Significant changes in the data protection regulation

7 August 2015

The Parliament adopted the Amendment to Act CXII of 2011 on Informational Self-determination and Freedom of Information (hereinafter the "Information Act") on 6 July 2015. The Amendment will strengthen the position of the Hungarian data protection authority (Hungarian National Authority for Data Protection and Freedom of Information, hereinafter the "Authority") and amend the provisions of the Information Act on the basis of recent experience. Below we summarize the most important developments of the Amendment, which affect all companies, including actors of the financial sector. These modifications will enter into force on 1 October 2015.

It is of great importance for multinational companies that the Amendment introduces the institution of Binding Corporate Rules (hereinafter referred to as "BCR") into the Information Act. BCR simplifies, for multinational companies, the export of personal data from the European Economic Area to other group entities located in third countries which do not ensure an adequate level of protection. Currently, under the provisions of the Information Act, the export of personal data is possible in the following cases: with the approval of the data subject, or where an adequate level of protection is secured in the third (non-EEA) country. The Amendment adds BCR to the Information Act as a new possibility for data transfer, one which was already acknowledged by EU legislation. BCR is an intra-group corporate policy of multinational companies, applied at group level, which regulates the transfer of personal data within the group to those group member companies where an adequate level of protection is not secured in the data importer's country. Data transfer based on BCR requires, on the one hand, the acceptance of BCR as a corporate policy and, on the other hand, the approval of the data protection authority.

Accordingly, the Amendment introduces the process for approval of BCRs by the Authority, which shall be initiated by the data controller. The Authority shall decide on the request within 60 days; it may decide on the approval, denial or completion of the request. In order to inform data subjects, upon approval the Authority will disclose the name of the data controller using BCR on its website.

A significant modification of the Information Act is that the Amendment extends the obligation to keep data breach registers to all data controllers; until now, only telecommunication service providers were subject to this obligation in Hungary. This internal data breach register shall have the following content: description of the data breach, data affected, group and number of people affected, date of the data breach, and measures taken to mitigate the effect of the breach. The aim of the Amendment is to properly inform the affected people about the data breach upon their request, and to enable the Authority to monitor the activity of data controllers regarding the data breach registry and to make suggestions, if needed, to prevent further breaches.

The most important change in the sanctions to be applied in administrative proceedings for data protection is that the maximum amount of the fine which can be imposed by the Authority doubles, to HUF 20,000,000.

