Data Protection and GDPR Compliance for Businesses in Hungary
A practical guide to GDPR compliance for businesses operating in Hungary, covering key obligations, the role of the DPO, data breach procedures, and enforcement by the NAIH.
Dr. Ildikó Nagy
Introduction
Since 25 May 2018, the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) has been directly applicable in all EU Member States, including Hungary. The GDPR is complemented at the national level by Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Infotv.), which provides additional rules on data processing, the powers of the supervisory authority, and sector-specific requirements.
For businesses operating in Hungary—whether Hungarian-owned or international—GDPR compliance is not optional. The potential consequences of non-compliance include substantial administrative fines, reputational damage, and civil liability. This article provides a structured overview of the key obligations and practical steps for achieving and maintaining compliance.
Key Concepts
Personal Data
Personal data means any information relating to an identified or identifiable natural person (the “data subject”). This includes names, email addresses, identification numbers, location data, IP addresses, and any information that can be linked to a specific individual—directly or indirectly.
Special Categories of Data
Certain types of data receive heightened protection under the GDPR, including data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic and biometric data, health data, and data concerning a person’s sex life or sexual orientation. Processing such data is prohibited unless one of the specific exemptions in Article 9 applies.
Data Controller and Data Processor
- The data controller determines the purposes and means of processing personal data. This is typically the business that collects data from customers, employees, or users.
- The data processor processes personal data on behalf of the controller, such as a cloud hosting provider, payroll service, or marketing agency.
Both controllers and processors have distinct obligations under the GDPR, and their relationship must be governed by a data processing agreement (adatfeldolgozói szerződés).
Legal Bases for Processing
The GDPR requires that every instance of personal data processing be based on one of six legal bases enumerated in Article 6:
- Consent (hozzájárulás): The data subject has given clear, informed, specific, and freely given consent.
- Contractual necessity (szerződés teljesítése): Processing is necessary for the performance of a contract with the data subject.
- Legal obligation (jogi kötelezettség): Processing is required by EU or Member State law (e.g., tax reporting, employment law record-keeping).
- Vital interests: Processing is necessary to protect someone’s life.
- Public interest or official authority: Processing is necessary for a task carried out in the public interest.
- Legitimate interests (jogos érdek): Processing is necessary for the legitimate interests of the controller or a third party, provided these interests are not overridden by the data subject’s rights and freedoms. This basis requires a documented balancing test (érdekmérlegelési teszt).
Choosing the correct legal basis is critical—it determines the data subject’s rights and the conditions under which processing may occur.
The Rights of Data Subjects
Under the GDPR, data subjects have extensive rights, including:
- Right to information (Articles 13–14): Data subjects must be informed about how their data is processed, typically through a privacy notice.
- Right of access (Article 15): Data subjects may request a copy of their personal data.
- Right to rectification (Article 16): Data subjects may request correction of inaccurate data.
- Right to erasure (“right to be forgotten”, Article 17): Data subjects may request deletion of their data under certain circumstances.
- Right to restriction of processing (Article 18).
- Right to data portability (Article 20): Data subjects may receive their data in a structured, machine-readable format.
- Right to object (Article 21): Data subjects may object to processing based on legitimate interests or for direct marketing purposes.
- Right not to be subject to automated decision-making, including profiling (Article 22).
Businesses must be able to respond to these requests within one month (extendable by two months in complex cases).
Data Protection Officer (DPO)
When Is a DPO Required?
A business must appoint a Data Protection Officer (adatvédelmi tisztviselő) if:
- It is a public authority or body
- Its core activities involve regular and systematic monitoring of data subjects on a large scale (e.g., online behavioural tracking)
- Its core activities involve large-scale processing of special categories of data or data relating to criminal convictions
Even when not legally required, appointing a DPO is strongly recommended as a best practice measure.
The DPO’s Role
The DPO advises the organisation on GDPR compliance, monitors adherence to data protection policies, serves as the contact point for data subjects and the supervisory authority, and conducts or oversees data protection impact assessments. The DPO must be given sufficient resources, independence, and direct access to senior management.
Data Breach Notification
What Is a Data Breach?
A personal data breach means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Common examples include cyberattacks, ransomware, lost laptops, misdirected emails, and unauthorised employee access.
Notification Obligations
- To the supervisory authority (NAIH): The controller must notify the National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság, “NAIH”) within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to data subjects’ rights and freedoms.
- To the data subjects: If the breach is likely to result in a high risk to data subjects’ rights and freedoms, the controller must also inform the affected individuals without undue delay.
Breach Register
Every controller must maintain an internal breach register (adatvédelmi incidens-nyilvántartás) documenting all breaches, their effects, and the remedial measures taken—regardless of whether notification to the NAIH was required.
Data Protection Impact Assessment (DPIA)
A DPIA is mandatory before undertaking processing activities that are likely to result in a high risk to data subjects’ rights and freedoms. The NAIH has published a list of processing operations requiring a DPIA, which includes:
- Large-scale profiling
- Systematic monitoring of public areas (CCTV)
- Processing of special categories of data on a large scale
- Innovative use of new technologies
The DPIA must describe the processing, assess its necessity and proportionality, evaluate the risks to data subjects, and identify measures to mitigate those risks.
Records of Processing Activities
Every controller and processor must maintain records of processing activities (adatkezelési nyilvántartás) as required by Article 30 of the GDPR. These records must include the categories of data processed, the purposes, the legal bases, the recipients, data transfers to third countries, and the retention periods. The records must be made available to the NAIH upon request.
International Data Transfers
Transferring personal data outside the EU/EEA requires specific safeguards:
- Adequacy decisions: Data may flow freely to countries deemed to have adequate data protection (e.g., Japan, South Korea, the UK post-Brexit).
- Standard Contractual Clauses (SCCs): The most common mechanism for transfers to non-adequate countries, particularly the United States.
- Binding Corporate Rules (BCRs): For intra-group transfers within multinational corporations.
- Derogations: In limited circumstances, such as explicit consent or contractual necessity.
Following the Schrems II judgment and the EU-US Data Privacy Framework, businesses must conduct a transfer impact assessment to verify that the legal framework of the receiving country provides adequate protection.
Enforcement and Penalties
The NAIH
The NAIH is Hungary’s independent data protection supervisory authority. It has the power to:
- Conduct investigations and audits
- Issue warnings and reprimands
- Order controllers and processors to comply with GDPR requirements
- Impose administrative fines
Fines
Under the GDPR, administrative fines can reach up to:
- EUR 10 million or 2% of global annual turnover (whichever is higher) for breaches of certain obligations (e.g., records of processing, breach notification)
- EUR 20 million or 4% of global annual turnover (whichever is higher) for more serious infringements (e.g., unlawful processing, failure to respect data subject rights)
The NAIH has actively exercised its enforcement powers, imposing notable fines on Hungarian and international businesses operating in Hungary.
Civil Liability
Data subjects may also bring civil claims for damages under Article 82 of the GDPR. Hungarian courts have jurisdiction over such claims, and both material and non-material damage are recoverable.
Practical Compliance Steps
- Map your data processing activities: Identify what personal data you collect, why, and on what legal basis.
- Update your privacy notices: Ensure they are clear, comprehensive, and accessible in the languages used by your data subjects.
- Review and execute data processing agreements with all processors (IT providers, cloud services, marketing agencies).
- Establish procedures for handling data subject requests, breach notifications, and DPIAs.
- Train your employees: Data protection awareness training should be regular and role-specific.
- Appoint a DPO if required—or consider appointing one voluntarily.
- Review international transfers and implement appropriate safeguards.
- Conduct regular audits and update your compliance programme as regulations evolve.
Conclusion
GDPR compliance is a continuous process, not a one-time project. For businesses operating in Hungary, understanding the interplay between the GDPR and the Infotv., the expectations of the NAIH, and the practical steps needed to protect personal data is essential. Proactive compliance not only reduces legal risk but also builds trust with customers, employees, and business partners.
This article is for informational purposes only and does not constitute legal advice. For advice tailored to your specific data protection needs, please contact our office.