In the past months, one of the most relevant news and legal topic has been that of data processing. And alas the regulation of data processing in Hungary has arrived to a new milestone on July 17th 2018, when the Hungarian Parliament adopted an amendment of Act 113 of 2011 on the Right of Informational Self-Determination and on the Freedom of Information („Info Act”). The amendment of the Info Act is supposed to implement the rules of the General Data Protection Regulation 2016/679 (April 27th 2016.) of the European Union.
The main purpose of GDPR and the amended Infoact is to provide relevant protection to the data of european citizens, by adopting new acts, rules and regulations regarding data protection. By harmonising the national and European laws, Hungary is fulfilling it’s duties arising from the country’s EU membership.
Before the GDPR came into force, there have not been any laws in Hungary that could thoroughly prepare the legal system for the implementation of the new regulation, but Info Act has been considered one of the strictest as per data processing in Europe. By adopting the new amendment, the Hungarian Parliament aims to solve the uneasiness and uncertainty resulting from the GDPR in force and the lack of proper local legislation to pair with.
Despite all the effort and the legal steps towards an effective data protection regulation, the legal basis of data protection in Hungary is still incomplete and difficult to oversee. Because of these reasons, a more thorough revision of the data protection laws is expected to follow the amendment, with the purpose of a better implementation of European standards. The lack of certainty concerning the legal basis of data protection creates a need for professional legal help regarding data controllers.
We have collected the most important changes in the amended Info Act:
- The supervisory authority regarding the compliance with GDPR is the Hungarian Data Protection and Freedom of Information Agency (locally: NAIH), with the exception of courts, over which the NAIH has no authority.
§ If the data controllers or data processors fail to comply with the law, the NAIH may fine the data controller or data processor for an amount of up to 20 million HUF.
- The data subject is entitled to bring private actions against the data controllers and data processors for violations. The data subject is entitled to make claims for any damages and also exemplary damages. The data controller or data processor may prove that they comply with the law.
- The scope and application of the Infoact has been substantially extended to better comply with GDPR. If the controller’s main establishment or place of business is located in Hungary, or if the processing operations relate to the offering of goods or services to data subjects located in Hungary, the infoact is applicable. The scope of the act is also extended to manual data processing.
- According to the new law, mandatory data processing must be settled by an act and no lesser legal source may suffice . The data controller must revise after 3 years and maintain any and all data for at least 10 years.
- The amended Info Act aims to protect the data of deceased as well. The relatives of the deceased have the right to erasure and restriction on processing within five years of death. The age of consent applicable to a child’s consent regarding information society services is 16 years.
- Criminal records may only be processed with the data subject’s explicit consent or if the data processing is necessary for the exercise or defense of a legal claim. Health data may only be processed with the data subject’s explicit written consent.