty in this matter.

With regard to the above, under the current rules of the Advertising Act, data controllers may send advertisements to private individual end-users in Hungary by email or similar electronic channels only with the express prior consent of the addressee.

Consents for individual marketing activities must contain the name, place and date of birth (if the marketing can be targeted only for people above a certain age), and the list of the consumer’s personal data which are processed in relation to the marketing.

Consent must also state that it is provided voluntarily, on the basis of adequate information provided to the consumer.

In all cases, end-users must be expressly informed in all individual marketing communications of the opportunity to freely opt-out of the communications and be given the relevant contact details (e.g. postal and email address) where they can do so. This statement is usually inserted in the footer of marketing communications.

If the consent is provided in a contract or in general terms, it must be provided separately from the main text – e.g. via the acceptance of a separate consent box. It cannot be a precondition to the contracting or receipt of a service, such as an online shop.

If the advertiser offers added value, provided that the addressee consents to receiving direct marketing messages, no separate consent box may be needed – e.g. if the addressee is given the opportunity to participate in a game or use free email services.

The sending of a direct mail message is lawful and can be based on the legitimate interest of the sender in general if the private individual addressee is an employee of a legal entity, the advertiser obtained the contact details lawfully (e.g. via the company's website or public sources), and the advertisement is targeted to a company (i.e. B2B marketing messages).

Direct marketing consents for benefits. According to NAIH, when organisations provide some benefit for subscribing to a newsletter, they must assess on a case-by-case basis how such benefit influences the free nature of the consent. In particular, it is important to examine whether the denial or withdrawal of consent (e.g. opt-out) causes any disadvantage for the individual. The provision of a service or a benefit shall not be conditional on a consent to data processing for additional purposes (e.g. direct marketing). Such practice is allowed only if the benefit is inseparable from the newsletter, e.g. the newsletter contains an exclusive content or offer.

14. Cookies and adtech

When the Data Controller uses remote or local mechanisms for electronic, optical or other forms of technological communication which allow personal data to be collected automatically at the moment the data subject comes into contact with such communication mechanisms, the data subject must be informed, at the time of that contact, about the use of these technologies, the collection of personal data and the way in which the cookies can be disabled.

The storing of information, or the gaining of access to information already stored in the electronic communications terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his/her consent and has been provided with clear and comprehensive information on the use of cookies, including information on the purpose of the data processing. In case of cookies strictly necessary for the operation of the website (especially concerning the application of session cookies), a data controller operating a website may process personal data of subscribers or users for technical and operation purposes based on its legitimate interest without the need of any consent.

In all other cases the legal basis for using cookies is consent. The above consent requirements do not, however, prevent any technical storage or access for the sole purpose of carrying out the transfer of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.

Cookie notices must contain:

  • The cookie’s name, type, function, purpose, necessity and lifespan;
  • The data the cookie can access; and
  • Third parties for whom the cookie collects data and the purpose of such collection, as well as a link explaining how to find the cookie management menu and functions in the most commonly used browsers (Mozilla Firefox, Google Chrome, Internet Explorer).

Cookies and GDPR

In line with NAIH’s practice concerning data processing with regard to cookie management under the GDPR, we highlight the following:

  1. The website operator may process the relevant personal data on the basis of its legitimate interests, without the consent from the users, when the placement of the cookies or any server-side IP address logging solely takes place for the purpose of the operation of the website, in order to ensure its operability or its essential functions, as well as the security of the computer system. The consent of the user for the cookie placement may be required when it is possible to use the webpage without the cookie.
  2. As regards the usage of cookies for statistical purposes (e.g. collecting technical data which are not necessary for the ongoing operation or required only for the future development of a service or for visitor counting, etc.), as well as for marketing purposes (following the user linked to advertisements, etc.), the website operator may rely on its legitimate interests for the data processing only in exceptional cases in accordance with the GDPR. The website operator may rely on legitimate interest, for example, where there is a relevant and appropriate relationship between the user and the operator (e.g. the user is an existing customer). In case of third-party cookies, usually there is no such relationship.

Website operators must differentiate between first-party cookies applied for statistical or development purposes and marketing cookies (which are also third-party cookies many times in practice), bearing in mind that the user may want to consent to one of the cookies, but does not intend to provide consent to the other one. Bundling such consents may lead to unlawful data processing.

15. Risk scale

Moderate

Moderate

Cybersecurity

1. Local cybersecurity laws and scope

There is currently no specific federal cybersecurity law in force in Mexico.

Cybersecurity is regulated in the Federal Criminal Code, the Data Protection Legislation and other sector-specific legislation applicable to entities operating within those sectors (e.g. the Fintech Law). Specific cybersecurity measures are normally regulated through tertiary regulatory instruments such as manuals, official operating parameters and guides.

Electronic information security in the public sector:

  • Act L/2013 on the Electronic Information Security of National and Self-Governmental Organisations (Electronic Information Security Act)
  • Government Decree 187/2015 (VII. 13.) on the Responsibilities and Powers of the Authorities Responsible for the Security Oversight of Electronic Information Systems and the Information Security Supervisor, as well as the Definition of Closed Electronic Information Systems

Protection of critical infrastructures:

  • The NIS Directive is implemented by Act CLXVI/2012 on the Identification, Designation and Protection of Critical Systems and Infrastructure (Critical Infrastructures Act)
  • Government Decree 65/2013 (III. 8.) on the Execution of the Critical Infrastructures Act (Critical Infrastructures Government Decree)
  • Sectoral governmental decrees appointing the competent authorities, which can identify and designate national and European critical infrastructures (e.g. Government Decree 249/2017. (IX. 5.) on the Identification, Designation and Protection of Critical Systems and Infrastructure in the Information Communications Sector)

Electronic information security in the private sector:

  • Act CVIII/2001 on Certain Matters concerning Electronic Commerce and Information Society Services (E-Commerce Act)
  • Government Decree 270/2018 (XII. 20.) on Monitoring Electronic Information Security of Information Society Services and Procedures concerning Security Incidents (Information Security Decree)
  • Government Decree 271/2018 (XII. 20.) on the Roles and Responsibilities of Event Management Centres, as well as on the Rules for Handling and Investigating Security Incidents and Conducting Vulnerability Analysis (Security Incident Decree)

2. Anticipated changes to local laws

A National Cybersecurity Strategy document was published in 2017, but since the change in government in December 2018, there has not been much progress in terms of actual regulation.

In February 2020, a Mexican Senator submitted a bill proposing amendments to the Data Protection Law (the “DP Bill”).

The DP Bill proposed implementing best practices with respect to cybersecurity but made no specific recommendations.

There have been no developments regarding the DP Bill since it was announced in February 2020.

The Commission published a proposal for the NIS2 Directive on 16 December 2020. No changes are expected at the local level before NIS2 is adopted at the EU level.

3. Application 

There is no indication of when (or if) the DP Bill will be passed into law or if the National Cybersecurity Strategy will be progressed.

Main requirements: 
  • The Electronic Information Security Act sets out security obligations for national and self-governmental organisations, for entities performing data processing for those organisations, as well as for European and national critical infrastructure operators and for data processors of national registers (e.g. the national tax or social security register).
  • The Critical Infrastructures Act identifies operators of essential services (OESs), national and European system components with key sectoral importance and sets out designation rules and safety obligations.
  • The Government Decree 270/2018 specifies obligations for guaranteeing electronic information security of digital service providers (including online marketplaces, online search engines and cloud-based IT service providers) (DSPs) and intermediary service providers (including access providers, cache providers, host providers, search engines and application service providers) (ISPs).
  • The Government Decree 271/2018 contains provisions on the tasks and competence of computer security incident response teams, on managing and mechanical testing of security incidents and on conducting vulnerability testing. The Government Decree covers both DSPs and ISPs, as well as OESs and operators of critical infrastructure. 
  • The E-Commerce Act sets out obligations for electronic services providers, including security obligations and the protection of consumer rights by technical means. The E-Commerce Act also sets out the main responsibilities of ISPs.
Obligation to designate a representative: 

The NIS Directive and Hungarian laws implementing the NIS Directive also apply to companies based outside the EU whose services are available within the EU. These companies are obliged to designate an EU-based representative to act on their behalf in ensuring NIS Directive compliance.

Cybersecurity registration obligations and designation of entities in the public sector:

Operators of critical infrastructures: an entity becomes an operator of critical infrastructure if the competent authority (which is different from sector to sector) designates the entity as such. The list of such critical infrastructure operators has not been made public for security reasons. However, it is certain that state-owned power plants, power transmission companies, system operation companies, major district heating works and other such entities fall into this category.

OESs: an operator of critical infrastructure is also designated as an operator of an essential service by the authority in its decision designating the entity as a critical infrastructure operator if:

  • Its sector or subsector corresponds to one specified by the NIS Directive (according to an annex to the Critical Infrastructures Act). Operators of services in the energy sector (e.g. energy transmission and distribution system operators) and operators of most transport, health and finance services (e.g. air operators, traffic management control operators, hospitals and private clinics and credit institutions), as well as operators of information communications (internet infrastructure and internet access services) and water supply services (drinking water supply and distribution operators), may be designated as OESs;
  • Its service depends on network and information systems; and
  • A security incident affecting the service would have a significant disruptive effect on the safe provision of such a service.

In addition, an operator of non-critical infrastructure that fulfils the above criteria may also be designated as an OES based on the identification process carried out by a competent authority.

DSPs: in line with the NIS Directive, DSPs must register at the Special Service managing the registry of DSPs in Hungary. It is noted that the Special Service for National Security’s practice considers online retailers as “online marketplaces”, a sub-category of DSPs (e.g. an online shop selling technical components or retail products), which are also required to register.

4. Authority

The primary authority in charge of responding to any issue regarding cybersecurity is the National Guard (previously Federal Police, now formally though not materially fully integrated into the National Guard) and the Ministry of Public Security. Additional to this, there are other local authorities in some regions, such as the Police for the Prevention of Cybercrimes in Mexico City.

The INAI is responsible for overseeing data security breaches in general.

There are other authorities that could have jurisdiction regarding sector-specific cybersecurity breaches e.g. the Mexican Securities and Exchange Commission or Mexico’s Central Bank in case of cybersecurity breaches in the banking and financial sector. 

  • The Special Service for National Security (Nemzetbiztonsági Szakszolgálat), as the National Competent Authority under the NIS Directive, oversees and manages the register of DSPs and acts as the event management centre (computer security incident response team), which manages security incidents with a significant impact on the services of DSPs and ISPs. The Special Service also has broad controlling rights under the Security Incident Decree, which states that organisations affected by a security incident must cooperate with the Special Service.
  • The National Disaster Management Authority (Országos Katasztrófavédelmi Főigazgatóság) is a general authority that proposes the designation of OESs, oversees the electronic information systems of national and European critical infrastructure (with the exception of state and municipal bodies) and assists the sectoral authorities during the designation procedure of OESs. Sectoral rules specify the entities acting during the designation of OESs.
  • Authorities designating entities as national critical infrastructure operators and deciding on their registration as OESs. Examples include the NMHH, which oversees OESs providing information communication services, while the minister responsible for the health sector oversees health service providers and the minister responsible for finance, capital and insurance market regulation oversees financial services.

5. Key obligations 

Given there is no legislation specifically regulating cybersecurity, companies operating in sectors that do not have their own cybersecurity requirements are not subject to any particular obligations. Similarly, there is no obligation to report cyber incidents to the authorities. However, gaining or attempting to gain access to a protected system is a crime in Mexico, and therefore the offended party may report the crime to the Federal Prosecutors.

With respect to personal data, under the Data Protection Legislation, every organisation must implement corrective and preventive measures to improve security and avoid the violation of personal data rights.

Operators of critical infrastructures: the operators of critical infrastructures and certain public entities specified by the Information Security Act should report to the Special Service – without delay – any security incident in their electronic information systems.

OESs: OESs are required to take appropriate and proportionate technical and organisational measures to protect their network and information systems and to assure a level of protection against the potential risks (including cyberattacks, system downtime or other incidents leading to disruptions of essential services). Appropriate measures to respond to such risks include logical, physical and administrative measures to eliminate or diminish their effects, such as appropriate software solutions, mechanical equipment and measures and internal rules assuring security.

OESs should report security incidents that have a significant effect on the continuity of their essential services to the competent national CSIRT (the Special Service in Hungary) without unreasonable delay. The report should specify the number of users affected by the disruption of the essential service, the duration of the security incident and the geographical extent of the territory affected by the incident.

In addition to the above, the annexes of the Critical Infrastructures Act specify other infrastructure in other key sectors or subsectors (including agriculture, public safety and home defence), which may be designated as critical infrastructure.

Operators of national and certain European infrastructure and OESs are designated by the competent authorities; however, companies that may fall under the category “OES” must prepare an identification report and submit it to the government body competent for designating OESs in the relevant sector. The report helps the competent authority assess whether the given operator should be designated as an operator of national or European infrastructure or as an OES.

DSPs: besides registration, DSPs are also required to implement minimum security measures, including establishing a risk management methodology and assigning security roles within their organisation, as well as arranging appropriate training and internal policies, third-party contract management, and physical and environmental security.

ISPs: ISPs have limited liability specified by the E-Commerce Act. Like DSPs, ISPs must report – without delay – any security incident in their electronic information systems to the Special Service.

6. Sanctions & non-compliance 

Even though there is no definition of “cybercrime”, the Federal Criminal Code sanctions some behaviours that can be identified as cybercrimes, such as hacking, phishing, infections of IT systems with malware, identity theft or fraud. These illegal behaviours can be punished with prison sentences and a range of fines, depending on the severity of the crime. 

Administrative sanctions:

The administrative sanctions depend on the sector and type of operator.

In connection with OESs and operators of critical infrastructure, the maximum fine that can be imposed in case of non-compliance is HUF 10m (EUR 27,800).

In connection with non-compliance of state organisations and their data processors with cybersecurity requirements, the Special Service for National Security may require the relevant organisation to comply with applicable law, perform certain acts or implement measures to remedy the non-compliance. The competent authority may request immediate action, as well as cooperation and the provision of data, and may also initiate disciplinary action before the employer. The Special Service for National Security may impose an administrative fine of up to HUF 5m (EUR 13,900).

Criminal sanctions:

The Hungarian Criminal Act punishes breaches of information systems or data. Unlawful access to an information system is punishable with imprisonment of up to two years, and unlawful hindering of an information system or unlawful deletion or modification of data with imprisonment of up to three years. In aggravated cases the above acts may be punished with imprisonment of up to five or eight years.

The Hungarian Criminal Act also punishes compromising or defrauding the integrity of a computer protection system or device with imprisonment of up to two years.

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

The authority responsible for the prevention of and response to any cybersecurity issue is the National Response Centre for Cyber Incidents of the Federal Police (now formally incorporated into the National Guard), or CERT-MX. This body is in charge of preventing and mitigating any threat to technological infrastructure and operability in Mexico. Additionally, the INAI is responsible for supervising compliance with legislation regarding personal data protection.

Yes, the Special Service.

8. National cybersecurity incident management structure

The CERT-MX is responsible for dealing with any cybersecurity incidents, but only after a specific request, complaint or demand is submitted. The INAI can also initiate investigations regarding the protection of personal data.

Yes, incidents must be reported to the Special Service.

9. Other cybersecurity initiatives 

In the private sector, the Mexican Association for Cybersecurity offers services and products regarding cybersecurity and data protection. It also encourages the protection of information and proper information handling. 

The Commission published a proposal for the NIS2 Directive on 16 December 2020. No changes are expected at the local level before the adoption of NIS2 at the EU level.

Héctor González Martínez
Senior Associate
Mexico City
Dóra Petrányi
Partner
Budapest