A bill regarding the amendment of the Hungarian Data Protection Act was submitted to the Hungarian Parliament on June 19. The bill aims at the implementation of Directive 2016/680 and the amendment of the Hungarian Data Protection Act regarding the application of the General Data Protection Regulation (GDPR).
The bill is mainly based on the draft bill that was published for public consultation almost a year ago, in last August. It is worth noting that another bill is also in front of the Hungarian Parliament regarding the GDPR implementation (that was submitted on May 29). The bill of May 29 contains only a few articles regarding the designation of the Hungarian Data Protection Authority as the competent data protection authority responsible for the enforcement of the GDPR. The Parliament will vote on the bill of May 29 very soon (probably on June 20).
1. As far as the material scope of the Hungarian Data Protection Act is concerned, it covers, besides data processing activities related to law enforcement, national security or defense, the following data processings:
- In the case of data processings covered by the GDPR, the specific provisions of the Hungarian Data Protection Act (in particular, the rules regarding the Hungarian Data Protection Authority and the rules of its procedures) which complement the rules contained in the GDPR should be taken into account.
- The majority of the provisions of the GDPR and the specific provisions of the Hungarian Data Protection Act will be applicable together for data processing activities that are not covered by the GDPR, but which are not classified as activities related to law enforcement, national security or defense. (These may include, for example, processing of paper-based documents that are not structured according to specific criteria.)
2. Regarding territorial scope, in case of data processings covered by the GDPR, the draft stipulates that the provisions of the Hungarian Data Protection Act and other statutory provisions on the protection of personal data and the conditions under which personal data are processed will apply if:
(a) the controller’s main establishment is in Hungary, or
(b) if the controller’s main establishment is not in Hungary, but the data processing operation performed by the controller or by a data processor acting on his or her behalf or on the basis of his or her mandate or provision is related to:
(ba) the offering of goods or services, irrespective of whether a payment by the data subject is required, to such data subjects in Hungary; or
(bb) the monitoring of the data subject’s behavior as far as the behavior takes place within the territory of Hungary.
3. The draft contains additional obligations towards controllers if the period or the periodic review of the need for mandatory data processing is not determined by law or a mandatory legal act of the European Union.
In such cases, the controller must review at least every 3 years from the commencement of the data processing whether the personal data processed is necessary for the purpose of data processing or not. The circumstances and results of this review must be documented by the controller, and such documentation must be retained for 10 years and submitted to the Hungarian Data Protection Authority (the "Hungarian DPA") if requested.
It is an important novelty compared to the former draft bill that such obligation is limited to mandatory data processing activities.
4. The bill also deals with the issue of the enforcement of personal data rights after the death of a data subject. According to the planned new rules, certain rights (right of access, right of rectification, right to restriction of processing, right to erasure or right to object) may be enforced, within 5 years after the demise of the data subject, by a person who is authorized by the data subject in a declaration submitted to the controller. In some cases, close relatives of the data subject may also act in the absence of such a declaration.
5. According to the bill, the annual meeting of Data Protection Officers will be retained, which will be convened by the President of the Hungarian Data Protection Authority.
6. The bill also includes a number of provisions concerning the Hungarian Data Protection Authority's procedures.
The bill does not cover the sectoral laws regulating data processing activities, which means that a third set of rules can be expected in connection with the GDPR-implementation in Hungary.