By Dan Cooper and Helena Marttila
On 11 July 2011, Hungary adopted a new data privacy law (Act CXII of 2011 on Informational Self-Determination and Freedom of Information) (the “Act”), which will enter into force on 1 January 2012. The main changes brought about by the Act are briefly discussed below:
1. Legitimacy of Processing. One of the new provisions of the Act provides that personal data may be processed without the consent of the data subject if obtaining the consent is impossible or would require disproportionate effort and the processing is necessary (i) in order for the data controller to comply with a legal obligation, or (ii) in order for the data controller to assert his legitimate interests and such necessity restricts privacy proportionally. Further, if personal data has been collected and processed on the basis of a data subject’s consent, processing of such data may continue even if the data subject revokes his or her consent, as long as either condition (i) or (ii) above is met.
2. Registry of data transfers. The Act requires data controllers to set up and maintain a registry of data transfers. Such registry must contain the date, legal basis and recipient of the data transfer and a description of the data transferred.
3. Data security obligations. The Act introduces additional data security obligations. For example, data controllers must ensure that no unauthorized use of data takes place and that it is possible to track the parties to whom personal data have been transferred and recover that data.
4. Information rights. The Act provides some flexibility regarding the methods of meeting data controllers’ obligations. For example, if it is impossible or would impose disproportionate costs to provide information on the data processing to the relevant data subjects personally, the Act allows the information to be provided via a general publication.
5. Enforcement powers. Under the Act, a new data protection authority (the “Authority”) will be established, which will be granted full powers of investigation and authority to impose fines. The amount of the fine may range between HUF 100,000 (approximately EUR 370) and HUF 10 million (approximately EUR 36,500).
6. Registration requirements. Following the entry into force of the Act, companies cannot commence their data processing activities until they have registered with the data protection registry and the Authority has acknowledged such registration. In addition, a fee will be payable for the registration. The amount of the fee will be determined by a separate law. Companies can avoid making this payment if they register with the Authority under the old data privacy regime before the Act becomes effective.