Important changes to Hungarian data protection law (BCRs, data breach regulations and increased fines)
As of 1 October 2015, Hungarian companies transferring personal data to third countries may rely on BCRs, all data controllers are required to maintain a detailed data breach registry, and those found falling foul of data protection requirements are now looking at higher penalties.

On 1 October 2015, the following major amendments enacted earlier by the Hungarian Parliament in respect of Hungary’s main piece of data protection legislation (Act CXII of 2011 on Informational Self-determination and Freedom of Information) took effect:

 

(1) Reliance on Binding Corporate Rules (BCRs) now possible

 

By providing a one-stop-shop solution, BCRs are an effective tool for ensuring adequate protection for personal data transferred to non-EEA countries within a company group. BCRs are essentially global intra-group privacy policies which set out standard internal procedures and comply with EU data protection requirements. Rather than having to obtain the prior consent of all affected individuals, or maintain model contracts with all non-EEA based group members, Hungarian companies, as well as multinational company groups with Hungarian subsidiaries, may finally rely on BCRs when transferring personal data within their group, subject to completing the approval procedure before the Hungarian Data Protection Authority (NAIH).

 

The approval procedure and the standard document forms are closely modelled on the recommendations and other documents adopted by the Article 29 Data Protection Working Party. The NAIH may act in one of the following three roles in relation to BCRs:

 

(a) as a lead authority, in cases where a company group selects the DPA as such in line with the criteria set out in WP107;

(b) as a consulting authority, when another EU data protection authority takes the lead; and

(c) as an approving authority, when it formally approves BCRs that had already been approved by other data protection authorities.

 

The procedure takes 60 days in all of the above cases, and the administrative fee is HUF 266,000 (approx. EUR 900).

 

Recommendation: company groups relying on BCRs which have already been approved by another EU data protection authority may now apply to the NAIH for the recognition of such BCRs in respect of data transfers from Hungary.

 

(2) Detailed data breach regulations

 

To help keep individuals up to date on any wrongdoings relating to their data, and to facilitate NAIH investigations, all data controllers will now be required to maintain a registry of data breaches (e.g. unauthorized access to, disclosure of, or accidental loss of personal data) for at least five years. Interestingly, unlike the existing regulations relating to electronic communications service providers, the new rules do not require data controllers to actually notify the regulatory authority of such breaches.

 

Recommendation: with a view to ensuring compliance with the newly adopted rules and managing the relevant risks, companies that have not yet done so should set up a data breach registry and consider revising their data processing contracts.

 

(3) Increased monetary fines

 

The upper limit of monetary fines that may be imposed by the NAIH has now been increased to HUF 20 million (approx. EUR 65,000).

