In line with the information requirements under Directive 95/46/EC, the Hungarian Data Protection Act (Info Act) provides that before data processing begins, the data subject must be given clear and detailed information on all circumstances of the processing. Hungary's Authority for Data Protection and Freedom of Information (NAIH) has now issued a more specific recommendation for companies on how to comply with these general information requirements in practice. NAIH also gave detailed clarifications on what privacy notices and privacy policies must contain and, in some cases, "reinvented" the provisions of the Info Act by imposing obligations on companies that are stricter than the Act itself.
Form and Language
One change concerns form and language, which the Info Act does not regulate at all. From now on, according to NAIH, more complex data processing operations should also be described in a table: the name, purpose and legal basis of the processing, together with the scope of the data and the applicable retention period, with a reference to the relevant legal provision where possible. Where data subjects may be foreign nationals, as with a guest book or an international tender, the privacy information should also be available in English. Where needed, the controller should make the privacy information accessible to persons with disabilities without obstacles. Legal declarations and privacy information should be kept separate, the clarification states.
Accessibility of the Privacy Information
While the Info Act does not contain such rules, NAIH specifies that it expects controllers to provide continuous access to their privacy notices and policies on the opening page of their websites and also during the most important steps of the processing, e.g., before and during a registration process. Where there are technical limits, such as the size of a ticket, at least the processing and the controller must be indicated, together with a link to the full privacy information.
Expectations from Bigger Organisations
If the controller has several departments in which different people have access to personal data, the external privacy information should include the processing terms of each department. The privacy information must also indicate which people can access the data and by what means, and must describe what operations those people may perform. It is not necessary to identify them by name; indicating their duties is enough. In practice, it may be difficult for bigger companies to describe all material data processing terms of all their departments in a single notice without overwhelming customers with too much privacy information, and the Info Act does not require this at all.
Specific Privacy Information
Mandatory information on the controller must include its name, address, telephone number, email address and the website where the privacy notices and policies are available. In one particular case, NAIH criticised a call centre whose call script did not require disclosure of the name of the controller, the source of the data, the processing purpose or the rights of the data subject.
Processing purposes must be described precisely. For example, it is not enough to state that the "data is processed for marketing", because this may cover both advertisements sent to the data subject and other forms of marketing, such as using the data in promotional materials. Industry-specific jargon such as "targeting" should be avoided. Where more complex processing serves multiple purposes, the relevant data should be listed per purpose.
Engaging a data processor does not require consent; however, the name, contact details and exact activities of the processor must be disclosed, e.g., that a hosting provider stores the personal data. A general reference such as "the controller uses a processor" or "the controller transfers the personal data to a processor" is not acceptable. The privacy information must also indicate which personal data the processor can access, the duration of that activity and the exact operations the processor performs on the data. Again, the Info Act does not require this level of detail about processors, and any change in a processor's activities means the privacy notice must be amended yet again.
NAIH expects controllers to describe their data security measures briefly and clearly. The Info Act does not require this information, and it is questionable in practice how security measures can be summarised in a way that is both meaningful to an average user and does not disclose details an attacker could use.
The Info Act provides that in the case of automated decisions, data subjects must receive information on the automated method applied and the logic behind it only upon request, and must be given the opportunity to state their opinion. NAIH now goes beyond the Info Act and requires companies to inform data subjects of automated decision-making in advance, since it may affect the data subject's decision whether to give consent.
“Balance of Interests” Tests
Privacy notices must also state whether data are processed without consent on the basis of legitimate interest. Companies must perform a so-called "balance of interests" test, in which the legitimate interest of the controller, the interest of the data subject and the underlying privacy right are identified, and the result of the balancing determines whether the data may be processed. Data subjects should also be informed of the data protection measures taken in view of the lack of consent and of their right to object to the processing. NAIH's recommendation gives no further detail on the protective measures expected in such cases, which may be problematic, because the Info Act does not require such additional measures at all.
Privacy Rights and Remedies
The privacy information must cover the rights and remedies of data subjects in detail, together with how requests can be submitted and the deadline for the controller to fulfil a request. NAIH allows companies to introduce mechanisms to verify the identity of data subjects exercising their privacy rights. It is advisable to explain the content and the particular characteristics of each right, e.g., in the case of CCTV, correction of the data should mean correcting the date on the recording. Companies may point out that data subjects should first address their complaints to the controller.
According to NAIH, if shortcomings in the privacy information materially affect individuals' consent, so that they can foresee the consequences of the processing only to a limited extent, the processing may be unlawful. In such a case, NAIH may impose a fine of between HUF 100,000 (approximately €320) and HUF 20,000,000 (approximately €64,050). It is therefore of primary importance for Hungarian companies, and for companies that may be subject to Hungarian data protection law on the basis of the Weltimmo case, to review their privacy notices, policies and practices in light of NAIH's new recommendation.