Artificial Intelligence and Data Protection in Hungary: The EU AI Act Impact
Analysis of how the EU AI Act and GDPR interact to regulate artificial intelligence, automated decision-making, and profiling in Hungary.
Dr. Ildikó Nagy
Introduction
The regulation of artificial intelligence (“AI”) has become one of the most consequential areas of EU law. With the EU Artificial Intelligence Act (Regulation (EU) 2024/1689, the “AI Act”) entering into force in stages from August 2024, and full applicability of the high-risk provisions from August 2026, businesses and public authorities in Hungary must now navigate a complex interplay between the AI Act and the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”). This article analyses how these two legal instruments interact to regulate AI systems, automated decision-making, and profiling in Hungary, and examines the role of the National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság, “NAIH”) in enforcement.
The EU AI Act: Key Provisions
Risk-Based Classification
The AI Act introduces a risk-based regulatory framework with four tiers:
1. Unacceptable Risk (Prohibited AI Practices)
Certain AI practices are entirely prohibited under Article 5 of the AI Act because they pose an unacceptable risk to fundamental rights. These include:
- Social scoring by public authorities or on their behalf — systems that evaluate or classify individuals based on their social behaviour or personal characteristics, leading to detrimental treatment disproportionate to the context;
- Real-time remote biometric identification in publicly accessible spaces for law-enforcement purposes, except in narrowly defined emergency situations;
- Subliminal manipulation — AI systems that deploy techniques beyond a person’s consciousness to materially distort behaviour in a way likely to cause harm;
- Exploitation of vulnerabilities — AI targeting specific groups (children, persons with disabilities) in ways that distort their behaviour and are likely to cause harm.
These prohibitions apply directly in Hungary from 2 February 2025.
2. High Risk
High-risk AI systems are subject to extensive regulatory requirements. Under Annex III of the AI Act, these include AI used in:
- Biometric identification and categorisation of natural persons;
- Management and operation of critical infrastructure (energy, transport, water);
- Education and vocational training — systems that determine access to education, assess learning outcomes, or assign educational tracks;
- Employment, workers' management, and access to self-employment — systems used in recruitment, performance evaluation, task allocation, or termination decisions;
- Access to essential private and public services — including creditworthiness assessment and insurance pricing;
- Law enforcement — risk assessment, polygraph analysis, evidence evaluation;
- Migration, asylum, and border control — risk assessment of irregular migration, examination of visa or residence permit applications;
- Administration of justice and democratic processes — systems assisting judicial decisions or influencing elections.
Providers and deployers of high-risk AI must comply with requirements for risk management, data governance, technical documentation, transparency, human oversight, accuracy, robustness, and cybersecurity, and the system must undergo a conformity assessment before it is placed on the market or put into service.
3. Limited Risk (Transparency Obligations)
AI systems with limited risk — including chatbots, emotion-recognition systems, and deep-fake generators — are subject to transparency obligations under Article 50 of the AI Act. Users must be informed that they are interacting with an AI system, and deep-fake content must be labelled as artificially generated.
4. Minimal Risk
AI systems that do not fall into the above categories (e.g., AI-enabled spam filters, AI in video games) are considered minimal risk and are not subject to specific regulatory obligations under the AI Act, although providers are encouraged to voluntarily adopt codes of conduct.
Interaction With the GDPR
Automated Decision-Making Under Article 22 GDPR
Article 22(1) of the GDPR provides that data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. This provision has direct relevance to AI systems that make or materially influence decisions affecting individuals.
Key elements of Article 22:
- Solely automated: The prohibition applies only where the decision is made without any meaningful human involvement. If a human reviews the AI’s recommendation and exercises genuine discretion before the final decision, the process may fall outside the scope of Article 22.
- Legal or similarly significant effects: Examples include denial of a credit application, rejection of a job application, determination of insurance premiums, or refusal of a public benefit.
- Exceptions: Automated decision-making is permitted in three circumstances: (a) it is necessary for the performance of a contract; (b) it is authorised by EU or Member State law; or (c) the data subject has given explicit consent. Even where an exception applies, the controller must implement suitable safeguards, including the right to obtain human intervention, express a point of view, and contest the decision.
Profiling
Profiling is defined in Article 4(4) of the GDPR as any form of automated processing of personal data to evaluate certain personal aspects of a natural person — including analysis or prediction of work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements. Many AI systems inherently involve profiling, and controllers must ensure compliance with all applicable GDPR principles — lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality — when deploying such systems.
Data Protection Impact Assessments (DPIAs)
Under Article 35 of the GDPR, controllers must carry out a Data Protection Impact Assessment when processing is likely to result in a high risk to the rights and freedoms of natural persons. The use of AI systems for profiling, automated decision-making, or large-scale processing of sensitive data almost invariably triggers this requirement. NAIH has published guidance identifying specific processing activities that require a DPIA, and AI-based processing is prominently featured.
A DPIA must include:
- A systematic description of the processing operations and their purposes;
- An assessment of the necessity and proportionality of the processing;
- An assessment of the risks to the rights and freedoms of data subjects;
- The measures envisaged to address those risks, including safeguards, security measures, and mechanisms for ensuring compliance.
Transparency and Explainability
Both the GDPR and the AI Act impose transparency obligations, although their scope and purpose differ:
- Under the GDPR (Articles 13–14), controllers must inform data subjects about the existence of automated decision-making, including profiling, provide meaningful information about the logic involved, and disclose the significance and envisaged consequences of such processing.
- Under the AI Act, providers of high-risk AI must provide detailed technical documentation and instructions for use that enable deployers to understand the system’s capabilities, limitations, and intended purpose.
In practice, these obligations are complementary. Data controllers deploying AI systems must be prepared to explain both how the system works (AI Act transparency) and why a particular decision was made in a specific case (GDPR individual transparency).
NAIH’s Role in AI Regulation
Current Enforcement Powers
NAIH is Hungary’s supervisory authority for data protection under the GDPR and the Hungarian Act on Informational Self-Determination and Freedom of Information (Act CXII of 2011, “Infotv.”). NAIH has the power to:
- Conduct investigations into data-processing activities, including those involving AI;
- Issue binding orders requiring controllers to bring processing into compliance;
- Impose administrative fines of up to EUR 20 million or 4% of annual global turnover, whichever is higher, for GDPR violations;
- Publish guidance and recommendations on data-protection issues, including AI-related processing.
AI Act Enforcement
Under the AI Act, each Member State must designate one or more national competent authorities and a national supervisory authority for the purposes of the regulation. Hungary is in the process of designating these authorities. It is expected that NAIH will play a significant role in enforcing the AI Act provisions related to data protection, while other authorities (such as sector-specific regulators) may oversee AI systems in their respective domains.
The AI Act also establishes the European Artificial Intelligence Board, composed of representatives of national supervisory authorities and the European Data Protection Supervisor, to ensure consistent application of the regulation across the EU.
NAIH Guidance on AI
NAIH has issued recommendations and opinions on the use of AI in several contexts, including:
- Workplace monitoring: NAIH has cautioned employers against deploying AI-based employee monitoring systems (e.g., keystroke logging, emotion recognition) without a thorough DPIA and a clear legal basis;
- Automated creditworthiness assessment: NAIH has emphasised that financial institutions using AI for credit scoring must comply with Article 22 GDPR and provide meaningful explanations to applicants who are denied credit;
- Facial recognition: NAIH has taken a restrictive position on the use of facial-recognition technology in public spaces, aligning with the AI Act’s prohibitions.
Practical Implications for Hungarian Businesses
Compliance Checklist
Businesses deploying AI systems in Hungary should consider the following steps:
- Classify your AI system under the AI Act risk categories. Determine whether your system is prohibited, high-risk, limited-risk, or minimal-risk.
- Conduct a DPIA under the GDPR if the AI system processes personal data and the processing is likely to result in high risk.
- Ensure a valid legal basis for processing personal data in connection with the AI system (consent, legitimate interest, contractual necessity, etc.).
- Implement Article 22 safeguards if the AI system makes solely automated decisions with legal or similarly significant effects — including meaningful human review, the right to contest, and transparent information.
- Document compliance through technical documentation, risk assessments, and records of processing activities.
- Monitor regulatory developments — the AI Act enforcement landscape is evolving, and NAIH’s guidance is expected to become more detailed as the regulation’s provisions become fully applicable.
Sector-Specific Considerations
Certain sectors face heightened scrutiny:
- Financial services: AI used for credit scoring, fraud detection, and insurance pricing is subject to both the AI Act (as high-risk) and sector-specific regulations enforced by the Hungarian National Bank (Magyar Nemzeti Bank, “MNB”);
- Healthcare: AI diagnostic tools are classified as medical devices and are subject to additional regulation under the EU Medical Devices Regulation;
- Employment: AI-driven recruitment tools, performance-evaluation systems, and workforce-management platforms are high-risk under the AI Act and must comply with both data-protection and labour-law requirements.
Conclusion
The intersection of the EU AI Act and the GDPR creates a multi-layered regulatory environment for AI in Hungary. Businesses and public authorities that deploy AI systems must ensure compliance with both instruments, taking into account the AI Act’s risk classification, the GDPR’s rules on automated decision-making and profiling, and NAIH’s evolving enforcement practice. Proactive compliance—through DPIAs, transparency measures, and human-oversight mechanisms—is essential to mitigate legal risk and maintain public trust.
For tailored advice on AI regulation, data-protection compliance, or automated decision-making in Hungary, contact Dr. Ildikó Nagy’s law office.