Szecskay Attorneys at Law
  October 18, 2011 - Hungary

New Data Protection Act in Hungary
  by Zoltan Kovacs



The Hungarian Parliament enacted Act no CXII of 2011 on Information Rights and the Freedom of Information ("New Data Protection Act"), which will replace the currently effective Act no LXIII of 1992 on the Protection of Personal Data and the Publication of Data of Public Interest ("Old Data Protection Act") from 1 January 2012. Below, we briefly summarize the main changes brought about by the New Data Protection Act.



The Old Data Protection Act applies to all data management and data processing operations performed in the territory of the Republic of Hungary that pertain to the data of natural persons or to public information or information of public interest. It also states that it applies to data management and data processing operations whether performed in full or in part by an automated process or by manual processing. The scope of the Old Data Protection Act does not cover data managed by a natural person exclusively for his own purposes.



In addition to scope provisions almost identical to those of the Old Data Protection Act, the New Data Protection Act declares that it also applies to data controllers located outside of the European Economic Area that, for the purposes of personal data management, retain a data processor having a seat, site, branch or residence in Hungary, or that use a device for data management, except if the said device is used exclusively for the purposes of data transfer through the European Union. Such a data controller is required to appoint a representative in Hungary.



One of the new provisions is that, pursuant to the New Data Protection Act, personal data may also be managed if obtaining the concerned person's consent would be impossible or would result in exorbitant costs, and the management of personal data

a) is necessary in order for the data controller to fulfil any of its legal obligations or
b) is necessary for the assertion of the rightful interests of the data controller or a third party and the assertion of such interest proportionately restricts the right to have personal data protected.



Another new aspect is that if the personal data have been collected based on the concerned person's consent, the data controller may - in the absence of any provision to the contrary - manage the data without the concerned person's consent, or even following withdrawal of that consent, if

a) it is necessary for the data controller to fulfil any of its legal obligations or
b) it is necessary for the assertion of the rightful interests of the data controller or a third party and the assertion of such interest proportionately restricts the right to have personal data protected.



As for the security of data management, the New Data Protection Act contains rules that are a bit more detailed than those of the Old Data Protection Act. For example, during the automated processing of personal data, the data controller and the data processor are required to ensure that

a) no unauthorized data entry takes place;
b) no unauthorized use of automated data processing systems occurs;
c) it can be tracked and recovered to which bodies personal data have or may have been transferred;
d) it can be tracked who entered the data into the automated data processing system and when such entry took place.



Pursuant to the New Data Protection Act, data controllers are required to keep records of data transfers, which records must contain the date of data transfer, the legal ground and addressee of data transfer, the description of personal data transferred and any and all data as required by applicable laws. 



Based on the New Data Protection Act, a new authority named the National Data Protection and Freedom of Information Authority ("Authority") will be set up from 1 January 2012. The Authority will replace the currently existing Data Protection Commissioner. The Authority will have a president and a vice-president.



Pursuant to the New Data Protection Act, anyone may initiate an investigation by the Authority. An investigation conducted by the Authority may have the following main outcomes:

i) the Authority calls upon the data controller to remedy unlawful data management and, as the case may be, to terminate the situation threatening unlawful data management;
ii) the Authority may prepare a report (which is open to the public) if it does not initiate an administrative or court procedure;
iii) the Authority may initiate a so-called data protection administrative proceeding;
iv) the Authority may initiate a so-called secret supervision administrative proceeding;
v) the Authority may initiate court proceedings and
vi) the Authority may decide to terminate the investigation.



The Authority initiates a data protection administrative proceeding if - based on the investigation conducted previously or otherwise - it can be substantiated that the management of personal data is unlawful and

a) affects a larger group of persons;
b) affects sensitive data or
c) may cause a serious infringement of interests or damages.



Within the framework of the data protection administrative proceeding, the Authority may

a) order the data controller to correct the false data;
b) require that the data managed unlawfully be blocked, deleted or destroyed;
c) prohibit the unlawful management or processing of personal data;
d) prohibit the transfer of personal data to a country other than an EEA country;
e) require that the person concerned be informed if the data controller has previously unlawfully refused to give information to the person concerned and
f) impose a fine.



The amount of the fine may range between HUF 100,000 (about EUR 365) and HUF 10 million (approx. EUR 36,500). When data controllers are required to register their data management with the Authority, a fee will be payable for registration. The amount of said fee will be determined in a separate law.



Finally, it is worth noting that the provisions of the New Data Protection Act will be applicable to all ongoing investigations, i.e. even to those initiated before 1 January 2012. Whether the Authority will apply the practice developed by the Data Protection Commissioners over the last nearly two decades remains to be seen.
 



The contents of this article are intended to provide only a general overview of the subject matter. Specialist advice should be sought for specific matters. Queries relating to this article should be addressed to the author at [email protected]