International Transfer of Personal Data – Hungary

In our global and digital age, international transfers of personal data became an integral part of everyday life and same also gained significant importance in the Hungarian jurisdiction.

”Transfer” has been defined in the Hungarian Data Protection Act, the domestic implementation of the EU Privacy Directive 95/46/EC as “making data accessible to particular third parties other than the data subject, the data controller or the technical data processor”.

In compliance with the Directive, data transfer within the Member States of the European Economic Area is treated as a domestic data transfer in Hungary. Section 8 of the Hungarian Data Protection Act applies to such transfer which provision lays down that the consent of the data subject shall be obtained or a legislative act shall permit same.

If the transferee is located outside of the European Economic Area (namely, in a third country), additional requirements must be fulfilled in connection with the data transfer abroad. As a rule, personal data may not be transferred to third countries, unless any of the following conditions of the Hungarian Data Protection Act are fulfilled:

(a) the data subject gave his/her  informed, voluntary express consent to the data transfer abroad;
(b) a legislative act permits the data transfer and adequate (EU) level of protection would be ensured in line with Article 25 of the Data Protection Directive; or
(c) if data transfer would be undertaken within the framework of an international (mutual) legal assistance treaty.

Notably, if an adequacy mechanism has been introduced by the data exporter/data importer, this can be considered only as a prerequisite to the transfer under Hungarian laws. Thus, data exporters cannot solely rely on an adequacy mechanism to legitimize the transfer of personal data abroad, but a Hungarian legislative act must also expressly permit the transfer/disclosure of the data. It follows that the personal data of workers (where data processing is based on employment laws) cannot be transferred abroad without the express (preferably written) consent of the employees, even if an adequacy mechanism has been introduced, since the Hungarian Labour Code does not permit such transfer. The same applies to data transfer to data processors (e.g. server operators) located abroad.

The Hungarian Data Protection Commissioner (the DPA) may conduct an individual assessment of the circumstances as to whether any of the following conditions of “adequate level of protection” would be fulfilled:

(1) Adequate level of protection is given, if the European Commission recognised that the third country where the data should be transferred ensures adequate level of protection. The European Commission has already recognised an adequate level of protection for the following countries: Switzerland, Canada, Argentina, the United States (if the recipient of the data in the United States has accepted the ”Safe Harbor Principles” or regarding the Transfer of Air Passenger Name Record (PNR) Data), Guernsey, the Isle of Man, Jersey and recently Uruguay.

(2) Data transfer undertaken within the framework of an international treaty in force between the third country and Hungary, if such treaty ensures adequate protection. The treaty shall guarantee, in that regard, the legal remedies and independent control of data processing, further the rights of the data subjects in line with the Data Protection Act. This may apply to data transfer subject to Mutual Legal Assistance Treaties or in case of the Hague Convention on the Taking of Evidence Abroad in Civil or Commercial Matters concluded in March 18, 1970 also promulgated is Hungary.

(3) Finally, the data controller or the data processor could demonstrate (and provide evidence upon request) that the rules applied by him for data processing in the third country would ensure adequate safeguards of protection in line with the provisions of the EU Directive. In that regard, the data controller assumes the burden of proof on this. Adequate safeguards are given according to the Data Protection Act, if the data controller performs data processing according to the legal act of the European Commission, thus, if the data processor applies the European Model Clauses according to Commission decision 2001/497/EC and 2004/915/EC, or the recently adopted decision 2010/86/EU, or if Binding Corporate Rules have been incorporated in case of intra-group transfers.

Specifically within the context of employee data processing, the Data Protection Commissioner released guidance on March 5, 2007 concerning the transfer of employee data to third countries located outside the European Economic Area. The Commissioner articulated that the transfer of employee personal data to the mother company or to any other subsidiary qualifies as ”data transfer” under the provisions of the Act which should be expressly consented by the employee if not expressly permitted by law. Regarding the consent requirement, the Commissioner pointed out that the consent obtained by employers is not always unambiguous or freely given, therefore, the Commissioner recommended—besides obtaining the consent— reliance on an adequacy mechanism, otherwise the employee’s consent could not be recognized as freely given. Notably, this standpoint conforms to opinion WP 48 of the Article 29 Data Protection Working Party also advising employer not to rely solely on consent in case of data transfers to third countries.