Hungary DPA Recommendation on information notice requirements

On 9 October 2015, the Hungarian Data Protection and Freedom of Information Agency (Hungary DPA) issued a comprehensive recommendation (the Recommendation) concerning the content of the prior notice from the data controller to data subjects about the processing of their personal data. The Recommendation consolidates the Hungary DPA’s practice to date. In the Recommendation, the Hungary DPA asked data controllers to update their privacy notices to comply with the Recommendation.

The Hungary DPA supervises and enforces data protection rights and, in this context, it has the legal right to issue recommendations on matters which it deems to be of significant practical importance. The Recommendation’s issuance signals that the Hungary DPA sees the need to develop a uniform practice on information provisions to ensure data subjects’ rights.
The Hungarian Information Act requires the data controller to give the data subject unambiguous and detailed information about all the facts relating to the data processing, but it specifies only the minimum information that must be provided to data subject when personal data is collected. That information must include: the purpose and legal basis of the data processing; the duration of the data processing; the identity of the data controller and of each data processor involved with the data; the range of persons who may access the data, if data is processed on the basis of the balance of interest clause; and the rights and remedies of data subject. Accordingly, the Hungary DPA’s practice (namely, the information that the DPA considers relevant in the context of data processing) is of paramount importance.

The Recommendation builds on the Act’s provisions by indicating both general and specific additional matters that must be addressed in the notice to data subjects to ensure that they receive appropriate information concerning the processing of their personal data.

The Recommendation’s general requirements address the quality of the information provided – which must be given in plain, understandable text, without the use of jargon, and in conspicuous form – and the accessibility and visibility of that information. As a best practice, the Hungary DPA recommends the use of layered notices, when each layer offers data subjects the information needed to understand their position and make decisions. The Hungary DPA expects that the privacy notice must be accessible at the front page of the data controller’s website. If data processing is likely to apply to foreign nationals, controllers must ensure as a minimum that the information is provided in English. This implies that, otherwise, the information is expected to be provided in Hungarian.

The Hungary DPA also set out several specific information that must be included in the notice. The Hungary DPA expects that the identity of all data controllers and data processors – including their contact information (with full address, e-mail contact, telephone and website address) – will be fully disclosed in the privacy notice. When providing information on the purpose of the data processing, the Hungary DPA articulated that processed data types and applicable data retention periods must be stated separately, for each data processing purpose. When disclosing the scope of the processed data types, the use of general language such as “personal identification information” or “contact information” is not acceptable; the privacy notice must detail the individual data types which are processed . When identifying the legal basis for the data processing, the Hungary DPA expects the controller specifically to reference the applicable legal provisions (such as “Section 5(1)(a) of the Information Act” or “Section 6 (1)-(2) of the Act on Basic Advertising Restrictions”) that govern the data processing. That same disclosure obligation applies even if the data processing is compulsory for the controller. The privacy notice also must include information on the security measures which the controller takes to protect the personal data.

Moreover, the Hungary DPA expects the privacy notice to include full disclosure concerning the rights and remedies of data subject, including the actions which may be taken and the applicable deadlines. The information on remedies must indicate the name, address, e-mail address and telephone number of the Hungary DPA. The information about judicial remedies must state that court action may be filed before the court having jurisdiction over the data subject’s place of domicile or habitual residence.

When issuing the Recommendation, the Hungary DPA called on data controllers to review and amend their data privacy notices in line with the Recommendation. The Hungary DPA did not set a specific deadline for compliance with the information requirements indicated in the Recommendation. We suggest that data controllers should review and update their privacy notices to reflect the Recommendation’s contents within a reasonable time.

The Recommendation signals that the Hungary DPA will likely become more active in reviewing privacy notices and enforcing the information provisions articulated above. If the notice is found invalid due to content deficiencies, then the fairness or lawful nature of the data processing activities could be called into question. The Hungary DPA may take action against data controllers if it finds that their data processing activities do not comply with the requirements, as interpreted by the DPA, including commencing investigation or supervision proceedings and issuing fines in certain cases.