New Data Protection Law in Hungary: Binding Corporate Rules and ’ad hoc’ contractual arrangements omitted from the list of adequacy instruments

The Hungarian Parliament has adopted the Act No CXII of 2011 on Informational Self-Determination and Freedom of Information (the new Data Protection Act of 2011), the domestic implementation of the European Data Protection Directive (95/46/EC) which will enter into force by 1 January 2012. The new Act will replace the Act LXIII of 1992 on the Protection of Personal Data and Public Access to Data of Public Interest (the Data Protection Act of 1992). The new legislation introduces significant changes, as it establishes a stronger DPA with administrative powers and provides a “balance of interest clause” which was completely missing from the Data Protection Act of 1992.

One of the most important changes which affect multinationals are the provisions of the new Act on international data transfers and determination of adequacy: the Data Protection Act 2011 requires for international data transfers either the explicit consent of the data subject, or – besides the reliance on the legitimacy of data processing – adequacy of protection of personal data. The new act recognizes adequacy if (i) a mandatory legal act of the European Union determines adequacy; or (ii) if there is an international agreement in force between the third country and Hungary which contains such safeguards.

Notably, Binding Corporate Rules and ‘ad hoc’ contractual clauses for international data transfers are omitted from the list of recognized “adequacy” instruments under the Data Protection Act of 2011. Considering that BCR’s were developed by the Article 29 Working Party and there is no “mandatory legal act of the European Union” behind such schemes, remarkably, the provisions of the Data Protection Act of 2011 do neither permit the use of BCR’s, nor the use of “ad hoc” contractual clauses in the future, but “Model Clauses” and reliance on third country adequacy decisions only. Notably, in the context of international data transfers, no change has been made as regards the requirement of the consent of the data subject to such transfers to be explicit, but the Data Protection Act of 2011 made it simply impossible to implement BCR’s in the Hungarian jurisdiction, which is clearly a significant backward step of the new legislation. As a consequence, multinationals using BCR’s and ‘ad hoc’ contractual arrangements for international data transfers from Hungary will be required to rely on explicit consent of the data subject, an adequacy decision of the EU or Model Clauses by 1 January 2012 at the latest.