In order to comply with GDPR, the Hungarian Act on the protection of data has been amended in two steps. The first amendment dealt with the appointment of the authority and declared that it shall apply the “step-by-step” principle for imposing fines, whereas the second amendment includes a number of material provisions.

As expected, the National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság) has been appointed to execute the powers of the supervisory authority as per the GDPR. In addition, the first amendment declares as a principle that the authority shall have a step-by-step approach when dealing with breaches of law and use warning as a primary sanction instead of administrative fines in case of infringements for the first time.

The second amendment published in July brings several changes to the act in force, we highlight the followings.

According to the new rules, data controllers will have 25 days to examine requests related to the exercise of data subject rights and to inform them on their query.

The amendment leaves the institutions of investigation and the administrative proceeding as primary proceedings on data protection. The novelty is that these proceedings will not only be initiated ex officio but also upon request of the data subjects.

The amendment of the Data Protection Act stipulates several general regulations on the proceeding of the national authority. In all proceedings, with regard to the lawfulness of data processing, the burden of proof will be placed on data controllers and data processors.

In accordance with GDPR, the amendment introduces a process for authorization according to which the authority may approve the data controller’s codes of conduct on request (e.g. internal data processing rules) or authorizes contractual provisions by and between EU-based data controllers or data processors and those or the recipients of personal data seated in third countries or within an international organisation. The authorization process may be conducted on request and in return for an administrative service fee.

As it was expected, the mandatory registration of data controlling activities has been revoked. On the other hand, the act puts a stronger emphasis on internal registration of personal data. The data controller must keep record on (i) the personal data controlled by him; (ii) all personal data breaches and (iii) the measures taken in connection with the right of access of the data subject and must record the name and contact details of the person controlling the data and the data protection officer as well as the purpose and legal basis of data processing and the recipients of data transfer. In order to verify the legality of processing of data by electronic means, an electronic log shall be kept by the data controller as part of the internal registration in which the data controller and data processor must register the data prescribed by law in an automated data controlling system.