DPA Guidance on the Authorization of Binding Corporate Rules in Hungary

Under Hungarian data protection laws, Binding Corporate Rules (BCR) were earlier completely omitted from the list of instruments guaranteeing adequate level of protection in the context of international data transfers. Accordingly, it was a long awaited step to recognize the use of BCRs also in the Hungarian jurisdiction. Due to the recent amendment of the Hungarian Information Act, on 1 October 2015, an authorization procedure will be introduced regarding the implementation and extension of BCRs in Hungary. In this context, the Hungarian Data Protection Agency (the Hungary DPA) has now released a guidance (the Guidance) explaining the steps necessary for the formal authorization of the use of BCRs in Hungary:

1. Extension of approved BCRs

Any company for which the EU BCR cooperation procedure is closed must file an application to the Hungary DPA in order to recognize the use of its BCR in Hungary. In that regard, the applicant must
• complete the Hungarian BCR application form containing the description of the transfers, data categories, purposes and recipients;
• submit to the DPA the application form along with the English version and Hungarian translation of the BCR;
• provide details / copies of BCR approvals issued by other DPAs;
• pay the BCR approval fee (HUF 266,000,- that is ca. EUR 850) upon the submission of the approval request to the DPA.

As the subject BCRs are already approved by other DPA’s, the Guidance explains that the Hungary DPA will only make formal checking of the BCR and the application form without any further scrutiny or comment on the BCR itself.

2. BCR approvals

Regarding BCR approval procedures conducted after 1 October 2015, the Guidance states that Hungary DPA participates in the mutual recognition procedure (MRP). The Hungary DPA may either act as a lead authority or act as a DPA not involved in the mutual recognition process as a “lead” (or “co-lead”). Under the EU co-operation procedure, the applicant is in contact with the lead authority (one-stop-shop) who liaises with fellow DPAs who may comment on and ask for amendments of the BCR.

Once the EU co-operation procedure and MRP is closed, the applicant must turn to the Hungary DPA if it wishes the extension of its BCR to Hungary. In this case, the applicant must complete the Hungary DPA’s application form (containing the description of the transfers, data categories, purposes and recipients), translate its BCR to Hungarian, pay the BCR approval fee and submit a completed WP133 application form (in English) to the Hungary DPA in order to obtain the national approval of the Hungary DPA.

The Hungary DPA has 60 days to issue the approval of the BCR. Once the approval procedure is complete, the Hungary DPA will publish on its website the name of each applicant whose BCR authorization request is granted.

About Adam Liber

Dr. Ádám Liber, LLM, CIPP/E, CIPM is a senior IT/Com, Privacy and Intellectual Property Lawyer in cooperation with the Budapest office of Baker & McKenzie. He has been a tech-savvy advisor to several multinational clients on issues relating to international data transfers, data security, privacy protection and complex outsourcing transactions. Ádám represents clients in connection with authorizations, investigations and audit procedures of the Hungarian Data Protection Authority (DPA), as well as concerning administrative court actions against decisions of the DPA. He holds a Certified Information Privacy Professional/Europe (CIPP/E) certification from the International Association of Privacy Professionals. Ádám is a frequent speaker on conferences and he regularly publishes articles concerning European and Hungarian data protection issues, freedom of information, direct marketing, unfair competition and IP. He is admitted to the Budapest Bar since 2010. Ádám is the General Secretary of the Hungarian Competition Law Association. He is fluent in English and German. E-mail: liber@dataprivacy.hu