Contributed By PROVARIS Varga & Partners
Hungary adheres to a singular legislative privacy regime without any regional variations in data protection laws. The national framework, integrating the GDPR and Hungarian law, is consistently enforced throughout the country. This legal structure showcases a significant interplay between national regulations and multinational frameworks, especially those established by the European Union. Hungary is also a participant in international data protection agreements, including the Convention for the Protection of Individuals with Automatic Processing of Personal Data and its amending Protocol.
Key aspects of Hungary’s data protection law in relation to multinational systems include:
In the EU’s cross-border data protection framework, the NAIH collaborates with authorities in other member states under the GDPR’s one-stop-shop mechanism. This system allows a lead supervisory authority, typically in the country where a company’s main EU establishment is located, to primarily enforce GDPR, with NAIH providing support when needed.
Legal Background
In Hungary, privacy and data protection are governed by a combination of the national constitution, specific laws, EU regulations, and guidelines. The Hungarian legal framework for data protection is primarily influenced and governed by the EU’s GDPR, but it also includes national and sectorial laws that complement or specify the GDPR’s provisions.
The NAIH, Hungary’s chief data protection authority, serves as the independent overseer of the country’s data protection rights. Its core role is to ensure the lawful and secure processing of personal data by enforcing data protection laws. The NAIH’s responsibilities include setting and implementing regulations and guidelines, and compelling organisations to maintain stringent data security standards. It conducts investigations and audits to verify compliance with data protection laws, focusing on organisations’ data security measures. Additionally, the NAIH regulates data breach notifications, ensuring timely reporting of breaches and implementation of risk mitigation strategies. The authority also educates and advises data controllers on best practices for data protection and security. The NAIH has the power to enforce penalties and legal actions against entities that breach data security and privacy regulations.
Enforcement Environment in Hungarian Data Protection Law
In the realm of data protection in Hungary, the enforcement environment encompasses various types of sanctions to ensure compliance with data protection regulations. These sanctions are designed to address different aspects of non-compliance and are critical in maintaining the integrity of data protection practices. The key types of sanctions include:
Data Protection Procedures of the NAIH
The NAIH in Hungary conducts two main types of procedures in data protection cases: investigation procedures and administrative procedures for data protection.
Both procedures can be triggered ex officio or through complaints. For administrative procedures, complaints can only be filed by the directly affected data subject. The NAIH has extensive investigatory powers, including on-site inspections and access to data processing equipment. Controllers are often required to provide GDPR-compliant documentation swiftly, highlighting the importance of GDPR’s accountability principle.
Fine Calculation
Regarding the calculation of fines, the EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR generally apply.
According to the Information Act, the NAIH shall consider all circumstances of the case to decide whether imposing a fine is justified and to determine the amount of the fine. In particular, the NAIH takes into account:
Under the Act on the Sanctions for Administrative Violations, when imposing a fine, the NAIH must evaluate all relevant circumstances of the case, including but not limited to the criteria set forth in the Information Act. Specifically, the NAIH shall also consider the following factors in determining the amount of the fine:
The Hungarian government has adopted Resolution No 1301/2024 (IX. 30.) on the implementation of the European Parliament and Council Regulation (2024/1689/EU) on artificial intelligence in Hungary. The resolution provides that the domestic implementation of the AI Act shall be overseen by a specialised organisation established by law under the supervision of the Minister for the National Economy. This responsibility was not assigned to the NAIH. This organisation ensures a one-stop shop for administrative procedures, performs market surveillance tasks, and operates a regulatory sandbox, providing opportunities for the preliminary testing of artificial intelligence developments. Additionally, the Resolution provides that the Hungarian Artificial Intelligence Council will be established, with members delegated by the NAIH, as well as the NMHH (National Media and Infocommunications Authority), MNB (Hungarian National Bank), GVH (Hungarian Competition Authority), SZTFH (Supervisory Authority for Regulated Activities), and DMÜ Zrt. (Digital Government Agency). The Council may issue guidelines and opinions regarding the implementation of the Regulation.
The Bill No T/10011 was submitted to the Hungarian Parliament by the Hungarian government on 19 November 2024, proposing measures necessary for implementing the European Parliament and Council Regulation on artificial intelligence. This draft law aimed to designate the Hungarian Minister of Justice as the authority responsible for ensuring the protection of fundamental rights in connection with the implementation of Article 77 of the AI Act. However, the legislative proposal was later withdrawn before reaching the Parliamentary Legislative Committee upon the recommendation of members of the governing party, without any justification being provided for the withdrawal.
The intersection of AI regulation and data protection laws in Hungary reflects the broader European Union regulatory framework, primarily shaped by the GDPR and the EU’s AI Act. These two frameworks aim to address different aspects of technological innovation but are closely interlinked, particularly when AI systems process personal data. The NAIH is the primary body overseeing GDPR compliance in Hungary. Although the NAIH will likely play an advisory role in AI regulation, the implementation of the AI Act is set to involve a specialised organisation under the supervision of the Minister for the National Economy or the Minister of Justice, as outlined in Hungary’s recent governmental decisions. This suggests a separation of oversight responsibilities between general data protection and AI-specific risks.
In Hungarian legal proceedings, specific standards for alleging data protection violations are not defined, but adherence to the established evidentiary rules in procedural legislation is required. Litigation often incorporates a variety of evidence, including documents, witness statements, and expert insights. The Information Act enables individuals to initiate private legal actions against data controllers or processors for violating data protection laws.
Under Section 2:52 of the Hungarian Civil Code, individuals whose personality rights have been infringed may claim grievance awards (sérelemdíj) for non-pecuniary damages. The law presumes that harm occurs automatically when a violation is established, eliminating the need for claimants to prove actual damage. Courts can determine the amount of the award in a lump sum, considering the severity of the infringement, its recurrence, the degree of fault, and the impact on the claimant and their environment. The Budapest Court of Appeal in case Pf.20300/2024/7 emphasised the distinct nature of the sanctioning systems under the Hungarian Civil Code and the Information Act. It held that a violation of data protection regulations does not automatically amount to an infringement of personality rights under the Civil Code. The consequences of unauthorised data processing under the Information Act differ from those under the Civil Code, and claims for grievance awards for data processing violations must primarily rely on the Information Act’s framework. The Curia (the Supreme Court), in decisions Pfv.IV.20.927/2020/7 and Pfv.IV.21.084/2020/4, also confirmed that not all data protection breaches result in violations of personality rights. The Civil Code and Information Act protect personality differently, with separate legal standards and scopes of protection.
The New Civil Code Advisory Board has opined that the occurrence of non-pecuniary harm is a prerequisite for awarding a grievance award. Therefore, even if an infringement is established, the claim for a grievance award may be denied if no actual harm is demonstrated. Article 82 of the GDPR establishes that any person who suffers material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor responsible for the damage. The provision aims to protect individuals’ data rights and ensure accountability for GDPR violations.
The Curia, in decision Pfv.20003/2024/13, provided clarity on the interpretation of GDPR Article 82 in Hungary. It ruled that the mere occurrence of a GDPR violation does not automatically entitle a data subject to compensation. Claimants must demonstrate actual damage – whether material or non-material – and establish a direct causal link between the infringement and the harm suffered. The judicial practice underscores the nuanced relationship between the Civil Code grievance awards and the GDPR compensation mechanism. Under the Civil Code, the presumption of harm simplifies the claimant’s burden in personality rights cases, but judicial scrutiny still considers the specific circumstances of the case. In contrast, Article 82 of the GDPR requires proof of actual damage and a causal link, focusing on the material or non-material harm caused by data protection violations.
From June 2023, it is possible to file class actions for GDPR infringements. These class actions allow competent authorities and representative organisations to represent a broad consumer base adversely affected by unlawful data protection practices, seeking civil law remedies in court. Aligning with GDPR guidelines, the Information Act clarifies that in legal disputes, the burden of proof to demonstrate compliance with data protection regulations rests on the data controller or processor who is the defendant. The courts can award both damages and injunctive relief.
Hungary does not have specific regulations governing IoT. Instead, sector-specific laws establish general information security and cybersecurity requirements in high-risk industries where IoT is widely used. The NAIH issued guidance on smart energy metres in 2019. The data protection impact assessment (DPIA) blacklist mandates a DPIA for public utilities using smart metres.
The GDPR establishes stringent standards for the processing of personal data, emphasising principles such as lawfulness, fairness, transparency, data minimisation, and purpose limitation. These principles take precedence over other data-related regulations to ensure the fundamental rights of individuals are upheld. The Information Act complements the GDPR by addressing specific national concerns, including data processing for purposes of law enforcement, national security, and defence, which may fall outside the direct scope of the GDPR. Certain sectors, such as healthcare and finance, are subject to additional data protection obligations under Hungarian law. For instance, the Health Data Act governs the processing of health-related personal data, implementing a comprehensive regulatory framework for entities in the healthcare sector. These sectoral laws often impose more stringent requirements to address the unique nature of data processing activities within these fields.
IoT providers and data processors in Hungary must ensure lawful data processing based on legal grounds such as consent, contractual necessity, or legal obligations. Transparency is required through clear privacy notices, and data subjects’ rights (access, deletion, correction, etc) must be respected. Strong technical and organisational measures, such as encryption, are necessary to protect data security. High-risk processing requires a DPIA, and data breaches must be reported to the NAIH within 72 hours. Data processing agreements are mandatory for third-party processors, and a Data Protection Officer (DPO) must be appointed for large-scale or sensitive data processing.
The NAIH oversees compliance with data protection laws, including the GDPR and the Information Act. Other regulatory bodies, such as the Hungarian Competition Authority (GVH), the National Media and Infocommunications Authority (NMHH), may also play roles in enforcing data protection and cybersecurity regulations within their respective sectors. The Supervisory Authority for Regulated Activities (SZTFH) and the Special Service for National Security (NBSZ) also play a pivotal role in enforcing cybersecurity regulations, particularly concerning the implementation of the NIS2 Directive. Established to oversee compliance with cybersecurity standards, the SZTFH and NBSZ ensure that organisations adhere to national and EU-level cybersecurity requirements.
The use of cookies in Hungary is primarily governed by the ePrivacy Directive as implemented through the E-Commerce Act (Act CVIII of 2001 on Electronic Commerce and Information Society Services) and complemented by the GDPR for personal data processing. Hungarian regulations require that cookies be categorised based on their purpose, with explicit user consent necessary for all non-essential cookies. Essential cookies, such as those facilitating communication or strictly required for the provision of services explicitly requested by users, are exempt from the consent requirement. However, even in these cases, transparency is mandatory, requiring clear notice to users about the cookies in use, their functions, and the scope of data processing.
Consent for cookies must be voluntary, informed, and obtained through a clear affirmative action by the user. Practices such as pre-ticked checkboxes or ambiguous consent mechanisms are considered non-compliant under both the GDPR and the ePrivacy Directive. Cookie banners must provide an “Accept All” and “Reject All” button with equal prominence, ensuring users have an easy and straightforward option to refuse cookies. Consent must also be specific and granular, meaning users should be able to decide individually on different cookie categories. Importantly, once consent is withdrawn, cookies must be securely deleted or rendered inoperative on the user’s device. This reinforces the requirement for data controllers to ensure technical solutions that respect user preferences and maintain compliance throughout the lifecycle of cookie use.
Transparency plays a critical role in cookie management. Websites must provide clear, detailed, and accessible information about each cookie, including its name, purpose, expiration date, and any third parties involved in data collection or processing. Multi-layered approaches to informing users, such as brief notices linked to more comprehensive details, are generally considered effective. Social media plugins and similar technologies that involve data sharing with third-party platforms must be set to inactive by default and activated only after obtaining explicit user consent. These plugins should include detailed notices explaining the scope of data collection, including any potential data transfers outside the EU, ensuring users are fully informed about the implications of their consent.
Regulatory authorities in Hungary, including the NAIH, the NMHH, and the HCA, actively enforce compliance with these requirements. Non-compliance risks include significant fines, reputational damage, and operational disruptions. Recent enforcement actions have highlighted the importance of avoiding manipulative practices, such as “dark patterns”, which could mislead users or undermine genuine consent. These practices, including cookie walls, hidden rejection options, or deceptive banner designs, may be deemed unfair commercial practices, leading to additional scrutiny under consumer protection laws.
In Hungary, online marketing is regulated by the provisions of the Act XLVIII of 2008 on Business Advertising Activity (the “Advertising Act”) and by the E-Commerce Act. Direct marketing is permissible only based on the explicit opt-in consent of the targeted individual and this consent requirement is independent from the B2B or B2C standing of the recipient. The relevant legal requirements can be summarised as follows:
Permission-based electronic marketing messages and communications with social, societal aims are subject to the same consent requirements as applicable to direct marketing communications.
Employment Privacy
The Act I of 2012 on the Labour Code lays down the general rules governing workplace privacy under its Sections 9 to 11, and these lay down the following conditions for the processing of employee data:
Employee Whistle-Blowing
The Hungarian Act No XXV of 2023, known as the Complaints Act, aligns with the EU Directive 2019/1937 to govern employee whistle-blowing. It requires employers with 50 or more employees, including certain sectors like financial services, banks, and airlines, to implement an internal whistle-blowing system. The Act covers a wide range of reportable issues, such as illegal activities or suspected illegalities, and includes the ambiguous category of “other abuses”, which it does not specifically define. While anonymous reporting is allowed, investigations for such reports are not legally mandated. The Act sets procedural deadlines, obliging employers to acknowledge reports within seven days and complete investigations within three months. It also restricts smaller employers, those with 50 to 249 employees, from forming joint internal whistle-blowing systems with other employers.
In Hungary, there is a limited amount of specific case law directly addressing due diligence processes. Data protection-related due diligence in corporate transactions requires strict compliance with the GDPR and local legislation. This process includes verifying the lawful processing of personal data, closely examining data handling practices, especially for sensitive information, and ensuring compliance with data subjects’ rights. Under NAIH case law, legitimate interest is generally accepted as a legal basis for the transfer or disclosure of client personal data in asset transfer transactions, provided that such data transfer is ancillary to the asset transfer itself. In addition, the merging of databases between the target and the acquirer in a transaction may require a DPIA.
In Hungary, international data transfers of personal data are primarily regulated under the GDPR. The GDPR imposes specific restrictions and requirements on the transfer of personal data outside the European Economic Area (EEA) to ensure that the level of data protection afforded within the EEA is not undermined. When using adequacy measures, such as standard contractual clauses (SCCs) or binding corporate rules (BCRs), organisations are required to conduct a Transfer Impact Assessment (TIA) to evaluate the level of data protection in the recipient country, especially considering the recent Schrems II judgment of the CJEU. This assessment should consider the laws and practices of the third country, particularly those that may impact the effectiveness of the chosen transfer mechanism.
Regarding the mechanisms or derogations that apply to international data transfers, the key restrictions and requirements are outlined below:
Data controllers are required to document these assessments and decisions as part of their accountability obligations under the GDPR. They may also need to consult with or obtain authorisation from the NAIH in certain cases.
Transfers of personal data within the EEA and to adequate countries are generally permitted and no government notifications or approvals are required. Under the GDPR, certain adequacy measures (such as approval of ad-hoc contractual clauses) will require authorisation from the NAIH or the derogation under the “compelling legitimate interests” legal basis of Article 49(1)(2) of the GDPR requires notification of the data transfer.
The Genetic Data Act requires data exporters to notify the Chief Public Health Officer of Hungary in connection with the international transfer of genetic data and genetic samples for the purpose of human genetic research or human genetic testing, and the relevant notification must also indicate a reference to the appropriate adequacy safeguards provided by the data exporter and the data importer.
Data localisation and residency requirements in Hungary are governed by Act LXIX of 2024 on Hungary’s Cybersecurity. These requirements apply to administrative bodies, state-owned enterprises, and entities designated as essential or important. Such organisations must conduct a data classification process in accordance with Annex I of Government Decree 418/2024 (XII. 23.). Depending on their criticality, certain data classes may only be stored within the territory of the EU or specifically within Hungary. Furthermore, under Act XCI of 2021 on National Data Assets, more stringent rules have been established for the handling of state databases belonging to national data assets, including criminal records, land registry records, company registry records, and ID records. This law stipulates that data processing activities may only be performed within the territory of Hungary.
Article 48 GDPR provides that: “Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognized or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter”. The request of a foreign government for access to personal data does not automatically establish a legal ground under the GDPR. When a foreign government requests access to personal data held by an organisation, the organisation must carefully assess the request considering its legal obligations. This assessment includes considering any applicable data protection laws, international treaties, and the legal basis for processing and transferring such data.
The NAIH emphasises concerns regarding data sovereignty and national security risks associated with the international transfer of personal data. This issue has been brought into focus due to political parties storing Hungarian citizens’ personal data abroad without sufficient justification. NAIH president, Attila Péterfalvi, has publicly stated that the authority will continue to prioritise investigations into improper data processing practices by political organisations to safeguard individuals’ rights. This stance emerged following complaints received by the NAIH during the 2022 election campaign, where 112 Hungarian voters reported the unauthorised use of their personal data. The investigation highlighted the complexities of enforcing data protection standards when processing is carried out by third-country service providers. Transparency and accountability were found to be compromised due to convoluted contracting chains. The President underlined the risks of storing and processing large volumes of sensitive data, such as political opinions, in jurisdictions outside Hungary. He emphasised that such data should ideally be processed domestically to ensure compliance with national and EU data protection laws. Moreover, the NAIH president warned that controllers cannot circumvent their responsibilities through contractual arrangements, stressing that accountability under the GDPR remains with the data controller regardless of where processing occurs. He urged political parties and organisations to strictly adhere to data protection regulations, ensuring clear accountability and transparency in their practices. The NAIH’s position highlights the need for robust safeguards, local processing where possible, and a commitment to upholding GDPR principles to mitigate risks associated with international data transfers.
1053 Budapest
Károlyi utca 9
CENTRAL PALACE
5th floor
+36 70 605 1000
info@provaris.hu www.provaris.hu