Hungary: Recent Developments In Hungarian Data Protection Law

Data protection has become a focal issue for most enterprises. Companies offering a high level of data security and sensitivity to data protection are praised by their customers, while data breaches and negligent data protection practices may result in negative PR and investigations by authorities. 2016 will bring many interesting developments in terms of data protection in Hungary and in Europe as a whole. In this client alert, we would like to draw your attention to recent developments which may have direct implications on your organization.

• As a result of the amendment of the Hungarian Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (HDPA), as of January 1, 2016, the deadline to respond to a data subject's inquiry is shortened from 30 to 25 days. This change requires the review of data protection policies and terms of use.
• You may be aware that the European Court of Justice (ECJ) has recently declared the "Safe Harbour" regime, a widely used legal tool to ensure the legality of data transfers to the USA, to be unlawful (Case C-362/14). Therefore, it is advisable for all companies transferring personal data from Europe to US to revisit their internal regulations, policies and contracts concerning such transfers.
• To date, "binding corporate rules" (BCR) have been considered to be a robust legal tool for ensuring the legality of international data transfers, and it is worth considering whether to implement them at your company. Until recently, BCR had not been acknowledged as an eligible legal tool for ensuring the legality of international data transfers under Hungarian law. However, as of October 1, 2015, the HDPA incorporated BCR, enabling you to bring your Hungarian operations under an umbrella of BCR. The use of BCR in Hungary is, however, conditional on their registration with the Hungarian Data Protection Authority. Also, it is to be noted that the use of standard contractual clauses (as defined by the European Commission) for international data transfers beyond the boundaries of the EU and the EEA, continues to be a viable, practical and cost effective option to ensure European data protection compliance.
• On December 15, 2015, the European legislative bodies reached a final compromise concerning the new EU Data Protection Regulation. The new regulation will establish a uniform set of rules throughout the entire EU, create a one-stop-shop policy enabling organizations to deal with a single supervisory authority, and will cut back administrative burdens on companies. Although the new rules will only become applicable after two years, it is recommended that companies adopt changes in due time in preparation for the new regime.

In the event that you wish to review your data protection policies, internal regulations, policies and contracts concerning data transfer, would like to apply your existing BCR at your Hungarian entity, or you plan to implement standard contractual clauses, we are best positioned to assist you in such efforts.

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.