
Data Law Navigator | Hungary

Information on Data Protection and Cyber Security laws from CMS experts


The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.


Data Protection

Last updated 11 July 2019

Risk scale: Red

Laws

  • Act LXVI of 1992 on Personal Data and Address Records of Citizens
  • Act CXIX of 1995 on the Use of Name and Address Information Serving the Purposes of Research and Direct Marketing (Hungarian Direct Marketing Act)
  • Act XLVII of 1997 on Processing and Protection of Medical and Other Related Personal Data (Medical Data Act)
  • Act CXX of 2001 on Capital Markets
  • Act C of 2003 on Electronic Communications (E-Communications Act) – implementing the EU E-Privacy Directive
  • Act CXXXIII of 2005 on Security Services and the Activities of Private Investigators (Security Services Act)
  • Act XLVIII of 2008 on Advertising (Advertising Act)
  • Act XXI of 2008 on the Protection of Human Genetic Data (Human Genetic Info Act)
  • Act CXII of 2011 on the Right of Informational Self-Determination and the Freedom of Information (Info Act) – general rules on personal data processing (including processing for law enforcement, national security and national defense purposes, implementing the Law Enforcement Directive) and freedom of information
  • Act I of 2012 on the Labour Code
  • Act CCXXXVII of 2013 on Credit Institutions and Financial Enterprises
  • Act CLXV of 2013 on Complaints and Notifications of Public Interest (Complaints Act)
  • Act LXXXVIII of 2014 on Insurance Institutions and the Insurance Business
  • NMHH Decree No. 4/2012. (I. 24.) on the Special Conditions of Data Processing by Electronic Communications Service Providers, the Data Security of Electronic Communications Services, and the Rules of Identifier Presentation and Call Diversion – implementing the EU E-Privacy Directive

Authority

Hungarian Authority for Data Protection and Freedom of Information (NAIH – Nemzeti Adatvédelmi és Információszabadság Hatóság): www.naih.hu/ 

Anticipated changes to law

Sector-specific issues: as of 26 April 2019, a number of sector-specific laws were amended to guarantee harmonisation with the GDPR, including the Labour Code, the Medical Data Act and Human Genetic Info Act, as well as acts concerning the finance markets and the Act on Personal Data and Address Records of Citizens. A number of sector-specific laws, however, are still anticipated to be revised in the second half of 2019, including the E-Communications Act and other legal provisions concerning data processing through electronic communications and the Advertising Act.

We summarised the main amendments to the Info Act and Hungarian sector-specific laws (as of 25 May 2018), which were made with regard to the GDPR as follows.

Amendments to the Info Act and the practice of NAIH for the post-GDPR era until full harmonisation

Guideline for the post-GDPR era: NAIH issued an information notice on 25 May 2018 on the relationship between the GDPR and the local Hungarian data protection legislation (the Info Act and sectoral Hungarian laws with data protection provisions). The purpose of the information notice was to clarify the situations where local laws regulate a data protection issue differently from the GDPR until those laws are fully harmonised with the GDPR.

NAIH’s main statements were as follows:

  • The GDPR may permit the passing of local data protection legislation in certain areas. For example, local laws may lay down rules on data processing to comply with a legal obligation, data processing for journalistic purposes, data processing in the context of employment, data processing and public access to official documents, etc. The existing local rules on these topics shall be applicable within the framework of the GDPR.
  • Certain Hungarian laws remain necessary to enforce the GDPR. For example, local laws shall lay down procedural rules for the operation of NAIH. The existing local rules shall be applicable in accordance with the GDPR.
  • The provisions of the Info Act and the applicable sectoral Hungarian data protection provisions shall apply to any other areas not regulated by the GDPR.

1. Additional requirements for data processing necessary for compliance with a legal obligation or for public tasks

Art. 6 (1) c) and e) of the GDPR (Lawfulness of processing) enable data processing if (i) it is necessary for compliance with a legal obligation to which the controller is subject; or (ii) it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The Info Act defines these kinds of data processing operations as “mandatory data processing operations” and provides that organisations can rely only on laws and municipality decrees in these cases. Such laws and municipality decrees shall define the following:

  • the identity of the data controller;
  • the purpose, term and conditions of the data processing;
  • the type of data;
  • the access rights to the data; and
  • when it is necessary to revise the data processing purpose.

In case of “mandatory data processing operations”, data controllers shall periodically assess whether a particular data processing is necessary for achieving its purpose. The Info Act also addresses the case when the relevant law / municipality decree does not define the time for this. In such a case, the data controller shall revise the purpose itself at least every 3 years, calculated from the commencement of the processing. The data controller shall (i) document the circumstances and results of such revision; and (ii) keep such documentation for 10 years and present it to NAIH at its request. Data controllers shall revise pre-GDPR data processing operations on 25 May 2021 at the latest.

NAIH clarified that even though the rules of the Info Act on mandatory data processing operations provide that processing must be based on laws or municipality decrees, this obligation only burdens the legislator and not data controllers in general. This also means that data controllers may base their processing operations necessary for complying with legal obligations on Art. 6 (1) c) of the GDPR, even when such a legal obligation is prescribed by another legal instrument besides laws or municipality decrees (e.g. by a government decree or a ministerial decree). For more information, please see the link (in Hungarian only).

2. Processing of personal data relating to criminal convictions and offences

The Info Act provides that data controllers can process personal data relating to criminal convictions and offences in accordance with the rules on the processing of special categories of personal data. The practical implication of the above is that companies may process such data mainly (i) based on the explicit consent of the individual; (ii) for carrying out the obligations and exercising specific rights in the field of employment and social security and social protection law; or (iii) for the establishment, exercise or defense of legal claims. Organisations shall revise the legal basis of their data processing operations accordingly.

NAIH clarified in respect of the processing of moral certificates (erkölcsi bizonyítvány) that, when processing criminal data, the data controller also has to refer to a condition under Art. 9 (2) of the GDPR concerning the processing of special categories of personal data, besides relying on a legal basis under Art. 6 (1) of the GDPR. NAIH further clarified that for employers processing the moral certificates of new employees, the applicable legal basis would be Art. 6 (1) f) of the GDPR (legitimate interest of the employer) besides Art. 9 (2) b) of the GDPR (processing necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law). For more information, please see the link (in Hungarian only).

3. Data protection rights of deceased people

Before this modification, Hungarian law did not regulate the data protection rights pertaining to deceased people. Since 26 July 2018, the Info Act ensures that within five years of the death of an individual, the person designated by the individual – in an administrative declaration, public document or in a private document with full probative force – may exercise the data protection rights of the deceased. In the absence of such provision, the close relative of the deceased may exercise the right to rectification, as well as the right to object to the data processing, the right to be forgotten and the right to the restriction of the processing.

Besides such rules, a number of sectoral laws also stipulate that for the processing of certain types of data of deceased people, the rules of the GDPR apply (e.g. health records of deceased persons, insurance data).

4. Other significant provisions in the Info Act

  • The Info Act established a specific and permanent confidentiality obligation for DPOs. Organisations should revise the confidentiality clauses of the contracts with their DPOs to ensure harmonisation with the Info Act;
  • NAIH will convene and set the agenda of the “conference of data protection officers” each year. This conference shall serve as a regular interaction point between data protection officers and NAIH;
  • In accordance with the GDPR, organisations shall not register their data processing operations with the NAIH anymore and shall record their own data processing operations in line with Art. 30 of the GDPR;
  • The Info Act does not provide for further significant deviations from the GDPR. For example, in relation to the offer of information society services directly to a child and based on consent, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

5. Subsequent amendment to the Info Act

With effect from 26 April 2019, the Hungarian Parliament further amended the Info Act. Under the new amendment, a notary of the local government may also assist NAIH in auditing the data processing operations of a company. The new amendment increases NAIH's procedural deadline from 120 days to 150 days. NAIH, in principle, issues a warning for a first infringement; however, this does not exclude the issuance of fines.

The aim of the amendment, to relieve NAIH's burden and to facilitate the mapping of local conditions by local governments, is likely to raise further practical issues: in practice, the local authorities and the notarial apparatus of different settlements may have very different capacities.

6. Harmonisation of sectoral laws with the GDPR

As of 26 April 2019, a large number of sectoral laws were amended (in the so-called GDPR Omnibus Act, which amends more than 80 acts) to provide harmonisation with the GDPR. The main amendments are as follows.

Main amendments to employment law:

a) Data protection notices to employees. Employers should inform their employees in a data protection notice of any restriction of their personal rights. Notification may also be made in the workplace using a customary and generally known method (e.g. in writing, or publication on intranet and e-mail).

b) No copies. The GDPR Omnibus Act clarifies that employers should take notes on information that has been requested from employees, instead of copying the actual documents.

c) Biometric identification. Employers may use biometric identification to prevent unauthorised access to information, if such access seriously or irreversibly jeopardises the life, health or significant interests of individuals (e.g. information regarding classified data, explosives, hazardous substances, assets with a value exceeding HUF 50 million or EUR 160,000).

d) Background checks. An employer is permitted to establish exclusion or restriction criteria for a particular position and can process an applicant’s criminal data to verify his background. Such criteria are legitimate only if the employee's position poses a potential threat to the employer's financial interests, is privy to secrets (e.g. trade secrets) or exercises significant interests protected by law and defined by the GDPR Omnibus Act (e.g. safe storage of firearms, ammunition, explosives, poisonous, hazardous or biological substances, and nuclear materials).

Employers are advised to review the employment agreement and introduce provisions for the private use of devices (if relevant).

e) Whistleblowing. The GDPR Omnibus Act clarifies the profile of people who can be classified as whistleblowers. As a new rule, companies are permitted to process special categories of data (i.e. sensitive data) and criminal data in the reporting system and transfer this information to the employer organisation’s lawyer or an external organisation. Companies should revise their reporting systems, transfer mechanisms and data protection documentation accordingly.

f) CCTV and entry systems. Companies using entry systems and/or security cameras (CCTV) must document in their data protection notices the legitimate interest for using these systems, and include detailed specifications of the purpose of the processing (e.g. protection of classified information, storage of dangerous substances). The GDPR Omnibus Act also repeals former restrictions on the data-retention period. Companies can rely on their own discretion to determine the retention time of the relevant data and recordings, keeping in mind the GDPR’s principle on storage limitation. If access has been made to data or recordings, the company should take minutes on the specific circumstances of each case. Companies must reflect the above changes in their data protection notices and internal security procedures.

Changes concerning the operation of condominiums

a) Changes to rules for condominium camera monitoring. Condominium operators must inform people entering and staying in a condominium building of any CCTV use, and provide them the relevant data protection notice and contact details of the operator. When providing copies of the recordings, operators must identify the recorded image, the name of the person authorising the copies, and the reason and time for viewing the data. Condominiums should revise their data protection notices, internal security procedures, and record keeping practices accordingly.

Health sector

a) Health and personal identification data – including the promotion of health preservation, improvement and maintenance, and enforcement of patient rights – may be processed for purposes not prescribed by law with the non-written consent of affected persons, which makes electronic health services, personalisation and health cloud services easier to maintain.

b) If additional copies of health data (i.e. after the first copy of the same data request) are required, a fee can be levied by the health organisation reflecting the costs of processing. (These cost elements will be specified in an upcoming ministerial decree).

c) Genetic data. Companies may transfer only anonymised, encoded or pseudonymous genetic samples or data to a third country for human genetic testing. They should also use the appropriate safeguards required by the GDPR (e.g. BCRs, Privacy Shield, EC Model Clauses, etc.). It is not permitted to transfer the coding key. The same applies to importing genetic samples or data. The local health administration should be notified of the transfer of genetic samples and data to a third country, and the notification should be made in a manner where personal identification of the affected data subjects is impossible. Companies should revise their data transfer mechanisms accordingly.

Marketing activities

a) Organisations are not entitled to collect and use names and addresses for direct marketing purposes from official public databases of citizens, publicly available databases (e.g. lawfully published official name-and-address registers, phonebooks, directories, statistical lists), and organisations with the same activity. Additionally, organisations must not use the data of clients, supporters or persons with whom they have contact for marketing purposes. Data requests for scientific research, opinion polling and market research purposes are permitted and have not been affected by the Act. The “opt-in” system for direct marketing messages under the Hungarian Advertising Act and Hungarian e-commerce law remains unchanged, as does the legal uncertainty regarding the legal basis for data processing (i.e. consent versus legitimate business interest).

b) Organisations performing direct marketing, market research or polling activities must revise their marketing operations (for both opt-in or opt-out systems), data protection notices, databases and consent management policies.

Amendments to money laundering and financial institutions laws

a) The amendments in the GDPR Omnibus Act stipulate that service providers subject to money laundering legislation may copy personal documents specified by law for the following purposes: preventing and combating money laundering and terrorist financing, fulfilment of obligations under the Money Laundering Act, fulfilment of customer identification obligations and effective supervision of client-monitoring activities. Copies cannot include personal identification numbers.

b) Financial service providers and other organisations subject to money laundering obligations (e.g. real estate managing enterprises, trusts, auditors, etc.) should revise their document management and copying practices and reflect such changes in their data protection notices and internal documents.

Trading activities

a) When a customer makes a complaint or suggestion in a merchant's customer comment book (vásárlók könyve), the merchant must remove the page containing the complaint or suggestion, keep it in a secure place, and hand it over to the authority if requested.

If applicable: stage of legislative implementation of GDPR

Partial implementation. A number of laws (including the Advertising Act and telecommunications laws) are expected to be further amended with a view to the GDPR in the second half of 2019.

If applicable: local derogations as permitted by GDPR

No derogations in the amendment to the Info Act. As regards sector-specific laws, please see our above summary.

In the case where NAIH states in its public communication that a specific type of data processing involves high risk and the data controller intends to perform the same or a similar activity, the data controller shall carry out a data protection impact assessment. NAIH also published on its webpage the open source software developed by the French Data Protection Authority (CNIL), which assists data controllers in the preparation of data protection impact assessments.

Scope

The Info Act applies to all kinds of data processing operations, except the processing of personal data by a natural person in the course of a purely personal or household activity. This is an addition to the GDPR, and covers manual data processing operations as well. (The GDPR applies only to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.)

The Info Act is applicable if:

  • the data controller’s (i) main establishment; or (ii) only place of business in the EU is in Hungary; or
  • the data processing operations of a data controller or its data processor are related to (i) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in Hungary; or (ii) the monitoring of the data subjects’ behaviour as far as their behaviour takes place within Hungary.

Penalties/enforcement

The provisions of the GDPR apply with the exception of the public sector, where the maximum penalty is HUF 20,000,000 or EUR 62,100.

NAIH’s statement on imposing fines

In Hungary, GDPR compliance seems challenging for a wide range of SMEs. Pursuant to a specific provision in the Info Act, NAIH will usually warn a data controller or processor at the first infringement of the GDPR or local data protection laws in lieu of imposing a fine. Such a rule, however, only provides orientation to NAIH, which may also use other measures in case of a first breach, if it deems such measures necessary and fitting for the circumstances of the case. In the case of continuous breaches, NAIH may impose fines even on private persons, individual entrepreneurs or SMEs.

https://www.naih.hu/files/Adatved_allasfoglalas_NAIH-2018-4283-V-birsagkiszabas-szempontjai.pdf

Notable cases (under the GDPR):

6.5% fine - HUF 1,000,000 (EUR 3,135) - for breaching the access right:

An individual visited the company’s office and asked to inspect certain documents related to a dispute. The company refused the request, and after that the individual requested a copy of relevant CCTV recordings as evidence in the litigation. The company refused this request as well, arguing that the recordings did not support the individual’s claims, but only proved that he was present in a given place at a given time.

NAIH found that the company infringed the individual’s access rights, and clarified the following principles on the right to access:

  • the company cannot request any justification from an individual making a subject access request;
  • the data controller is not in a position to determine whether the required data would be necessary for the individual’s litigation purposes.

The NAIH imposed a fine of HUF 1,000,000 (EUR 3,135) against the company, which represents 6.5% of its annual net sales revenue. It considered the following circumstances when determining the amount of the fine:

  • the nature of the breach;
  • the fact that the deleted recordings could not be recovered;
  • the fact that this was the company’s first infringement under the GDPR;
  • the net sales revenue of the data controller company in the preceding year was HUF 15.3 million (EUR 48,000);
  • Hungarian rules on CCTV operation are currently not in line with the GDPR because they stipulate that if an individual requests a company not to delete a CCTV recording, he must prove that the recording affects his rights or legal interests.

As a result, Hungarian companies are advised to update their subject access request (SAR) procedures to reflect the GDPR.

https://www.naih.hu/files/NAIH-2018-5559-H-hatarozat.pdf 

No fine for unlawful data disclosure: 

NAIH determined that a bank breached a debtor’s privacy by providing information on his unpaid debts to the co-mortgagor of an underlying loan. The reason for the unlawful data disclosure was a data-entry error made at the conclusion of the initial mortgage agreement more than ten years before.

The bank fully cooperated with the NAIH, conducted an internal investigation, immediately communicated its results to the NAIH, and also corrected the error without delay.

Ultimately, the NAIH did not impose a fine because the bank did not breach the GDPR and the incorrect entry had taken place more than a decade before. The NAIH’s findings, however, emphasise the importance of the “accuracy” principle under the GDPR. Companies must always ensure in day-to-day operations that the personal data they are processing are accurate and up-to-date. Companies must also take every reasonable step to ensure that inaccurate personal data are erased or corrected without delay.

https://www.naih.hu/files/NAIH-2018-5573-H-hatarozat.pdf 

Fine on a bank for failing to comply with the principle of accuracy under the GDPR:

NAIH issued a fine of HUF 500,000 (EUR 1,560) on a bank for failing to comply with the principle of accuracy under the GDPR. The procedure was initiated on the request of an individual after the bank mistakenly sent SMS messages about its client’s credit card debt to the telephone number of another person.

After receiving an incorrect telephone number from the client at the time of contracting, the bank did not comply with the individual’s request to erase the data and continued to send SMS messages to the incorrect telephone number.

In its decision, NAIH made the following findings:

  • The bank does not have to delete a telephone number processed by mistake if the error is reported by a third person who is not properly identified.
  • As soon as the inaccuracy of a telephone number becomes certain, however, the bank must erase the given data. It should also review the contract of the complaining individual, which can confirm whether an error has taken place.
  • The bank should have restricted the processing of the data in question until the accuracy of the telephone number was confirmed.

Companies shall revise their measures for assuring the accuracy of data and regularly ask clients to revise their data and report any changes. It is important to make the relevant revisions to the internal policies concerning the accuracy of data and to the management of data subject requests.

https://www.naih.hu/files/NAIH-2019_363_hatarozat.pdf 

Fine on a debt collector for breaching the principles of transparency and data minimisation:

NAIH imposed a fine of HUF 500,000 (EUR 1,560) on a debt collector for breaching the principles of transparency and data minimisation. An individual satisfied the debt collector’s claim against him and afterwards, in accordance with the GDPR, requested information on his processed data and requested that his e-mail address and other personal data be erased.

The debt collector stated that it could not identify the individual and requested his name, place and date of birth, mother’s maiden name and address. The individual declined and consequently the debt collector rejected the above request, stating it was unable to identify the individual.

After more correspondence, the individual was successfully identified, but the debt collector refused to erase the personal data, claiming it must retain it to comply with legal obligations, including the obligation to retain backup copies under accountancy-related legal requirements. The debt collector also cited its internal policy concerning backup copies.

The NAIH stated that the debt collector breached the principle of transparency by not appropriately informing the individual on the rules of backup copies and by referring to an internal policy, which is not public and not accessible to the individual.

In its decision, the NAIH highlighted the right to erasure and made the following findings:

  • assignment contracts do not have to be deleted even at the request of the individual and, according to accountancy-related legal requirements, must be retained for a period of eight years;
  • making and retaining backup copies are mandatory according to a government decree concerning information security of financial institutions, and this data cannot be deleted even on request;
  • a complaint does not have to be deleted, even on request, since the financial institution must retain it for a period of five years in line with the Act on Credit Institutions.

Companies should minimise the data required for client identification, make all internal company policies on data processing fully transparent to clients, and revise their policies on making backup copies to assure compliance with the GDPR.

In arriving at fines of HUF 500,000 (EUR 1,560) for the concerned data controllers specified above, NAIH did not take into account the companies' worldwide annual turnover or income – as it had in previous decisions based on the GDPR – and instead focussed on the results of their business activities. This discrepancy suggests that there is still no unified practice in Hungary for assessing fines.

In both cases, the fines were symbolic. For the bank, the fine represented only 0.0016% of its profit of HUF 31 billion. In case of the debt collector, the fine represented only 0.0025% of its profit of HUF 20 billion.

https://www.naih.hu/files/NAIH-2019-1841_hatarozat.pdf 

Fine for unsatisfactory balancing test:

A financial institution refused a client’s request to delete his telephone number, citing possible claim enforcement purposes. Following the client’s complaint, NAIH determined that:

  • The balancing test was too broad and covered more than one data processing purpose, which would have necessitated the preparation of separate balancing tests. The balancing test specified only economic and convenience aspects and failed to prove the priority of the data controller’s interests over that of the individual and contained irrelevant findings (e.g. the data controller complies with data security requirements). The balancing test also referred to standards and recommendations concerning claim enforcement but did not detail them.
  • The telephone number in itself is not necessary for claim enforcement. Written correspondence is sufficient for communication with the debtor or client.
  • Regarding the fine, the NAIH took into account both the income and the profits of the data controller company. Notably, in previous cases the NAIH took such indicators into account separately, meaning that there is still no settled practice for this in Hungary.

https://www.naih.hu/files/NAIH-2019-2526-2-H-hatarozat.pdf 

Unlawful disclosure of a whistleblower’s name:

An employee of an institution supervised by the local government lodged a whistleblowing report to the local government itself drawing its attention to unlawful management of the institution. As a result of the misinterpretation of law by the acting employees of the local government, the identity of the whistleblower was revealed to his employer (i.e. the supervised institution in question), which resulted in the termination of his employment without delay. Following the incident, the local government conducted an internal investigation, cooperated with the NAIH and informed the affected person about the data breach.

When assessing the breach and considering a fine, the NAIH took into account the facts that the breach resulted in a high risk to the rights and freedoms of the individual, that the maximum amount for fines is limited to HUF 20,000,000 (EUR 62,100) in Hungary for budgetary organisations (such as a local government) and that the breach arose concerning the data controller’s activity while pursuing the public interest.

https://www.naih.hu/files/NAIH-2019-596-hatarozat.pdf 

Data breach concerning the database of a political party:

The NAIH imposed a fine of HUF 11,000,000 (EUR 34,375) on a Hungarian political party for failing to notify the NAIH and the relevant individuals about a data breach, and for failing to document the breach as required by Article 33(5) of the GDPR. As mandated by law, the fine was based on 4% of the party's annual turnover and 2.65% of its anticipated turnover for the coming year.

The breach was the result of a cyberattack by an anonymous hacker who accessed and disclosed information on the vulnerability of the organisation’s system – a database of more than 6,000 individuals – and the command used for the attack. The system was vulnerable to attack because of a redirection problem with the organisation's webpage. After the attacker published the command, even people with low IT knowledge were able to retrieve information from the database.

Although this case concerned a political party, the NAIH's findings contain useful takeaways for all companies, such as:
The protection applied to a database and to stored passwords should offer a sufficient level of resistance against malicious decryption or recovery techniques. In this particular case, the NAIH found the MD5 algorithm that had been applied to be inadequate.

Companies should be aware that data breaches pose risks to individual rights and freedoms (even if the information compromised is not up-to-date or part of a test database), and the disclosure of the identification data of users (e.g. names, emails, user names, passwords) poses a high risk to them.
Companies should use password complexity validation algorithms, which suggest password length and special characters. In this case, however, the NAIH found passwords that consisted of only lower-case characters.
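As an added illustration of the two technical takeaways above (this is example code, not code from the NAIH decision or from CMS): a password policy check that rejects lower-case-only passwords, salted scrypt hashing in place of bare MD5, and an audit helper that flags legacy MD5 records for a forced reset and re-hash. The 12-character minimum, the scrypt parameters and the stored record format are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re
import string

# Assumed policy values (not figures from the NAIH decision).
MIN_LENGTH = 12
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # about 16 MiB of work per hash

# Unsalted MD5 digests are 32 hex characters; used only as an audit heuristic.
MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def check_complexity(password: str) -> list[str]:
    """Return the policy rules a password violates (empty list = accepted).

    A lower-case-only password, as found in the breached database, fails at
    least the upper-case, digit and special-character rules."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Derive a salted scrypt hash and store it together with its parameters.

    Assumed record format: scrypt$n$r$p$<salt hex>$<digest hex>."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt per password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash from the stored parameters; compare in constant time.

    Legacy MD5 or malformed records never verify, so such accounts are forced
    through a password reset instead of being silently accepted."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, digest_hex = parts
    try:
        digest = hashlib.scrypt(password.encode("utf-8"),
                                salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p),
                                dklen=len(digest_hex) // 2)
    except ValueError:
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)


def audit_records(records: dict[str, str]) -> dict[str, list[str]]:
    """Group stored credentials by scheme so legacy MD5 entries can be
    identified for migration; returns user names under each scheme."""
    report = {"legacy_md5": [], "scrypt": [], "unknown": []}
    for user, stored in records.items():
        if MD5_HEX.match(stored):
            report["legacy_md5"].append(user)
        elif stored.startswith("scrypt$"):
            report["scrypt"].append(user)
        else:
            report["unknown"].append(user)
    return report


if __name__ == "__main__":
    # Constructed sample records, not data from the breach.
    records = {"user1": hashlib.md5(b"tavaszi").hexdigest(),
               "user2": hash_password("Kert-Kapu-2019!")}
    print(audit_records(records))
    print(check_complexity("tavaszi"))
    print(verify_password("Kert-Kapu-2019!", records["user2"]))
```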

https://www.naih.hu/files/NAIH-2019-2668-hatarozat.pdf 

Data protection fine for sending mails to wrong recipients:

The NAIH imposed a fine of HUF 100,000 (EUR 310) on a social and child welfare institution for a data breach concerning sending letters to wrong recipients. The nine letters affected 18 data subjects and included sensitive information, including data on children and criminal records.

In response, the institution performed a risk analysis and informed the NAIH about the breach more than 20 days after becoming aware of it, which increased the risk to the affected data subjects.

Besides imposing a fine, the NAIH highlighted the importance of proper and immediate risk analysis and the adoption of breach management guidelines to minimise or terminate the negative consequences of a breach on the data subjects and to re-assess data security measures applied by the institution.

https://www.naih.hu/files/NAIH-2019-3854_hatarozat.pdf 

Highest data protection fine in Hungary for unlawful processing of data of festival visitors:

The NAIH also issued its highest data protection fine (HUF 30,000,000 or EUR 100,000, representing 2.3% of the company’s net revenue) for “Sziget”, one of Hungary's largest multicultural music and arts festivals. The violation concerned the festival organiser's procedure for the security screenings of hundreds of thousands of festival guests by photocopying IDs and taking photos at the entry gate.

The NAIH disputed whether individuals voluntarily consented to such screenings since this data processing was necessary for each guest to obtain services and attend the festival. In other similar cases, primary services cannot be subject to consent for the underlying data processing, and companies must rely on another legal basis to justify it.

The NAIH also found the scope of the data that was processed (e.g. citizenship, type, number and expiration date of ID, date of birth and gender) to be excessive and the retention period of one year to be too long. Although the NAIH considered some of the company's actions to be legitimate (e.g. financial measures implemented to prevent the misuse of tickets), the company could not appropriately prove its legitimate interest in processing the data in question.

The newly prepared “balancing test” did not contain a list or an explanation of the specific rights of the individuals that were restricted by the data processing. Nor did it contain the relevant risks brought on by the processing. According to the NAIH, the screening process was incapable of reaching its goals of averting the misuse of tickets, preventing crimes and addressing exceptional situations such as health and safety problems, which are considered rare.

The NAIH stated that preventing acts of terrorism and other crimes is the responsibility of the competent authorities, and companies should implement security measures that do not necessarily include the processing and retention of personal data. Acceptable security measures include physical screenings, metal detectors, appropriate vigilance by trained security personnel, and cooperation with authorities.

In light of the above two decisions, CMS recommends that companies protect themselves from similar GDPR-related issues by ensuring that they notify authorities about personal data breaches in a timely fashion, and that they employ proper legitimate interest tests when considering the processing of personal data. When implementing security, companies are advised to consider methods that do not involve the processing of personal data.

https://www.naih.hu/files/NAIH-2019-55_hatarozat.pdf 

Registration / notification

Data controllers no longer need to register their data processing activities with NAIH, since each data controller and data processor must record its data processing activities internally in line with Article 30 of the GDPR. In addition, the notification and registration obligations prescribed by the GDPR (e.g. concerning data protection officers or data breaches) apply in Hungary as of 25 May 2018.

Main obligations and processing requirements

The provisions of the GDPR apply, with the following specific local practice:

Information (data protection notices)

  • NAIH guidance on data protection notices is stricter than the requirements of the Info Act and the GDPR. In line with the above guidance, data protection notices must contain detailed information on each processing purpose, with a full list of the relevant data, the legal basis of the processing in each case, the data retention period, and the people who may access the data internally.
  • Individuals must receive detailed information on their data protection rights and remedies, and the data security measures applied by the company.
  • The data protection notice must contain a full list of each data processor and data transferee, tasks regarding the data, and the term of their processing.
  • We note that the above guidance of NAIH was adopted pre-GDPR, therefore some of the requirements set out in it could be questioned under the new rules (including specifying the persons having access to the data internally and the data security measures in the data protection notice). The upcoming practice of NAIH will decide whether any additional requirements beyond those laid down in the GDPR will be enforced by NAIH.
  • Organisations shall formulate their data protection notices in a language understandable to the affected persons. In case of an application also addressed to individuals living/residing in Hungary, the data protection notice of such application shall (also) be in Hungarian language. https://www.naih.hu/files/NAIH-2018-3878-allasfoglalas.pdf 

Consent

For employment-related data processing, NAIH considers that consent has a proper legal basis only if it provides benefits for employees. Otherwise, employers must rely on another legal basis, such as processing necessary for compliance with a legal obligation or legitimate interest of the employer.

Data subject rights

The provisions of the GDPR apply.

The Info Act provides that individuals can seek an effective judicial remedy at the court when their data protection rights are infringed, without prejudice to any available administrative or non-judicial remedy (e.g. a complaint to NAIH). In Hungary, the competent court is the tribunal (törvényszék) of the domicile or habitual residence of the claimant. In addition to the payment of the individual’s direct and indirect damages, the court can also impose a general compensation fee for the infringement of the individual’s right to data protection as a personality right (sérelemdíj). The court can also publish its judgment with the identification of the data controller or the data processor if the infringement affects a large number of individuals, the infringer is carrying out public tasks, or the gravity of the infringement requires publication. The Info Act authorises NAIH to join any such litigation in support of the individual’s claim.

Processing by third parties

The provisions of the GDPR apply.

Transfers out of country

The provisions of the GDPR apply.

Before 25 May 2018, data controllers had to keep an internal data transfer registry for the verification of the legitimacy of data transfers and for providing information to the data subject. The internal data transfer registry must contain the date, legal basis and addressee of the data transfer, together with the scope of the data transferred and any other data required by law.

Data Protection Officer

The provisions of the GDPR apply. Data controllers and data processors shall publish the contact details of their data protection officers and communicate them to NAIH through the Data Protection Officer Reporting System.

Security

The provisions of the GDPR apply.

Breach notification

The provisions of the GDPR apply. Data controllers shall notify personal data breaches to NAIH through the Personal Data Breach Reporting System. The reporting form is also available on NAIH’s website in paper form, if a company wants to report the breach on paper.

Bearing in mind that the language of the administrative procedures in Hungary is Hungarian, organisations shall report data breaches in Hungarian language to NAIH. https://www.naih.hu/files/NAIH-2018-2601-2-K.pdf

In line with the Commission Regulation (EU) No 611/2013, electronic communications service providers have specific mandatory data security breach notification obligations.

In line with the above, electronic communications service providers also have to comply with their reporting, documentation and information obligations required by electronic communication laws besides their obligations under the GDPR. 

Direct marketing

Before 25 May 2018, Hungary clearly operated an “opt-in” regime for direct marketing communications. Currently, the rules of GDPR apply, meaning that in certain cases, data controller may send direct marketing messages on an “opt-out” basis. However, the Advertising Act has still not been amended to guarantee harmonisation with the GDPR, causing uncertainty in this matter.

With regard to the above, under the current rules of the Advertising Act, data controllers may send advertisements to private individual end-users in Hungary by e-mail or similar electronic channels only with the express prior consent of the addressee.

Consents for individual marketing activities must contain the name, place and date of birth (if the marketing can be targeted only for people above a certain age), and the list of the consumer’s personal data which are processed in relation to the marketing.

Consent must also state that it is provided voluntarily, on the basis of adequate information provided to the consumer.

In all cases, end-users must be expressly informed in all individual marketing communications of the opportunity to freely opt-out of the communications and be given the relevant contact details (e.g. postal and e-mail address) where they can do so. This statement is usually inserted in the footer of the marketing communications.

If the consent is provided in a contract or in general terms, it must be provided separately from the main text – e.g. via the acceptance of a separate consent box. It cannot be a precondition to the contracting or receipt of a service, such as a webshop.

If the advertiser offers added value, provided that the addressee consents to receiving direct marketing messages, no separate consent box may be needed – e.g. if the addressee is given the opportunity to participate in a game or use free e-mail services.

The sending of a direct mail message is lawful and can be based on the legitimate interest of the sender if the private individual addressee is an employee of a legal entity, the advertiser obtained the contact details lawfully (e.g. via the company's website or public sources), and the advertisement is targeted to a company (i.e. B2B marketing messages).

In all cases, an internal register must be kept of the persons who provided opt-in consent for individual marketing activities. This register must include the data given in the consent.

Direct marketing consents for benefits. According to NAIH, when organisations provide some benefit for subscribing to a newsletter, they must assess on a case-by-case basis how such benefit influences the free nature of the consent. In particular, it is important to examine whether the denial or withdrawal of consent (e.g. opt-out) causes any disadvantage for the individual. The provision of a service or a benefit shall not be conditional on a consent to data processing for additional purposes (e.g. direct marketing). Such practice is allowed only if the benefit is inseparable from the newsletter, e.g. the newsletter contains an exclusive content or offer.

https://www.naih.hu/files/NAIH_2018_3581.pdf

Cookies

The storing of information, or the gaining of access to information already stored, in the electronic communications terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, including information on the purpose of the data processing. In certain cases (especially concerning the application of session cookies) and in case of cookies strictly necessary for the operation of the website, a data controller operating a website may process personal data of subscribers or users for technical and operation purposes based on its legitimate interest.

In any other cases the legal basis of using cookies is consent. The above rules concerning requiring a consent further do not prevent any technical storage or access for the sole purpose of carrying out the transfer of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.

Cookie notices must contain:

  • the cookie’s name, type, function, purpose, necessity and lifespan
  • the data the cookie can access
  • third parties for whom the cookie collects data and the purpose of such collection, as well as a link on how to find the cookie management menu and the functions in the most commonly used browsers (Mozilla Firefox, Google Chrome, Internet Explorer).

Cookies and GDPR

NAIH gave a detailed opinion on the legal basis of data processing pertaining to cookies.

a) The website operator may process the relevant personal data on the basis of its legitimate interests, without the consent from the users, when the placement of the cookies or any server-side IP address logging solely takes place for the purpose of the operation of the website, in order to ensure its operability or its essential functions, as well as the security of the computer system. The consent of the user for the cookie placement may be required when it is possible to use the webpage without the cookie.

b) As regards the usage of cookies for statistical purposes (e.g. collecting technical data which are not necessary for the ongoing operation or required only for the future development of a service or for visitor counting, etc.), as well as for marketing purposes (following the user linked to advertisements, etc.), the website operator may rely on its legitimate interests for the data processing only in exceptional cases. The website operator may rely on legitimate interest, for example, where there is a relevant and appropriate relationship between the user and the operator (e.g. the user is an existing customer). In case of third party cookies, usually there is no such relationship.

c) Website operators must differentiate between first party cookies (applied for statistical or development purposes) and marketing cookies, bearing in mind that the user may want to consent to one of the cookies, but does not intend to provide consent to the other one. Bundling such consents may lead to unlawful data processing.

https://www.naih.hu/files/NAIH_2018_3567_V_20180713.pdf 


Cyber Security

Last updated 10 October 2018

Risk scale

Risk Scale Green

Laws and regulations

Electronic information security in the public sector:

  • Act No. L/2013 on the Electronic Information Security of National and Self-Governmental Organisations (Electronic Information Security Act)
  • Government Decree No. 187/2015 (VII. 13.) on the responsibilities and powers of the authorities responsible for the security oversight of electronic information systems and the information security supervisor, as well as the definition of closed electronic information systems

Protection of critical infrastructures:

  • Act No. CLXVI/2012 on the Identification, Designation and Protection of Critical Systems and Infrastructure (Critical Infrastructures Act)
  • Government decree No. 65/2013 on the Execution of the Critical Infrastructures Act (Critical Infrastructures Government Decree)
  • Sectoral governmental decrees appointing the competent authorities, which can identify and appoint national and certain European critical systems and infrastructures (e.g. Government decree No. 249/2017 (IX. 5.) concerning the info communication sector)

Electronic information security in the private sector:

  • Act No. CVIII/2001 on Electronic Commerce and Information Society Services (E-Commerce Act)
  • Government Decree No. 270/2018 (XII. 20.) on monitoring electronic information security of information society services and procedures concerning security incidents (Information Security Decree)
  • Government Decree No. 271/2018 (XII. 20.) on the roles and responsibilities of event management centres, as well as on the rules for handling and investigating security incidents and conducting vulnerability analysis (Security Incident Decree)

New National Cybersecurity Strategy:

The Hungarian government adopted the New National Cybersecurity Strategy (Hungary’s Strategy for Network and Information Systems Security) in December 2018; it is accessible (in Hungarian only) at: https://www.kormany.hu/download/2/f9/81000/Stratégia%20honlapon%20közzétételre-20180103_4829494_2_20190103130721.pdf

Anticipated changes to law

No changes are anticipated as at last update.

Application

  • The Electronic Information Security Act sets out security obligations for national and self-governmental organisations, and for entities performing data processing for those organisations and for data processors of national registers.
  • The Critical Infrastructures Act identifies national and European system components with key sectoral importance and sets out designation rules and safety obligations.
  • The government decree No. 270/2018 specifies obligations for guaranteeing electronic information security of digital service providers (including online marketplaces, online search engines and cloud-based IT service providers) (DSP) and intermediary service providers (including access providers, cache providers, host providers, search engines and application service providers) (ISP).
  • The government decree No. 271/2018 contains provisions on the tasks and competence of computer security incident response teams, on managing and mechanical testing of security incidents and on conducting vulnerability testing. The government decree covers both DSPs and ISPs, as well as operators of essential services (OES) and operators of critical infrastructure.
  • The E-Commerce Act sets out obligations for electronic services providers, including security obligations and the guarantee of consumer rights by technical means. The E-Commerce Act also sets out the main responsibilities of ISPs.

Obligation to designate a representative:

The NIS Directive and Hungarian laws implementing the NIS Directive also apply to companies based outside the EU whose services are available within the EU. These companies are obliged to designate an EU-based representative to act on their behalf in ensuring NIS Directive compliance.

Cybersecurity registration obligations and designation of entities in the public sector:

Operators of critical infrastructures: an entity becomes an operator of critical infrastructure if the competent authority (which is different from sector to sector) designates the entity as such. The list of such critical infrastructure operators has not been made public for security reasons. However, it is certain that state-owned power plants, power transmission companies, system operation companies, major district heating works and other such entities fall into this category.

OESs: an operator of critical infrastructure is also designated as an operator of an essential service by the authority in its decision designating the entity as a critical infrastructure operator if:

  • its corresponding sector or subsector corresponds with one specified by the NIS Directive (according to an annex to the Critical Infrastructures Act). Operators of services in the energy sector (e.g. energy transmission and distribution system operators) and operators of most transport, health and finance services (e.g. air operators, traffic management control operators, hospitals and private clinics, and credit institutions), as well as operators of info communications (internet infrastructure and internet access services) and water supply services (drinking water supply and distribution operators) may be designated as OESs;
  • its service depends on network and information systems; and
  • a security incident affecting the service would have a significant disruptive effect on the safe provision of such a service.

DSPs: in line with the NIS Directive, DSPs must register at the Special Service managing the registry of DSPs in Hungary. The authority’s practice considers online retailers as “online marketplaces”, a sub-category of DSPs (e.g. a webshop selling technical components or retail products) which are also required to register.

Authority

  • The Special Service for National Security, as the National Competent Authority under the NIS Directive, oversees and manages the register of DSPs and acts as the event management centre (computer security incident response team), which manages security incidents with significant impact on the services of DSPs and ISPs. The Special Service also has broad controlling rights under the Security Incident Decree, which states that organisations affected by a security incident must cooperate with the Special Service. The Special Service comprises the National Electronic Information Security Authority (Nemzeti Elektronikus Információbiztonsági Hatóság or NEIH), the Single Point of Contact (SPoC), and the national CSIRT.
  • The competent disaster management organ within the disaster management authority (a katasztrófavédelem szervezetén belül működő illetékes szerv) oversees the electronic information systems of national and European critical infrastructure with the exception of state and municipal bodies and assists the sectoral authorities during the designation procedure of OESs. Sectoral rules specify the entities acting during the designation of the OESs.
  • Authorities designating entities as national critical infrastructure operators and deciding on their registration as OESs. Examples include NMHH overseeing OESs providing infocommunication services, while the minister responsible for the health sector oversees health service providers and the minister responsible for finance, capital and insurance market regulation oversees financial services.

Key obligations

Operators of critical infrastructures: the operators of critical infrastructures and certain public entities specified by the Information Security Act should report to the Special Service – without delay – any security incident in their electronic information systems.

OESs: OESs are required to take appropriate and proportionate technical and organisational measures to protect their network and information systems and to assure a level of protection against the potential risks (including cyber-attacks, system downtime or other incidents leading to disruptions of essential services). Appropriate measures to respond to such risks include logical, physical and administrative measures to eliminate or diminish their effects, such as appropriate software solutions, mechanical equipment and measures, and internal rules assuring security.

OESs should report security incidents that have a significant effect on the continuity of their essential services to the competent national CSIRT (the Special Service in Hungary) without unreasonable delay. The report should specify the number of users affected by the disruption of the essential service, the duration of the security incident, and the geographical extent of the territory affected by the incident.

The annexes of the Critical Infrastructures Act specify other infrastructure in other key sectors or subsectors (including agriculture, public safety and home defense), which may be designated as critical infrastructure.

It is noted that operators of national and certain European infrastructures and OESs are designated by the competent authorities. However, companies that may fall under the category “OES” must prepare an identification report and submit it to the government body competent for designating OESs in the relevant sector. The report helps the competent authority assess whether the given operator needs to be designated as an operator of national or European infrastructure or as an OES.

DSPs: besides registration, DSPs are also required to implement minimum security measures, including establishing a risk management methodology and assigning security roles within their organisation, as well as arranging appropriate training and internal policies, third party contract management, and physical and environmental security (for further information, please see the relevant ENISA guideline: https://www.enisa.europa.eu/publications/minimum-security-measures-for-digital-service-providers/).

ISPs: ISPs have limited liability specified by the E-Commerce Act. Like DSPs, ISPs must report – without delay – any security incident in their electronic information systems to the Special Service.

Penalties/enforcement

In case of any failure by a DSP to comply with its obligations, the Special Service can impose a fine of between HUF 50,000 (approx. EUR 157) and HUF 5,000,000 (approx. EUR 15,720). The exact minimum and maximum fine is prescribed by law according to the nature of the breach. The following chart, based on the list of penalties in Government Decree 270/2018 (XII. 20.), specifies the fines for each breach by a DSP or an ISP (the latter is liable for failing to cooperate with the authority in case of a security incident):

Type of breach | Minimum amount of fine | Maximum amount of fine
Failure to register as a DSP | HUF 50,000 (EUR 158) | HUF 100,000 (EUR 315)
Failure to report a change in organisational and contact data (including name, address, email, service provided, etc.) | HUF 50,000 (EUR 158) | HUF 500,000 (EUR 1,577)
Failure to prepare a risk analysis concerning possible risks threatening the electronic information system of the DSP | HUF 200,000 (EUR 631) | HUF 500,000 (EUR 1,577)
Failure to implement and apply safety measures proportionate to the risks identified by the risk analysis of the DSP | HUF 300,000 (EUR 946) | HUF 5,000,000 (EUR 15,773)
Failure to revise the risk analysis and safety measures in a documented way and without delay after a security incident or on a yearly basis in other cases | HUF 200,000 (EUR 631) | HUF 2,000,000 (EUR 6,309)
Failure to report a security incident | HUF 300,000 (EUR 946) | HUF 5,000,000 (EUR 15,773)
Failure to comply with an obligation prescribed by a final, enforceable decision of the Special Service | HUF 400,000 (EUR 1,262) | HUF 5,000,000 (EUR 15,773)

As regards operators of critical infrastructures, the fine for non-compliance with their obligations prescribed by law ranges from a minimum of HUF 100,000 (approx. EUR 310) to a maximum of HUF 3,000,000 (approx. EUR 9,315).

In such cases, when the non-compliance constitutes a breach of other legal provisions (e.g. a data breach under the GDPR), the respective legal provisions will also apply (including possible further penalties).

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?

Yes, the Special Service for National Security.

Is there a national incident management structure for responding to cyber security incidents?

Yes, incidents must be reported to the Special Service for National Security.

Other cybersecurity initiatives

As at last update, there is no other cyber security initiative.


Authors

Dóra Petrányi
Partner
Budapest
Márton Domokos
Co-ordinator of the CEE Data Protection Practice, CMNO
Budapest