By Dan Cooper

On 11 July 2011, Hungary adopted a new data privacy law (Act CXII of 2011 on Informational Self-Determination and Freedom of Information) (the “Act”), which will enter into force on 1 January 2012. The main changes brought about by the Act are briefly discussed below:

1. Legitimacy of Processing. One of the new provisions of the Act provides that personal data may be processed without the consent of the data subject, if it is impossible or requires disproportionate effort to obtain the consent and the processing is necessary (i) in order for the data controller to comply with a legal obligation, or (ii) in order for the data controller to assert his legitimate interests and such necessity restricts privacy proportionally. Further, if personal data has been collected and processed on the basis of a data subject’s consent, the data may continue to be processed even if the data subject revokes his or her consent, as long as either condition (i) or (ii) above is met.

2. Registry of data transfers. The Act requires data controllers to set up and maintain a registry of data transfers. Such registry must contain the date, legal basis and recipient of the data transfer and a description of the data transferred.

3. Data security obligations. The Act introduces additional data security obligations. For example, data controllers must ensure that no unauthorized use of data takes place and that it is possible to track the parties to whom personal data have been transferred and recover that data.

4. Information rights. The Act provides some flexibility regarding the methods of meeting data controllers’ obligations. For example, if it is impossible or would impose disproportionate costs to provide information on the data processing to the relevant data subjects personally, the Act allows the information to be provided via a general publication.

5. Enforcement powers. Under the Act, a new data protection authority (the “Authority”) will be established, which will be granted full powers of investigation and authority to impose fines. Fines may range between HUF 100,000 (approximately EUR 370) and HUF 10 million (approximately EUR 36,500).

6. Registration requirements. Following the entry into force of the Act, companies cannot commence their data processing activities until they have registered with the data protection registry and the Authority has acknowledged such registration. In addition, a fee will be payable for the registration. The amount of the fee will be determined by a separate law. Companies can avoid making this payment if they register with the Authority under the old data privacy regime before the Act becomes effective.

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.