On 18 July, the Hungarian Financial Supervisory Authority (PSZÁF, referred to here as the HFSA) issued a circular for Hungarian financial institutions on the use of cloud computing technologies. It is the first time that a Hungarian regulatory authority has issued such an opinion. The document outlines detailed proposals for financial institutions on data classification, pre-contracting tasks and the contents of the service agreement with the cloud provider.

Regulatory considerations

The HFSA expressly reminds the management, IT, internal audit, compliance and legal departments of financial institutions that, if the company intends to use cloud computing services, they shall pay particular attention to the following.

  • Obtaining cloud services is considered “outsourcing” under the Hungarian sector-specific regulations, which results in the application of certain additional rules; e.g., notification to the HFSA and specific data processing obligations.
  • It is important to continuously monitor changes in the EU regulations affecting cloud computing services, as well as related practices and best-practice recommendations.
  • It is also essential to keep an eye on Hungarian and EU data privacy provisions and practices—in particular practices and resolutions concerning cross-border data transfers or data transfers to third countries.
  • The relationship between the master services agreement to be concluded and the related SLAs shall be harmonised.

Data classification

According to the HFSA, it is important to classify the data processed by the financial institution before determining which data can be transferred to the cloud at all. The circular states that it is not recommended to process bank secrets, personal data or other sensitive data in the public cloud, and notes that the physical storage location or place of processing of data, in the public cloud in particular (e.g., outside of the European Economic Area or the Safe Harbor), substantially influences the possibility of compliance with the EU data protection regulations.

Technical considerations

Before the conclusion of the relevant contract, the HFSA recommends studying the so-called "Sopot Memorandum" publication of the International Working Group on Data Protection in Telecommunications and the documents of ENISA.

In addition, the HFSA requests financial institutions—on the basis of the minimum security requirements of the BSI (the German Federal Office for Information Security)—to consider at least the following risks.

  • Some technological means of defence are not yet able to provide, in the virtual environment on which cloud computing services are based, the same level of security as their physical counterparts; e.g., virtual network protection or complete confidentiality of the data processed in the cloud.
  • Digital forensics and incident management may be difficult for clients of a public CSP; e.g., the accessibility and integrity of log files, the possible deletion of the virtual machine together with its log files, or a failure by the CSP to archive them. According to the HFSA, a snapshot encrypted and stored as a file could serve as appropriate evidence; such a snapshot can be stored digitally signed.
  • A process that the financial institution cannot itself maintain with adequate controls should not be outsourced to a CSP without adequate controls.
  • The service provider shall specify the possible sites of data processing. This is important because of the legal environment of the transferee’s country. If possible, data transfer outside the EU or the Safe Harbor shall be avoided.
  • The transfer and storage of data shall be protected by modern encryption, and remote access to data—typically through the Internet—shall be based on modern identification technology; e.g., two-factor authentication with strong cryptography.
  • Security logging is expected for the definition of data location, and for copying, deletion and other kinds of access to data.
  • Data deletion shall be executed by secure methods; e.g., by overwriting the location of the deleted data multiple times with random data.

Pre-contracting tasks

The HFSA reminds financial institutions that the cloud service contract is key to maintaining the confidence of customers and to the transparent, safe operation of the enterprise; therefore, the formulation of its content is particularly important.

The circular lists the following issues to consider in the pre-contracting phase:

  • Options for the financial institution to continuously monitor the master agreement and the SLA(s);
  • Uniform use of definitions and terminology in the master agreement and the SLA;
  • Using standard form contracts and general terms and conditions is not recommended—in particular those not governed by Hungarian law;
  • Defining conditions in the contract which do not hinder a change of service provider, in order to avoid “lock-in”: the possibility to terminate the contract, and securing free access to the data at all times in a form which enables data portability;
  • Ensuring high-availability controls; e.g., geographically separated, fault-tolerantly configured, clustered servers and data storage units hosting the virtual servers, and excellent DRP deployment—realistic disaster recovery plans and their genuine tests, which must match the business continuity plan of the client, and a definition of responsibility for the tests;
  • Providing strong incident management processes—immediate and as comprehensive as possible information to the client;
  • Flexibility of the CSP in meeting changing capacity needs; e.g., fast resource allocation during periodic overloads or, conversely, flexible pricing when needs decrease;
  • Regulation, practical application and supervision of change management controls; e.g., the definition of changes affecting the quality of service of which the client shall be informed immediately;
  • Independent audits, taking into account the CSP's business and security interests, whose contents are available to the client; e.g., vulnerability tests, unauthorised access tests from outside and inside (including between clients), and security certifications; e.g., ISO 27001, SAS70v2:ISAE3402, PCI DSS;
  • Implementing dispute resolution provisions—applicable law and competent forum—and procedures to follow in the case of requests from authorities, including the conditions for the release of clients' data; and
  • Detailed preparation of enforceable safeguards and liability provisions with a view to the Hungarian legal system—clarification of responsibilities, avoiding limitation of liability clauses, liability insurance and/or a bank guarantee from the service provider, etc.

Practical considerations

The issuance of the circular is a remarkable first step in analysing the legal issues of cloud computing from a Hungarian law point of view, and it may also be a stark reminder to financial institutions, and perhaps other businesses, to exercise caution when engaging cloud services. However, at this stage the contents of the circular only address general legal questions and risks. The findings of the HFSA raise further wide-ranging issues, and the issuance of the circular is also an important opportunity for the HFSA or the Hungarian Data Protection Supervisory Authority to advise businesses regarding cloud computing in a more detailed and specific manner in the future.

As mentioned above, the HFSA also recommends listing the location(s) of the data processing in the cloud service contract, and that financial institutions should avoid data transfer outside the EU or a Safe Harbor. Whilst data transfer outside the EU is a sensitive issue in cloud computing services, especially in the case of financial data, the HFSA should support other legal measures which are also accepted in the Hungarian practice to ensure the adequate protection of the personal data in third countries, like EU Model Clauses or specific data transfer agreements.

It is also important to note that the circular does not expressly address the allocation of liability between the financial institution and the cloud provider. Under the rather strict rules of Hungarian data privacy law, the data controller shall be liable vis-à-vis third parties for damages that occur due to a breach of the data protection rules by its data processor. The data controller shall be exempted from such liability only if it can prove that the breach was caused by a reason falling outside the scope of the data processing. In 2012, the Hungarian Data Protection Supervisory Authority (NAIH) already imposed notable fines on financial institutions—approx. €6,600 in one case—for the breach of data security obligations. Therefore, it is strongly advisable for financial institutions to regulate the allocation of their liability with the cloud provider in the cloud service contract. For example, an appropriate indemnity clause would mitigate the financial institution’s damages where its statutory liability arises due to the fault of the cloud provider, i.e., where, as a result of a data breach by the cloud provider, the financial institution is obliged to reimburse the damages of its clients or is fined by the NAIH.

Until further recommendations are issued by the authorities, financial institutions should review their existing or prospective cloud service contracts to assess whether they comply with the circular and make the necessary amendments, if needed. The legal compliance of the technical and contractual details of the implementation may be verified by the HFSA during its on-site audits. In order to constantly monitor the data privacy regulations and recommendations in the EU and in Hungary, as proposed in the circular, it may be useful for financial institutions to prepare and continuously update an internal document recording their findings, in order to prove that they did their best to comply with the recommended practice of the HFSA.

Written By

Marton Domokos