{"id":730,"date":"2011-09-12T08:52:58","date_gmt":"2011-09-12T06:52:58","guid":{"rendered":"http:\/\/www.dataprivacy.hu\/?p=730"},"modified":"2011-09-17T06:50:20","modified_gmt":"2011-09-17T04:50:20","slug":"new-data-protection-law-in-hungary-binding-corporate-rules-and-%e2%80%99ad-hoc%e2%80%99-contractual-arrangements-omitted-from-the-list-of-adequacy-instruments","status":"publish","type":"post","link":"https:\/\/www.dataprivacy.hu\/?p=730","title":{"rendered":"New Data Protection Law in Hungary: Binding Corporate Rules and \u2019ad hoc\u2019 contractual arrangements omitted from the list of adequacy instruments"},"content":{"rendered":"<p>The Hungarian Parliament has adopted the Act No CXII of 2011 on Informational Self-Determination and Freedom of Information (the new Data Protection Act of 2011), the domestic implementation of the European Data Protection Directive (95\/46\/EC) which will enter into force by 1 January 2012. The new Act will replace the Act LXIII of 1992 on the Protection of Personal Data and Public Access to Data of Public Interest (the Data Protection Act of 1992). The new legislation introduces significant changes, as it establishes a stronger DPA with administrative powers and provides a \u201cbalance of interest clause\u201d which was completely missing from the Data Protection Act of 1992.<\/p>\n<p><!--more-->One of the most important changes which affect multinationals are the provisions of the new Act on international data transfers and determination of adequacy: the Data Protection Act 2011 requires for international data transfers either the <em>explicit consent<\/em> of the data subject, or \u2013 besides the reliance on the legitimacy of data processing \u2013 <em>adequacy of protection<\/em> of personal data. The new act recognizes adequacy if (i) a mandatory legal act of the European Union determines adequacy; or (ii) if there is an international agreement in force between the third country and Hungary which contains such safeguards.<\/p>\n<p>Notably, <a href=\"http:\/\/ec.europa.eu\/justice\/policies\/privacy\/binding_rules\/index_en.htm\" target=\"_blank\">Binding Corporate Rules<\/a> and \u2018ad hoc\u2019 contractual clauses for international data transfers are omitted from the list of recognized \u201cadequacy\u201d instruments under the Data Protection Act of 2011. Considering that BCR\u2019s were developed by the Article 29 Working Party and there is no \u201cmandatory legal act of the European Union\u201d behind such schemes, remarkably, the provisions of the Data Protection Act of 2011 do neither permit the use of BCR\u2019s, nor the use of \u201cad hoc\u201d contractual clauses in the future, but \u201c<a href=\"http:\/\/ec.europa.eu\/justice\/policies\/privacy\/modelcontracts\/index_en.htm\" target=\"_blank\">Model Clauses<\/a>\u201d and reliance on <a href=\"http:\/\/ec.europa.eu\/justice\/policies\/privacy\/thridcountries\/index_en.htm\" target=\"_blank\">third country adequacy decisions<\/a> only. Notably, in the context of international data transfers, no change has been made as regards the requirement of the consent of the data subject to such transfers to be explicit, but the Data Protection Act of 2011 made it simply impossible to implement BCR\u2019s in the Hungarian jurisdiction, which is clearly a significant backward step of the new legislation. As a consequence, multinationals using BCR\u2019s and \u2018ad hoc\u2019 contractual arrangements for international data transfers from Hungary will be required to rely on explicit consent of the data subject, an adequacy decision of the EU or Model Clauses by 1 January 2012 at the latest.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Hungarian Parliament has adopted the Act No CXII of 2011 on Informational Self-Determination and Freedom of Information (the new Data Protection Act of 2011), the domestic implementation of the European Data Protection Directive (95\/46\/EC) which will enter into force by 1 January 2012. The new Act will replace the Act LXIII of 1992 on [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[28],"tags":[179,36,178,181,137,182,842,55,56,180,130,92,63],"_links":{"self":[{"href":"https:\/\/www.dataprivacy.hu\/index.php?rest_route=\/wp\/v2\/posts\/730"}],"collection":[{"href":"https:\/\/www.dataprivacy.hu\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dataprivacy.hu\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dataprivacy.hu\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dataprivacy.hu\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=730"}],"version-history":[{"count":11,"href":"https:\/\/www.dataprivacy.hu\/index.php?rest_route=\/wp\/v2\/posts\/730\/revisions"}],"predecessor-version":[{"id":743,"href":"https:\/\/www.dataprivacy.hu\/index.php?rest_route=\/wp\/v2\/posts\/730\/revisions\/743"}],"wp:attachment":[{"href":"https:\/\/www.dataprivacy.hu\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=730"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dataprivacy.hu\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=730"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dataprivacy.hu\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=730"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}