Section 158 (1) of the Act LX of 2003 on Insurance Institutions and the Insurance Business (Insurance Act) lays down particularly strict requirements for the transfer of insurance secrecy data to third countries (outside the European Economic Area). The Act provides that “it shall not constitute a violation of insurance secrecy when an insurance company transfers data to a third-country insurance company or to a third-country data processor (third-country data controller) if the client to whom such information pertains (data subject) has given his written consent to the transfer and the third-country data controller complies with the requirements prescribed by Hungarian law in connection with processing of transferred data, and the country where the third-country data controller is established has data protection laws that conform to the requirements prescribed by Hungarian data protection laws.” Thus, the Insurance Act currently requires the written consent of the data subject for the data transfer, furthermore the transferee shall also be established in a third country which ensures an adequate level of protection by reason of its domestic law. Notably, these provisions cause several problems in practice, since there are common situations where clients (such as claimants or beneficiaries) have no connection with the insurance company and it is impossible to obtain written consent to the transfer. Moreover, the Hungarian Act also requires the existence of general data protection legislation in the transferee’s country, therefore it is also unclear whether transfers of insurance secrecy data to the United States could be legitimized by Safe Harbor (which is a self-certification adequacy instrument as the US has no general data protection legislation).
It seems that the above situation will change in the near future:
The Hungarian Government has recently submitted a Bill to the Parliament which should implement the Solvency II Directive (Directive 2009/138/EC) into Hungarian domestic laws. The Bill would also change the data transfer provisions of the Insurance Act by replacing Section 158 (1) of the Act with the following language:
“It shall not constitute a violation of insurance secrecy when an insurance company transfers data to a third-country insurance company or a third-country data processor (third-country data controller)
a) if the client (data subject) has given his written consent to the transfer, or
b) without consent of the data subject, provided that the scope of data, purpose and legal basis of the data transfer is specified by an act of legislation and adequate level of protection of personal data is ensured pursuant to Section 8 (2) of the Act 2011 of CXII on Information Self-Determination and Freedom of information.”
Notably, the above provision would set aside the requirement for obtaining the consent of the data subject / client to the data transfer, provided that adequate level of protection of personal data is also ensured. The latter may include the use of Model Clauses between the transferor and transferee, or the parties may rely on an adequacy decision in relation to the country of the data recipient. Data controllers should consider that the use of BCR’s are not recognized as an adequacy instrument under Hungarian data protection laws.
Once the Bill is adopted, the above new provision is scheduled to enter into force on the fifteenth day following its promulgation in the Official Gazette.