Data Advocacy for Hungary

The EU Data Protection Directive 95/46/EC is currently implemented in Hungary by Act No. CXII of 2011 on Informational Self Determination and Freedom of Information which came into force on 1 January 2012 (‘Act’). Enforcement is through the National Authority for Data Protection and Freedom of Information (‘Authority’).

Changes in legislation

Amendments to the Act CXII of 2011 on Informational Self-Determination and Freedom of Information (the “Information Act”), effective from January 1, 2016, have set shorter response deadlines in relation to the exercise of certain Data Subject rights.

Under the new amendments, the Data Controller must now respond in 25 days (as compared to the prior 30) to a Data Subject’s (i) access request, or (ii) request for rectification, blocking or erasure of data.

If the Data Controller refuses to comply with the Data Subject’s request for rectification, blocking or erasure, the factual or legal reasons on which that refusal is based must be communicated in writing, or – subject to the Data Subject’s consent – electronically.

New online services available from the Hungarian DPA

On October 1, 2015, the Hungarian DPA introduced several new online services via its website, to reduce the administrative burdens on Data Controllers. These services include:

  • the submission of electronic data processing notification filings;
  • the notification of the identity of a company’s data protection officer;
  • the submission of complaints in relation to the Schengen Information System; and
  • the scheduling of consultations with the Hungarian DPA.

The Hungarian DPA has also made its Data Protection Register permanently available to the public online. (The online register shows filings made with the Hungarian DPA since January 1, 2012.)

Hungarian DPA recommendation concerning prior notice content

The Hungarian DPA has issued a comprehensive recommendation on Data Subject privacy notice requirements. The recommendation consolidates the Hungarian DPA’s practice to date. In the recommendation, the Hungarian DPA asked Data Controllers to update their privacy notices to comply with the recommendation.

The recommendation’s issuance signals that the Hungarian DPA saw the need to develop a uniform practice on information provisions to ensure Data Subjects’ rights.

The Information Act specifies only the minimum information that must be provided to Data Subjects when Personal Data is collected. The recommendation builds on the Information Act’s provisions by indicating both general and specific additional matters that must be addressed in the notice to Data Subjects to ensure that they receive appropriate information concerning the processing of their Personal Data.

The recommendation’s general requirements address the quality of the information provided – which must be given in plain, understandable text, without the use of jargon, and in conspicuous form – and the transparency of that information. As a best practice, the Hungarian DPA recommends the use of layered notices, whereby each layer offers Data Subjects the information needed to understand their position and make decisions. The Hungarian DPA expects that the privacy notice must be accessible on the Data Controller’s main website. If data processing is likely to apply to foreign nationals, the controller must ensure as a minimum that the information is provided in English. This implies that, otherwise, the information is expected to be provided in Hungarian.

The Hungarian DPA has also specified certain detailed information that must be included in the notice. The Hungarian DPA expects that the identity of all Data Controllers and data processors – including their contact information (with full address, e-mail contact, telephone and website address) – will be completely disclosed in the privacy notice. When providing information on the purpose of the data processing, the Hungarian DPA articulated that processed data types and applicable data retention periods must be stated separately, for each data processing purpose.

When disclosing the scope of the processed data types, the use of general language such as “personal identification information” or “contact information” is not acceptable; the privacy notice must detail the individual data types which are processed. When identifying the legal basis for the data processing, the Hungarian DPA expects the controller specifically to reference the applicable legal provisions (such as “Section 5(1)(a) of the Information Act” or “Section 6 (1)-(2) of the Act on Basic Advertising Restrictions”) that govern the data processing. That same disclosure obligation applies even if the data processing is compulsory for the controller. The privacy notice also must include information on the security measures which the controller takes to protect the Personal Data.

Moreover, the Hungarian DPA expects the privacy notice to include full disclosure concerning the rights and remedies of Data Subject, including the actions which may be taken and the applicable deadlines. The information on remedies must indicate the name, address, e-mail address and telephone number of the Hungarian DPA. The information about judicial remedies must state that court action may be filed with the court having jurisdiction over the Data Subject’s place of domicile or habitual residence.

The Hungarian DPA called on Data Controllers to review and amend their privacy notices in line with the recommendation. So, it is not surprising that in its enforcement priorities published for 2016, the Hungarian DPA indicated that it will focus on compliance with Data Subject notice requirements.

Law Applicable:

Act No. CXII of 2011 on Information Rights and the Freedom of Information (“Information Act”), implementing the Data Protection Directive

Act No. I of 2012 on the Labor Code (“Labor Code”), which applies to employee related data processing

Act C of 2003 on Electronic Communications (“Electronic Communications Act”)

Act CXXXIII of 2005 on Security Services and the Activities of Private Investigators

Act CVIII of 2001 on Electronic Commerce and on Information Society Services (“E-Commerce Act”)

Act No. C of 2012 on the Criminal Code (“Criminal Code”)

Act No. CXIX of 1995 on the Handling of Names and Addresses for the Purposes of Scientific Research and Direct Marketing

Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities

Act No. XLVII of 1997 on the Protection of Personal Data Regarding Healthcare and Related Issues (“Healthcare Data Protection Act”)

Act No. CCXXII of 2015 on the General Rules on Electronic Administration and Trust Services

Act No. CLXV of 2013 on Complaints and Public Interest Disclosure (“Whistleblowing Act”)

Further, sector-specific legislation, such as banking laws, social security laws, tax laws, etc., contain additional data protection rules, particularly relating to the legality of data processing and the data retention obligation of Data Controllers.

Although the recommendations of the previous Data Commissioners and those of the new Hungarian DPA do not qualify as law, they are generally followed in practice. Further, the Hungarian DPA tends to consider and follow the recommendations of the Article 29 Data Protection Working Party, established under the Data Protection Directive.

National Authority for Data Protection and Freedom of Information

Address: H-1125 Budapest, Szilágyi Erzsábet fasor 22/c.

T +36 1 391 1400

F +36 1 391 1410

http:\\www.naih.hu

ügyfélszolgá[email protected]

The following data controllers and data processors shall appoint or commission an internal data protection officer (‘DPO’) (holding a law degree, a degree in economics or computer sciences or an equivalent degree in higher education) who is to report directly to the head of the organisation:

Authorities that control or process personal data in respect of nationwide registers, or authorities that control or process employment or criminal records

  • Financial institutions, and
  • Telecommunications service providers and public utility companies

Although the Act does not specify, it is strongly recommended to appoint a Hungarian resident as a DPO, because the various tasks of the DPO require continuous presence and availability of the DPO at the above mentioned organisations.

If a DPO is required, but the data controller or processor fails to appoint one, the Authority may take enforcement actions as detailed below.

As a new institution effective from 1 January 2012, the head of the Authority will convene a conference of the DPOs at least once a year to discuss data protection related matters.

There is no mandatory requirement in the Act to report data security breaches or losses to the Authority or to data subjects.

As an exception, however, electronic communication service providers must immediately report data security breaches to the National Media and Infocommunications Authority under Act No. 100 of 2003 on Electronic Communications.

There is no obligation under Hungarian laws for organizations that are involved in a data breach situation to inform the Data Subjects or authorities about the breach, except for a specific regime applicable only to electronic communications services providers as regulated in the Electronic Communications Act. The organization may be required to gather information about the breach, assess the potential risk of harm to the Data Subjects, take steps to prevent future similar breaches and assist authorities with any investigation relating to the breach.

If, during a data protection audit, a security breach is discovered by the Hungarian DPA, the Data Controller could be subject to various sanctions for non-compliance with the processing rules. If the Data Subject discovers such a breach, he or she may claim damages as a result of the breach.

An organization that is involved in a data breach situation may be subject to suspension of business operations, closure or cancellation of the file, register or database, an administrative fine, penalty or sanction, or civil actions and/or class actions.

Data Controllers must keep a register of data breaches, including any measures introduced by the Data Controller to remedy such breaches. This new provision applies only to Data Controllers. But existing data processing agreements will need to be amended because Data Processors also will be required to register data breaches on behalf of the Data Controller. Thus, the processing agreement should contain detailed provisions regulating how the Data Processor should comply with such obligations relating to the recordal of data breaches.

Opt-in regime: no direct marketing electronic mail can be legally sent without the express consent of the receiver, unless a pre-existing business or commercial relationship exists. (Consent is however not mandated for marketing to legal persons.)

Also, a specific opt out must be offered with each message. Disguised sender identities are prohibited, and a valid return address must be provided.

The term “Opt-Out Rule” means that the sending of e-marketing to the recipient is permitted on an opt-out basis if:

the recipient’s details were originally collected “in the context of a sale”.

the entity sending the marketing is the same legal entity that collected the recipient’s details initially.

the marketing relates to “similar” products and/or services for which the recipient’s details were originally obtained.

the recipient is given the opportunity free of charge to object to the e-marketing, both at the time their details were collected and in each subsequent communication.

Applicable Legislation:

Act XLVIII of 2008 on Business Advertising Activity

Act CVIII of 2001 on certain issues of electronic commerce services and information society services

Act CXIX of 1995. on the Use of Name and Address Information Serving the Purposes of Research and Direct Marketing

First party e-marketing

(entity that collects the data will send the e-marketing itself)

B2C: Opt-in

B2B: Opt-in.

Third party e-marketing

(entity that collects the data will share with third party partner for e-marketing)

B2C: Opt-in

B2B: Opt-in.

freemail.hu  893329

citromail.hu  608671

vipmail.hu  71053

t-online.hu  46913

indamail.hu  27849

mailbox.hu  23364

chello.hu  18755

hotmail.hu  17474

gmail.hu  15761

invitel.hu  13657

index.hu  10008

t-email.hu  9405

upcmail.hu  8339

c2.hu  8209

postafiok.hu  7411

freestart.hu  6256

tvn.hu  5274

axelero.hu  5075

fibermail.hu  4522

enternet.hu  3802

pr.hu  3582

lajt.hu  3562

hdsnet.hu  3146

vnet.hu  3018

totalcar.hu  2589

fleckens.hu  2518

mail.datanet.hu  2494

gportal.hu  2412

tvnetwork.hu  2249

digikabel.hu  2184

velvet.hu  1966

fremail.hu  1794

nincsmail.hu  1675

monornet.hu  1551

externet.hu  1502

dunaweb.hu  1250

pannonmail.hu  1227

kabelnet.hu  1156

euromail.hu  1150

globonet.hu  1125

freemai.hu  1029

interware.hu  960

mpp.hu  908

maffia.hu  906

telekom.hu  854

vivamail.hu  825

ajkanet.hu  776

zelkanet.hu  700

rubicom.hu  644

altavizsla.hu  630

posta.hu  618

juropnet.hu  618

mail.tvnet.hu  615

feemail.hu  600

fw.hu  573

cellkabel.hu  558

citromai.hu  551

citrommail.hu  544

pannongsm.hu  539

vodafone.hu  536

citomail.hu  531

tonline.hu  529

yahoo.hu  526

dravanet.hu  517

outlook.hu  478

freemil.hu  457

page.hu  436

atw.hu  433

ciromail.hu  432

kapos-net.hu  429

inmail.hu  420

uni-corvinus.hu  419

freemal.hu  411

szarvasnet.hu  404

extra.hu  404

ent.hu  398

parisat.hu  396

freemial.hu  396

freeamil.hu  396

pro.hu  394

freeweb.hu  394

egon.gyaloglo.hu  392

emitelnet.hu  386

uw.hu  382

mol.hu  375

mail.hu  373

mail.globonet.hu  361

richter.hu  351

freeemail.hu  348

lab.hu  346

fbi.hu  346

easymail.hu  337

zalaszam.hu  331

gylcomp.hu  320

estmail.hu  311

mtv.hu  308

keszthelynet.hu  304

heroin.hu  297

net-tv.hu  292

frremail.hu  291

citormail.hu  291

webmail.hu  285

kh.hu  283

netra.hu  279

actel.hu  277

ing.hu  273

raiffeisen.hu  266

g-mail.hu  262

icedsl.hu  256

djuice.hu  251

sch.bme.hu  248

dh.hu  243

dpg.hu  242

cirtomail.hu  238

datatrans.hu  237

businesstel.hu  235

mkb.hu  232

ceu.hu  232

citromil.hu  228

citrmail.hu  228

anet.hu  228

citromal.hu  219

itromail.hu  217

primposta.hu  216

aok.pte.hu  216

warrior.hu  214

mav.hu  214

npp.hu  213

levele.hu  211

koroskabel.hu  208

nexus.hu  205

email.hu  202

airplanet.hu  202

fraktal.hu  199

bad.hu  198

kabelszat2002.hu  197

nordtelekom.hu  196

tanet.hu  195

fotnet.hu  195

root.hu  194

invitel.co.hu  194

sztgnet.hu  192

reemail.hu  190

comunique.hu  186

citroamil.hu  186

mail.kabelnet.hu  184

jakuza.hu  184

generali.hu  183

szitu.hu  181

skizo.hu  177

piszkenet.hu  177

malev.hu  176

kum.hu  173

ibs-b.hu  171

ak47.hu  170

kgb.hu  169

hello.hu  168

uni-miskolc.hu  166

startadsl.hu  165

sanomabp.hu  165

beltav.hu  164

upc.hu  163

cia.hu  163

biatv.hu  163

minimail.hu  162

irj.hu  162

elte.hu  162

orosnet.hu  160

hu.hu  160

rlan.hu  159

emailstudio.hu  158

torzsasztal.hu  156

allianz.hu  154

ludens.elte.hu  153

im-net.hu  153

dote.hu  152

unicreditgroup.hu  151

euroweb.hu  151

kpmg.hu  150

ipmedia.hu  150

erstebank.hu  150

sniper.hu  149

t-mobile.hu  148

profinter.hu  146

jobbik.hu  146

oc.hu  142

starjan.hu  141

mnmail.hu  141

haninet.hu  139

csinibaba.hu  137

pannon.hu  136

sze.hu  135

oritelnet.hu  135

tv2.hu  133

mailmax.hu  133

deltanet.hu  132

allamkincstar.gov.hu  131

oo.hu  129

bkv.hu  129

fazekas.hu  128

freenail.hu  124

citromial.hu  124

mm.hu  123

inf.elte.hu  123

cib.hu  123

supraktv.hu  122

mku.hu  122

matavnet.hu  122

mir.hu  120

vizslamail.hu  118

ektf.hu  118

citroail.hu  118

dd.hu  116

telenormail.hu  115

net-portal.hu  115

ar.hu  114

facebook.hu  113

rtlklub.hu  112

pantelweb.hu  111

mvh.gov.hu  111

csokolom.hu  111

otpbank.hu  110

eqnet.hu  110

rt.dunaferr.hu  109

netquick.hu  109

freemeil.hu  109

nyf.hu  108

m-kabel.hu  108

mail.eol.hu  108

legnet.hu  108

netform.hu  107

elmu.hu  106

boly.hu  106

szigetnet.hu  105

freeail.hu  104

partymail.hu  102

freemaill.hu  102

message.hu  100

colonial.hu  100

sgmail.hu  99

tisser.hu  98

ctromail.hu  98

asd.hu  98

ahrt.hu  98

vazsonykom.hu  97

ovb.hu  97

mailpont.hu  97

gamma.ttk.pte.hu  97

tar.hu  96

send.hu  96

hvg.hu  96

electrolux.hu  96

sznet.hu  94

freemali.hu  94

eposta.hu  94

elender.hu  94

parlament.hu  93

mmm.hu  93

mail.bme.hu  93

kevenet.hu  93

fogaz.hu  92

dielnet.hu  92

auchan.hu  92

radio.hu  91

pickup.hu  91

metro.co.hu  91

audi.hu  91

aotk.szie.hu  91

theend.hu  90

sztaki.hu  90

khb.hu  90

borsodweb.hu  90

soldier.hu  89

nextra.hu  89

mkk.szie.hu  89

is.hu  89

pte.hu  88

jgypk.u-szeged.hu  88

inform.hu  88

flynet.hu  88

teva.hu  87

no-spam.hu  87

med.unideb.hu  87

ella.hu  87

bardiauto.hu  87

axelspringer.hu  87

nkh.gov.hu  86

nefmi.gov.hu  86

ksh.hu  86

drotposta.hu  86

anonym.hu  86

agr.unideb.hu  86

xnet.hu  85

telenor.hu  85

it-services.hu  85

inext.hu  85

fremmail.hu  84

caracom.hu  84

wla.hu  83

teleline.hu  83

ktvzirc.hu  83

kalocsakom.hu  83

ringier.hu  82

apu.hu  81

hfcnetwork.hu  80

bonet.hu  80

mpk.hu  79

kapulan.hu  79

freeamail.hu  79

citromaill.hu  79

omail.hu  78

mobilposta.hu  78

dunatv.hu  78

mentok.hu  77

kfkizrt.hu  77

c3.hu  77

budapest.hu  77

cracker.hu  76

axa.hu  75

windowslive.hu  74

repcenet.hu  74

mad.hu  74

brc.hu  74

pasztonet.hu  73

ozdkabel-net.hu  73

mert.hu  73

vipmai.hu  72

ko.hu  72

manynet.hu  71

gomortel.hu  71

naracom.hu  70

infornax.hu  70

almos.vein.hu  70

z-net.hu  69

na.hu  69

lutheran.hu  69

vizmuvek.hu  68

net.sote.hu  68

nanaskabel.hu  68

frreemail.hu  67

fidesz.hu  67

t-mail.hu  66

stud.u-szeged.hu  66

hab.hu  66

eik.bme.hu  66

citromali.hu  66

bud.hu  66

bbnet.hu  66

autopalya.hu  66

aplusnet.hu  66

anonymail.hu  66

lauder.hu  65

gigalan.hu  65

egis.hu  65

aegon.hu  65

tilos.hu  64

kodo.hu  64

isiscom.hu  64

hungarocontrol.hu  64

amiga.hu  63

railcargo.hu  62

pazmanykabel.hu  62

osi.hu  62

mvm.hu  62

last-mile.hu  62

kallonet.hu  62

intermail.hu  62

100.hu  62

postino.hu  61

pgsm.hu  61

langauto.hu  61

ktk.pte.hu  61

fuzestv.hu  61

c1.hu  61

almasi.hu  61

abn-mail.hu  61

tvnmail.hu  60

temail.hu  60

gline.hu  60

coder.hu  60

canet.hu  60

bicomix.hu  60

zmne.hu  59

satrax.hu  59

oep.hu  59

mti.hu  59

gtk.szie.hu  59

chemres.hu  59

bkf.hu  59

wdsl.hu  58

uniqa.hu  58

student.ceu.hu  58

repules.hu  58

oszk.hu  58

mavrt.hu  58

latsat.hu  58

kondorosiktv.hu  58

kesz.hu  58

yelloo.hu  57

petecom.hu  57

jg.hu  57

netroller.hu  56

mnb.hu  56

koki.hu  56

hbo.hu  56

freemel.hu  56

freamil.hu  56

yandex.hu  55

szivarvanynet.hu  55

microsystem.hu  55

lapker.hu  55

kite.hu  55

ke.hu  55

egomnet.hu  55

caesar.elte.hu  55

zhnet.hu  54

tolnanet.hu  54

tessloff-babilon.hu  54

pszaf.hu  54

contactnet.hu  54

bjg.hu  54

vati.hu  53

nepszabadsag.hu  53

neplakszov.hu  53

mnvzrt.hu  53

mail.index.hu  53

kisalfold.hu  53

fabinet.hu  53

evk.hu  53

csongrad.hu  53

arrabonet.hu  53

y2k.hu  52

tigaz.hu  52

optanet.hu  52

mav-start.hu  52

ecity.agria.hu  52

con.hu  52

asz.hu  52

007.hu  52

szucsnet.hu  51

orfk.police.hu  51

mail.opticon.hu  51

itd.hu  51

gyer1.sote.hu  51

gpinet.hu  51

drv.hu  51

aam.hu  51

wap.hu  50

t-com.hu  50

pronet.hu  50

mikroweb.hu  50

lamer.hu  50

freemail.c3.hu  50

dunanet.hu  50

szerencsejatek.hu  49

rejtett.hu  49

nav.gov.hu  49

mail.battanet.hu  49

georgikon.hu  49

delta.hu  49

cs.elte.hu  49

citrimail.hu  49

asdasd.hu  49

wigner.bme.hu  48

t-systems.hu  48

tmit.bme.hu  48

tamasinet.hu  48

swietelsky.hu  48

satelit-kft.hu  48

mit.bme.hu  48

gysev.hu  48

edf.hu  48

szekesfehervar.hu  47

selcom.hu  47

poli.hu  47

oai.hu  47

kzs.hu  47

kszf.gov.hu  47

ji.hu  47

ivancsa.hu  47

heineken.hu  47

dr.hu  47

digitalvac.hu  47

brokernet.hu  47

anonymous.hu  47

alfaamore.hu  47

t.online.hu  46

t-emil.hu  46

takarnet.hu  46

sanet.hu  46

rkt.hu  46

occhun.hu  46

leoburnett.hu  46

budapest.police.hu  46

btk.pte.hu  46

szolf.hu  45

szentes.hu  45

skylan.hu  45

satnet.hu  45

remyinc.hu  45