The Hungarian Parliament has adopted today the Act on Informational Self-Determination and Freedom of Information (the new Data Protection Act), the domestic implementation of the European Data Protection Directive (95/46/EC). The new Act will enter into force by 1 January 2012 and same will replace the Act LXIII of 1992 on the Protection of Personal Data and Public Access to Data of Public Interest.

The new Data Protection Act mainly preserved the material provisions of the outdated former Law. Similarly to the Data Protection Act currently in force, the new legislation covers both the general material provisions of data protection as well as freedom of information. Since the new Data Protection Act is general law, the legislator may therefore derogate from its provisions through sectoral legislation.

The most important privacy related provisions of the new Act can be summarized as follows:

– The new legislation has set up the National Agency for Data Protection and Freedom of Information (the Hungarian Data Protection Agency) responsible for the enforcement of compliance with data protection laws as well as for freedom of information laws in Hungary. The Agency will replace the Data Protection Commissioner’s Office by 1 January 2012. The Agency is independent, it cannot be instructed within its competence and it shall take its measures exclusively on the basis of legislative acts. The Agency is headed by the President who is nominated by the Prime Minister and appointed by the President of the Republic for a period of nine years.  In case of breach of the material provisions of the Act, the Agency is empowered to request case and desist from infringement and to impose a fine up to HUF 10 Million (ca. EUR 35.000,-). Considering that the Data Protection Commissioner had no broad investigative powers and was not authorized to impose a fine, the switch to the agency-model can be considered as the most important change of privacy enforcement in the Hungarian jurisdiction.

– New Legal Bases for Data Processing: the new legislation kept all the available legal bases for data processing and it introduced two new legal bases, including the implementation of Article 7(e)-(f) of the Directive. Remarkably, the “balance of interest clause” was completely missing from the former Data Protection Act which did not conform to the provisions of the Data Protection Directive as same has been expressly acknowledged by the ministerial reasoning of the new legislation.

The “balance of interest clause” has been implemented by the new Act with the following provisions of the new Act:

Section 6 (1) of the new Data Protection Act lays down that personal data may be processed, if obtaining the consent of the data subject is impossible or if same entails disproportionate expenses and
a) data processing is necessary for compliance with a legal obligation to which the controller is subject; or
b) if data processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, and the assertion of this interest is proportionate with the interference in the rights for data protection.

Further, Section 6 (5) of the new Data Protection Act provides that if personal data has been recorded with the data subject’s prior consent and data processing is necessary for the data controller to perform his/her obligations prescribed by the act of legislation or for the assertion of a legitimate interest of the data controller or a third person – unless otherwise provided by law – and except where such interests are overridden by the interests for data protection of the data subject, data can be processed without further consent or even after withdrawal of consent the data subject.

– Data Controller – Data Processor – Prohibition on Sub-Processing: the new legislation preserved the formal distinction of the former Law between the data processing activity performed by data controller (as data processing) and processing by the data processor (as technical data processing). Notably, this distinction is completely missing from the Directive. Technical data processing’ under the new Data Protection Act means the performance of technical tasks related to data processing operations, regardless of the methods or means employed or of the place of application.

Notably, the new legislation also kept the general prohibition of sub-processing of processing operations by processors. Although this was a fairly outdated provision of the former Data Protection Act, Section 10 (2) of the new legislation still generally prohibits sub-contracting by a data processor of processing services to other processors, which will most probably continue to cause problems in practice.

– International Data Transfer (Data Transfer to Non-EU countries): We note that the provisions of the Act on International Data Transfer provide much more flexibility than the former provisions of the Data Protection Act. (Regarding the pertaining provisions of the former Data Protection Act, see our earlier post on this topic.)

Section 8 (1) of the new Act lays down that data controllers falling under the scope of the Data Protection Act could transfer personal data to a data controller or to a data processor processing personal data in a third country if the data subject explicitly consents to such transfer or if the conditions for making data processing legitimate under Sections 5 and 6 of the Act are complied with and in the course of processing in the respective third country adequate protection of personal data will be ensured. Adequacy is given if a mandatory act of the European Union determines adequacy or if there is an international agreement in force between the third country and the Hungary including safeguard regulations on the enforcement right of data subjects arising from Section 14, on securing the right of legal remedy and on the independent control of data processing.

– Data Protection Register: Although the new legislation keeps the notification system of the former Data Protection Act (consequently, no authorization is needed for data processing), the new provisions introduce significant practical changes into registration matters.

As a rule, data processing must be notified to the National Agency for Data Protection and Freedom of Information, unless notification has been exempted by the Act. If notification is a must, data processing may be commenced after the registration has taken place. The registry is kept by the Hungarian DPA and the registration procedure is governed by the Act on the General Provisions of Administrative Procedure. The Agency is required to register data processing within 8 days after submitting the notification and if the Agency does not respond within this deadline, data processing could be commenced in conformity with the filing.

Although notification cannot be considered as an authorization to processing, data processing cannot be commenced until release of confirmation on registration by the DPA or at least until 9th day of submitting the notification sheet. This can be considered as a very important practical change, since the former Law required only the filing of the notification sheet but not registration.

The details to be notified into the registry generally conform to Section 28 (1) of the former Data Protection Act, however, the new legislation also requires the description of the “applied data processing technology”. Although no clarification has been provided in the ministerial reasoning of the new Act and we expect the clarification of the details to be notified by the registration manual of the Agency to be released in the future, we presume that notification of the “applied data processing technology” should include the description of the data processing applications used by the data controller / data processor.

The exemptions from the mandatory notification remained basically unchanged. In that regard, the new Act exempts from notification, inter alia, data processing relating to persons having an employment, membership, child care, student, student contract, student dormitory relationship or – with the exception of financial institutions (banks, insurance companies), community service providers and electronic communication service providers – having customer relationship with the data controller. Consequently, banks and insurance companies will be required to notify to the registry their data processing activity relating to customer data, including data transfers, outsourcing etc.

Finally, it must be noted that the Agency will charge a fee for data protection registrations. The service fee will be determined in a decree of the Minister of Justice.

– Data protection audit: the new legislation provides for the possibility of a data protection audit on the part of the National Agency for Data Protection and Freedom of Information. The data controller may request data protection audit on the part of the Agency for a charge specified in the decree of the Minister of Justice. Unless otherwise requested by the applicant, the evaluation made by the Agency shall be published.

– Conference of Internal Data Protection Officers: the new Data Protection Act also introduces the Conference of Internal Data Protection Officers which is headed by the President of the Agency and secures the information exchange between DPOs.

The new legislation has preserved the general principles of data processing, such as necessity and proportionality, the rights of the data subjects as well as the notice requirement by with minor changes as laid down by the currently effective Data Protection Act.

As a critique of the new legislation, we must add that the new Act basically relies on the outdated provisions of the former Data Protection Act and regrettably it did not consider the current developments of European data protection laws. For instance, the new legislation
– kept the general prohibition on sub-processing, which is an outdated provisions of the former legislation;
– in the new legislation the range of amount of the data protection fine (ca. EUR 35.000,- tops) cannot be considered as a real threat to huge data controllers or to multinational companies;
– no special provisions have been introduced as regards the processing of biometric data;
– the legal basis for the adoption of Binding Corporate Rules is still missing, thus, Hungary still cannot participate in the mutual recognition procedure of BCR’s;
– no data breach notification has been introduced in the new act;
– the distinction between the processing activity by the data controller and by the data processor has been upheld, although, t does not conform to the Article 29 WP Opinion on the data controller and data processor;
– the scope of the new Data Protection Act (which basically relies upon the principle of territoriality) does not conform to the Article 29 WP Opinion on the applicable law;
– in data protection registration matters, the new act introduces heavy burdens to data controllers.

Following the signature of the adopted bill by the President of the Parliament, the new Act shall be promulgated by the President of the Republic in the Official Gazette of Hungary. The new Act is scheduled to enter into force on 1 January 2012 together with the new Basic Law of Hungary.