GDPR implemented in Hungary
Albeit rather late, the amendments to the Data Protection Act are now in force in Hungary. The amendments basically implement and complement the GDPR and regulate processing situations where the GDPR is not applicable. Besides GDPR, controllers situated in Hungary and controllers of data subjects located in Hungary must take into consideration the provisions of the Hungarian Data Protection Act of which we highlight the following:
- Reducing the administrative burden: in the future data processing need not be reported to the authority, i.e. this register has been terminated.
- We should already put a reminder into our calendar for 25 May 2021. If the law does not specify the term for processing in the case of mandatory processing (e.g. payroll, tax declaration), the controller must review the need for processing every three years, unless the law regulates revision. Preparing appropriate documentation for revision is vital, as the outcome must be preserved for 10 years and must be presented to the authority upon request.
- If a data protection officer (DPO) has been appointed, do not forget to register this at the webpage of the authority and publish the DPO’s name and contact data as well. So if a group of companies appoint a joint DPO and one of the companies is a controller in Hungary, the joint DPO must be reported to the Hungarian authority as well. Hungarian law requires DPOs to keep secret personal data, classified information and trade secrets which they acquire during their appointment and also after they leave. The Hungarian authority is proactive and organizes professional conference for DPOs at least once a year.
- The most sympathetic provision of the Hungarian regulation is that in cases of minor first time offences the authority ‒ instead of imposing fines up to a max. of 20 million EUR or 4% of annual turnover ‒ primarily only issues a warning. In the warning the authority instructs the errant controller on the practice to be followed and the actions to be taken.
Although the amendment regulates several issues, in many cases great uncertainty remains. We still have to wait for a solution to the most delicate problem: for the revision of sectoral rules to be in line with the GDPR.
Source: Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information