Blog

The General Data Protection Regulation (“GDPR”) will be directly binding from 25 May 2018, among other EU member states, in Hungary. Consequently, the Hungarian legislation has an obligation to adopt legal provisions that facilitate the execution of the GDPR. The first draft (“Draft”) of the modification of the current data protection law in Hungary, Act CXII of 2011 on Informational Self-Determination and Freedom of Information (“Privacy Act”), has already been published.

We have collected the most important points of the Draft.

• First of all, it is essential to adopt a system of definitions, principles and general provisions which comply with the GDPR.

For example, the Draft adds the biometric and genetic data to the category of sensitive data which until now were unfamiliar concepts in the Hungarian data protection system. The Draft changes the definition of consent as well, clarifying that the consent may not only be a declaration of the data subject but also any other conduct that indicates his/her will without doubt.

However, the Draft fails to adopt the system of legal basis for data controlling established in the GDPR in its entirety, as legitimate interest is not listed among these.

• In certain cases, the GDPR allows room for member states to adopt their own provisions. Based on such opportunity provided by the GDPR, the Draft introduces an extensive post-mortem data protection.

Pursuant to the Draft, the data subject may authorize someone who may practice the data subject’s certain privacy rights in case of his/her death: the right to access, right to request rectification, right to request blocking or deleting, as well as the right to object.

In lack of such authorization, the close relatives of the deceased data subject may ex lege practice the right to rectification and right to request blocking or deleting, as well as the right to object, but only if the data controlling was already illegal before the death of the data subject or if the cause of data controlling ceased upon his/her death. The close relatives may also request information on the actions of the data controller regarding the deceased data subject’s personal data. Close relatives may exercise the above rights for five years from the time of the data subject’s death.

• The GDPR emphasizes the special needs of small and medium-sized enterprises (“SMEs”) and encourages the member states and their data protection authorities to consider those needs when adopting the GDPR.

The Draft does not seize this opportunity, thus allowing SMEs to be subject to administrative fines up to 20,000,000 EUR.

Section 12/A of Act XXXIV of 2004 on the SMEs and the support of their improvement (“SME Act”) introduced a general rule according to which authorities shall give a verbal notice instead of imposing any administrative fine if the SME in question qualified as a first time offender. The Draft explicitly declares that this provision will no longer be applicable in data protection cases.

The above choice has met the criticism of not only the representatives of SMEs but of lawyers and several civil organizations; even a citizens’ initiative was started in order to convince the legislation to reconsider the exclusion of data protection cases from the application of Section 12/A of the SME Act.

• In addition to the above, there are sectoral legal regulations (e.g. laws on health care, electricity, silviculture, etc.) that concern data protection matters – the Draft does not modify these besides replacing the references to the provisions of the Privacy Act to ones of the GDPR.
• It is worth mentioning that the Draft not only includes the modifications necessary to comply with the GDPR, but also the implementation of the Directive on the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.

At the moment, the legislation process regarding the modification of the Privacy Act is far from complete; the Draft is still subject to possible changes.

The deadline for the Draft’s public discussion ended on 8 September 2017 but the received comments have not yet been published. Considering the above criticism regarding the lack of patience towards SMEs, it is safe to assume that these criticisms have appeared also in some of the relevant comments. Hopefully, the Hungarian legislation will react to these with positive changes in the Draft.

dr. Aliz Póczek – dr. Krisztián Tivadar