TRILANTICServicesSectorsPartnersResourcesAbout UsContact Us
Case StudiesTRILANTIC NewsletterFree Trial with your DataCost Savings CalculatorAsk The Experts
Document Library
Industrial Links
Glossary
News ReleasesFeatured Articles
Media KitForthcoming EventsEuropean Data Protection Rules

HUNGARY

 

The Hungarian Parliamentary Commissioner for Data Protection and Freedom of Information website: http://abiweb.obh.hu/dpc/

 

Act LXIII of 1992 on the Protection of Personal Data and Public Access to Data of Public Interest (as amended by Act No XLVIII of 2003): http://abiweb.obh.hu/dpc/index.php?menu=gyoker/relevant/national/1992_LXIII

 

What needs to be done prior to collection?

 

NOTIFY THE DATA PROTECTION COMMISSIONER OF INFORMATION FOR REGISTRATION

 

The Data Protection Register:

 

Article 28 – Information to be registered

 

(1)     Prior to commencing his activity, the data controller processing personal data shall notify the Data Protection Commissioner of the following to be registered:

a.       The purpose of the data processing

b.       The data categories and the legal basis for the processing thereof

c.        The range of data subjects

d.       The source of the data

e.        The categories and recipients of transferred data, and the legal basis of the transfer

f.         The time limits for the deletion of certain types of data

g.        The name and address (seat) of the data controller and of the technical data processor, the actual place of data processing or technical data processing, as well as any activity of the technical data processor related to the processing of data

 

Article 29 – Registration Number

 

(1)     Upon registration for the first time, each data controller shall receive a registration number. This registration  number shall be indicated whenever data are transferred, made public or supplied to the data subject

 

(2)     Any change in data specified in paragraph (1) of Article 28 shall be reported to the Data Protection Commissioner within 8 days, and the register shall be modified accordingly

 

Article 30 – Exceptions to registration

 

Registration in the data protection register shall not be required where data processing operations

(a)     Involve the data of persons having an employment, membership, student or customer relationship with the data controller,

(b)     Are governed by the internal rules of churches, religious denominations or religious communities,

(c)     Involve personal data relating to the diseases or state of health of persons receiving medial care, for purposes of medical treatment or preservation of health or for social insurance claims,

(d)     Involve data collected with the purpose of granting financial or other social assistance to the data subject or data registering such assistance,

(e)     Involve personal data of persons concerned by administrative, prosecutorial or judicial proceedings that are related to the conducting of such proceedings,

(f)      Involve personal data for the purpose of official statistics, provided that the identification of individuals with such data can be finally made impossible in a manner specified by the provisions of a separate act,

(g)     Involve data of companies or organs under the Press Law that serve solely their own informational activity,

(h)     Serve the purpose of scientific research, provided that the data are not made public,

(i)      Were transferred from the data controller to the archives, or

(j)      Serve a natural persons own purposes

 

Article 31 – Prior checking before registration

 

(1)     The Data Protection Commissioner may perform prior checking before registration

 

(2)     The Data Protection Commissioner may perform prior checking before the technical processing of new data files or the application of new technical data processing technologies at data controllers processing the following:

 

a.       Data files of national authorities, or national labour or criminal data files,

b.       Customer files of financial organisations or public utility providers,

c.        Files of telecommunications service providers relating to the users of their services, or

d.       Data files containing specific statistical data specified in a separate act

 

(3)     The data controller shall notify the Data Protection Commissioner of his intention to technically process new data files or to apply a new technical data processing technology 30 days prior to commencing such activity. The Data Protection Commissioner shall inform, within 8 days of receiving the above notification, the data controller of his intention to perform prior checking, and shall carry out the checking within 30 days. The data controller shall not start to technically process the data until the Data Protection Commissioner has completed his prior checking

 

(4)     On the basis of the checking the Data Protection Commissioner may call on the data controller to charge the range of data to be processed or the method of technical data processing. If the Data Protection Commissioner objects to the rule of law ordering the data processing, he may issue a recommendation for the amendment of that rule of law

 

CONTACT THE DATA SUBJECT

 

Article 6 – Information to be given prior to the collection of data

 

(1)     Prior to the collection of data the data subject shall be informed whether it is voluntary or compulsory to supply the data. In cases of compulsory supply the rule of law ordering data processing shall also be indicated.

 

(2)     The data subject must be given unambiguous and detailed information on all the facts relating to the processing of his data, in particular on the purposes and legal basis of the data processing, on the person authorised the carry out the data processing and the technical data processing, the duration of data processing, as well as who is authorised to have access to the data. Information shall also be given on the rights and remedies of data subjects in connection with the data processing

 

(3)     The information on data processing shall be considered to have been given where a rule of law orders the collection of data from an existing file by transfer of combination

 

(4)     If it is impossible to inform each data subject or if it would entail disproportionate expenses, particularly in the case of processing data for statistical or scientific (including historical research) purposes, information may be given by making public, in a way that will be accessible to all, the fact of data collection, the data subjects concerned, the purpose of the data collection, the duration of data processing, and the accessibility of data.

 

The data subjects rights

 

Article 11 – What the data subject may request

 

(1)     The data subject may request:

a.       Information on the processing of his personal data (Articles 12 and 13), as well as

b.       The rectification, or – except for data processing ordered by a rule of law – deletion of his personal details (Articles 14 to 16)

 

Article 12 - Information to be given at the request of the data subject

 

(1)     The data controller shall inform the data subject, upon his request, of the data processed by the data controller or technically processed by the technical data processor, of the purpose of the data processing, of its legal basis and duration, of the name, address (seat) and activity of the technical data processor in connection with the data processing, as well as those who received or will receive data and for what purpose. The duration of records on transfer and, on the basis thereof the obligation to give information, may be limited by rules of law on data processing. The limitation may not be shorter than 5 years with regard to personal data, or 20 years with regards to special data.

 

(2)     The data controller shall give the information in writing and in an easy to understand way, within the shortest time possible, but no later than within 30 days, of the lodging of the request

 

(3)     The information referred to in paragraph (2) is free of charge, unless in the given calendar year the person requesting information has already filed a request with the data controller for the same field. In other cases expenses may be charged. Such expenses shall be refunded where the data have been unlawfully processed or where the request for information has resulted in rectification.

 

Article 13 – Denial of information

 

(1)     The data controller shall not deny data subjects the information except where, in cases specified by Article 16, an Act authorises him to do so

 

(2)     The data subject shall be informed by the data controller of the grounds for the denial of information

 

(3)     The data controller shall annually report on requests which have been refused to the Parliamentary Commissioner of Data Protection

 

Article 16 – Restriction of data subject rights

 

The rights of the data subject (Articles 11 to 15) may be restricted by an Act in the interest of the external and internal security of the State, such as national defence, national security, crime prevention or criminal investigation, for the economic or financial interests of the State or the local Government, for important economic or financial interest of the European Union, for the prevention or exposure (including in all cases supervision and control) of professional disciplinary or ethical offences  or of breaches of labour law or labour safety obligations, as well as for the protection of the rights of data subjects or of other people. 

 

Article 18 – Data Subjects Compensation for Damages

 

The data controller shall be liable for any damage suffered by data subjects as a result of an unlawful processing of their data or as a result of infringement of the technical requirements of data protection. The data controller shall also be liable for any damage suffered by the data subject resulting from the actions of a technical data processor. The data controller shall be exempted from liability if he proves that the damage was the result of force majeure beyond the sphere of data processing 

 

No compensation shall be paid for the part of damage suffered by the damaged person as a result of his intentional or grossly negligent conduct

 

What needs to be done prior to shipping?

 

Article 9 – Data Transfer to foreign countries

 

(1)     Regardless of the data carrier or the way of the data transfer, personal data shall not be transferred to data controllers or technical data processors in third countries unless:

a.       The data subject has given his explicit consent

b.       Provided for by an Act or the adequate level of protection of the personal data in the third country is ensured during the processing or technical processing of the transferred data

 

(2)     The adequate level of protection of personal data is not ensured unless:

a.       The Commission of the European Communities on the basis of a legal act determined by a separate Act recognises that the third country ensures adequate level of protection,

b.       There is an international agreement in force between the third country and the Republic of Hungary including safeguard regulations on the enforcement right of data subjects arising from Article 11, on securing the right of legal remedy and on the independent control of data processing and technical data processing, or

c.        The data controller or technical data processor in the third country proves by introducing rules of data processing and technical data processing, that the protection of personal data is adequately ensured during the data processing and technical data processing, in particular when he performs the data processing or technical data processing according to the legal act of the Commission of the European Union as determined by a separate Act

 

(3)     Personal data shall be transferred into third countries in order to implement an international legal assistance agreement for the purpose and with the content laid down in the agreement

 

(4)     Data transferred to Member States of the European Economic Area shall be considered as data transfer within the territory of the Republic of Hungary

 

What are the Sanctions for non –compliance

 

Act IV of 1978 on the Criminal Code: http://abiweb.obh.hu/dpc/index.php?menu=gyoker/relevant/national/1978_IV

 

Section 177 – Violation of Privacy

(1)     Any person who reveals any private secret he has obtained in a professional or official capacity without due cause is guilty of a misdemeanour punishable with a fine.

(2)     The punishment shall be imprisonment for up to one year, community service work, or a fine, if the crime results in a considerable injury of interest.

Section 177/A – Misuse of Personal Data

(1)     Any person who, in violation of the statutory provisions governing the protection and processing of personal data:

a)       is engaged in the unauthorized and inappropriate processing of personal data;

b)       fails to notify the data subject as required by law;

c)       fails to take measures to ensure the security of data;

And thereby imposes significant injury to the interests of another person or persons is guilty of a misdemeanour punishable by imprisonment for up to one year, community service, or a fine.

(2)     The acts described under Subsection (1) shall be upgraded to felonies and punishable by imprisonment for up to three years if they are committed by a public official in the course of discharging a public duty or in the pursuit of unlawful financial gain or advantage.

(3)     Any misuse of special personal data shall be treated as a felony punishable by imprisonment for up to three years.

Please refer to the Hungarian Parliamentary Commissioner for Data Protection and Freedom of Information website for more information on the Statutes
© TRILANTIC - All rights reserved. | Disclaimer | Client Login