Global menu

Our global pages


New Act amending sectorial laws necessary for the implementation of the data protection reform of the European Union

  • Hungary
  • General


New Act amending sectorial laws necessary for the implementation of the data protection reform of the European Union

26 June 2019

Although the General Data Protection Regulation of the European Union (“GDPR”) has been in effect also in Hungary since 25 May 2018, the Parliament has adopted some detailed rules for supplementing or derogating from the GDPR only in April this year. Act XXXIV of 2019 on the Amendments Necessary for the Implementation of the Data Protection Reform of the European Union (“the Act”), amending 86 acts came into force on 26 April 2019. Let's see what the main changes are.

Major legislative changes to implement the GDPR

According to the general reasoning of the Act, the purpose of it is to ensure the necessary legal coherence for the implementation of the GDPR by amending certain sectoral acts. With this in mind, the provisions of the individual acts on data management and data protection change. The laws affected by the amendment concern a wide area of law, including, inter alia, the amendment of Act I of 1988 on Road Transport, Act IV of 1991 on Job Assistance and Unemployment Benefits. Act XLIX of 1991 on Bankruptcy and Liquidation Proceedings, Act XXXIV of 1994 on Police, Act CXXXIII of 2005 on the Rules of Personal and Property Protection and Private Investigation Activities and the data protection provisions of Act I of 2012 on the Labour Code.

In the following we briefly summarize the main changes.

1. Amendments to the Labour Code

The employee's personal rights may be limited by the employer only when it is strictly necessary for reasons directly related to the purpose of the employment relationship and in proportion to the purpose. This rule is unchanged, and the employer must inform the employee in advance about the manner, conditions and expected duration of the limitation of the personality right. However, the legislator made it clear that this prior notification should be made in writing and should cover the circumstances justifying the necessity and proportionality of the restriction.

In the Labour Code, the provisions concerning the processing of the employee's personal data have been placed under a separate subheading.

The Act - in concordance with the previous regulation - states that the employer may require the employee to make a declaration or to disclose personal data that is essential for the establishment, performance, cessation, termination of employment or for the enforcement of a claim arising from the law. At the same time, it states that the employer can only ask for a document to be shown for verification, i.e. under this provision, it is no longer allowed to make a copy the personal identity card and keep it.

The new rules stipulate in relation to aptitude tests that the employee can only be subjected to an aptitude test prescribed by regulation on employment or is necessary to exercise the right or obligation under an employment relationship rule.

The amendment introduces regulation into the Labour Code on the processing of the employee's biometric data, which can only be done under strict rules.

The Labour Code is expanded by the rules governing the processing of the certificate of good conduct. The law states that the employer may process the employee's criminal personal data for the purpose of examining whether the law or the employer does not restrict or exclude employment in the job to be filled or actually filled. The law also states that the employer can only determine such a restrictive or exclusionary condition if the employment of the person concerned in the given job would be risking to harm significant financial interest of the employer, secret protected by law, firearm, ammunition, explosive, toxic or dangerous chemical, biological or nuclear material.

In the opinion of National Authority for Data Protection (NADP) published on 22 January 2019 regarding the certificates of good conduct, it stated that the request for the presentation of the certificate and the related data processing is also possible on the basis of the legitimate interest if it is supported by the result of the balancing test.

Provisions concerning the use of computer equipment provided to the employee and access to the data stored therein are made clearer. Under the new rules, instead of protecting privacy, the emphasis is put on the fact that the computer equipment made available to the employees is basically a work tool, thus it can only be used by the employees to fulfil their employment relationships. At the same time, as in previous practice, the new rules clearly state that, in the course of the employee's inspection, the employer can only view the data related to the employment relationship, so private e-mails still cannot be examined.

2. Amendments to the Law on Condominiums

The Act modifies the data processing requirements for the use of a camera system in a condominium. The new rules do not consider the data processing resulting from the application of the camera system to be mandatory data processing, only data processing based on the legitimate interest necessary to enforce the legitimate interests of the data processor and third parties. Therefore, the new rules include the need for persons entering a camera-equipped building to be informed of the information needed to protect personal data. It is also stated that written records must be taken on the viewing of the camera system recordings. Access to and use of recordings recorded by the camera system will in future be subject to the general rules contained in the GDPR. At the same time, the Act continues to maintain the rule that the camera system operator can only be a security company, i.e. the condominium itself cannot operate it.

3. Amendments to the Personal and Property Protection Act

The Act repeals many of the disputed provisions on the electronic surveillance of Act CXXXIII of 2005 on Security Services and the Activities of Private Investigators. Therefore, the data protection rules for the camera systems are directly applicable from the GDPR or the Privacy Act.

For example, the Act repeals the rigid rules on data retention, including the legal basis for data processing and the retention time of recordings. Previously, as a general rule, the recorded image, sound, and audio-visual recording had to be destroyed or deleted no more than three working days after recording, and compliance with this very short deadline often caused headaches to the processors. In the future, based on the GDPR, the legal basis for camera surveillance will typically be the legitimate interest, and with this in mind, the retention time of recordings should be determined accordingly.

4. Amendments to the Trade Act

The new rules tighten the provisions for the customer complaint book. In the future, personal data entered by other buyers to the customer complaint book cannot be recognized, as the merchant should immediately remove the complaint page from the customer complaint book after the entry. The merchant must keep the removed page locked separately and make it available to the authority upon its request.

5. Amendments to the Act on Complaints and Public Interest Disclosures

The provisions of Act CLXV of 2013 on Complaints and Public Interest Disclosures have also been slightly modified. For example, the removal of the ban that processing special data (such as personal data referring to racial or ethnic origin, political opinion, religious or philosophical beliefs or sexual orientation, biometric data, data concerning health, etc.) was not allowed in the system, which in many cases was the basis for the disclosure. In connection with the amendment, the law also states that the transmission of data processed under the disclosure regime to another state or international organization is possible only if the recipient of the transfer undertakes to comply with the rules of this Act regarding the notification. In the case of multinational companies, it may be advisable to make this statement when setting up a whistleblowing system.

Download newsletter


This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full terms and conditions on our website.

< Go back

Print Friendly and PDF
Register to receive regular updates via email.