Data protection - Changes in legislation in Hungary

BCR, Binding Corporate Rules

The amendment introduces new longawaited binding corporate rules (“BCR”) into the Hungarian legal system, which facilitates data transfer within groups of companies. BCR facilitates multinational companies’ members registered in the European Economic Area (“EEA”) to transfer data to a group company, which mostly operates in a state located outside of the EEA area, where an adequate level of protection of personal data is not ensured. The Info Act does not prescribe the mandatory content of BCR. However, it must be approved by the Hungarian National Authority for Data Protection and Freedom of Information (“Nemzeti Adatvédelmi ésInformációszabadság Hatóság” – “NAIH”) after it is accepted by the group companies. The procedure for the approval of BCR may be different depending on whether BCR is already approved by another European authority. The data controller can request the approval from NAIH, which decides on the application within 60 days. The application must contain (i) detailed data regarding the data controller and the given data processing operation, or the relevant registration number, (ii) the draft of BCR, (iii) evidence confirming the binding nature of the BCR and (iv) if the BCR was approved by the authority of any other EEA member state, the documents proving this approval. After examination of BCR, the NAIH approves it, proposes amendments thereto or rejects it. When filing the application, an application fee of HUF 266,000 (approx. EUR 855) is payable.

Data protection incident register

The Info Act also defines a data protection incident, which means the breach of personal data for any reason, particularly gaining unauthorized access to and unlawful alteration, transfer, disclosure, deletion or destruction of personal data as well as the accidental destruction of and damage to such data. Following this amendment, data controllers are obliged to keep a register of data protection incidents, an obligation previously imposed on telecommunication service providers only.

Content of the register

The register must include (i) the scope of personal data concerned, (ii) the scope and number of data subjects affected, and (iii) the date, circumstances and effects of the incident, and the measures taken to eliminate the incident. It is important to highlight that data protection incidents occurring not only at the data controller but also at the data processor must be recorded in the register. If the data controller has a data protection officer, then the data protection officer is obliged to keep the register, if not, the keeper of the register may freely be appointed.

Information obligation

The purpose of the data protection incident register is to inform persons affected and control measures taken in connection with the data protection incident. Upon the data subject’s request, the data controller must provide information immediately but within 30 days at the latest, on the circumstances, effects of the data protection incident and the measures taken to prevent the incident.

Data retention period

The duration of retention of the data kept in the data protection incident register is at least 5 years in respect of personal data and at least 20 years in respect of special (sensitive) data.

Involvement of data processing agreements

Despite the fact that the data controller must directly keep the register, data processors are also affected, since data protection incidents which occur at them must also be recorded in the register as mentioned above. Consequently, it is advisable to review the data processing agreements to include detailed provisions regulating the data protection incident register.

Higher fines

The amount of fines which may be imposed by the NAIH, has also increased with the amendment of the Info Act. The NAIH is now entitled to impose a fine of HUF 20 million (approx. EUR 65,000) instead of the fine applied until now of maximum HUF 10 million.