HUNGARY

CHART INSTRUCTIONS:

 Local law does not deviate from the GDPR.

 Local law deviates from the GDPR.

NAME

Act on the amendment of Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information in connection with the data protection reform of the European Union, and on the amendment of other related acts

Status: Adopted

SME EXCEPTION

No Deviation

LAWFULNESS OF PROCESSING (ART 6)

SPECIFYING PROVISION: Data may be processed (1) when necessary for the performance of a task carried out in the public interest based on an Act of Parliament or a municipal decree; (2) in the absence of (1), when strictly necessary for the controller to carry out its legal responsibilities and when the individual has given explicit consent; (3) in the absence of (1), when necessary and proportionate for protecting the vital interests of individuals; or (4) in the absence of (1), when processing relates to data manifestly made public by the individual and it is necessary and proportionate. Furthermore, controllers must review the processing activities at least once every three years unless otherwise required by law, document such review, and maintain such documentation for 10 years (Sec 5 Hungarian Act).

CHILD'S CONSENT (ART 8)

No Deviation

SENSITIVE DATA (GENETIC, BIOMETRIC AND HEALTH DATA) (ART 9 (4))

No Deviation

CCTV (ART 6)

No Deviation

CRIMINAL CONVICTIONS/SECURITY MEASURES (ART 10)

No Deviation

INFORMATION OBLIGATION (ART 13 & 14)

No Deviation

AUTOMATED INDIVIDUAL DECISION-MAKING (ART 22)

SPECIFYING REQUIREMENT: Automated individual decision-making, including profiling, may be conducted when expressly permitted by law and when (1) it does not violate the principle of equal treatment; (2) upon an individual’s request, the controller and/or processor provides information regarding the method and criteria used; (3) upon an individual’s request, the controller and/or processor reviews the outcome of the decision with human involvement; and (4) no sensitive data is involved unless permitted by law (Sec 6 Hungarian Act). 

RESTRICTIONS TO DATA SUBJECT'S RIGHTS (ART 23)

SPECIFYING REQUIREMENT: If an individual submits another request in the same year in the same data categories, and based on that request the controller or processor lawfully declined the rectification, erasure, or restriction of processing, then the controller may charge a fee for the expenses incurred with a repeated and unfounded request (Sec 15 Hungarian Act).

The controller may delay, restrict, or omit the provision of information under Sec 16 Hungarian Act if necessary for (1) carrying out or partaking in investigations and other proceedings, in particular criminal proceedings, effectively and efficiently; (2) preventing and investigating criminal offenses effectively and efficiently; (3) prosecuting criminal offenses or the execution of criminal penalties; (4) protecting public security effectively and efficiently; (5) protecting internal and external security effectively and efficiently, in particular for defense and national security; or (6) protecting individuals’ fundamental rights (Sec 16 Hungarian Act).

VARYING REQUIREMENT: A controller must provide information in response to a data subject’s request within 25 days (Sec 15 Hungarian Act). 

JOINT CONTROLLER RESPONSIBILITIES (ART 26 (1))

No Deviation

AD HOC NOTIFICATIONS - RECORDS OF PROCESSING ACTIVITIES (ART 30)

SPECIFYING REQUIREMENT: Records of data controllers must contain the use of profiling, where applicable; an indication of the legal basis for processing; and matters of law and fact in response to the restriction or refusal of an individual’s right of access request (Sec 25/E Hungarian Act).

VARYING REQUIREMENT: For electronic personal data processing, controllers and processors must carry out processing operations in automated processing systems—electronic logs—that must record a description of personal data categories, the purpose of processing, the date and time of processing, the individual carrying out the processing, and, if applicable, any recipients (Sec 25/F Hungarian Act).

SECURITY OF PROCESSING (ART 32)

No Deviation

DATA BREACH (ART 33 & 34)

No Deviation

DATA PROTECTION IMPACT ASSESSMENT (ART 35)

VARYING REQUIREMENT: Where the SA is of the opinion that the intended processing would infringe the Act, the SA shall provide advice within six weeks of receipt of the request for prior consultation. This period may be extended up to one month (Sec 25/H Hungarian Act).

DATA PROTECTION OFFICER (ART 37(4))

No Deviation

CERTIFICATION (ART 42)

No Deviation

DATA TRANSFER DEROGATIONS (ART 49(5))

SPECIFYING REQUIREMENT: Before a data transfer, a controller and/or processor must assess how accurate, complete, and current the personal data is. If such assessment finds the data to be inaccurate, incomplete, or no longer current, the data may still be transferred if strictly necessary for the purposes of processing and the controller notifies the individual at the time of the transfer how accurate, complete, and current the data is. The transfer recipient must be immediately notified if a transfer was not made pursuant to the Hungarian Act, international agreement, or otherwise as permitted by law (Sec 8 Hungarian Act). 

In the absence of an adequate level of protection or an individual’s explicit consent to transfer personal data internationally, a transfer may take place under certain conditions such as if the transfer is necessary for the controller to carry out assessments and other procedures effectively and efficiently, and it does not entail any unreasonable restriction of individuals’ fundamental rights (Sec 11 Hungarian Act). 

POWERS OF SUPERVISORY AUTHORITIES (ART 58)

SPECIFYING REQUIREMENT: The SA may refuse an individual’s initiation of an inquiry to the SA via notification without examining the merits if the infringement alleged is considered minor or the notification is made anonymously. The SA must refuse notifications without examining the merits if (1) court proceedings are in progress or a final court ruling has been rendered for the issue in question; (2) an anonymous notifier will not disclose his/her identity; (3) the notification is manifestly unfounded; (4) the notification has been re-submitted and it contains no new facts or information about the merits; (5) the notification was submitted after the required deadline; (6) the notification fails to comply with the requirements of the Act; or (7) the SA conducts an administrative inquiry or administrative proceedings regarding the notification (Sec 53 Hungarian Act).

CLASS ACTIONS (ART 80 (2))

No Deviation

ADMINISTRATIVE SANCTIONS (ART 83)

No Deviation

PENALTIES (ART 84)

No Deviation

FREEDOM OF EXPRESSION AND INFORMATION (ART 85)

No Deviation

HR PROCESSING (ART 88)

No Deviation

PROCESSING FOR ARCHIVING, SCIENTIFIC, HISTORICAL RESEARCH OR STATISTICAL PURPOSES (ART 89)

No Deviation

OBLIGATIONS OF SECRECY (ART 90)

No Deviation

REMARKS

No Deviation