Data Protection Enforcement in Hungary

Administrative Remedies

The Hungarian National Authority for Data Protection and Freedom of Information (“Authority”) has the power to investigate cases upon receipt of a complaint or ex officio. If the Authority commences a formal supervision procedure, the Authority may establish infringement of the Data Protection Act; prohibit illegal data processing; order the blocking or deletion of data; order the suspension of data processing; and prohibit data transfer abroad. The Authority may order the publication of the name of the data controller if the decision applies to a large number of data subjects and if publicizing the decision serves the interest of data protection. The Authority also is authorized to impose a data protection fine on a data controller if the Authority determines that material provisions of the Data Protection Act were infringed. The fines may range from HUF 100,000 (approx. €333) to HUF 10 million (approx. €33,333) in the Authority’s discretion, depending on the facts and circumstances of the case. However, with effect from October 1, 2015, the Authority will be authorized to impose a fine of up to HUF 20,000,000 (approx. €66,666). The Authority’s decisions may be challenged before a court.

Civil Remedies

A data subject who believes that his/her rights have been infringed may institute court proceedings against the data controller. The data controller is liable for any damage to personal rights suffered by a data subject as a result of the unlawful processing of personal data or the infringement of the technical requirements of data protection. In case of such harm, the data subject may request a court: to establish the infringement of his/her personal rights; to require the cessation of the infringement or the granting of satisfaction (i.e., ordering, at the expense of the infringer, the prominent displaying of the operative part of the court’s decision or any other corrective statement requested by the applicant); to order that the financial gains achieved through the infringement be handed over to the data subject; and to award compensation for damages. The data subject also may claim exemplary damages (lump sum damages) which a court may award to compensate for the harm to personal rights (such as data protection rights) which occurred due to the data controller’s unlawful data processing or breach of data security requirements. In the claim for exemplary damages, the data subject is not required to evidence the existence of harm beyond the mere breach of data protection laws.

Criminal Remedies

The Penal Code (Act C of 2012) penalizes the breach of the provisions of the Data Protection Act, including data processing for unjustified or unauthorized legal purposes, the violation of the requirement to provide notice or any omission of data security requirements – if the breach is committed for financial gain or if such illegal conduct causes significant detriment to the data subject or to others – with up to one year’s imprisonment. A higher penalty (of up to two years’ imprisonment) applies if sensitive data (i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health data or sex life) was the subject of the criminal conduct.

Other Remedies

An executive officer of a legal person and the individual responsible for data processing each may be held liable for the legal person’s non-compliance with data protection requirements if such non-compliance constitutes a crime. Under the Act on the Measures Applicable to Legal Entities under the Criminal Code (Act CIV of 2001), if a shareholder, officer or an employee of a legal entity committed a crime aimed at or resulting in the legal entity gaining financial advantage and such conduct could have been prevented by the executive officer by fulfilling his supervisory or control duties, a criminal court may impose a fine equal to at least 500,000 HUF (approx. €2,500) and at most three (3) times the amount of the financial advantage gained or intended to be gained by the legal entity through the criminal act. If the amount of the advantage cannot be estimated or is difficult to estimate, the criminal court may make its own estimate and assess fines accordingly.

Selected Enforcement Actions / General Comments

The Authority has been operating since January 1, 2012. In 2012, the Authority conducted 33 administrative procedures and as a result, issued fines in a total value of HUF 33 million (approx. €106,000). In 2013, the Authority conducted 41 administrative procedures and issued fines in a total value of HUF 49 million (approx. €160,000). In 2014, 30 administrative procedures were conducted and the total amount of data protection fines imposed by the Authority was HUF 45 million (approx. €150,000). The Authority tends to impose fines only in cases in which it determines that a serious infringement of the Data Protection Act occurred. Other non-monetary sanctions are used more frequently by the Authority than monetary sanctions. In 2013, the Authority’s examinations focused on the following areas: data processing activities relative to websites, in particular the processing of minors’ personal data in the course of their registration on websites; and data processing in regard to debt management and recovery. In 2014, the Authority focused on product presentation events and continued to focus on data processing relative to debt recovery. In 2015, the enforcement priorities of the Authority are investigations relating to the data processing activities of debt collection agencies, data processing for product presentation events (“roadshows”), as well as data processing for telemarketing purposes. The Authority has imposed the maximum fine on data controllers several times, including in the following cases:

  • in August 2012, the Authority fined a Slovak entity, Weltimmo s.r.o., an online real estate agent, for its failure to comply with statutory requirements under the Data Protection Act, including failure to provide notice and obtain consent, lack of a purpose limitation to the data processing, the processing and transfer of data without a valid legal basis and not complying with data subjects’ access and deletion requests. This case is currently pending before the Kúria (the Supreme Court of Hungary) and has been submitted to the CJEU for a preliminary ruling under Case No. C-230/14;
  • in 2014, the Authority issued several decisions imposing penalties on companies conducting product presentation roadshows, which were found to have illegally collected health data from vulnerable consumers, including in September 2014 on a roadshow company conducting illegal data processing operations and again in April 2015 on a roadshow company for illegally processing personal data and sensitive data of consumers and for not complying with data subjects’ access and deletion requests;
  • in December 2014, the Authority issued the maximum fine on a telemarketing company for failing to comply with consent, notice, registration and data security obligations; in March 2015, the Authority fined another telemarketing company for creating direct marketing databases without properly informing data subjects that their data may be sold to third parties and for not keeping accurate active filings in the data protection register.

As there are very few published court cases addressing the breach of the Data Protection Act, no general conclusions can be drawn about the courts’ approach to the imposition of civil and criminal remedies. Moreover, such court decisions are based on the particular facts and circumstances of each case, and Hungarian courts are not required to follow the decisions of higher or equally ranked courts (other than Kúria decisions adopted in the interest of uniform legal interpretation and Constitutional Court decisions). The Authority’s decision may be appealed at court based on a material legal issue (such as the alleged wrongful interpretation of the law) or on procedural grounds. If, on appeal, the court finds that the Authority breached the applicable administrative procedural rules or misinterpreted a provision of applicable law, then the court must require the Authority to conduct new proceedings, as the courts do not have the authority to overrule the Authority’s findings on appeal.