Happy New Year – Amendments of the New Hungarian Data Protection Act Published

Shortly before the entry into force of the new Hungarian data protection legislation on 1 January 2012, the Hungarian Parliament has already made certain changes to the new law. Act No CCI of 2011 – promulgated in the Official Gazette of 30 December 2011 – (hereafter referred to as ‘Amendment’) has made the following minor changes to the Data Protection Act:


1. International Data Transfers: the original language of the Data Protection Act 2011 required, for international data transfers, either the explicit consent of the data subject or – besides reliance on grounds for the legitimacy of data processing – an adequate level of protection of personal data. The new wording of the law provides that in emergency situations, or in case of the vital interest of the data subject or a third person (see EU DP Directive Art. 7(d) and Section 6 (2) of the new act), data may be transferred to a third country controller / processor without the requirement to secure an adequate level of protection in relation to the data transfer.

2. Transfer / Handover of data: as regards international data transfers, the original wording of the new law did not distinguish between transfers to controllers and data transmissions to processors. The recently released Amendment slightly changed the language of the law and made it clear that the controller does not “transfer” the data to its third country processor, but “hands over” the data. However, considering that the same rules apply to “data transfers” as well as to “handover” of data in the context of international data transfers, this change can apparently be considered only a technical one without any practical implications.

3. The Amendment also slightly changed the wording of the new law as regards the access rights of the data subject. The original version of Section 15 (4) of the Act stated that the data controller shall give the information on data processing in written form (which in practice means a requirement to use paper form, facsimile or an advanced electronic signature (AES)). The Amendment states that the data controller shall provide the information in written form only if the data subject so requests. Thus, access rights may also be granted in simple electronic form, unless the data subject expressly indicates otherwise. Finally, as regards the “marking of personal data” (which means referencing the data with an identification marking with the aim of distinguishing it), the Amendment requires that information be provided to the data subject as well as to transferees if marking of data is effected. However, such information may be dispensed with if, in view of the purpose of processing, no legitimate interests of the data subject are thereby infringed.

Apparently, the above amendments of the new Hungarian Data Protection Act are only minor / cosmetic changes which do not concern the merits of the law. We therefore note with regret that the Hungarian legislator did not react to the “real”, critical issues of the new legislation, such as the prohibition of the use of sub-processors, the broad requirements for logging the use of automated data processing systems, or the issue of Binding Corporate Rules, which were completely omitted from the list of recognised adequacy instruments.