Legal Background

In Hungary, privacy and data protection are governed by a combination of the national constitution, specific laws, EU regulations, and guidelines. The Hungarian legal framework for data protection is primarily influenced and governed by the EU’s General Data Protection Regulation (GDPR), but it also includes national and sectorial laws that complement or specify the GDPR’s provisions.

Constitutional laws

The Fundamental Law of Hungary, which is the country’s constitution, provides the basis for privacy and data protection rights. Article VI guarantees the respect for and protection of private and family life, communication, and the protection of personal data.

GDPR

As a member of the EU, Hungary is subject to the GDPR, which applies directly in Hungary and has significantly influenced national laws and practices.

GDPR and Law Enforcement Directive implementation

The Act No CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (the “Information Act”) is the main piece of national legislation supplementing the GDPR in Hungary and it also implements Directive (EU) 2016/680 of the European Parliament and of the Council (the “Law Enforcement Directive”). The scope of the Information Act applies broadly to any data processing activity covering automatic as well as manual data processing, even if the personal data is not contained or intended to be contained in a filing system.

Sector-specific regulations

Various other laws and regulations address data protection in specific sectors, such as employment, healthcare, genetic data, as well as criminal liability, including:

• Act XLVII of 1997 on the Processing and Protection of Health and Related Personal Data (the “Health Data Act”), which lays down detailed rules for processing and professional secrecy obligations of medical personnel;
• Act No XXI of 2008 on the Protection of Human Genetic Data and the Regulation of Human Genetic Studies, Research and Biobanks, which regulates the processing of human genetic data, including the transfer of such data to other countries;
• Act I of 2012 on the Labour Code (the “Labour Code”), which states that:
1. employers must respect the personal rights of workers;
2. employers may monitor the behaviour of workers only to the extent pertaining to the employment relationship;
3. monitoring measures must respect human dignity; and
4. employers cannot monitor the private lives of workers;
• Act C of 2012 on the Criminal Code (the “Criminal Code”) penalises the breach of privacy (Section 219) and the breach of privacy of correspondence and communications (Section 224), which apply to illegal wiretapping and eavesdropping of electronic communications;
• Act V of 2013 on the Civil Code (the “Civil Code”); Sections 2:42 and 2:48 thereof establish the general protection of personality rights, including the right to a recorded image and voice; and
• Act LIII of 2018 on the Protection of Privacy; Section 8(1) thereof protects the right to respect private life, including voice recordings, and it establishes the right to bring civil law claims if this right is violated, while Section 11 generally protects the privacy of communications.

Enforcement Environment in Hungarian Data Protection Law

In the realm of data protection in Hungary, the enforcement environment encompasses various types of sanctions to ensure compliance with data protection regulations. These sanctions are designed to address different aspects of non-compliance and are critical in maintaining the integrity of data protection practices. The key types of sanctions are outlined below.

Administrative fines

Administrative fines are the primary sanction under the GDPR framework. In cases of non-compliance, organisations may face substantial fines, which can amount to up to EUR20 million or 4% of their annual global turnover, whichever is higher. This severe financial penalty underlines the importance the EU places on data protection. The fine that may be imposed on a state budget authority is capped at a maximum of HUF20 million (approximately EUR52,000).

Civil law sanctions

Hungarian law enables individuals to initiate private legal actions against data controllers and processors for breaches of data protection rules. This right empowers data subjects to seek redress directly, including pecuniary (financial) and non-pecuniary (such as emotional distress) damages.

Criminal sanctions

In more severe instances, where the abuse of personal data is driven by financial gain or causes significant harm to individuals, criminal penalties can be imposed by Hungarian criminal courts.

The National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság, or NAIH), Hungary’s chief data protection authority, serves as the independent overseer of the country’s data protection rights. Its core role is to ensure the lawful and secure processing of personal data by enforcing data protection laws.

The NAIH’s responsibilities include setting and implementing regulations and guidelines, and compelling organisations to maintain stringent data security standards. It conducts investigations and audits to verify compliance with data protection laws, focusing on organisations’ data security measures. Additionally, the NAIH regulates data breach notifications, ensuring timely reporting of breaches and implementation of risk mitigation strategies. The authority also educates and advises data controllers on best practices for data protection and security. The NAIH holds the power to enforce penalties and legal actions against entities that breach data security and privacy regulations.

The NAIH conducts two main types of procedures in data protection cases: investigation procedures and administrative procedures for data protection.

An investigation procedure can be initiated by complaints from data subjects, third parties, data controllers/processors, or by the NAIH itself. Its purpose is to gather evidence and ascertain if there has been a breach of data protection laws. If no breach is found, the case is closed. However, if unlawful data processing is identified, the NAIH may instruct the data controller to rectify it within 30 days. Failure to comply or severe breaches can lead to an administrative procedure.

An administrative procedure serves as the primary enforcement mechanism, allowing the NAIH to impose fines or other corrective measures. It can be initiated independently of an investigation procedure.

Both procedures can be triggered ex officio or through complaints. For administrative procedures, complaints can only be filed by the directly affected data subject. The NAIH has extensive investigatory powers, including on-site inspections and access to data processing equipment. Controllers are often required to provide GDPR-compliant documentation swiftly, highlighting the importance of GDPR’s accountability principle.

In response to NAIH decisions, controllers and processors can seek judicial review at the Budapest Regional Capital Court. Filing for this legal remedy does not automatically suspend the enforcement of such decisions, underscoring the urgency of complying with data protection regulations and the gravity with which such matters are treated in Hungary.

Hungary adheres to a singular legislative privacy regime without any regional variations in data protection laws. The national framework, integrating the GDPR and Hungarian law, is consistently enforced throughout the country. This legal structure showcases a significant interplay between national regulations and multinational frameworks, especially those established by the European Union. Hungary is also a participant in international data protection agreements, including the Convention for the Protection of Individuals with Automatic Processing of Personal Data and its amending Protocol.

Key aspects of Hungary’s data protection law in relation to multinational systems include:

• GDPR implementation: Hungary has aligned its national laws with the EU’s GDPR. In instances of conflict between GDPR and Hungarian privacy rules, GDPR takes precedence, as confirmed by the NAIH.
• Law Enforcement Directive implementation: The Information Act in Hungary serves as the primary legislation embodying the EU’s Law Enforcement Directive.
• E-Privacy laws: Hungary has incorporated the EU Directive on privacy and electronic communications into its national law, primarily through the Act on Electronic Commerce and Information Society Services and the Act on Electronic Communications.

In the EU’s cross-border data protection framework, the NAIH collaborates with authorities in other member states under the GDPR’s one-stop-shop mechanism. This system allows a lead supervisory authority, typically in the country where a company’s main EU establishment is located, to primarily enforce GDPR, with the NAIH providing support when needed.

In Hungary, the influence of NGOs and self-regulatory bodies in data protection is relatively limited. The main NGOs contributing to data protection compliance include the Hungarian Association for Privacy Awareness (Magyar Adatvédelmi Tudatosságért Társaság Egyesülete, or MADAT), the Hungarian Corporate Compliance Society (Magyar Vállalati Compliance Társaság, or MVCT) and the American Chamber of Commerce in Hungary. The International Association of Privacy Professionals (IAPP) also has a dedicated Hungary Chapter. While NGOs and organisations contribute to the landscape of privacy awareness and advocacy in Hungary, their role remains comparatively small against the backdrop of the national regulatory framework and enforcement. As public awareness and concern for privacy issues continue to grow, the influence and involvement of these bodies may become more pronounced.

Hungary’s data protection framework, mirroring the EU’s strong focus on individual rights and privacy, offers robust protection for personal data. As an EU member, Hungary adheres to the EU’s comprehensive model of data protection. This model combines overarching privacy legislation with sector-specific rules, with the GDPR as its central element. Unlike the United States, where data protection laws vary by sector and state, Hungary maintains a consistent legal structure across all sectors and regions as a unitary state. The country’s data protection laws are well-developed and closely aligned with GDPR standards. However, like many EU nations, Hungary is continually evolving in public awareness and the practical application of these laws.

Hungary is known for its assertive enforcement of data protection regulations, with the NAIH taking a proactive and stringent approach. In comparison to some other EU states, Hungary’s enforcement, including the imposition of administrative fines and other corrective actions, is considered particularly rigorous.

Since the GDPR’s implementation, the NAIH has adopted a proactive approach, issuing numerous decisions that address various data protection issues, including CCTV surveillance, cookie usage, debt enforcement, compliance with data subject rights, and transparency.

CCTV Monitoring in Public Areas

The NAIH clarified the lawful circumstances for public area CCTV surveillance. It emphasised the need for data controllers to differentiate between public areas (like pavements, roads, and parking areas) when assessing the necessity and proportionality of surveillance for protecting legitimate interests.

Employee File Copying Practices

Reversing its earlier stance, in 2023 the NAIH permitted employers to copy physical IDs and employee files containing personal data, provided the employer legally processes such data. Previously, the NAIH disallowed copying employee files unless legally required (eg, for payroll) and rejected the adequacy of consent for copying for HR purposes. The new guidance states that copying is not a new processing purpose but a means of processing existing data, but employers must redact non-essential personal data in copied documents.

Cookies Use

The NAIH fined a leading Hungarian media service provider HUF10 million (about EUR25,000) for failing to comply with lawful, fair, and transparent data processing in cookie management, based on the Interactive Advertising Bureau (IAB) Europe’s Transparency and Consent Framework. The NAIH identified that cookie usage and assigning identifiers is personal data processing. The controller must clearly define, describe, and justify processing purposes and legal bases, ensuring cookie banners meet fairness and transparency standards. The authority criticised the provider’s lengthy, confusing banner text, the complex process for selecting data transfer partners, and the misleading presentation of consent and legitimate interest. The NAIH highlighted the need for easy consent withdrawal, critiquing the design where the “Reject All” option was less accessible than “Accept All Cookies”. The decision aligns with the Belgian Data Protection Authority’s ruling against IAB Europe’s framework.

Throughout these actions, NAIH has shown its commitment to enforcing GDPR and enhancing data protection practices in Hungary. The authority’s decisions reflect its focus on ensuring the lawful, necessary, and proportionate processing of personal data across various sectors, aligning with EU data protection standards. NAIH’s proactive and meticulous methods serve as a clear example of its role in the protection of personal data rights. The authority not only enforces regulations but also provides guidance to entities, helping them to adopt data processing practices that are compliant with GDPR.

Significant topics and enforcement priorities include the data protection aspects of the use of artificial intelligence and use of CCTV surveillance in public areas and the management of data subject rights.

In Hungary, data privacy and protection are primarily governed by the EU GDPR. The GDPR provides a comprehensive legal framework outlining the responsibilities of organisations processing personal data and the rights of individuals. Alongside the GDPR, Hungary’s national data protection laws complement and specify certain aspects of the GDPR.

Data Protection Officer (DPO) Requirements

Under the GDPR, certain organisations must appoint a DPO. This requirement applies to public authorities or bodies, organisations that systematically monitor data subjects on a large scale, or process special categories of data on a large-scale or data related to criminal convictions and offenses. Hungarian law aligns with the GDPR on DPO appointment thresholds, requiring notification of the appointment and contact details to the NAIH. DPOs in Hungary are also subject to a secrecy obligation indefinitely, even after their appointment ends.

Legal Bases for Data Processing

The GDPR mandates that all data processing must have a legal basis, such as consent, contract necessity, legal obligation, vital interests, public interest, or legitimate interests pursued by the data controller or a third party. In Hungary, processing of personal data from criminal records is restricted to government authorities for specific purposes. The Information Act requires a legislative act or local government decree for processing based on a legal obligation or public interest, detailing data types, processing purpose, accessibility, controller, and processing duration.

“Privacy by Design” and “Privacy by Default”

The GDPR introduced the “privacy by design” and “privacy by default” principles into data protection laws, integrating data protection measures from the very start of data processing activities and limiting personal data processing to only what is necessary. Hungarian law upholds these principles without alteration.

Privacy Policies

Organisations must implement technical and organisational measures to comply with data privacy and security under the GDPR. This includes internal policies for data privacy and security compliance, encompassing broader accountability, governance, employee training, and supervising data processors. Hungarian laws mirror the GDPR requirements in this respect.

Data Protection Impact Assessments (DPIAs)

The GDPR requires DPIAs for high-risk data processing operations. The NAIH has listed operations requiring DPIAs, such as employee monitoring and credit scoring. If risks identified in a DPIA cannot be mitigated, controllers must consult the NAIH. Controllers can choose their DPIA methodology, with the NAIH recommending the Hungarian adaptation of the French Data Protection Authority’s privacy impact assessment tool (PIA software).

Data Subject Rights Management

Under the GDPR, data controllers must secure and facilitate the exercise of data subject rights, including access to information, rectification, objection, erasure, processing restriction, and data portability. The Information Act extends the right of erasure and processing restriction to relatives of deceased persons within five years of death.

Anonymisation, De-identification, Pseudonymisation

The GDPR and the Information Act apply to personal data that can identify an individual. The NAIH considers pseudonymisation a security measure but maintains that data protection rules continue to apply to such data. Anonymisation is recognised as a tool and practice that is practically impossible to implement in real-life scenarios.

Private Right of Action

The Information Act allows individuals to bring private actions against data controllers and processors for GDPR violations, claiming damages and exemplary damages. The burden of proof for compliance rests with the data controllers and processors.

Overall, Hungary’s approach to data privacy and protection aligns closely with the GDPR, reflecting a commitment to safeguarding individual rights while providing clear guidance to organisations on their data processing responsibilities.

The GDPR particularly emphasises protection for special categories of personal data. This includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health information, and data concerning an individual’s sex life or sexual orientation. Sectorial laws define further categories of data that may qualify as “sensitive”.

Health Data

The Health Data Act outlines specific rules for processing and retaining personal data concerning health and professional secrecy obligations for medical personnel. It specifies lawful purposes for processing personal data concerning health, such as health preservation, patient care, health monitoring, public health interests, patient rights enforcement, patient journey tracking, and evaluating medical effectiveness in human reproduction procedures. If processing purposes are not covered by the Health Data Act, explicit documented consent from the data subject is required.

Human Genetic Data

The Genetic Data Act governs the processing of human genetic data, demanding transparent information provision to data subjects and imposing additional restrictions for data transfer to third countries. It mandates written informed consent for processing human genetic data, either for genetic research or medical examination.

Biometric Data

Processing of biometric data in Hungary is strictly regulated. The NAIH’s blacklist requires a DPIA for biometric data processing that involves systematic monitoring or concerns vulnerable data subjects, including children, employees, and mentally ill individuals. In the employment context, biometric identification measures are allowed under the Labour Code to prevent unauthorised access to sensitive information or assets.

Financial Data

The Act CCXXXVII of 2013, or the Banking Act, regulates personal data processing by financial institutions. It defines bank secrets, authorises outsourcing of data processing activities, and imposes secrecy obligations akin to those for insurance companies.

Communications Data

The Act C of 2003, aligned with the EU Privacy and Electronic Communications Directive (the “ePrivacy Directive”), requires electronic communication network operators and service providers to maintain the security and confidentiality of communications. This includes data retention for traffic and billing purposes, calling line identification restrictions, subscriber directory guidelines, and mandatory data breach notification requirements.

Children’s Data

Under the GDPR and the NAIH’s practice, children are considered vulnerable individuals and are accorded stricter data processing requirements. In Hungary, the digital age of consent for information society services is 16 years. Below this age, parental or guardian consent is necessary for lawful data processing.

Employment Data

Employees are also seen as members of a vulnerable group under the GDPR and the NAIH’s practice. The Labour Code in Hungary establishes rules for protecting employees’ personal data, applicable notice requirements, and limits on privacy rights within the employment context.

Internet-Related Issues

Data processing in the context of information society services, including cookie use and similar technologies, is regulated by the E-Commerce Act. This Act allows service providers to process data essential for billing and technical service provision, while other forms of data processing – including the application of any type of technology that stores data on end user devices – require explicit user consent.

Online Content Removal

The E-Commerce Act also addresses the protection of minors and the removal of online terrorist content and other infringing online material. Since January 2022, the NAIH can instruct platform providers to remove online content that infringes on data protection, particularly concerning children’s privacy or special categories of personal data.

In summary, Hungary’s implementation of the GDPR and national laws provides comprehensive protection for various categories of personal data, emphasising explicit consent, transparency, and special care for members of vulnerable groups like children and employees. The laws cover a wide range of data types, from health and genetic information to financial and communication data, ensuring robust data privacy and protection standards.

The Advertising Act

In Hungary, online marketing is regulated by the provisions of the Act XLVIII of 2008 on Business Advertising Activity (the “Advertising Act”) and by the E-Commerce Act. Direct marketing is permissible only based on the explicit opt-in consent of the targeted individual and this consent requirement is independent from the B2B or B2C standing of the recipient. The relevant legal requirements are summarised below.

Consent to direct marketing communications

The Advertising Act requires the natural person recipient’s explicit consent to any direct marketing communications. The Advertising Act requires that the opt-in consent language for direct marketing communications:

• be explicit;
• contain the name of the person providing the consent;
• identify the scope of personal data for which consent is being provided; and
• state that the consent is being given voluntarily in possession of the information about the data processing (this means that the sign-up language should provide a reference to the privacy notice providing information about data processing relating to sending email marketing messages by the sender); and

• also contain the place and date of birth of the person providing the consent if the consent is sought for sending electronic marketing messages that may be addressed only to persons of a specific age.

It should be noted that these consent requirements are equally applicable to electronic marketing messages and communications with social or societal aims.

Soft opt-in

The explicit consent requirement for electronic direct marketing is general, because the soft opt-in exemption (as provided by Article 13 (2) of the ePrivacy Directive) has not been implemented into Hungarian law. Accordingly, if a merchant obtains from its customers their electronic contact details for electronic mail, in the context of the sale of a product or service, this merchant may not target the relevant customers with direct marketing communications, unless the customer consented to such communications.

Withdrawal

Under the Advertising Act, the natural person recipient of the marketing message must be able to withdraw his/her consent or unsubscribe from such communications without any restrictions, free of charge and without providing any explanation.

Record-keeping obligations

The Advertising Act states that the advertiser must maintain a record about the personal data of individuals who provided opt-in consent to direct marketing communications. The data contained in these records – relating to the person to whom the advertisement is addressed – may be processed only for the purpose defined in the statement of consent, until withdrawn, and may be disclosed to third persons only with the explicit consent of the data subject.

Disclosure requirements

Under the Advertising Act, the body of the marketing message must clearly and visibly disclose the opt-out instructions along with an electronic and postal address to which opt-out requests may be sent. Also, pursuant to the E-Commerce Act, the following disclosure requirements apply with regard to electronic marketing messages:

• (i) the message must clearly reflect the commercial/marketing nature of the message as soon as it is accessible to the data subject (in practice, the email header must transparently reflect that the email is an advert);
• (ii) the sender must be clearly identifiable;
• (iii) promotional offers, such as discounts, premiums and gifts, must be clearly identifiable as such, including the conditions which must be met to qualify for them; and
• (iv) promotional competitions or games must be clearly identifiable as such, including the conditions for participation; the electronic message must also include a link to the conditions of the offers and games indicated in (iii) and (iv).

Employment Privacy

Act I of 2012 on the Labour Code lays down the general rules governing workplace privacy. Sections 9 to 11 thereof stipulate the conditions for the processing of employee data as follows:

Data collection limitation

Employers can only request data from employees that is essential for the establishment, fulfilment, or termination of the employment relationship, or for the enforcement of claims arising from the Labour Code. The data requested from the employee must be directly related to these specific purposes and the employer can only collect only the relevant and necessary information.

Privacy rights limitation

An employee’s privacy rights can be limited only if this is strictly necessary for reasons directly related to the purpose of the employment relationship and if the limitation is proportional to the objective pursued.

Surveillance and monitoring restrictions

Monitoring of employees is permissible only in relation to work-related activities. The methods used must respect human dignity (no harassment, intimidation, or disturbance), be limited in time and space, and conducted only by authorised personnel. Personal life and private correspondence shall be excluded from such monitoring.

Transparency and information duty

The Employer must inform the employees in advance about the nature, conditions, and expected duration of any limitations on their privacy rights. Employers must provide written notification about data processing activities and use of technical monitoring tools.

Processing of documents

The employer can only ask for the presentation of documents (identification cards, certificates, diplomas, etc) from the employee, but copying is restricted unless legally permitted.

Biometric access control measures

Biometric identification measures can be used to prevent unauthorised access to sensitive information or assets, considering the potential serious or irreversible consequences.

Processing of criminal data

Employers may process criminal personal data of job applicants and employees for vetting purposes, particularly to protect financial interests, safeguard information protected by law, or in relation to the handling of hazardous materials.

Prohibition of private use of company IT equipment

The Labour Code restricts private use of company IT equipment, unless explicitly agreed otherwise between employer and employee.

Consultation requirement

Consultation with the works council is required for implementing any measures and internal regulations affecting large number of employees. This requirement extends to, inter alia, the processing and protection of personal data of employees as well as the use of technical measures used for employee monitoring.

Employee Whistle-Blowing

Hungarian Act No XXV of 2023, known as the Complaints Act, aligns with EU Directive 2019/1937, and governs employee whistle-blowing. It requires employers with 50 or more employees, including certain sectors like financial services, banks, and airlines, to implement an internal whistle-blowing system. The Act covers a wide range of reportable issues, such as illegal activities or suspected illegalities, and includes the ambiguous category of “other abuses”, which it does not specifically define. While anonymous reporting is allowed, investigations for such reports are not legally mandated. The Act sets procedural deadlines, obliging employers to acknowledge reports within seven days and complete investigations within three months. It also restricts smaller employers (those with 50 to 249 employees) from forming joint internal whistle-blowing systems with other employers.

In the context of Hungarian civil and administrative procedures, there are no specific legal standards for alleging infringements of privacy or data protection laws, including those involving Artificial Intelligence (AI). However, it is crucial to adhere to the Hungarian evidentiary rules as specified in the relevant procedural acts.

In relation to enforcement:

• The NAIH primarily relies on obtaining evidence from data controllers. This involves requesting pertinent documents and information from them, in line with accountability requirements. Under the GDPR, data controllers bear the onus of proving their compliance with data protection laws.
• The NAIH’s practice in enforcing the GDPR has been evolving towards more stringent penalties. This is evident from the increasing magnitude of fines, with many nearing the GDPR’s upper limits.

In relation to private litigation for alleged violations of privacy or data protection laws:

• Individuals or entities seeking to initiate private litigation due to alleged privacy or data protection violations must align their claims with the general principles of civil law. This includes proving the breach, causation, and damages.
• The Hungarian legal system does not traditionally support class action lawsuits as seen in some other jurisdictions. However, collective legal actions might be possible under certain circumstances, following specific procedures.

Regarding notable enforcement cases and major resolutions in the past year, see 1.7 Key Developments. These cases highlight the NAIH’s focused areas and enforcement trends.

Private Litigation

In Hungarian legal proceedings, specific standards for alleging data protection violations are not defined, but adherence to the established evidentiary rules in procedural legislation is required. Litigation often incorporates a variety of evidence, including documents, witness statements, and expert insights. The Information Act enables individuals to initiate private legal actions against data controllers or processors for violating data protection laws. From June 2023, it is also possible to file class actions for GDPR infringements. These class actions allow competent authorities and representative organisations to represent a broad consumer base adversely affected by unlawful data protection practices and seeking civil law remedies in court. Aligning with GDPR guidelines, the Information Act clarifies that in legal disputes, the burden of proof to demonstrate compliance with data protection regulations rests on the data controller or processor who is the defendant. The courts can award both damages and injunctive relief.

In Hungary, law enforcement access to data is regulated by Act XC of 2017 on the Criminal Procedure Code. The Act on Electronic Communications regulates data retention for law enforcement purposes.

The Criminal Procedure Code (Act XC of 2017) in Hungary regulates how law enforcement authorities can access data and conduct surveillance in the context of criminal investigations. Under this framework, law enforcement authorities may gather information without prior approval, except in cases of highly intrusive information gathering. Such cases include requests for information from financial organisations, postal services, electronic communication service providers, and health service providers, which require prior approval from the public prosecutor. Furthermore, certain covert surveillance activities, such as surveillance of information systems, covert searches, surveillance of specific locations, opening mail, and interception, necessitate prior judicial approval.

The Information Act delineates detailed rules and guarantees on how law enforcement authorities can process personal data for law enforcement purposes. These applicable guarantees essentially mirror the requirements of the GDPR. However, the fines that can be imposed by the NAIH are capped at HUF20 million.

The Act CCXV of 1995, known as the National Security Services Act in Hungary, provides the legal basis for government data access for intelligence, anti-terrorism, and national security purposes. It details the necessary procedures and authorisations for various surveillance activities, particularly in the realm of national security and criminal investigations.

For surveillance linked to criminal probes, the Act mandates a judicial warrant and ministerial authorisation for surveillance conducted for non-criminal investigation purposes. National security surveillance, conducted by the National Security Services or the Counter Terrorism Centre, requires authorisation from the Minister of Justice.

The Act also introduces “exceptional authorisation” for urgent situations, allowing the National Security Services’ general directors to authorise covert operations for up to 72 hours without prior external approval, although external authorisation must be sought simultaneously. This provision is typically limited to a single use per case, barring new, direct national security threats.

Notably, the Act does not require a balance test to ensure national security measures do not disproportionately infringe on personal rights, implying that the assessment of potential privacy and personal rights violations is not explicitly required.

The request of a foreign government for access to personal data does not automatically establish a legal ground under the GDPR. When a foreign government requests access to personal data held by an organisation, the organisation must carefully assess the request considering its legal obligations. This assessment includes considering any applicable data protection laws, international treaties, and the legal basis for processing and transferring such data. If there is no mutual legal assistance treaty with Hungary, personal data may be transferred based on Article 49(1)(e) of the GDPR if the transfer is occasional and necessary for the establishment, exercise, or defence of legal claims. This derogation can apply to activities carried out by public authorities in the exercise of their public powers. If this derogation under the GDPR cannot be invoked, data transfer may be permissible on the “compelling legitimate interests” legal basis under Article 49(1)(2) of the GDPR, provided the data exporter demonstrates that it was neither possible to frame the data transfer with appropriate safeguards nor applicable to use any other derogations.

The cases of Szabó and Vissy, and Hüttl, before the European Court of Human Rights, concerned the violation of the right to respect for private and family life and correspondence due to Hungarian legislation on secret surveillance measures for national security purposes. The Hungarian legislation lacked precise, effective, and comprehensive safeguards for ordering, executing, and redressing such measures.

The court highlighted the overly broad scope of these measures, the absence of strict necessity assessment, the ease of mass data interception, and the lack of effective remedial measures. As of the last examination in March 2023, the Committee of Ministers noted that the applicants in these cases had not been subjected to secret surveillance, hence no further individual measures were necessary. However, the Committee expressed serious concerns regarding the legislative process in Hungary to address the court’s findings. It strongly called for urgent adoption of measures to align Hungarian legislation with the requirements of the Convention. The NAIH, with limited power in national security matters, was deemed incapable of conducting adequate external, independent scrutiny. This inadequacy remains unaddressed.

The European Parliament, in response to the “Pegasus scandal”, recommended that Hungary restore safeguards and comply with ECtHR judgments. Despite these developments, almost seven years after the Szabó and Vissy judgment, the legal situation remains largely unchanged. The Committee of Ministers emphasised the urgent need for legislative reform and encouraged Hungarian authorities to closely co-operate with the Council of Europe to ensure Convention-compliant reforms. An updated action plan is expected by September 2023, with a decision to resume consideration of the case in June 2024.

In Hungary, international data transfers of personal data are primarily regulated under the GDPR. The GDPR imposes specific restrictions and requirements on the transfer of personal data outside the European Economic Area (EEA) to ensure that the level of data protection afforded within the EEA is not undermined. When using adequacy measures, such as standard contractual clauses (SCCs) or binding corporate rules (BCRs), organisations are required to conduct a Transfer Impact Assessment (TIA) to evaluate the level of data protection in the recipient country, especially considering the recent Schrems II judgment of the CJEU. This assessment should consider the laws and practices of the third country, particularly those that may impact the effectiveness of the chosen transfer mechanism.

Regarding the mechanisms or derogations that apply to international data transfers, the key restrictions and requirements are outlined below:

• Adequacy decisions: Personal data can be freely transferred to countries outside the EEA that have been deemed by decision of the European Commission to provide an adequate level of data protection. These adequacy decisions are based on a comprehensive assessment of the data protection framework and practices in the non-EEA country.
• Appropriate safeguards: In the absence of an adequacy decision, transfers are permitted if appropriate safeguards are in place. These safeguards may include tools such as SCCs, BCRs, or specific conditions met under Article 46 of the GDPR.
• Derogations: The GDPR also allows for data transfers in certain specific situations under Article 49, such as when the data subject has explicitly consented to the proposed transfer after being informed of the possible risks, or for the performance of a contract between the data subject and the data controller, or for important reasons of public interest.

Data controllers are required to document these assessments and decisions as part of their accountability obligations under the GDPR. They may also need to consult with or obtain authorisation from the NAIH in certain cases.

Transfers of personal data within the EEA and to adequate countries are generally permitted and no government notifications or approvals are required. Under the GDPR, certain adequacy measures (such as approval of ad-hoc contractual clauses) will require authorisation from the NAIH or the derogation on the “compelling legitimate interests” legal basis under Article 49(1)(2) of the GDPR requires notification of the data transfer.

The Genetic Data Act requires data exporters to notify the Chief Public Health Officer of Hungary in connection with the international transfer of genetic data and genetic samples for the purpose of human genetic research or human genetic testing and the relevant notification must also indicate a reference to the appropriate adequacy safeguards provided by the data exporter and the data importer.

Localisation and residency requirements in Hungary, as they pertain to the provision of data processing services for certain institutions, are governed by the Act L of 2013 on Electronic Information Security. This includes governmental bodies, the National Bank, and local municipalities. According to this Act, such services must be provided from the territory of Hungary. Furthermore, under the Act XCI of 2021 on National Data Assets, more stringent rules have been established for the handling of state databases belonging to national data assets, including criminal records, land registry records, company registry records, and ID records. This law stipulates that data processing activities may only be performed within the territory of Hungary.

The E-Commerce Act includes provisions on the obligations of application service providers offering services related to the information society, particularly those that facilitate encrypted communication among users. These provisions specifically apply to services that do not rely solely on the user's end device for the content of communication or the construction of communication channels, thereby emphasisng the focus on end-to-end encrypted communication. Providers are required to hand over the contents of messages and communications transmitted through their application when requested by an authorised authority for secret information collection, provided this request is subject to external permission. Furthermore, providers are also obligated to store and, upon request, hand over metadata related to the use of the encrypted communication application.

See 3.3 on Invoking Foreign Government Obligations.

See 3.3 on Invoking Foreign Government Obligations.

In Hungary, the legal landscape surrounding emerging technologies is continuously evolving.

Big Data Analytics

The NAIH has not issued specific guidelines on big data. Nevertheless, the DPIA blacklist includes data combination from various sources for matching and comparison – a common big data use. This aligns with GDPR principles, emphasising transparency, data protection by design and data minimisation.

Automated Decision-Making

Post-GDPR, companies in Hungary engaging in automated decision-making, including profiling, must adhere to strict rules. Individuals are entitled to avoid decisions based solely on automated processes and have the right to detailed information about the decision-making logic. The NAIH has added certain automated decision-making processes to the DPIA blacklist due to their significant impact.

Profiling

When performing profiling, data controllers must ensure adherence to general data protection principles, including transparency, data minimisation and securing data subject rights. The NAIH has included specific profiling activities in its DPIA blacklist, like scoring and large-scale evaluation of personal data.

Artificial Intelligence

AI is not specifically regulated by law in Hungary. However, the Coalition on Artificial Intelligence was established to develop legal frameworks for AI. At the EU level, the April 2021 AI Act proposal signifies the importance of a unified regulatory approach, which Hungary is expected to align with.

Internet of Things (IoT)

There are no specific IoT regulations in Hungary. Sectorial laws regulate generic information security and cybersecurity requirements in high-risk industries where IoT use is widespread. The NAIH issued guidance on smart energy metres in 2019. The data protection impact assessment blacklist mandates a DPIA for public utilities using smart metres.

Biometric Data

Such data is classified as a special category and requires lawful grounds and an additional condition under Hungarian law. Guidelines emphasise the necessity, efficiency, proportionality, and privacy considerations. The use of biometric data for employee monitoring is generally not considered lawful by the case law of the NAIH. The rules applicable to biometric data extend to facial recognition, following the same principles and guidelines.

Geolocation Data

The NAIH’s opinions, aligned with former WP29 guidance, address employee monitoring via geolocation. Employers can track vehicles for specific legitimate interests such as logistics needs or to protect high-value property but must not monitor employees outside working hours. Employees must be informed about GPS tracking including its purpose.

Drones

Government Decree 38/2021 (II. 2.) (the “Drone Regulation”) prohibits unauthorised recording of private property but lacks explicit data protection-related provisions. The DPIA backlist includes drone operation over public spaces, and the NAIH provided comprehensive recommendations on drone use in 2014.

Disinformation, Deepfakes, or Other Online Harm

The Hungarian Criminal Code defines and penalises conduct such as the creation of false audio or visual recordings capable of tarnishing someone’s honour and the publication of false audio or visual recordings capable of tarnishing someone’s honour. Further, broader EU initiatives and the Digital Services Act (DSA) aim to address these issues. Hungarian platforms and services would be expected to comply with these regulations.

“Dark Patterns” or Online Manipulation

The GDPR’s requirements for transparent and lawful processing implicitly counteract dark patterns. Hungary, under EU consumer protection laws, also addresses deceptive practices that could include dark patterns. The practice of the NAIH and the Hungarian Competition Authority also address these requirements under fairness standards.

Fiduciary Duty for Privacy or Data Protection

The concept of a fiduciary duty in the context of data protection is not explicitly defined in Hungarian law. However, the GDPR’s principles of accountability and responsibility implicitly impose a fiduciary-like duty on data controllers and processors.

In summary, Hungary’s approach to these technological and digital issues is largely framed within the context of EU law, particularly the GDPR, which provides a comprehensive framework for data protection, privacy, and consumer rights. This framework demands transparency, accountability, and ethical considerations in all aspects of data processing and digital technology use.

In Hungary, there are currently no established digital governance or fair data practice review boards.

Recently, there have been no published enforcement decisions from the NAIH in the emerging digital and technology area, nor has Hungarian court practice recently addressed this area.

In Hungary, there is a limited amount of specific case law directly addressing due diligence processes. Data protection-related due diligence in corporate transactions requires strict compliance with the GDPR and local legislation. This process includes verifying the lawful processing of personal data, closely examining data handling practices, especially for sensitive information, and ensuring compliance with data subjects’ rights. Under NAIH case law, legitimate interest is generally accepted as a legal basis for the transfer or disclosure of client personal data in asset transfer transactions, provided that such data transfer is ancillary to the asset transfer itself. In addition, the merging of databases between the target and the acquirer in a transaction may require a data protection impact assessment.

This is not applicable to the Hungarian jurisdiction.

In Hungary, recent regulatory developments in the technology sector, encompassing digital technology and data practices, are influenced by broader European trends. These include key areas such as privacy, competition, and consumer protection laws. These developments are being shaped by the imperative to address the challenges posed by AI, data handling practices, and the dynamics of the digital market. Notably, the Hungarian government adopted its Artificial Intelligence Strategy in September 2020.

In late 2023, the Hungarian National Bank conducted its first thematic investigation on the IT, privacy, and other risks associated with artificial intelligence and machine learning in the banking and insurance sectors. These technologies are increasingly being utilised in a broad spectrum of activities, ranging from account opening to marketing and campaign management. While no breaches were identified by the MNB, there are risks that need to be addressed.

Moreover, the Hungarian Competition Authority has been actively investigating the market impacts of AI. In early 2024, it launched a market analysis focusing on how AI might distort competition, particularly in digital sectors, and potentially expose consumers to vulnerabilities. The Authority is expressing concerns regarding the monopolisation of AI technology by large tech giants, potentially leading to unfair market competition. Furthermore, the integration of AI in business practices, especially in data collection and advertising, is under close scrutiny. This includes concerns about consumer vulnerability due to practices like the use of dark patterns in design and personalised advertising.

In 2023, Hungary integrated the EU’s NIS2 Directive and Whistleblowing Directive into its national legislation. In 2024, specific requirements are expected to be outlined in a ministerial decree and a decree from the president of the Supervisory Authority for Regulatory Affairs Hungary.

The Hungarian Parliament enacted Act XXV of 2023, addressing complaints, public interest disclosures, and abuse reporting, which aligns with EU Directive 2019/1937, safeguarding individuals who expose violations of union law. The initial compliance deadline for large organisations (over 249 employees) was 24 July 2023, while smaller entities (50-249 employees) had until 17 December 2023 to comply.

Act XXIII of 2023, pertaining to Cybersecurity Certification and Supervision, was introduced to incorporate the NIS2 Directive’s provisions. This Act broadly defines sectors impacted by the new law and sets various deadlines for compliance, with the final one being 18 October 2024.

The Hungarian Parliament passed Act CI of 2023 on the National Data Assets Utilisation System and Certain Services, in line with EU Regulation 2022/868 on European Data Governance. This aims to create a state-backed system for managing national data assets.

Lastly, the Hungarian Parliament passed the Act CIII of 2023 on the Digital State and Digital Services Provision, laying the groundwork for the Digital Citizenship Program. By 2026, a digital mobile application is expected to be operational for Hungarian citizens, featuring identity verification, secure electronic signatures, and administrative functionalities, including birth registration processes.