Forming a New Standard for Data Privacy in Hungary

Forming a New Standard for Data Privacy in Hungary

Act CXII of 2011 on the Right to Informational Self-determination and on the Freedom of Information, as amended by Act XXXVIII of 2018 or the Act for short is a data privacy law that was recently passed in Hungary in 2018. The Act was passed for the purposes of implementing the provisions of the EU’s General Data Protection Regulation or the GDPR for short into Hungarian law, as Hungary is a member state within the EU. As such, the Act sets forth the legal basis upon which personal data may be collected, processed, and ultimately used within the country of Hungary, the fundamental rights that Hungarian citizens have as it pertains to data protection and personal privacy, and the penalties that data controllers and processors within Hungary stand to face should they violate said rights.

How are data controllers and processors defined under the Act?

Under Act CXII of 2011 on the Right to Informational Self-determination and on the Freedom of Information, as amended by Act XXXVIII of 2018, a data controller is defined as “the natural or legal person, or organization having no legal personality, which, within the framework laid down in any Act or in a binding legal act of the European Union, alone or jointly with others, determines the purposes of data processing, makes decisions concerning data processing (including the means used) and implements such decisions or has them implemented by a processor.” Conversely, a data processor is defined as “a natural or legal person, or an organization not having legal personality which, within the framework and under the conditions laid down in an Act or in a binding legal act of the European Union, acting according to a mandate or instructions given by the controller, processes personal data.”

What are the variations between the Act and the EU’s GDPR law?

Most of the provisions of Act CXII of 2011 on the Right to Informational Self-determination and on the Freedom of Information, as amended by Act XXXVIII of 2018 remain largely unchanged when compared with the EU’s GDPR law. For example, the Act mandates that data controllers and processors within Hungary conduct data processing activities in accordance with the same data protection principles that are established by the EU’s GDPR law. These principles include but are not limited to accountability, integrity and confidentiality, and purpose limitation. However, the two laws do vary as it concerns the collection and processing of special categories of personal data.

For example, the Act states that “access to data of public interest, the publication of which is rendered mandatory under this Act, shall be made available to the general public, without personal identification, on the internet website without any restriction, in digital format, capable of being printed or copied without any partial loss or distortion of data, free of charge, including accessing, downloading, printing, copying and transmitting through a network (hereinafter “electronic publication”). Access to published data shall not be made subject to the provision of personal data.” Furthermore, the Act contains similar provisions concerning other categories of sensitive personal data, such as personal data that is collected or processed in the context of scientific or research-related purposes, as well personal data that is used for journalistic purposes.

What are the penalties for violating the Act?

Act CXII of 2011 on the Right to Informational Self-determination and on the Freedom of Information, as amended by Act XXXVIII of 2018 is enforced by Hungary’s National Authority for Data Protection and Freedom of Information or the NAIH for short. To this point, data controllers and processors within Hungary who violate the provisions of the Act are subject to a variety of sanctions and penalties. Such punishments include legal notices from the NAIH to correct violations, legal decisions on behalf of a Hungarian court to “order the controller to act in accordance with the notice issued by the Authority”, and ordering a data controller or processor to cease their operations altogether. Individuals and organizations who violate the Act also are subject to monetary penalties ranging from a fine of up to €10 million or up to 2% of the total global annual turnover for a business’s previous financial year, whichever amount is higher, to a fine of up to €20 million or up to 4% of the total global annual turnover for a business’s previous financial year, whichever amount is higher.

As the provisions of the EU’s GDPR law allow for member states to implement the provisions of the law into the legislation of their own countries, albeit with certain exceptions in many cases, EU member states are able to provide the highest level of data protection possible to their respective citizens. In Hungary, Act CXII of 2011 on the Right to Informational Self-determination and on the Freedom of Information, as amended by Act XXXVIII of 2018 fulfills this requirement, as the law effectively implements the provisions of the General Data Protection Regulation into Hungarian law, and also makes certain changes to the law as it concerns the specific data protection needs of the country. Through these legal means, Hungarian citizens can have the peace of mind that their personal data is being protected at all times.