The first draft of the amendment of the Hungarian regulation related to the EU's general data protection regulation has finally been released. The proposal for the amendment of Act CXII of 2011 on the right to information self-determination and freedom of information (the “Hungarian Data Protection Act”) is now open for commenting by interested parties until September 8, 2017. According to the plans, the bill will be submitted to the Hungarian Parliament in October and the approval by the Parliament is expected in December this year. The published draft contains, firstly, the necessary rules regarding the “implementation” of the EU General Data Protection Regulation (GDPR) and the necessary amendments for the implementation of Directive 2016/680 / EU on criminal data.
- In the case of data processings covered by the GDPR, the specific provisions of the Hungarian Data Protection Act (in particular, the rules regarding the Hungarian Data Protection Authority and the rules of its procedures) which complement the rules contained in the GDPR should be taken into account. ,
- The Hungarian Data Protection Act as amended with respect to Directive 2016/680/ EU will be applied to the processing of personal data for law enforcement, national security and defense purposes.
- The majority of the provisions of the GDPR and the specific provisions of the Hungarian Data Protection Act will be applicable together for data processing activities that are not covered by the GDPR, but which are not classified as activities related to law enforcement, national security or defense.
Regarding territorial scope, in case of data processings covered by the GDPR, the draft stipulates that the provisions of the Hungarian Data Protection Act and other statutory provisions on the protection of personal data and the conditions under which personal data are processed will apply if:
(a) the controller’s main establishment is in Hungary, or
(b) if the controller’s main establishment is not in Hungary, but the data processing operation performed by the controller or by a data processor acting on his or her behalf or on the basis of his or her mandate or provision is related to:
(ba) the offering of goods or services, irrespective of whether a payment by the data subject is required, to such data subjects in Hungary; or
(bb) the monitoring of the data subject’s behavior as far as the behavior takes place within the territory of Hungary.
The draft seeks to extend its scope of data processing activities beyond those that are covered by the GDPR. These may include, for example, processing of paper-based documents that are not structured according to specific criteria.
In the draft, a bit confusingly, certain definitions that are used in the GDPR are presented with slightly different wording. However, an important step towards ensuring consistency with EU law is that the draft does not separately define the activities of data processors as “data processing” and the activities of data controllers as “data controlling” anymore but, rather, in line with 95/46/EC Directive and the GDPR only the concept of data processing is used and any data processors’ activities are clearly handled as part of processing activities.
The draft contains additional obligations towards controllers if the period or the periodic review of the need for data processing is not determined by law or a mandatory legal act of the European Union. In such cases, the controller must review at least every 3 years from the commencement of the data processing whether the personal data processed is necessary for the purpose of data processing or not. The circumstances and results of this review must be documented by the controller, and such documentation must be retained for 10 years and submitted to the Hungarian Data Protection Authority (the "Hungarian DPA") if requested.
The draft also deals with the issue of the enforcement of personal data rights after the death of a data subject. This issue is not properly regulated and the Hungarian DPA issued guidelines on this matter a few years ago, which were taken into account by the legislators. According to the planned new rules, certain rights (right of access, right of rectification, right to restriction of processing, right to erasure or right to object) may be enforced, within 5 years after the demise of the data subject, by a person who is authorized by the data subject in a declaration submitted to the controller. In some cases, close relatives of the data subject may also act in the absence of such a declaration.
It is also apparent from the draft that data protection incidents will have to be reported via the Hungarian DPA's dedicated electronic interface.
According to the draft, the annual meeting of Data Protection Officers will be retained, which will be convened by the President of the DPA.
The draft also includes a number of provisions concerning the DPA's procedures. With respect to the processing of personal data, the DPA may conduct an investigation ex officio (currently only for notification) and, at the request of the person concerned ex officio, a data protection authority procedure (currently only ex officio). The authority's procedure may include the use of sanctions set out in the GDPR, including the fines.
A new procedure is also introduced: the data processing authorization procedure is performed at the request of the data controller or the data processor. In this framework, codes of conduct or binding corporate rules may be adopted, and verification of compliance with approved code of conduct and authorization of transfers subject to appropriate guarantees under Article 46 of the GDPR may take place.
The data protection register will be preserved but will be significantly changed. After May 25, 2018, the following information should be included:
- Decisions taken in the data protection authority procedure - the disclosure of which is ordered by the DPA if the decision concerns a wide range of persons - if the decision is related with the activity of a public service organization or if the weight of the infringement occurred justifies disclosure.
- The most important data of the decisions specified in the data processing authorization procedure.
- The contact details of DPOs and the names of data controllers or data processors represented by them.
The draft includes rules on the participation of NAIH in international co-operation and on the conduct of certification procedures.
In addition to the Hungarian Data Protection Act, the draft also includes provisions for amending a number of other laws. As well as the deregulation, it is worth highlighting that, by modifying the Duty Act, the procedures for breach of the right to the protection of personal data are subject to duty exemption.
Overall, based on the draft, it can be stated that the legislator has essentially limited the “implementation” of the GDPR to the minimum. However, it seems that the legislator will not use this possibility to address those data protection issues that have caused difficulties for data controllers and processors in the course of their activities for a long time.