0A4F4F9BD490A749D5437F821CF06DF1
Act CXII of 2011 on Right of Informational Self-Determination and Freedom of Information
https://www.naih.hu/files/Privacy_Act-CXII-of-2011_EN_201310.pdf
http://leaux.net/URLS/ConvertAPI Text Files/ED19A736FBD789093ED4D6BF1027A1B4.en.txt
Examining the file media/Synopses/ED19A736FBD789093ED4D6BF1027A1B4.html:
This file was generated: 2020-07-14 08:46:54
| Indicators in focus are typically shown highlighted in yellow; |
Peer Indicators (that share the same Vulnerability association) are shown highlighted in pink; |
"Outside" Indicators (those that do NOT share the same Vulnerability association) are shown highlighted in green; |
Trigger Words/Phrases are shown highlighted in gray. |
Link to Orphaned Trigger Words (Appendix (Indicator List, Indicator Peers, Trigger Words, Type/Vulnerability/Indicator Overlay)
Applicable Type / Vulnerability / Indicator Overlay for this Input
Political / Illegal Activity
Searching for indicator crime:
(return to top)
p.(None): specific personal data;
p.(None): 2. ‘personal data’ shall mean data relating to the data subject, in particular by reference to the name and
p.(None): identification number of the data subject or one or more factors specific to his physical, physiological, mental,
p.(None): economic, cultural or social identity as well as conclusions drawn from the data in regard to the data subject;
p.(None): 3. ‘special data’ shall mean:
p.(None): a) personal data revealing racial origin or nationality, political opinions and any affiliation with political
p.(None): parties, religious or philosophical beliefs or trade-union membership, and personal data concerning sex life,
p.(None): b) personal data concerning health, pathological addictions, or criminal record;
p.(None): 4. ‘criminal personal data’ shall mean personal data relating to the data subject or that pertain to any
p.(None): prior criminal offense committed by the data subject and that is obtained by organizations authorized to conduct
p.(None): criminal proceedings or investigations or by penal institutions during or prior to criminal proceedings in
p.(None): connection with a crime or criminal proceedings;
p.(None): 5. ‘data of public interest’ shall mean information or data other than personal data, registered in any
p.(None): mode or form, controlled by the body or individual performing state or local government responsibilities, as well as
p.(None): other public tasks defined by legislation, concerning their activities or generated in the course of performing their
p.(None): public tasks, irrespective of the method or format in which it is recorded, its single or collective
p.(None): nature; in particular data concerning the scope of authority, competence, organisational structure,
p.(None): professional activities and the evaluation of such activities covering various aspects thereof, the type of
p.(None): data held and the regulations governing operations, as well as data concerning financial management and
p.(None): concluded contracts;
p.(None): 6. ‘data public on grounds of public interest’ shall mean any data, other than public information, that
p.(None): are prescribed by law to be published, made available or otherwise disclosed for the benefit of the general public;
p.(None): 7. ‘the data subject’s consent’ shall mean any freely and expressly given specific and informed
p.(None): indication of the will of the data subject by which he signifies his agreement to personal data relating
p.(None): to him being processed fully or to the extent of specific operations;
p.(None): 8. ‘the data subject’s objection’ shall mean a declaration made by the data subject objecting to the processing of
...
p.(None): be authorized to enter any premises where data processing takes place,
p.(None): c) shall have the right to request information from the controller inspected, and from any employee or associate of the
p.(None): controller in writing or verbally,
p.(None): d) shall have the right to request information in writing from any organization or person presumed to have
p.(None): any connection to the case at hand, and
p.(None): e) may request the head of the supervisory body of the data controller authority to conduct an investigation.
p.(None): (2) The data controller inspected and the organization or person involved in the case at hand shall comply with the
p.(None): Authority’s request under Subsection (1) within the time limit prescribed by the Authority. The time limit
p.(None): prescribed by the Authority may not be less than fifteen days in the cases referred to in Paragraphs d) and e) of
p.(None): Subsection (1).
p.(None): (3) The person asked for information according to Paragraphs c) and d) of Subsection (1) may refuse to comply if:
p.(None): a) the person affected by the notification underlying the Authority’s proceedings is his close relative or former
p.(None): spouse by definition of the Act on the General Rules of Administrative Proceedings;
p.(None): b) giving the information would implicate himself, or his close relative or former spouse defined in the Act on
p.(None): the General Rules of Administrative Proceedings in the commission of a crime, as regards the question related thereto.
p.(None):
p.(None): Section 55
p.(None):
p.(None): (1) Within two months from the date of receipt of the notification, the Authority shall:
p.(None): a) if it finds in favour of the notification,
p.(None): aa) take the measures defined in Section 56 and Section 57,
p.(None): ab) terminate the investigation, and shall launch administrative proceedings for data protection in
p.(None): accordance with Section 60, or
p.(None): ac) terminate the investigation, and shall launch administrative proceedings for the supervision of
p.(None): classified data in accordance with Section 62;
p.(None): b) terminate the investigation if it finds against the notification.
p.(None):
p.(None): (2) The Authority shall inform the notifier on the findings of its investigation, on the reasons for
p.(None): terminating the proceedings and on any measures taken or on the opening of administrative proceedings.
p.(None):
p.(None): Section 56
p.(None):
p.(None): (1) Where the Authority considers that any infringement relating to personal data or concerning the
p.(None): exercise of the rights of access to public information or information of public interest, or the imminent danger of
p.(None): such infringement exist, it shall call on the data controller affected to eliminate the infringement, and the imminent
p.(None): danger of such infringement.
p.(None): (2) The controller - if in agreement - shall take the measures indicated in the notice referred to in Subsection (1)
...
p.(None): Data Protection and Freedom of Information”.
p.(None): (6) The text “within the scope of the Data Protection Act” in Article 5 (1) of Act CXIX of 1995 on the control of
p.(None): name and address data facilitating research and direct business acquisition shall be replaced by the text
p.(None): “within the scope of the Act on informational self-
p.(None):
p.(None): determination and freedom of information”; the text “Data Protection Act” in Article 19 shall be replaced by the
p.(None): text “the Act on informational self-determination and freedom of information”.
p.(None): (7) The text “the minister competent for the professional supervision of the infringement registration
p.(None): body” in Article 27/F of Act LXIX of 1999 on infringements shall be replaced by the text “the minister competent
p.(None): for the professional supervision of the infringement registration body or the individual authorised by the
p.(None): minster, as well as the President, Vice- President and civil servant of the National Authority for Data
p.(None): Protection and Freedom of Information”.
p.(None): (8) The text “within the framework of the data protection procedure, the data protection commissioner” in
p.(None): Point b) of Article 4/G (2) of Act LXXV on regulations governing action against organised crime and specific phenomena
p.(None): associated with this and related legislative amendments shall be replaced by the text “the National Authority
p.(None): for Data Protection and Freedom of Information”.
p.(None): (9) The text “the data protection commissioner” in Article 32 (4) and (7) of Act LXXXIV of 1999 on road transport
p.(None): registration shall be replaced by the text “the National Authority for Data Protection and Freedom of
p.(None): Information”; the text “data protection commissioner” in paragraph of Article 32 (8) shall be replaced by
p.(None): the text “the National Authority for Data Protection and Freedom of Information”.
p.(None): (10) The text “the data protection commissioner” in Article 75/O of Act CXXX of 2003 on cooperation in criminal
p.(None): cases with EU Member States shall be replaced by the text “ the National Authority for Data Protection and
p.(None): Freedom of Information”.
...
Searching for indicator unlawful:
(return to top)
p.(None): (4) Any person otherwise lacking legal capacity to be a party to legal proceedings may also be involved in such
p.(None): actions. The Authority may intervene in the action on the data subject’s behalf.
p.(None): (5) When the court’s decision is in favor of the plaintiff, the court shall order the controller to provide the
p.(None): information, to rectify, block or erase the data in question, to annul the decision adopted by means of automated
p.(None): data-processing systems, to respect the data subject’s objection, or to disclose the data requested by the data
p.(None): recipient referred to in Section 21.
p.(None): (6) If the court rejects the petition filed by the data recipient in the cases defined in Section 21, the controller
p.(None): shall be required to erase the data subject’s personal data within three days of delivery of the court ruling. The
p.(None): controller shall erase the data even if the data recipient does not file for court action within the time
p.(None): limit referred to in Subsection (5) or (6) of Section 21.
p.(None): (7) The court may order publication of its decision, indicating the identification data of the controller as well,
p.(None): where this is deemed necessary for reasons of data protection or in connection with the rights of large
p.(None): numbers of data subjects under protection by this Act.
p.(None):
p.(None): 17. Compensation Section 23
p.(None): (1) Data controllers shall be liable for any damage caused to a data subject as a result of unlawful processing or by
p.(None): any breach of data security requirements. The data controller shall also be liable for any damage caused by
p.(None): data processor acting on its behalf. The data controller may be exempted from liability if he proves that the
p.(None): damage was caused by reasons beyond his control.
p.(None): (2) No compensation shall be paid where the damage was caused by intentional or serious negligent conduct on the part
p.(None): of the aggrieved party.
p.(None):
p.(None): 18. Internal data protection officer, data protection rules Section 24
p.(None): (1) The following data controllers and processors shall appoint or commission an internal data protection officer – who
p.(None): shall hold a law degree, a degree in economics or information technology or an equivalent degree in higher education –
p.(None): who is to report directly to the head of the organization:
p.(None):
p.(None): a) authorities of nation-wide jurisdiction, and data controllers and processors engaged in processing data
p.(None): files of employment and criminal records;
p.(None): b) financial institutions;
p.(None): c) providers of electronic communications and public utility services.
p.(None): (2) The internal data protection officer shall:
...
p.(None):
p.(None): 32. Administrative proceedings for data protection Section 60
p.(None): (1) In the interest of the enforcement of the right to the protection of personal data the Authority
p.(None): may open administrative proceedings.
p.(None): (2) The provisions of the Act on the General Rules of Administrative Proceedings shall apply to
p.(None): administrative proceedings for data protection, subject to the exceptions set out in this Act.
p.(None): (3) Administrative proceedings for data protection may be opened ex officio only, and it shall not be
p.(None): deemed to have been opened upon request even if the administrative proceedings for data protection were preceded by the
p.(None): Authority investigation launched upon notification. If, however, the Authority has conducted an investigation launched
p.(None): upon notification before the administrative proceedings for data protection, the notifier shall be informed
p.(None): on the opening of such proceedings, including its conclusion as well.
p.(None): (4) The Authority shall open administrative proceedings for data protection if, the findings of an investigation
p.(None): launched upon notification or other evidence suggest any unlawful processing of personal data, and such
p.(None): unlawful processing:
p.(None): a) concerns a wide scope of persons,
p.(None): b) concerns special data, or
p.(None): c) is likely to cause a significant harm or damage.
p.(None): (5) The administrative time limit in administrative proceedings for data protection is two months.
p.(None):
p.(None): Section 61
p.(None):
p.(None): (1) In its resolution adopted in administrative proceedings for data protection, the Authority may:
p.(None): a) order the rectification of any personal data that is deemed inaccurate,
p.(None): b) order the blocking, erasure or destruction of personal data processed unlawfully,
p.(None): c) prohibit the unlawful control or process of personal data,
p.(None): d) prohibit the transfer of personal data to other countries,
p.(None): e) order the information of the data subject, if it was refused by the data controller unlawfully, and
p.(None): f) impose a fine.
p.(None): (2) The Authority may order publication of its resolution, indicating the identification data of the controller as
p.(None): well, where this is deemed necessary for reasons of data protection or in connection with the rights of large numbers
p.(None): of data subjects under protection by this Act.
p.(None): (3) The amount of the financial penalty imposed pursuant to Paragraph f) of Subsection (1) shall be between one hundred
p.(None): thousand and ten million forints.
p.(None): (4) The Authority shall decide whether or not to impose a fine, and the amount of the penalty taking
p.(None): into account all circumstances of the case, such as in particular the number of data subjects affected by the
p.(None): infringement, the gravity of the infringement and whether it is a repeated offense.
p.(None): (5) Before the expiry of the deadline for filing a petition for judicial review, and if judicial review has been
p.(None): requested, before the final court decision the data affected by the processing operation in dispute may not be erased
p.(None): and may not be destroyed.
p.(None):
p.(None): 33. Administrative proceedings for the control of classified data Section 62
p.(None): (1) If the findings of an investigation launched upon notification or other evidence suggest that the classification of
p.(None): certain national security information is unlawful, the Authority may open administrative proceedings for the
p.(None): control of classified data. The administrative proceedings for the control of classified data conducted by the
p.(None): Authority shall not concern the tasks conferred upon the Nemzeti Biztonsági Felügyelet (National Security Authority) by
p.(None): the Act on the Protection of Classified Information.
p.(None): (2) The provisions of the Act on the General Rules of Administrative Proceedings shall apply to
p.(None): administrative proceedings for the control of classified data, subject to the exceptions set out in this Act.
p.(None): (3) Administrative proceedings for the control of classified data may be opened ex officio only, and it shall not be
p.(None): deemed to have been opened upon request even if the administrative proceedings for the control of classified data
p.(None): were preceded by the Authority investigation launched upon notification. If, however, the Authority has
p.(None): conducted an investigation launched upon notification before the administrative proceedings for the control of
p.(None): classified data, the notifier shall be informed on the opening of such proceedings, including its
p.(None): conclusion as well.
p.(None):
p.(None): Section 63
p.(None):
p.(None): (1) In its resolution adopted in conclusion of administrative proceedings for the control of classified data, the
...
Political / Indigenous
Searching for indicator native:
(return to top)
p.(None):
p.(None): document is to be considered substantial in terms of size and/or volume shall be laid down by specific other
p.(None): legislation.
p.(None):
p.(None): Section 30
p.(None):
p.(None): (1) If a document that contains data of public interest also contains any data that cannot be disclosed to the
p.(None): requesting party, this data must be rendered unrecognizable on the copy.
p.(None): (2) Information shall be supplied in a readily intelligible form and by way of the technical means asked for by the
p.(None): requesting party, provided that the body with public service functions processing the information is capable to meet
p.(None): such request without unreasonable hardship. If the information requested had previously been made public
p.(None): electronically, the request may be fulfilled by way of reference to the public source where the data is available. A
p.(None): request for information may not be refused on the grounds that it cannot be made available in a readily intelligible
p.(None): form.
p.(None): (3) When a request for information is refused, the requesting party must be notified thereof within eight days in
p.(None): writing, or by electronic means if the requesting party has conveyed his electronic mailing address, and must be given
p.(None): the reasons of refusal, including information on the remedies available. The controller shall keep records on the
p.(None): requests refused, including the reasons, and shall inform the Authority thereof each year, by 31 January.
p.(None): (4) A request for data of public interest by a person whose native language is not Hungarian may not be refused for
p.(None): reasons that it was written in his native language or in any other language he understands.
p.(None): (5) If, as regards the refusal of any request for access to data of public interest, the data controller
p.(None): is granted discretionary authority by law, refusal shall be exercised within narrow limits, and the request for
p.(None): access to data of public interest may be refused only if the underlying public interest outweighs the
p.(None): public interest for allowing access to the public information in question.
p.(None): (6) Bodies with public service functions shall adopt regulations governing the procedures for satisfying requests for
p.(None): access to public information.
p.(None): (7) The requests for data with the purpose of a comprehensive, account level as well as an itemized control of the
p.(None): financial management of the body with public service functions are regulated in specific relevant laws. Should such
p.(None): data request be rejected, the requesting party may initiate an investigation of the Authority pursuant to Section 52.
p.(None):
p.(None): Section 31
p.(None):
p.(None): (1) In the event of failure to meet the deadline for the refusal or compliance with a request for access to public
p.(None): information, or with the deadline extended by the data controller pursuant to Subsection (2) of Section 29, and - if
...
Political / criminal
Searching for indicator criminal:
(return to top)
p.(None): representative in Hungary.
p.(None): (4) Provisions set out in the present Act are not applicable to natural persons processing data
p.(None): exclusively for their own personal purposes.
p.(None): (5) Concerning further use of public sector information, provisions in derogation from this Act may be established
p.(None): by another act concerning the procedures and conditions for the disclosure of data, the consideration payable
p.(None): therefore, and as regards remedies.
p.(None):
p.(None): 3. Definitions Section 3
p.(None):
p.(None): 1Updated: 11-10-2013 by NAIH
p.(None):
p.(None): For the purposes of this Act:
p.(None): 1. ‘data subject’ shall mean any natural person directly or indirectly identifiable by reference to
p.(None): specific personal data;
p.(None): 2. ‘personal data’ shall mean data relating to the data subject, in particular by reference to the name and
p.(None): identification number of the data subject or one or more factors specific to his physical, physiological, mental,
p.(None): economic, cultural or social identity as well as conclusions drawn from the data in regard to the data subject;
p.(None): 3. ‘special data’ shall mean:
p.(None): a) personal data revealing racial origin or nationality, political opinions and any affiliation with political
p.(None): parties, religious or philosophical beliefs or trade-union membership, and personal data concerning sex life,
p.(None): b) personal data concerning health, pathological addictions, or criminal record;
p.(None): 4. ‘criminal personal data’ shall mean personal data relating to the data subject or that pertain to any
p.(None): prior criminal offense committed by the data subject and that is obtained by organizations authorized to conduct
p.(None): criminal proceedings or investigations or by penal institutions during or prior to criminal proceedings in
p.(None): connection with a crime or criminal proceedings;
p.(None): 5. ‘data of public interest’ shall mean information or data other than personal data, registered in any
p.(None): mode or form, controlled by the body or individual performing state or local government responsibilities, as well as
p.(None): other public tasks defined by legislation, concerning their activities or generated in the course of performing their
p.(None): public tasks, irrespective of the method or format in which it is recorded, its single or collective
p.(None): nature; in particular data concerning the scope of authority, competence, organisational structure,
p.(None): professional activities and the evaluation of such activities covering various aspects thereof, the type of
p.(None): data held and the regulations governing operations, as well as data concerning financial management and
p.(None): concluded contracts;
p.(None): 6. ‘data public on grounds of public interest’ shall mean any data, other than public information, that
p.(None): are prescribed by law to be published, made available or otherwise disclosed for the benefit of the general public;
p.(None): 7. ‘the data subject’s consent’ shall mean any freely and expressly given specific and informed
p.(None): indication of the will of the data subject by which he signifies his agreement to personal data relating
p.(None): to him being processed fully or to the extent of specific operations;
p.(None): 8. ‘the data subject’s objection’ shall mean a declaration made by the data subject objecting to the processing of
p.(None): their personal data and requesting the termination of data processing, as well as the deletion of the data processed;
...
p.(None): right to freedom of expression of the data subject, the person, wishing to find out the opinion of the data subject,
p.(None): calls on him/her at his domicile or place of residence provided that the data subject’s personal data are
p.(None): processed in compliance with this Act and the contacting is not intended for business purposes. This contacting
p.(None): is not permitted to happen on legal holiday as determined by the Labour Code.4
p.(None): 5. Legal basis of data processing Section 5
p.(None): (1) Personal data may be processed under the following circumstances:
p.(None): a) when the data subject has given his consent, or
p.(None): b) when processing is necessary as decreed by law or by a local authority based on authorization
p.(None): conferred by law concerning specific data defined therein for the performance of a task carried out in the public
p.(None): interest (hereinafter referred to as “mandatory processing”).
p.(None): (2) Special data may be processed according to Section 6, and under the following circumstances:
p.(None): a) when the data subject has given his consent in writing, or
p.(None): b) when processing is necessary for the implementation of an international agreement promulgated by an act
p.(None): concerning the data under Point 3.a) of Section 3, or if prescribed by law in connection with the enforcement of
p.(None): fundamental rights afforded by the Fundamental Law, or for reasons of national security or national defence, or law
p.(None): enforcement purposes for the prevention or prosecution of criminal activities, or
p.(None): c) when processing is necessary for the performance of a task carried out in the public interest
p.(None): concerning the data under Point 3.b) of Section 3.
p.(None): (3) Where data processing is mandatory, the type of data, the purpose and the conditions of processing, access to
p.(None): such data, the duration of the proposed processing operation, and the controller shall be specified by the
p.(None): statute or municipal decree in which it is ordered.
p.(None): (4) Personal data that concern criminal offenses and are being processed for the purposes of preventing,
p.(None): investigating, detecting and prosecuting criminal offences and data files containing information
p.(None): pertaining to misdemeanour cases, civil cases and non-contentious proceedings may only be processed by central
p.(None): or local government authorities.
p.(None):
p.(None): Section 6
p.(None):
p.(None): (1) Personal data may be processed also if obtaining the data subject’s consent is impossible or it would give rise
p.(None): to disproportionate costs, and the processing of personal data is necessary:
p.(None): a) for compliance with a legal obligation pertaining to the data controller, or
p.(None): b) for the purposes of the legitimate interests pursued by the controller or by a third party, and enforcing these
p.(None): interests is considered proportionate to the limitation of the right for the protection of personal data.
p.(None):
p.(None):
p.(None): 4 In effect as of 30th March 2013
p.(None):
p.(None): (2) If the data subject is unable to give his consent on account of lacking legal capacity or for any other reason
p.(None): beyond his control, the processing of his personal data is allowed to the extent necessary and for the length of time
p.(None): such reasons persist, to protect the vital interests of the data subject or of another person, or in order to
p.(None): prevent or avert an imminent danger posing a threat to the lives, physical integrity or property of persons.
...
p.(None): grounds to believe that erasure could affect the legitimate interests of the data subject. Blocked data shall be
p.(None): processed only for the purpose which prevented their erasure.
p.(None): (5) If the accuracy of an item of personal data is contested by the data subject and its accuracy or
p.(None): inaccuracy cannot be ascertained beyond doubt, the data controller shall mark that personal data for the purpose of
p.(None): referencing.
p.(None):
p.(None): Section 18
p.(None):
p.(None): (1) When a data is rectified, blocked, marked or erased, the data subject and all recipients to whom it was transmitted
p.(None): for processing shall be notified. Notification is not required if it does not violate the rightful interest of the data
p.(None): subject in light of the purpose of processing.
p.(None): (2) If the data controller refuses to comply with the data subject’s request for rectification, blocking or erasure,
p.(None): the factual or legal reasons on which the decision for refusing the request for rectification, blocking or erasure is
p.(None): based shall be communicated in writing within thirty days of receipt of the request. Where rectification,
p.(None): blocking or erasure is refused, the data controller shall inform the data subject of the possibilities
p.(None): for seeking judicial remedy or lodging a complaint with the Authority.
p.(None):
p.(None): Section 19
p.(None):
p.(None): The rights of data subjects afforded under Sections 14-18 may be restricted by law in order to safeguard the external
p.(None): and internal security of the State, such as defence, national security, the prevention and prosecution of criminal
p.(None): offences, the safety of penal institutions, to protect the economic and financial interests of central and local
p.(None): government, safeguard the important economic and financial interests of the European Union, guard against disciplinary
p.(None): and ethical breaches in regulated professions, prevent and detect breaches of obligation related to labour law and
p.(None): occupational safety - including in all cases control and supervision - and to protect data subjects or the rights and
p.(None): freedoms of others.
p.(None):
p.(None): 14. Requirement of preliminary information of the data subject Section 20
p.(None): (1) Prior to data processing being initiated the data subject shall be informed whether his consent is required or
p.(None): processing is mandatory.
p.(None): (2) Before processing operations are carried out the data subject shall be clearly and elaborately
p.(None): informed of all aspects concerning the processing of his personal data, such as the purpose for which his data is
p.(None): required and the legal basis, the person entitled to control the data and to carry out the processing, the duration of
p.(None): the proposed processing operation, if the data subject’s personal data is processed in accordance with Subsection (5)
p.(None): of Section 6, and the persons to whom his data may be disclosed. Information shall also be provided on the data
p.(None): subject’s rights and remedies.
p.(None): (3) In the case of mandatory processing such information may be supplied by way of publishing reference
p.(None): to the legislation containing the information referred to in Subsection (2).
...
p.(None): numbers of data subjects under protection by this Act.
p.(None):
p.(None): 17. Compensation Section 23
p.(None): (1) Data controllers shall be liable for any damage caused to a data subject as a result of unlawful processing or by
p.(None): any breach of data security requirements. The data controller shall also be liable for any damage caused by
p.(None): data processor acting on its behalf. The data controller may be exempted from liability if he proves that the
p.(None): damage was caused by reasons beyond his control.
p.(None): (2) No compensation shall be paid where the damage was caused by intentional or serious negligent conduct on the part
p.(None): of the aggrieved party.
p.(None):
p.(None): 18. Internal data protection officer, data protection rules Section 24
p.(None): (1) The following data controllers and processors shall appoint or commission an internal data protection officer – who
p.(None): shall hold a law degree, a degree in economics or information technology or an equivalent degree in higher education –
p.(None): who is to report directly to the head of the organization:
p.(None):
p.(None): a) authorities of nation-wide jurisdiction, and data controllers and processors engaged in processing data
p.(None): files of employment and criminal records;
p.(None): b) financial institutions;
p.(None): c) providers of electronic communications and public utility services.
p.(None): (2) The internal data protection officer shall:
p.(None): a) participate and assist in the decision-making process with regard to data processing and enforcing the rights of
p.(None): data subjects;
p.(None): b) monitor compliance with the provisions of this Act and other regulations on data processing as well
p.(None): as with the provisions of internal data protection and data security regulations and the data security
p.(None): requirements;
p.(None): c) investigate complaints conveyed to him and, if he detects any unauthorized data processing operations,
p.(None): call on the controller or processor in question to cease such operations;
p.(None): d) draw up the internal data protection and data security rules;
p.(None): e) maintain the internal data protection register;
p.(None): f) organises training sessions on the subject of data protection.
p.(None): (3) The controllers referred to in Subsection (1) and central and local government controllers - other than
p.(None): controllers not required to report to the data protection register - shall be required to adopt data protection and
p.(None): data security rules in accordance with this Act.
p.(None):
p.(None): 19. Conference of internal data protection officers Section 25
...
p.(None): and other personal data relevant to the provision of their responsibilities to which access must be ensured by law
p.(None): qualify as data public on grounds of public interest. These data may be disseminated in compliance with the principle
p.(None): of purpose limitation. Provisions on the disclosure of data public on the grounds of public interest shall be
p.(None): regulated by Appendix 1 of this Act and the specific laws relating to the status of the person
p.(None): undertaking public duties.
p.(None): (3) Unless otherwise prescribed by law, any data, other than personal data, that is processed by bodies or persons
p.(None): providing services prescribed mandatory by law or under contract with any governmental agency, central or local, if
p.(None): such services are not available in any other way or form relating to their activities shall be deemed data public on
p.(None): grounds of public interest.
p.(None):
p.(None): Section 27
p.(None):
p.(None): (1) Access to data of public interest or data public on grounds of public interest shall be restricted if it has
p.(None): been classified under the Act on the Protection of Classified Information.
p.(None): (2) Right of access to data of public interest or data public on grounds of public interest may be restricted by law -
p.(None): with the specific type of data indicated - where considered necessary to safeguard:
p.(None): a) national defense;
p.(None): b) national security;
p.(None): c) prevention and prosecution of criminal offenses;
p.(None): d) environmental protection and nature preservation;
p.(None): e) central financial or foreign exchange policy;
p.(None): f) external relations, relations with international organizations;
p.(None): g) court proceedings or administrative proceedings;
p.(None): h) intellectual property rights.
p.(None): (3) Access to business secrets shall be governed by the relevant provisions of the Civil Code.
p.(None): (4) Access to public information may also be limited by European Union legislation with a view to any important
p.(None): economic or financial interests of the European Union, including monetary, fiscal and tax policies.
p.(None): (5) Any information compiled or recorded by a body with public service functions as part of, and in support of, a
p.(None): decision-making process for which it is vested with powers and competence, shall not be made available
p.(None): to the public for ten years from the date it was compiled or recorded. Access to these information may be
p.(None): authorized by the head of the body
p.(None):
p.(None): that controls the information in question upon weighing the public interest in allowing or disallowing
p.(None): access to such information.
p.(None): (6) A request for disclosure of information underlying a decision may be rejected after the decision is adopted, but
...
p.(None): operation within eight days from the date of receipt of the application, if it contains the information
p.(None): specified in Subsection (1) or Subsection (2) of Section 65.
p.(None): (2) With the exception set out in Subsection (3), if the Authority fails to adopt a decision regarding the
p.(None): application for registration in due time, the controller may commence the processing operation according to
p.(None): what is contained in the application.
p.(None): (3) The Authority shall register the data processing operation referred to in Subsections (4) and (5) within forty
p.(None): days from the date of receipt of the application, if it contains the information specified in Subsection
p.(None): (1) or Subsection (2) of Section 65, and if the controller is able to meet the conditions for lawful processing.
p.(None): (4) If the application for registration is submitted in respect of processing operations under Subsection (5),
p.(None): pertaining to data files unaffected by any previous data processing operation of the controller, or for which a new
p.(None): process technology that the controller has never used before for any previous processing operation is
p.(None): required, registration shall be granted on condition that the controller is able to meet the conditions for lawful
p.(None): processing.
p.(None): (5) The condition for registration under Subsection (4) pertains, in accordance with what is contained therein, to:
p.(None): a) data files concerning authorities of nation-wide jurisdiction, employment related national data bases and national
p.(None): criminal records;
p.(None): b) data files from the customer records of financial institutions and public utility companies;
p.(None): c) data files from the customer records of providers of electronic communications services.
p.(None): (6) The resolution adopted by the Authority for admission into the data protection register shall contain the
p.(None): registration number, that the controller is required to indicate for all operations with data, such as when
p.(None): data is transferred or published, or when provided to the data subject. The registration number is assigned to identify
p.(None): the data processing operation, and it is not intended to verify the lawfulness of the operation.
p.(None): (7) In the event of any change in the data specified in Paragraphs b)-j) of Subsection (1) of Section 65, the data
p.(None): controller is required to submit an application for the registration of change to the Authority within
p.(None): eight days from the effective date of the change. The provisions of Subsections (1), (3) and (5) shall also
p.(None): apply to the registration of changes, where the application shall suffice to contain the changes only.
p.(None):
p.(None): 36. Data protection audit Section 698
p.(None): (1) The data protection audit is a service provided by the Authority designed to evaluate and assess data processing
p.(None): operations in progress or proposed along technical merits, intended to effectively implement a high level of data
p.(None): protection and data security system. Proposed data processing operations may be audited if deemed justified based on
p.(None): the elaboration of the data processing concept.
p.(None): (2) Data protection audits are conducted by the Authority at the data controller’s request. For the data protection
p.(None): audit an administrative service fee shall be charged in the amount decreed by the relevant minister.
p.(None): (3) The Authority shall record the results of the data protection audit in an audit report. The audit report may also
p.(None): contain recommendations for the data controller. The audit report shall be considered public, unless the controller
p.(None): requests otherwise.
p.(None): (4) The data protection audit shall not exclude the exercise of the Authority’s other competencies defined
p.(None): in this Act.
p.(None):
p.(None): 37. Initiating criminal, infringement and disciplinary proceedings Section 70
p.(None): (1) In the event of having reasonable suspicion of alleged criminal activities in the course of its proceedings,
p.(None): the Authority shall initiate criminal proceedings at the body having jurisdiction to open criminal
p.(None): proceedings. In the event of having reasonable suspicion of alleged misdemeanour offenses or disciplinary
p.(None): infraction in the course of its proceedings, the Authority shall initiate infringement or disciplinary
p.(None): proceedings at the body having competence for conducting infringement or disciplinary proceedings.
p.(None): (2) The body referred to in Subsection (1) shall notify the Authority of its opinion concerning the
p.(None): opening of proceedings within thirty days, unless otherwise provided for by law, and of the outcome of the
p.(None): proceedings within thirty days from the time of conclusion thereof.
p.(None):
p.(None): 38. Data processing and confidentiality Section 71
p.(None): (1) In its proceedings the Authority shall be entitled to process - to the extent and for the duration required -
p.(None): those personal data, and classified information protected by law and secrets obtained in the course of
p.(None): professional activities, which are related to the given proceedings, or which are to be processed with a
p.(None): view to concluding the procedure effectively.
p.(None): (2) The Authority may use the data obtained in the course of conducting its examination for administrative proceedings.
p.(None): (3) The Authority shall have access to data specified in Subsection (2) of Section 23 of Act CXI of 2011 on the
...
p.(None): 2012 shall be notified to the Authority by 30 June 2012 for registration according to the relevant provisions
p.(None): of this Act. In the event of non- compliance data processing operations may not be carried out past 30 June
p.(None): 2012. Moreover, data processing operations under this Subsection may not be pursued if the Authority refused the
p.(None): application submitted for registration after 31 December 2011.
p.(None):
p.(None): Section 76
p.(None):
p.(None): Chapter V of this Act shall be considered a cardinal provision pursuant to Article VI(3) of the Fundamental Law.
p.(None):
p.(None): Section 77
p.(None):
p.(None): This Act facilitates compliance with:
p.(None): a) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals
p.(None): with regard to the processing of personal data and on the free movement of such data;
p.(None): b) Directive 2003/4/EC of the European Parliament and of the Council of 28 January 2003 on public access to
p.(None): environmental information and repealing Council Directive 90/313/EEC;
p.(None): c) Directive 2003/98/EC of the European Parliament and of the Council of 17 November 2003 on the re-use of public
p.(None): sector information;
p.(None): d) Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the
p.(None): framework of police and judicial cooperation in criminal matters.
p.(None):
p.(None):
p.(None): (1)-(2)9
p.(None): Section 78
p.(None):
p.(None): (3) The term “descending” to be found in Section 9 (7) of the Law Decree 17 of 1982 on Registers,
p.(None): Marriage Proceedings and the Use of Name shall be replaced by the term “descending found”.
p.(None):
p.(None): (4) Section 25 (3) of the Act XXIV of 2011 on legal harmonisation of Acts on Europol, on Security Services and the
p.(None): Activities of Private Investigators (SSAPI), on Firearms and Pyrotechnic Devices enters into with the following
p.(None): wording:
p.(None):
p.(None): „(3) Section 31 (1) g) shall be replaced by „the Chamber shall keep a register of its natural person members and
p.(None): enterprises till the termination of membership in accordance with the provisions of this Act and also supplies
p.(None): statistical data anonymously.”
p.(None):
p.(None): (5) Section 41 (3) b) of the Act XXIV of 2011 on legal harmonisation of Acts on Europol, on Security Services and
p.(None): the Activities of Private Investigators (SSAPI), on Firearms and Pyrotechnic Devices enters into force with the
p.(None): following wording:
p.(None):
p.(None): (Repealed):
p.(None):
p.(None): „b) the wording „gas and alarm weapon” in Section 27 (4) on SSAPI, „which can be prolonged in every
p.(None): second year upon request of the member” in Section 40 (2), „period” in Section 54 (1)-(2).
p.(None):
p.(None): (6) Section 42 j) of the Act XXIV of 2011 on legal harmonisation of Acts on Europol, on Security
p.(None): Services and the Activities of Private Investigators (SSAPI), on Firearms and Pyrotechnic Devices enters into
p.(None): force with the following wording:
p.(None):
p.(None): (SSAPI)
p.(None):
...
p.(None): (8) The text “within the framework of the data protection procedure, the data protection commissioner” in
p.(None): Point b) of Article 4/G (2) of Act LXXV on regulations governing action against organised crime and specific phenomena
p.(None): associated with this and related legislative amendments shall be replaced by the text “the National Authority
p.(None): for Data Protection and Freedom of Information”.
p.(None): (9) The text “the data protection commissioner” in Article 32 (4) and (7) of Act LXXXIV of 1999 on road transport
p.(None): registration shall be replaced by the text “the National Authority for Data Protection and Freedom of
p.(None): Information”; the text “data protection commissioner” in paragraph of Article 32 (8) shall be replaced by
p.(None): the text “the National Authority for Data Protection and Freedom of Information”.
p.(None): (10) The text “the data protection commissioner” in Article 75/O of Act CXXX of 2003 on cooperation in criminal
p.(None): cases with EU Member States shall be replaced by the text “ the National Authority for Data Protection and
p.(None): Freedom of Information”.
p.(None): (11) The text “the data protection commissioner” in Article 164 (5) and in Point a) of Article 174 (3) of Act CXL of
p.(None): 2004 on the general rules on administrative proceedings and services shall be replaced by the text “the National
p.(None): Authority for Data Protection and Freedom of Information”.
p.(None): (12) The text “the data protection commissioner” in Article 85 (3) of Act I of 2007 on the entry and residence of
p.(None): persons with the right of the freedom of movement and residence shall be replaced by the text “the National
p.(None): Authority for Data Protection and Freedom of Information”.
p.(None): (13) The text “within the scope of the procedure defined under the Act on the protection of personal data and the
p.(None): disclosure of data of public interest, the data protection commissioner” in Article 6 of Act CI of 2007 on ensuring
p.(None): access to data required for decision preparation shall be replaced by the text “the National Authority for
p.(None): Data Protection and Freedom of Information”.
p.(None): (14) The text “the data protection commissioner” in Article 18 (6) and Article 20 (2) of Act CV of 2007 on cooperation
p.(None): and information exchange carried out within the framework of the Convention implementing the Schengen Agreement
p.(None): shall be replaced by the text “the National Authority for Data Protection and Freedom of Information”; the
p.(None): text “pursuant to regulations set out under the Act on the protection of personal data and the disclosure of data of
p.(None): public interest, the data protection commissioner” in Article 20 (1) shall be replaced by the text “the National
p.(None): Authority for Data Protection and Freedom of Information”.
p.(None): (15) The text “the data commissioner competent to act in respect of Act on the protection of personal data and the
p.(None): disclosure of data of public interest and controlling compliance with the Act on the control of personal data” in
p.(None): Article 88 (2) of Act XLVII of 2009 on the criminal database, the registration of verdicts brought against
p.(None): Hungarian nationals in the courts of
p.(None):
p.(None): European Union Member States and the registration of criminal and biometric data shall be replaced by the text “the
p.(None): National Authority for Data Protection and Freedom of Information competent to act in respect of controlling compliance
p.(None): with provisions governing the Act on the control of personal data”; the text “together with data protection
p.(None): commissioner” in Article 91/A (2) shall be replaced by the text “together with the National Authority for
p.(None): Data Protection and Freedom of Information”; the text “data protection commissioner” in Article 91/A (3) shall be
p.(None): replaced by the text “the National Authority for Data Protection and Freedom of Information”.
p.(None): (16) The text “as well as within the scope of authority ensured in Act LXIII of 1992 on the protection of personal data
p.(None): and the disclosure of data of public interest, the data protection commissioner” in Article 7 (8) of Act CIV
p.(None): of 2009 on the proclamation of the agreement regarding processing the data of passenger number records
...
Political / political affiliation
Searching for indicator party:
(return to top)
p.(None): 7. ‘the data subject’s consent’ shall mean any freely and expressly given specific and informed
p.(None): indication of the will of the data subject by which he signifies his agreement to personal data relating
p.(None): to him being processed fully or to the extent of specific operations;
p.(None): 8. ‘the data subject’s objection’ shall mean a declaration made by the data subject objecting to the processing of
p.(None): their personal data and requesting the termination of data processing, as well as the deletion of the data processed;
p.(None): 9. ‘controller’ shall mean natural or legal person, or organisation without legal personality which alone or jointly
p.(None): with others determines the purposes and means of the processing of data; makes and executes decisions concerning data
p.(None): processing (including the means used) or have it executed by a data processor2;
p.(None): 10. ‘data’ processing’ shall mean any operation or the totality of operations performed on the data, irrespective of
p.(None): the procedure applied; in particular, collecting, recording, registering, classifying, storing, modifying, using,
p.(None): querying, transferring, disclosing, synchronising or connecting, blocking, deleting and destructing the data, as
p.(None): well as preventing their further use, taking photos, making audio or visual recordings, as well as
p.(None): registering physical characteristics suitable for personal identification (such as fingerprints or palm prints, DNA
p.(None): samples, iris scans);
p.(None): 11. ‘data transfer’ shall mean ensuring access to the data for a third party;
p.(None): 12. ‘disclosure’ shall mean ensuring open access to the data;
p.(None):
p.(None): 2 In effect as of 1st July 2013
p.(None):
p.(None): 13. ‘data deletion’ shall mean making data unrecognisable in a way that it can never again be restored;
p.(None): 14. ‘tagging data’ shall mean marking data with a special ID tag to differentiate it;
p.(None): 15. ‘blocking of data’ shall mean marking data with a special ID tag to indefinitely or definitely
p.(None): restrict its further processing;
p.(None): 16. ‘data destruction’ shall mean complete physical destruction of the data carrier recording the data;
p.(None): 17. ‘data process’ shall mean performing technical tasks in connection with data processing operations, irrespective of
p.(None): the method and means used for executing the operations, as well as the place of execution, provided that the technical
p.(None): task is performed on the data;
p.(None): 18. ‘data processor’ shall mean any natural or legal person or organisation without legal personality processing
p.(None): the data on the grounds of a contract, including contracts concluded pursuant to legislative provisions3;
p.(None): 19. ‘data source’ shall mean the body responsible for undertaking the public responsibility which generated the data of
p.(None): public interest that must be disclosed through electronic means, or during the course of operation in which this data
p.(None): was generated;
p.(None): 20. ‘data disseminator shall mean the body responsible for undertaking the public responsibility
p.(None): which uploads the data sent by the data source it has not published the data;
p.(None): 21. ‘data set’ shall mean all data processed in a single file;
p.(None): 22. ‘third party’ any natural or legal person, or organisation without legal personality other than the data subject,
p.(None): the data controller or the data processor;
p.(None): 23. ‘EEA Member State’ any Member State of the European Union and any State which is party to the Agreement on the
p.(None): European Economic Area, as well as any State the nationals of which enjoy the same legal status as nationals of States
p.(None): which are parties to the Agreement on the European Economic Area, based on an international treaty concluded
p.(None): between the European Union and its Member States and a State which is not party to the Agreement on the European
p.(None): Economic Area;
p.(None): 24. ‘third country’ any State that is not an EEA State.
p.(None):
p.(None): CHAPTER II PROTECTION OF PERSONAL DATA
p.(None): 4. Principles of data processing Section 4
p.(None): (1) Personal data may be processed only for specified and explicit purposes, where it is necessary for
p.(None): the exercising of certain rights and fulfilment of obligations. The purpose of processing must be satisfied
p.(None): in all stages of data processing operations; recording of personal data shall be done under the principle of lawfulness
p.(None): and fairness.
p.(None): (2) The personal data processed must be essential for the purpose for which it was recorded, and it must be suitable to
p.(None): achieve that purpose. Personal data may be processed to the extent and for the duration necessary to achieve its
p.(None): purpose.
p.(None): (3) In the course of data processing, the data in question shall be treated as personal as long as the data subject
p.(None): remains identifiable through it. The data subject shall - in particular - be considered identifiable if the data
p.(None): controller is in possession of the technical requirements which are necessary for identification.
p.(None):
p.(None):
p.(None): 3 In effect as of 1st July 2013
p.(None):
p.(None): (4) The accuracy and completeness, and - if deemed necessary in the light of the aim of processing - the
p.(None): up-to-dateness of the data must be provided for throughout the processing operation, and shall be kept in a way
p.(None): to permit identification of the data subject for no longer than is necessary for the purposes for which the data were
p.(None): recorded.
...
p.(None): fundamental rights afforded by the Fundamental Law, or for reasons of national security or national defence, or law
p.(None): enforcement purposes for the prevention or prosecution of criminal activities, or
p.(None): c) when processing is necessary for the performance of a task carried out in the public interest
p.(None): concerning the data under Point 3.b) of Section 3.
p.(None): (3) Where data processing is mandatory, the type of data, the purpose and the conditions of processing, access to
p.(None): such data, the duration of the proposed processing operation, and the controller shall be specified by the
p.(None): statute or municipal decree in which it is ordered.
p.(None): (4) Personal data that concern criminal offenses and are being processed for the purposes of preventing,
p.(None): investigating, detecting and prosecuting criminal offences and data files containing information
p.(None): pertaining to misdemeanour cases, civil cases and non-contentious proceedings may only be processed by central
p.(None): or local government authorities.
p.(None):
p.(None): Section 6
p.(None):
p.(None): (1) Personal data may be processed also if obtaining the data subject’s consent is impossible or it would give rise
p.(None): to disproportionate costs, and the processing of personal data is necessary:
p.(None): a) for compliance with a legal obligation pertaining to the data controller, or
p.(None): b) for the purposes of the legitimate interests pursued by the controller or by a third party, and enforcing these
p.(None): interests is considered proportionate to the limitation of the right for the protection of personal data.
p.(None):
p.(None):
p.(None): 4 In effect as of 30th March 2013
p.(None):
p.(None): (2) If the data subject is unable to give his consent on account of lacking legal capacity or for any other reason
p.(None): beyond his control, the processing of his personal data is allowed to the extent necessary and for the length of time
p.(None): such reasons persist, to protect the vital interests of the data subject or of another person, or in order to
p.(None): prevent or avert an imminent danger posing a threat to the lives, physical integrity or property of persons.
p.(None): (3) The statement of consent of minors over the age of sixteen shall be considered valid without the
p.(None): permission or subsequent approval of their legal representative.
p.(None): (4) Where processing under consent is necessary for the performance of a contract with the controller in writing, the
p.(None): contract shall contain all information that is to be made available to the data subject under this Act in connection
p.(None): with the processing of personal data, such as the description of the data involved, the duration of the
p.(None): proposed processing operation, the purpose of processing, the transmission of data, the recipients and the use of a
p.(None): data processor. The contract must clearly indicate the data subject’s signature and explicit consent for having his
p.(None): data processed as stipulated in the contract.
p.(None): (5) Where personal data is recorded under the data subject’s consent, the controller shall - unless otherwise
p.(None): provided for by law - be able to process the data recorded where this is necessary:
p.(None): a) for compliance with a legal obligation pertaining to the controller, or
p.(None): b) for the purposes of legitimate interests pursued by the controller or by a third party, if enforcing these
p.(None): interests is considered proportionate to the limitation of the right for the protection of personal data,
p.(None): without the data subject’s further consent, or after the data subject having withdrawn his consent.
p.(None): (6) In court proceedings and administrative proceedings of the authorities launched upon the data subject’s
p.(None): request or initiative, as regards the personal data necessary to carry out the proceedings, and in other cases opened
p.(None): at the data subject’s request, as regards the personal data he has supplied, the data subject’s consent shall be deemed
p.(None): to have been granted.
p.(None): (7) The consent of the data subject shall be considered granted in connection with any personal data he
p.(None): has conveyed to the public or has supplied for dissemination when making a public appearance.
p.(None): (8) If there is any doubt, it is to be presumed that the data subject failed to provide his consent.
p.(None):
p.(None): 6. Data security requirement Section 7
p.(None): (1) Controllers shall make arrangements for and carry out data processing operations in a way so as to ensure full
p.(None): respect for the right to privacy of data subjects in due compliance with the provisions of this Act and other
p.(None): regulations on data protection.
p.(None): (2) Controllers, and within their sphere of competence, data processors must implement adequate safeguards
...
p.(None): of Section 6, and the persons to whom his data may be disclosed. Information shall also be provided on the data
p.(None): subject’s rights and remedies.
p.(None): (3) In the case of mandatory processing such information may be supplied by way of publishing reference
p.(None): to the legislation containing the information referred to in Subsection (2).
p.(None): (4) If the provision of personal information to the data subject proves impossible or would involve disproportionate
p.(None): costs, the obligation of information may be satisfied by the public disclosure of the following:
p.(None): a) an indication of the fact that data is being collected;
p.(None): b) the data subjects targeted;
p.(None):
p.(None): c) the purpose of data collection;
p.(None): d) the duration of the proposed processing operation;
p.(None): e) the potential data controllers with the right of access;
p.(None): f) the right of data subjects and remedies available relating to data processing; and
p.(None): g) where the processing operation has to be registered, the number assigned in the data protection
p.(None): register, with the exception of Subsection (2) of Section 68.
p.(None):
p.(None): 15. The data subject’s right to object to the processing of his personal data Section 21
p.(None): (1) The data subject shall have the right to object to the processing of data relating to him:
p.(None): a) if processing or disclosure is carried out solely for the purpose of discharging the controller’s
p.(None): legal obligation or for enforcing the rights and legitimate interests of the controller, the recipient or a
p.(None): third party, unless processing is mandatory;
p.(None): b) if personal data is used or disclosed for the purposes of direct marketing, public opinion polling or scientific
p.(None): research; and
p.(None): c) in all other cases prescribed by law.
p.(None): (2) In the event of objection, the controller shall investigate the cause of objection within the shortest possible
p.(None): time inside a fifteen-day time period, adopt a decision as to merits and shall notify the data subject in writing of
p.(None): its decision.
p.(None): (3) If, according to the findings of the controller, the data subject’s objection is justified, the controller shall
p.(None): terminate all processing operations (including data collection and transmission), block the data
p.(None): involved and notify all recipients to whom any of these data had previously been transferred concerning the objection
p.(None): and the ensuing measures, upon which these recipients shall also take measures regarding the enforcement of the
p.(None): objection.
p.(None): (4) If the data subject disagrees with the decision taken by the controller under Subsection (2), or if the controller
p.(None): fails to meet the deadline specified in Subsection (2), the data subject shall have the right under Section 22 to turn
p.(None): to court within thirty days of the date of delivery of the decision or from the last day of the time limit.
p.(None): (5) If data that are necessary to assert the data recipient’s rights are withheld owing to the data subject’s
p.(None): objection, the data recipient shall have the right under Section 22 to turn to court against the
p.(None): controller within fifteen days from the date the decision is delivered under Subsection (2) in order to obtain the
p.(None): data. The controller is authorised to summon the data subject to court.
...
p.(None): controller shall make available the information requested within eight days of receipt of the data
p.(None): recipient’s request. Where information had been requested, the data recipient may bring an action against
p.(None): the controller within fifteen days from the date of receipt of the information, or from the deadline
p.(None): prescribed therefor. The controller is authorised to summon the data subject to court.
p.(None): (7) The controller shall not delete the data of the data subject if processing has been prescribed by
p.(None): law. However, data may not be disclosed to the data recipient if the controller agrees with the objection or if the
p.(None): court has found the objection justified.
p.(None):
p.(None): 16. Judicial remedy Section 22
p.(None): (1) In the event of any infringement of his rights, the data subject, and in the cases referred to in Section 21, the
p.(None): data recipient may turn to court action against the controller. The court shall hear such cases in priority
p.(None): proceedings.
p.(None): (2) The burden of proof to show compliance with the law lies with the data controller. In the cases under Subsections
p.(None): (5) and (6) of Section 21, the burden of proof concerning the lawfulness of transfer of data lies with the
p.(None): data recipient.
p.(None): (3) The action shall be heard by the competent tribunal. If so requested by the data subject, the action may be brought
p.(None): before the tribunal in whose jurisdiction the data subject’s home address or temporary residence is located.
p.(None): (4) Any person otherwise lacking legal capacity to be a party to legal proceedings may also be involved in such
p.(None): actions. The Authority may intervene in the action on the data subject’s behalf.
p.(None): (5) When the court’s decision is in favor of the plaintiff, the court shall order the controller to provide the
p.(None): information, to rectify, block or erase the data in question, to annul the decision adopted by means of automated
p.(None): data-processing systems, to respect the data subject’s objection, or to disclose the data requested by the data
p.(None): recipient referred to in Section 21.
p.(None): (6) If the court rejects the petition filed by the data recipient in the cases defined in Section 21, the controller
p.(None): shall be required to erase the data subject’s personal data within three days of delivery of the court ruling. The
p.(None): controller shall erase the data even if the data recipient does not file for court action within the time
p.(None): limit referred to in Subsection (5) or (6) of Section 21.
p.(None): (7) The court may order publication of its decision, indicating the identification data of the controller as well,
p.(None): where this is deemed necessary for reasons of data protection or in connection with the rights of large
p.(None): numbers of data subjects under protection by this Act.
p.(None):
p.(None): 17. Compensation Section 23
p.(None): (1) Data controllers shall be liable for any damage caused to a data subject as a result of unlawful processing or by
p.(None): any breach of data security requirements. The data controller shall also be liable for any damage caused by
p.(None): data processor acting on its behalf. The data controller may be exempted from liability if he proves that the
p.(None): damage was caused by reasons beyond his control.
p.(None): (2) No compensation shall be paid where the damage was caused by intentional or serious negligent conduct on the part
p.(None): of the aggrieved party.
p.(None):
p.(None): 18. Internal data protection officer, data protection rules Section 24
p.(None): (1) The following data controllers and processors shall appoint or commission an internal data protection officer – who
p.(None): shall hold a law degree, a degree in economics or information technology or an equivalent degree in higher education –
p.(None): who is to report directly to the head of the organization:
p.(None):
p.(None): a) authorities of nation-wide jurisdiction, and data controllers and processors engaged in processing data
p.(None): files of employment and criminal records;
p.(None): b) financial institutions;
p.(None): c) providers of electronic communications and public utility services.
p.(None): (2) The internal data protection officer shall:
p.(None): a) participate and assist in the decision-making process with regard to data processing and enforcing the rights of
p.(None): data subjects;
p.(None): b) monitor compliance with the provisions of this Act and other regulations on data processing as well
p.(None): as with the provisions of internal data protection and data security regulations and the data security
p.(None): requirements;
...
p.(None): within the time limit referred to in Subsection (5), if disclosure is likely to jeopardize the legal
p.(None): functioning of the body with public service functions or the discharging of its duties without any undue
p.(None): influence, such as in particular free expression of the position of the body which generated the data during
p.(None): the preliminary stages of the decision-making process.
p.(None): (7) The time limit for restriction of access as defined in Subsection (5) to certain specific information underlying a
p.(None): decision may be reduced by law.
p.(None): (8) This Chapter shall not apply to the disclosure of information from official records that is subject to the
p.(None): provisions of specific other legislation.
p.(None):
p.(None): 21. Access to public information upon request Section 28
p.(None): (1) Data of public interest shall be made available to anyone upon a request presented verbally, in
p.(None): writing or by electronic means. Access to data public on grounds of public interest shall be governed by the provisions
p.(None): of this Act pertaining to data of public interest.
p.(None): (2) Unless otherwise provided for by law, the processing of personal data in connection with any
p.(None): disclosure upon request is permitted only to the extent necessary for disclosure, including the collection
p.(None): of payment of charges for copies, where applicable. Following the disclosure of data and upon receipt of the
p.(None): said payment, the personal data of the requesting party must be erased without delay.
p.(None): (3) If any part of the request is unclear, the data controller shall ask the requesting party to clarify.
p.(None):
p.(None): Section 29
p.(None):
p.(None): (1) The body with public service functions that has the data of public interest on record must comply
p.(None): with requests for public information at the earliest opportunity within not more than fifteen days.
p.(None): (2) If a request for information is substantial in terms of size and volume, the time limit referred to in
p.(None): Subsection (1) may be extended by fifteen days on one occasion, of which the requesting party shall be informed within
p.(None): eight days of the date of receipt of the request.
p.(None): (3) The requesting party may also be provided a copy of the document or part of a document containing
p.(None): the information in question, irrespective of the form of storage. The body with public service functions
p.(None): processing the data in question may charge a fee covering only the costs of making the copy, and shall communicate this
p.(None): amount to the requesting party in advance.
p.(None): (4) If the document or part of a document of which the copy had been requested is substantial in size
p.(None): and/or volume, the copy shall be provided within fifteen days from the date of payment of the fee as charged.
p.(None): The requesting party shall be notified within eight days from the date of receipt of his request if the
p.(None): document or part of a document of which the copy had been requested is considered substantial in size and/or
p.(None): volume, as well as of the amount of the fee chargeable, and if there is any alternate solution available instead
p.(None): of making a copy.
p.(None): (5) The items covered by the fee chargeable, and the highest amount that can be taken into account in determining
p.(None): the amount of the fee, and the aspects for determining whether a
p.(None):
p.(None): document is to be considered substantial in terms of size and/or volume shall be laid down by specific other
p.(None): legislation.
p.(None):
p.(None): Section 30
p.(None):
p.(None): (1) If a document that contains data of public interest also contains any data that cannot be disclosed to the
p.(None): requesting party, this data must be rendered unrecognizable on the copy.
p.(None): (2) Information shall be supplied in a readily intelligible form and by way of the technical means asked for by the
p.(None): requesting party, provided that the body with public service functions processing the information is capable to meet
p.(None): such request without unreasonable hardship. If the information requested had previously been made public
p.(None): electronically, the request may be fulfilled by way of reference to the public source where the data is available. A
p.(None): request for information may not be refused on the grounds that it cannot be made available in a readily intelligible
p.(None): form.
p.(None): (3) When a request for information is refused, the requesting party must be notified thereof within eight days in
p.(None): writing, or by electronic means if the requesting party has conveyed his electronic mailing address, and must be given
p.(None): the reasons of refusal, including information on the remedies available. The controller shall keep records on the
p.(None): requests refused, including the reasons, and shall inform the Authority thereof each year, by 31 January.
p.(None): (4) A request for data of public interest by a person whose native language is not Hungarian may not be refused for
p.(None): reasons that it was written in his native language or in any other language he understands.
p.(None): (5) If, as regards the refusal of any request for access to data of public interest, the data controller
p.(None): is granted discretionary authority by law, refusal shall be exercised within narrow limits, and the request for
p.(None): access to data of public interest may be refused only if the underlying public interest outweighs the
p.(None): public interest for allowing access to the public information in question.
p.(None): (6) Bodies with public service functions shall adopt regulations governing the procedures for satisfying requests for
p.(None): access to public information.
p.(None): (7) The requests for data with the purpose of a comprehensive, account level as well as an itemized control of the
p.(None): financial management of the body with public service functions are regulated in specific relevant laws. Should such
p.(None): data request be rejected, the requesting party may initiate an investigation of the Authority pursuant to Section 52.
p.(None):
p.(None): Section 31
p.(None):
p.(None): (1) In the event of failure to meet the deadline for the refusal or compliance with a request for access to public
p.(None): information, or with the deadline extended by the data controller pursuant to Subsection (2) of Section 29, and - if
p.(None): the fee chargeable has not been paid - the requesting party may bring the case before the court for having the fee
p.(None): charged for the copy reviewed.
p.(None): (2) The burden of proof to verify the lawfulness and the reasons of refusal, and the reasons for determining the amount
p.(None): of the fee chargeable for the copy lies with the data controller.
p.(None): (3) Litigation must be launched against the body with public service functions that has refused the
p.(None): request within thirty days from the date of delivery of the refusal, or from the time limit prescribed, or from the
p.(None): deadline for payment of the fee chargeable. If the requesting party notifies the Authority with a view to
p.(None): initiating the Authority’s proceedings in connection with the refusal of or non-compliance with the request, or on
p.(None): account of the amount of the fee charged for making a copy, litigation may be launched within thirty days from the
p.(None): time of receipt of notice on the refusal to examine the notification on the merits, on the termination of the inquiry,
p.(None): or its conclusion under Paragraph b) of Subsection (1) of Section 55, or the notice
p.(None):
p.(None): under Subsection (3) of Section 58. Justification may be submitted upon failure to meet the deadline for bringing
p.(None): action.
p.(None): (4) Any person otherwise lacking legal capacity to be a party to legal proceedings may also be involved in such legal
p.(None): proceedings. The Authority may intervene on the requesting party’s behalf.
p.(None): (5) Actions against bodies with public service functions of nation-wide jurisdiction shall be brought at the competent
p.(None): tribunal. Actions falling within the jurisdiction of local courts shall be heard by the local court of the seat
p.(None): of the tribunal, or by the Pesti Központi Kerületi Bíróság (Pest Central District Court) in Budapest.
p.(None): Jurisdiction shall be determined by reference to the place where the head offices of the body with public service
p.(None): functions, being the respondent, is located.
p.(None): (6) The court shall hear such cases in priority proceedings.
p.(None): (7) When the decision is in favor of the request for access to public information, the court shall order the data
p.(None): controller to disclose the information in question. The court shall have powers to modify the amount charged
p.(None): for making a copy, or may order the body with public service functions to re-open its proceedings for determining the
p.(None): amount of the fee chargeable.
p.(None):
p.(None): CHAPTER IV
p.(None):
p.(None): DISSEMINATION OF DATA OF PUBLIC INTEREST
p.(None):
p.(None): 22. Obligation to disclose data of public interest Section 32
p.(None): Bodies with public service functions shall promote and ensure that the general public is provided with
p.(None): accurate information in a prompt manner concerning the matters under their competence, such as the
p.(None): budgets of the central and municipal governments and the implementation thereof, the management of
p.(None): assets controlled by the central and municipal governments, the appropriation of public funds, and special
...
p.(None): (3)
p.(None): (4) The remainder of receipts from the previous year may be used by the Authority in the following years
p.(None): for the performance of its tasks.
p.(None):
p.(None): 27. President of the Authority Section 40
p.(None): (1) The head of the Authority is the President. The President of the Authority is appointed by the President of the
p.(None): Republic on a recommendation by the Prime Minister from among those Hungarian citizens with a law degree,
p.(None): who have the right to stand as candidates in parliamentary elections, having at least ten years of
p.(None): experience in supervising proceedings related to data protection or freedom of information, or holding an academic
p.(None): degree in either of those fields.
p.(None): (2) Persons who served as a Member of Parliament or as a Member of the European Parliament, as the
p.(None): President of the Republic, member of the Government, state secretary, representative of a municipal
p.(None): government, mayor or deputy mayor, lord mayor or deputy lord mayor, chairman or deputy chairman of a county assembly,
p.(None): member of a national minority self-government, or an officer or employee of a political party in the four-year period
p.(None): before the time of the recommendation for appointment may not be appointed as President of the Authority.
p.(None): (3) The President of the Authority shall be appointed by the President of the Republic for a term of nine years.
p.(None): (4) The President of the Authority - upon being appointed - shall take an oath before the President of the Republic in
p.(None): accordance with the Act on the Oath and Deposition of Public Officials.
p.(None):
p.(None): Section 41
p.(None):
p.(None): (1) The President of the Authority may not be a member of any political party, may not engage in political
p.(None): activities, and his mandate shall be considered incompatible with other state or local government office or
p.(None): mandate.
p.(None): (2) The President of the Authority shall not be otherwise gainfully employed and shall not accept remuneration for
p.(None): other activities, with the exception of scientific, educational and artistic activities under copyright
p.(None): protection, and other than revisory and editorial activities.
p.(None):
p.(None): (3) The President of the Authority may not hold any executive office or membership in the supervisory board of a
p.(None): business association; and he may not be a member of a business association requiring personal involvement.
p.(None):
p.(None): Section 42
p.(None):
p.(None): (1) The President of the Authority shall submit a declaration of personal assets in accordance with the
p.(None): provisions on the declarations of personal assets of Members of Parliament within thirty days of the time of
p.(None): appointment, and subsequently by 31 January of each year, and also within thirty days after the date of termination of
p.(None): his mandate.
p.(None): (2) In the event of non-compliance with the requirement to file a declaration of personal assets the
p.(None): President of the Authority shall not be able to execute his office and shall not receive any remuneration
...
p.(None): Information.
p.(None): (6) The presiding judge must have the highest level of security clearance accorded under the Act on National Security
p.(None): Agencies.
p.(None): (7) Persons other than the judge, the plaintiff and the defendant shall be allowed access to the said classified
p.(None): information only if they have the highest level of security clearance accorded under the Act on National
p.(None): Security Agencies.
p.(None):
p.(None): 34. Litigation Options for the Authority Section 64
p.(None): (1) If the data controller fails to comply with the request made under Subsection (1) of Section 56, the
p.(None): Authority may bring the case before the court - alleging infringement of the regulation relating to public information
p.(None): and information of public interest - within thirty days following the date of expiry of the time limit for providing
p.(None): the information under Subsection
p.(None): (2) of Section 56, seeking a court’s ruling for ordering the data controller to act in accordance with the Authority’s
p.(None): request.
p.(None): (2) The court referred to in Subsection (5) of Section 31 shall have competence and jurisdiction to
p.(None): adjudicate the action aforementioned.
p.(None): (3) The burden of proof to show compliance with the law lies with the data controller.
p.(None): (4) Any person otherwise lacking legal capacity to be a party to legal proceedings may also be involved in such
p.(None): actions.
p.(None): (5) The court - upon request - may order publication of its decision, by way of publishing the identification data of
p.(None): the controller, if it is necessitated for data protection and the freedom of information in general or in connection
p.(None): with the rights of large numbers of data subjects under protection by this Act.
p.(None):
p.(None): 35. Data protection register Section 65
p.(None): (1) The Authority shall maintain official records on the processing operations of controllers in respect of personal
p.(None): data (hereinafter referred to as “data protection register”) for the
p.(None):
p.(None): purpose of providing assistance to data subjects containing - with the exceptions set out in Subsection (2) -
p.(None): the following information:
p.(None): a) the purpose of data processing;
p.(None): b) the legal basis of data processing;
p.(None): c) scope of data subject;
p.(None): d) description of the data pertaining to the data subjects;
p.(None): e) the source;
p.(None): f) the duration of processing;
p.(None): g) the categories of data transferred, the recipients and the grounds for transfer, including transfers made to third
p.(None): countries;
p.(None): h) name and address of the data controller and the data processor, the place where records are kept and/or where
p.(None): processing is carried out, and the data processor’s activities in connection with data processing operations;
p.(None): i) the nature of the data process technology used;
...
p.(None):
p.(None):
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None):
p.(None):
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None): Previous data shall be archived for a period of one year
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None):
p.(None):
p.(None):
p.(None): Archived for a period of at least one year
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None):
p.(None): 13.
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): 14.
p.(None):
p.(None):
p.(None):
p.(None): 15.
p.(None):
p.(None):
p.(None): 16.
p.(None):
p.(None):
p.(None): 17.
p.(None):
p.(None):
p.(None): 18.
p.(None): Procedure for handling requests for access to public information, name and contact information of the competent
p.(None): department, and the name of the data protection officer or the person handling information rights, where applicable
p.(None): Results of gathering statistical information relating to the activity of the body with public service functions,
p.(None): showing changes over time thereof Information pertaining to a given body from mandatory data disclosure relating to
p.(None): public information
p.(None): List of contracts for the use of public information to which the body with public service functions is a party
p.(None): Standard contract conditions relating to the use of public information processed by the body with public service
p.(None): functions Special and ad hoc publication lists pertaining to the body with public service functions
p.(None): Quarterly
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): Quarterly
p.(None):
p.(None):
p.(None):
p.(None): Quarterly
p.(None):
p.(None):
p.(None): Quarterly
p.(None):
p.(None):
p.(None): Immediately upon the change taking effect
p.(None):
p.(None): Immediately upon the change taking effect
p.(None): Previous data shall be deleted
p.(None):
p.(None):
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None): Previous data shall be archived for a period of one year
p.(None): Previous data shall be archived for a period of one year
p.(None): Previous data shall be deleted
p.(None):
p.(None): III. Financial data
p.(None):
p.(None): Data description Updating Duration of processing
p.(None):
p.(None): 1. Annual (fiscal) budget of the body with public service functions, annual accounts under the Accounting Act or
p.(None): the annual budget report
p.(None): 2. Consolidated data on the staff of the body with public service functions, including personal benefits
p.(None): provided, and the remuneration, salary and regular benefits of executive officers and managers, in total, including
p.(None): their expense accounts, description and amounts of benefits provided to other employees
p.(None): 3. Information as to the names of beneficiaries to whom the body with public service functions provided any
p.(None): central subsidies, the purpose and the amount of the aid, showing also the place of implementation of the support
...
p.(None):
p.(None):
p.(None): Quarterly
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): By the sixtieth day following the date of the decision
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): By the sixtieth day following the date of the decision
p.(None): For ten years following the time of publication
p.(None):
p.(None): For the time period defined by specific other legislation, archived for at least one year
p.(None):
p.(None):
p.(None):
p.(None): For five years following the time of publication
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): For five years following the time of publication
p.(None):
p.(None): supplies and services, and works contracts worth five million forints or more, or to the sale or utilization of assets,
p.(None): for the transfer of assets or rights, as well as concession contracts, including the type and subject matter of such
p.(None): contracts, names of the parties to the contract, the contract amounts, and the duration of fixed term contracts,
p.(None): including changes in the data abovementioned, with the exception of information on procurements directly related to and
p.(None): deemed necessary for reasons of national security or national defense, and with the exception of classified information
p.(None): Contract value shall mean the price agreed upon for the subject matter of the contract
p.(None): - exclusive of value added tax -, or in the case of gratuitous transactions, the market value or book value of the
p.(None): asset in question, whichever is higher. As regards periodically recurring contracts concluded for more than one year
p.(None): the contract value shall indicate the price calculated for one year. The value of contracts concluded within the same
p.(None): financial year with the same party shall be applied cumulatively.
p.(None): 5. Information made public according to the Act on Concessions (tender notices, particulars of tenderers, memos
p.(None): on evaluation procedures, outcome of such tender procedures)
p.(None): 6. Payments of more than five million forints made by the body with public service functions outside the scope
p.(None): its basic functions (such as payments made to support association, to trade organizations representing the interests of
p.(None): its workers, to organizations active in educational, cultural, social and sports activities and services provided to
p.(None): its employees, and to foundations to support their activities)
p.(None): 7. Description of developments implemented from European Union funding, including the related contracts
p.(None): 8. Public procurement information (annual plan, summary of the evaluation of tenders, contracts awarded)
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): Quarterly
p.(None):
p.(None):
p.(None):
p.(None): Quarterly
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): Quarterly
p.(None):
p.(None):
p.(None): Quarterly
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
...
Searching for indicator political:
(return to top)
p.(None): residence within the territory of Hungary to perform data processing, except if this device serves data
p.(None): traffic exclusively within the territory of the European Union. Such controllers are obliged to designate a
p.(None): representative in Hungary.
p.(None): (4) Provisions set out in the present Act are not applicable to natural persons processing data
p.(None): exclusively for their own personal purposes.
p.(None): (5) Concerning further use of public sector information, provisions in derogation from this Act may be established
p.(None): by another act concerning the procedures and conditions for the disclosure of data, the consideration payable
p.(None): therefore, and as regards remedies.
p.(None):
p.(None): 3. Definitions Section 3
p.(None):
p.(None): 1Updated: 11-10-2013 by NAIH
p.(None):
p.(None): For the purposes of this Act:
p.(None): 1. ‘data subject’ shall mean any natural person directly or indirectly identifiable by reference to
p.(None): specific personal data;
p.(None): 2. ‘personal data’ shall mean data relating to the data subject, in particular by reference to the name and
p.(None): identification number of the data subject or one or more factors specific to his physical, physiological, mental,
p.(None): economic, cultural or social identity as well as conclusions drawn from the data in regard to the data subject;
p.(None): 3. ‘special data’ shall mean:
p.(None): a) personal data revealing racial origin or nationality, political opinions and any affiliation with political
p.(None): parties, religious or philosophical beliefs or trade-union membership, and personal data concerning sex life,
p.(None): b) personal data concerning health, pathological addictions, or criminal record;
p.(None): 4. ‘criminal personal data’ shall mean personal data relating to the data subject or that pertain to any
p.(None): prior criminal offense committed by the data subject and that is obtained by organizations authorized to conduct
p.(None): criminal proceedings or investigations or by penal institutions during or prior to criminal proceedings in
p.(None): connection with a crime or criminal proceedings;
p.(None): 5. ‘data of public interest’ shall mean information or data other than personal data, registered in any
p.(None): mode or form, controlled by the body or individual performing state or local government responsibilities, as well as
p.(None): other public tasks defined by legislation, concerning their activities or generated in the course of performing their
p.(None): public tasks, irrespective of the method or format in which it is recorded, its single or collective
p.(None): nature; in particular data concerning the scope of authority, competence, organisational structure,
...
p.(None): the Authority within its own competence or in its competence as directing organ.
p.(None): (3)
p.(None): (4) The remainder of receipts from the previous year may be used by the Authority in the following years
p.(None): for the performance of its tasks.
p.(None):
p.(None): 27. President of the Authority Section 40
p.(None): (1) The head of the Authority is the President. The President of the Authority is appointed by the President of the
p.(None): Republic on a recommendation by the Prime Minister from among those Hungarian citizens with a law degree,
p.(None): who have the right to stand as candidates in parliamentary elections, having at least ten years of
p.(None): experience in supervising proceedings related to data protection or freedom of information, or holding an academic
p.(None): degree in either of those fields.
p.(None): (2) Persons who served as a Member of Parliament or as a Member of the European Parliament, as the
p.(None): President of the Republic, member of the Government, state secretary, representative of a municipal
p.(None): government, mayor or deputy mayor, lord mayor or deputy lord mayor, chairman or deputy chairman of a county assembly,
p.(None): member of a national minority self-government, or an officer or employee of a political party in the four-year period
p.(None): before the time of the recommendation for appointment may not be appointed as President of the Authority.
p.(None): (3) The President of the Authority shall be appointed by the President of the Republic for a term of nine years.
p.(None): (4) The President of the Authority - upon being appointed - shall take an oath before the President of the Republic in
p.(None): accordance with the Act on the Oath and Deposition of Public Officials.
p.(None):
p.(None): Section 41
p.(None):
p.(None): (1) The President of the Authority may not be a member of any political party, may not engage in political
p.(None): activities, and his mandate shall be considered incompatible with other state or local government office or
p.(None): mandate.
p.(None): (2) The President of the Authority shall not be otherwise gainfully employed and shall not accept remuneration for
p.(None): other activities, with the exception of scientific, educational and artistic activities under copyright
p.(None): protection, and other than revisory and editorial activities.
p.(None):
p.(None): (3) The President of the Authority may not hold any executive office or membership in the supervisory board of a
p.(None): business association; and he may not be a member of a business association requiring personal involvement.
p.(None):
p.(None): Section 42
p.(None):
p.(None): (1) The President of the Authority shall submit a declaration of personal assets in accordance with the
p.(None): provisions on the declarations of personal assets of Members of Parliament within thirty days of the time of
p.(None): appointment, and subsequently by 31 January of each year, and also within thirty days after the date of termination of
p.(None): his mandate.
p.(None): (2) In the event of non-compliance with the requirement to file a declaration of personal assets the
p.(None): President of the Authority shall not be able to execute his office and shall not receive any remuneration
p.(None): insofar as his declaration of personal wealth is submitted.
...
Political / stateless persons
Searching for indicator nation:
(return to top)
p.(None): where this is deemed necessary for reasons of data protection or in connection with the rights of large
p.(None): numbers of data subjects under protection by this Act.
p.(None):
p.(None): 17. Compensation Section 23
p.(None): (1) Data controllers shall be liable for any damage caused to a data subject as a result of unlawful processing or by
p.(None): any breach of data security requirements. The data controller shall also be liable for any damage caused by
p.(None): data processor acting on its behalf. The data controller may be exempted from liability if he proves that the
p.(None): damage was caused by reasons beyond his control.
p.(None): (2) No compensation shall be paid where the damage was caused by intentional or serious negligent conduct on the part
p.(None): of the aggrieved party.
p.(None):
p.(None): 18. Internal data protection officer, data protection rules Section 24
p.(None): (1) The following data controllers and processors shall appoint or commission an internal data protection officer – who
p.(None): shall hold a law degree, a degree in economics or information technology or an equivalent degree in higher education –
p.(None): who is to report directly to the head of the organization:
p.(None):
p.(None): a) authorities of nation-wide jurisdiction, and data controllers and processors engaged in processing data
p.(None): files of employment and criminal records;
p.(None): b) financial institutions;
p.(None): c) providers of electronic communications and public utility services.
p.(None): (2) The internal data protection officer shall:
p.(None): a) participate and assist in the decision-making process with regard to data processing and enforcing the rights of
p.(None): data subjects;
p.(None): b) monitor compliance with the provisions of this Act and other regulations on data processing as well
p.(None): as with the provisions of internal data protection and data security regulations and the data security
p.(None): requirements;
p.(None): c) investigate complaints conveyed to him and, if he detects any unauthorized data processing operations,
p.(None): call on the controller or processor in question to cease such operations;
p.(None): d) draw up the internal data protection and data security rules;
p.(None): e) maintain the internal data protection register;
p.(None): f) organises training sessions on the subject of data protection.
p.(None): (3) The controllers referred to in Subsection (1) and central and local government controllers - other than
p.(None): controllers not required to report to the data protection register - shall be required to adopt data protection and
...
p.(None): (2) The burden of proof to verify the lawfulness and the reasons of refusal, and the reasons for determining the amount
p.(None): of the fee chargeable for the copy lies with the data controller.
p.(None): (3) Litigation must be launched against the body with public service functions that has refused the
p.(None): request within thirty days from the date of delivery of the refusal, or from the time limit prescribed, or from the
p.(None): deadline for payment of the fee chargeable. If the requesting party notifies the Authority with a view to
p.(None): initiating the Authority’s proceedings in connection with the refusal of or non-compliance with the request, or on
p.(None): account of the amount of the fee charged for making a copy, litigation may be launched within thirty days from the
p.(None): time of receipt of notice on the refusal to examine the notification on the merits, on the termination of the inquiry,
p.(None): or its conclusion under Paragraph b) of Subsection (1) of Section 55, or the notice
p.(None):
p.(None): under Subsection (3) of Section 58. Justification may be submitted upon failure to meet the deadline for bringing
p.(None): action.
p.(None): (4) Any person otherwise lacking legal capacity to be a party to legal proceedings may also be involved in such legal
p.(None): proceedings. The Authority may intervene on the requesting party’s behalf.
p.(None): (5) Actions against bodies with public service functions of nation-wide jurisdiction shall be brought at the competent
p.(None): tribunal. Actions falling within the jurisdiction of local courts shall be heard by the local court of the seat
p.(None): of the tribunal, or by the Pesti Központi Kerületi Bíróság (Pest Central District Court) in Budapest.
p.(None): Jurisdiction shall be determined by reference to the place where the head offices of the body with public service
p.(None): functions, being the respondent, is located.
p.(None): (6) The court shall hear such cases in priority proceedings.
p.(None): (7) When the decision is in favor of the request for access to public information, the court shall order the data
p.(None): controller to disclose the information in question. The court shall have powers to modify the amount charged
p.(None): for making a copy, or may order the body with public service functions to re-open its proceedings for determining the
p.(None): amount of the fee chargeable.
p.(None):
p.(None): CHAPTER IV
p.(None):
p.(None): DISSEMINATION OF DATA OF PUBLIC INTEREST
p.(None):
p.(None): 22. Obligation to disclose data of public interest Section 32
p.(None): Bodies with public service functions shall promote and ensure that the general public is provided with
p.(None): accurate information in a prompt manner concerning the matters under their competence, such as the
p.(None): budgets of the central and municipal governments and the implementation thereof, the management of
p.(None): assets controlled by the central and municipal governments, the appropriation of public funds, and special
p.(None): and exclusive rights conferred upon market actors, private organizations or individuals.
p.(None):
p.(None): 23. Obligation of publication by electronic means Section 33
...
p.(None):
p.(None): (1) With the exception set out in Subsection (3), the Authority shall register the data processing
p.(None): operation within eight days from the date of receipt of the application, if it contains the information
p.(None): specified in Subsection (1) or Subsection (2) of Section 65.
p.(None): (2) With the exception set out in Subsection (3), if the Authority fails to adopt a decision regarding the
p.(None): application for registration in due time, the controller may commence the processing operation according to
p.(None): what is contained in the application.
p.(None): (3) The Authority shall register the data processing operation referred to in Subsections (4) and (5) within forty
p.(None): days from the date of receipt of the application, if it contains the information specified in Subsection
p.(None): (1) or Subsection (2) of Section 65, and if the controller is able to meet the conditions for lawful processing.
p.(None): (4) If the application for registration is submitted in respect of processing operations under Subsection (5),
p.(None): pertaining to data files unaffected by any previous data processing operation of the controller, or for which a new
p.(None): process technology that the controller has never used before for any previous processing operation is
p.(None): required, registration shall be granted on condition that the controller is able to meet the conditions for lawful
p.(None): processing.
p.(None): (5) The condition for registration under Subsection (4) pertains, in accordance with what is contained therein, to:
p.(None): a) data files concerning authorities of nation-wide jurisdiction, employment related national data bases and national
p.(None): criminal records;
p.(None): b) data files from the customer records of financial institutions and public utility companies;
p.(None): c) data files from the customer records of providers of electronic communications services.
p.(None): (6) The resolution adopted by the Authority for admission into the data protection register shall contain the
p.(None): registration number, that the controller is required to indicate for all operations with data, such as when
p.(None): data is transferred or published, or when provided to the data subject. The registration number is assigned to identify
p.(None): the data processing operation, and it is not intended to verify the lawfulness of the operation.
p.(None): (7) In the event of any change in the data specified in Paragraphs b)-j) of Subsection (1) of Section 65, the data
p.(None): controller is required to submit an application for the registration of change to the Authority within
p.(None): eight days from the effective date of the change. The provisions of Subsections (1), (3) and (5) shall also
p.(None): apply to the registration of changes, where the application shall suffice to contain the changes only.
p.(None):
p.(None): 36. Data protection audit Section 698
p.(None): (1) The data protection audit is a service provided by the Authority designed to evaluate and assess data processing
...
p.(None):
p.(None):
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None):
p.(None): 10.
p.(None):
p.(None):
p.(None):
p.(None): 11.
p.(None): Name of any publication founded by the body with public service functions, editor’s and publisher’s name and address,
p.(None): name of the editor in chief
p.(None): Particulars specified in Point 1 of the superior or supervisory body of the body with public service functions, or the
p.(None): body empowered to hear appeal cases relating to its regulatory decisions, or failing this, of the body exercising legal
p.(None): supervision of the body with public service functions
p.(None): Immediately upon the change taking effect
p.(None):
p.(None):
p.(None): Immediately upon the change taking effect
p.(None): Previous data shall be archived for a period of one year
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None):
p.(None): II. Information relating to activities and operations
p.(None):
p.(None): Data description Updating Duration of processing
p.(None):
p.(None): 1. Unabridged version of the laws governing the responsibilities, competence and core activity of the body with
p.(None): public service functions, legal act for the governance of bodies governed by public law, organizational and operational
p.(None): regulations or operating procedures, data protection and data security regulations
p.(None): 2. In connection with bodies of nation-wide jurisdiction and county and capital government offices, an
p.(None): information pamphlet on the duties and activities of the body with public service functions in Hungarian and English
p.(None): 3. Voluntary tasks of municipal governments
p.(None):
p.(None): 4. In connection with public administration, municipal government and other regulatory cases, name of the body
p.(None): having competence separately for each type of case and procedure, or the name and area of jurisdiction of the body
p.(None): actually proceeding where powers had been transferred, description of documents and other deeds required, procedural
p.(None): fees (administrative service fees), basic procedural rules, means (place and time) for the submission of documents for
p.(None): the opening of proceedings, office hours, administrative time limits (deadlines for processing and for appeals),
p.(None): guidelines, general information on handling cases and standard forms for downloading, access to electronic programs
p.(None): available for use,
p.(None): Immediately upon the change taking effect
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): Immediately upon the change taking effect
p.(None):
p.(None):
p.(None):
p.(None): Quarterly
p.(None):
p.(None):
p.(None): Immediately upon the change taking effect
p.(None): Previous data shall be archived for a period of one year
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): Previous data shall be deleted
p.(None):
p.(None):
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None): Previous data shall be deleted
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): 5.
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): 6.
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
...
Social / Access to Social Goods
Searching for indicator access:
(return to top)
p.(None): Act CXII of 2011
p.(None):
p.(None): on the Right of Informational Self-Determination and on Freedom of Information1
p.(None): In order to ensure the right of informational self-determination and the freedom of information, and to
p.(None): facilitate the implementation of the Fundamental Law, pursuant to Article VI of the Fundamental Law, the
p.(None): Parliament hereby adopts the following Act on the fundamental rules applicable in connection with the
p.(None): protection of personal data and the enforcement of the right to access and disseminate data of public interest and
p.(None): data public on grounds of public interest, and on the authority empowered to monitor compliance with these rules:
p.(None):
p.(None): CHAPTER I GENERAL PROVISIONS
p.(None): 1. Object of the Act Section 1
p.(None): The purpose of this Act is to lay down the fundamental rules for data processing activities with a view to ensuring
p.(None): that the right to privacy of natural persons is respected by data controllers , and to enforcing of rights
p.(None): to access and disseminate data of public interest and data public on grounds of public interest.
p.(None):
p.(None): 2. Scope Section 2
p.(None): (1) This Act shall apply to all data control and data processing activities undertaken in Hungary
p.(None): relating to the data of natural persons as well as data of public interest and data public on grounds of
p.(None): public interest.
p.(None): (2) The present Act shall apply to both data processing and data process, carried out wholly or partly, by automated
p.(None): means as well as manually.
p.(None): (3) Provisions set out in the present Act shall apply if the controller processing personal data outside
p.(None): the territory of the European Union contracts a data processor with a seat, site, branch or address or place of
p.(None): residence within the territory of Hungary to perform data processing, except if this device serves data
p.(None): traffic exclusively within the territory of the European Union. Such controllers are obliged to designate a
p.(None): representative in Hungary.
p.(None): (4) Provisions set out in the present Act are not applicable to natural persons processing data
p.(None): exclusively for their own personal purposes.
p.(None): (5) Concerning further use of public sector information, provisions in derogation from this Act may be established
p.(None): by another act concerning the procedures and conditions for the disclosure of data, the consideration payable
p.(None): therefore, and as regards remedies.
p.(None):
p.(None): 3. Definitions Section 3
p.(None):
p.(None): 1Updated: 11-10-2013 by NAIH
p.(None):
p.(None): For the purposes of this Act:
...
p.(None): are prescribed by law to be published, made available or otherwise disclosed for the benefit of the general public;
p.(None): 7. ‘the data subject’s consent’ shall mean any freely and expressly given specific and informed
p.(None): indication of the will of the data subject by which he signifies his agreement to personal data relating
p.(None): to him being processed fully or to the extent of specific operations;
p.(None): 8. ‘the data subject’s objection’ shall mean a declaration made by the data subject objecting to the processing of
p.(None): their personal data and requesting the termination of data processing, as well as the deletion of the data processed;
p.(None): 9. ‘controller’ shall mean natural or legal person, or organisation without legal personality which alone or jointly
p.(None): with others determines the purposes and means of the processing of data; makes and executes decisions concerning data
p.(None): processing (including the means used) or have it executed by a data processor2;
p.(None): 10. ‘data’ processing’ shall mean any operation or the totality of operations performed on the data, irrespective of
p.(None): the procedure applied; in particular, collecting, recording, registering, classifying, storing, modifying, using,
p.(None): querying, transferring, disclosing, synchronising or connecting, blocking, deleting and destructing the data, as
p.(None): well as preventing their further use, taking photos, making audio or visual recordings, as well as
p.(None): registering physical characteristics suitable for personal identification (such as fingerprints or palm prints, DNA
p.(None): samples, iris scans);
p.(None): 11. ‘data transfer’ shall mean ensuring access to the data for a third party;
p.(None): 12. ‘disclosure’ shall mean ensuring open access to the data;
p.(None):
p.(None): 2 In effect as of 1st July 2013
p.(None):
p.(None): 13. ‘data deletion’ shall mean making data unrecognisable in a way that it can never again be restored;
p.(None): 14. ‘tagging data’ shall mean marking data with a special ID tag to differentiate it;
p.(None): 15. ‘blocking of data’ shall mean marking data with a special ID tag to indefinitely or definitely
p.(None): restrict its further processing;
p.(None): 16. ‘data destruction’ shall mean complete physical destruction of the data carrier recording the data;
p.(None): 17. ‘data process’ shall mean performing technical tasks in connection with data processing operations, irrespective of
p.(None): the method and means used for executing the operations, as well as the place of execution, provided that the technical
p.(None): task is performed on the data;
p.(None): 18. ‘data processor’ shall mean any natural or legal person or organisation without legal personality processing
p.(None): the data on the grounds of a contract, including contracts concluded pursuant to legislative provisions3;
p.(None): 19. ‘data source’ shall mean the body responsible for undertaking the public responsibility which generated the data of
p.(None): public interest that must be disclosed through electronic means, or during the course of operation in which this data
p.(None): was generated;
p.(None): 20. ‘data disseminator shall mean the body responsible for undertaking the public responsibility
p.(None): which uploads the data sent by the data source it has not published the data;
p.(None): 21. ‘data set’ shall mean all data processed in a single file;
p.(None): 22. ‘third party’ any natural or legal person, or organisation without legal personality other than the data subject,
...
p.(None): is not permitted to happen on legal holiday as determined by the Labour Code.4
p.(None): 5. Legal basis of data processing Section 5
p.(None): (1) Personal data may be processed under the following circumstances:
p.(None): a) when the data subject has given his consent, or
p.(None): b) when processing is necessary as decreed by law or by a local authority based on authorization
p.(None): conferred by law concerning specific data defined therein for the performance of a task carried out in the public
p.(None): interest (hereinafter referred to as “mandatory processing”).
p.(None): (2) Special data may be processed according to Section 6, and under the following circumstances:
p.(None): a) when the data subject has given his consent in writing, or
p.(None): b) when processing is necessary for the implementation of an international agreement promulgated by an act
p.(None): concerning the data under Point 3.a) of Section 3, or if prescribed by law in connection with the enforcement of
p.(None): fundamental rights afforded by the Fundamental Law, or for reasons of national security or national defence, or law
p.(None): enforcement purposes for the prevention or prosecution of criminal activities, or
p.(None): c) when processing is necessary for the performance of a task carried out in the public interest
p.(None): concerning the data under Point 3.b) of Section 3.
p.(None): (3) Where data processing is mandatory, the type of data, the purpose and the conditions of processing, access to
p.(None): such data, the duration of the proposed processing operation, and the controller shall be specified by the
p.(None): statute or municipal decree in which it is ordered.
p.(None): (4) Personal data that concern criminal offenses and are being processed for the purposes of preventing,
p.(None): investigating, detecting and prosecuting criminal offences and data files containing information
p.(None): pertaining to misdemeanour cases, civil cases and non-contentious proceedings may only be processed by central
p.(None): or local government authorities.
p.(None):
p.(None): Section 6
p.(None):
p.(None): (1) Personal data may be processed also if obtaining the data subject’s consent is impossible or it would give rise
p.(None): to disproportionate costs, and the processing of personal data is necessary:
p.(None): a) for compliance with a legal obligation pertaining to the data controller, or
p.(None): b) for the purposes of the legitimate interests pursued by the controller or by a third party, and enforcing these
p.(None): interests is considered proportionate to the limitation of the right for the protection of personal data.
p.(None):
p.(None):
p.(None): 4 In effect as of 30th March 2013
p.(None):
p.(None): (2) If the data subject is unable to give his consent on account of lacking legal capacity or for any other reason
p.(None): beyond his control, the processing of his personal data is allowed to the extent necessary and for the length of time
...
p.(None): request or initiative, as regards the personal data necessary to carry out the proceedings, and in other cases opened
p.(None): at the data subject’s request, as regards the personal data he has supplied, the data subject’s consent shall be deemed
p.(None): to have been granted.
p.(None): (7) The consent of the data subject shall be considered granted in connection with any personal data he
p.(None): has conveyed to the public or has supplied for dissemination when making a public appearance.
p.(None): (8) If there is any doubt, it is to be presumed that the data subject failed to provide his consent.
p.(None):
p.(None): 6. Data security requirement Section 7
p.(None): (1) Controllers shall make arrangements for and carry out data processing operations in a way so as to ensure full
p.(None): respect for the right to privacy of data subjects in due compliance with the provisions of this Act and other
p.(None): regulations on data protection.
p.(None): (2) Controllers, and within their sphere of competence, data processors must implement adequate safeguards
p.(None): and appropriate technical and organizational measures to protect personal data, as well as adequate procedural
p.(None): rules to enforce the provisions of this Act and other regulations concerning confidentiality and security of
p.(None): data processing.
p.(None): (3) Data must be protected by means of suitable measures against unauthorized access, alteration,
p.(None): transmission, public disclosure, deletion or destruction, as well as damage and accidental loss, and to
p.(None): ensure that stored data cannot be corrupted and rendered inaccessible due to any changes in or modification of the
p.(None): applied technique.
p.(None): (4) For the protection of data sets stored in different electronic filing systems, suitable technical
p.(None): solutions shall be introduced to prevent - unless this is permitted by law - the
p.(None):
p.(None): interconnection of data stored in these filing systems and the identification of the data subjects.
p.(None): (5) In respect of automated personal data processing, data controllers and processors shall implement additional
p.(None): measures designed to:
p.(None): a) prevent the unauthorized entry of data;
p.(None): b) prevent the use of automated data-processing systems by unauthorized persons using data transfer devices;
p.(None): c) ensure that it is possible to verify and establish to which bodies personal data have been or may be transmitted or
p.(None): made available using data transfer devices;
p.(None): d) ensure that it is possible to verify and establish which personal data have been entered into automated
p.(None): data-processing systems and when and by whom the data were input;
p.(None): e) ensure that installed systems may, in case of malfunctions, be restored; and
p.(None): f) ensure that faults emerging in automated data-processing systems is reported.
p.(None): (6) In determining the measures to ensure security of processing, data controllers and processors shall
p.(None): proceed taking into account the latest technical development and the state of the art of their implementation. Where
...
p.(None): freedoms of others.
p.(None):
p.(None): 14. Requirement of preliminary information of the data subject Section 20
p.(None): (1) Prior to data processing being initiated the data subject shall be informed whether his consent is required or
p.(None): processing is mandatory.
p.(None): (2) Before processing operations are carried out the data subject shall be clearly and elaborately
p.(None): informed of all aspects concerning the processing of his personal data, such as the purpose for which his data is
p.(None): required and the legal basis, the person entitled to control the data and to carry out the processing, the duration of
p.(None): the proposed processing operation, if the data subject’s personal data is processed in accordance with Subsection (5)
p.(None): of Section 6, and the persons to whom his data may be disclosed. Information shall also be provided on the data
p.(None): subject’s rights and remedies.
p.(None): (3) In the case of mandatory processing such information may be supplied by way of publishing reference
p.(None): to the legislation containing the information referred to in Subsection (2).
p.(None): (4) If the provision of personal information to the data subject proves impossible or would involve disproportionate
p.(None): costs, the obligation of information may be satisfied by the public disclosure of the following:
p.(None): a) an indication of the fact that data is being collected;
p.(None): b) the data subjects targeted;
p.(None):
p.(None): c) the purpose of data collection;
p.(None): d) the duration of the proposed processing operation;
p.(None): e) the potential data controllers with the right of access;
p.(None): f) the right of data subjects and remedies available relating to data processing; and
p.(None): g) where the processing operation has to be registered, the number assigned in the data protection
p.(None): register, with the exception of Subsection (2) of Section 68.
p.(None):
p.(None): 15. The data subject’s right to object to the processing of his personal data Section 21
p.(None): (1) The data subject shall have the right to object to the processing of data relating to him:
p.(None): a) if processing or disclosure is carried out solely for the purpose of discharging the controller’s
p.(None): legal obligation or for enforcing the rights and legitimate interests of the controller, the recipient or a
p.(None): third party, unless processing is mandatory;
p.(None): b) if personal data is used or disclosed for the purposes of direct marketing, public opinion polling or scientific
p.(None): research; and
p.(None): c) in all other cases prescribed by law.
p.(None): (2) In the event of objection, the controller shall investigate the cause of objection within the shortest possible
p.(None): time inside a fifteen-day time period, adopt a decision as to merits and shall notify the data subject in writing of
p.(None): its decision.
p.(None): (3) If, according to the findings of the controller, the data subject’s objection is justified, the controller shall
p.(None): terminate all processing operations (including data collection and transmission), block the data
p.(None): involved and notify all recipients to whom any of these data had previously been transferred concerning the objection
...
p.(None): requirements;
p.(None): c) investigate complaints conveyed to him and, if he detects any unauthorized data processing operations,
p.(None): call on the controller or processor in question to cease such operations;
p.(None): d) draw up the internal data protection and data security rules;
p.(None): e) maintain the internal data protection register;
p.(None): f) organises training sessions on the subject of data protection.
p.(None): (3) The controllers referred to in Subsection (1) and central and local government controllers - other than
p.(None): controllers not required to report to the data protection register - shall be required to adopt data protection and
p.(None): data security rules in accordance with this Act.
p.(None):
p.(None): 19. Conference of internal data protection officers Section 25
p.(None): (1) The conference of internal data protection officers (hereinafter referred to as “conference”)
p.(None): is intended to maintain regular professional contacts between the Authority and internal data protection officers, the
p.(None): purpose of which is to ensure the consistency of the case- law as regards the protection of personal data and access to
p.(None): public information.
p.(None): (2) The President of the Authority shall call the conference at least once every year, or as necessary, and shall
p.(None): determine its agenda.
p.(None): (3) The internal data protection officers of all organizations where such office has to be maintained by
p.(None): law shall have a seat on the conference.
p.(None): (4) The internal data protection officers of those organizations where such office is not required may
p.(None): also have a seat on the conference. To this end they may seek admission to the register of internal data protection
p.(None): officers maintained by the Authority.
p.(None): (5) For communication purposes, the Authority shall maintain a register of internal data protection
p.(None): officers on members of the conference. The register contains the name, postal and electronic mail address of internal
p.(None): data protection officers, and the name of the organization they represent.
p.(None): (6) The Authority shall record the data mentioned in Subsection (5) until the time of receiving
p.(None): information on the termination of the internal data protection officer’s term in office.
p.(None):
p.(None): CHAPTER III
p.(None):
p.(None): ACCESSXTOXINFORMATION OF PUBLIC INTEREST
p.(None):
p.(None): 20. General provisions on access to information of public interest Section 26
p.(None): (1) Any person or body attending to statutory State or municipal government functions or performing other public duties
p.(None): provided for by the relevant legislation (hereinafter referred to collectively as “body with public service
p.(None): functions”) shall allow free access to the data of public interest and data public on grounds of public
p.(None): interest under its control to any person, save where otherwise provided for in this Act.
p.(None): (2) The name of the person undertaking tasks within the scope of responsibilities and authority of the
p.(None): body undertaking public duties, as well as their scope of responsibilities, scope of work, executive mandate
p.(None): and other personal data relevant to the provision of their responsibilities to which access must be ensured by law
p.(None): qualify as data public on grounds of public interest. These data may be disseminated in compliance with the principle
p.(None): of purpose limitation. Provisions on the disclosure of data public on the grounds of public interest shall be
p.(None): regulated by Appendix 1 of this Act and the specific laws relating to the status of the person
p.(None): undertaking public duties.
p.(None): (3) Unless otherwise prescribed by law, any data, other than personal data, that is processed by bodies or persons
p.(None): providing services prescribed mandatory by law or under contract with any governmental agency, central or local, if
p.(None): such services are not available in any other way or form relating to their activities shall be deemed data public on
p.(None): grounds of public interest.
p.(None):
p.(None): Section 27
p.(None):
p.(None): (1) Access to data of public interest or data public on grounds of public interest shall be restricted if it has
p.(None): been classified under the Act on the Protection of Classified Information.
p.(None): (2) Right of access to data of public interest or data public on grounds of public interest may be restricted by law -
p.(None): with the specific type of data indicated - where considered necessary to safeguard:
p.(None): a) national defense;
p.(None): b) national security;
p.(None): c) prevention and prosecution of criminal offenses;
p.(None): d) environmental protection and nature preservation;
p.(None): e) central financial or foreign exchange policy;
p.(None): f) external relations, relations with international organizations;
p.(None): g) court proceedings or administrative proceedings;
p.(None): h) intellectual property rights.
p.(None): (3) Access to business secrets shall be governed by the relevant provisions of the Civil Code.
p.(None): (4) Access to public information may also be limited by European Union legislation with a view to any important
p.(None): economic or financial interests of the European Union, including monetary, fiscal and tax policies.
p.(None): (5) Any information compiled or recorded by a body with public service functions as part of, and in support of, a
p.(None): decision-making process for which it is vested with powers and competence, shall not be made available
p.(None): to the public for ten years from the date it was compiled or recorded. Access to these information may be
p.(None): authorized by the head of the body
p.(None):
p.(None): that controls the information in question upon weighing the public interest in allowing or disallowing
p.(None): access to such information.
p.(None): (6) A request for disclosure of information underlying a decision may be rejected after the decision is adopted, but
p.(None): within the time limit referred to in Subsection (5), if disclosure is likely to jeopardize the legal
p.(None): functioning of the body with public service functions or the discharging of its duties without any undue
p.(None): influence, such as in particular free expression of the position of the body which generated the data during
p.(None): the preliminary stages of the decision-making process.
p.(None): (7) The time limit for restriction of access as defined in Subsection (5) to certain specific information underlying a
p.(None): decision may be reduced by law.
p.(None): (8) This Chapter shall not apply to the disclosure of information from official records that is subject to the
p.(None): provisions of specific other legislation.
p.(None):
p.(None): 21. Access to public information upon request Section 28
p.(None): (1) Data of public interest shall be made available to anyone upon a request presented verbally, in
p.(None): writing or by electronic means. Access to data public on grounds of public interest shall be governed by the provisions
p.(None): of this Act pertaining to data of public interest.
p.(None): (2) Unless otherwise provided for by law, the processing of personal data in connection with any
p.(None): disclosure upon request is permitted only to the extent necessary for disclosure, including the collection
p.(None): of payment of charges for copies, where applicable. Following the disclosure of data and upon receipt of the
p.(None): said payment, the personal data of the requesting party must be erased without delay.
p.(None): (3) If any part of the request is unclear, the data controller shall ask the requesting party to clarify.
p.(None):
p.(None): Section 29
p.(None):
p.(None): (1) The body with public service functions that has the data of public interest on record must comply
p.(None): with requests for public information at the earliest opportunity within not more than fifteen days.
p.(None): (2) If a request for information is substantial in terms of size and volume, the time limit referred to in
p.(None): Subsection (1) may be extended by fifteen days on one occasion, of which the requesting party shall be informed within
p.(None): eight days of the date of receipt of the request.
p.(None): (3) The requesting party may also be provided a copy of the document or part of a document containing
p.(None): the information in question, irrespective of the form of storage. The body with public service functions
p.(None): processing the data in question may charge a fee covering only the costs of making the copy, and shall communicate this
...
p.(None): requesting party, provided that the body with public service functions processing the information is capable to meet
p.(None): such request without unreasonable hardship. If the information requested had previously been made public
p.(None): electronically, the request may be fulfilled by way of reference to the public source where the data is available. A
p.(None): request for information may not be refused on the grounds that it cannot be made available in a readily intelligible
p.(None): form.
p.(None): (3) When a request for information is refused, the requesting party must be notified thereof within eight days in
p.(None): writing, or by electronic means if the requesting party has conveyed his electronic mailing address, and must be given
p.(None): the reasons of refusal, including information on the remedies available. The controller shall keep records on the
p.(None): requests refused, including the reasons, and shall inform the Authority thereof each year, by 31 January.
p.(None): (4) A request for data of public interest by a person whose native language is not Hungarian may not be refused for
p.(None): reasons that it was written in his native language or in any other language he understands.
p.(None): (5) If, as regards the refusal of any request for access to data of public interest, the data controller
p.(None): is granted discretionary authority by law, refusal shall be exercised within narrow limits, and the request for
p.(None): access to data of public interest may be refused only if the underlying public interest outweighs the
p.(None): public interest for allowing access to the public information in question.
p.(None): (6) Bodies with public service functions shall adopt regulations governing the procedures for satisfying requests for
p.(None): access to public information.
p.(None): (7) The requests for data with the purpose of a comprehensive, account level as well as an itemized control of the
p.(None): financial management of the body with public service functions are regulated in specific relevant laws. Should such
p.(None): data request be rejected, the requesting party may initiate an investigation of the Authority pursuant to Section 52.
p.(None):
p.(None): Section 31
p.(None):
p.(None): (1) In the event of failure to meet the deadline for the refusal or compliance with a request for access to public
p.(None): information, or with the deadline extended by the data controller pursuant to Subsection (2) of Section 29, and - if
p.(None): the fee chargeable has not been paid - the requesting party may bring the case before the court for having the fee
p.(None): charged for the copy reviewed.
p.(None): (2) The burden of proof to verify the lawfulness and the reasons of refusal, and the reasons for determining the amount
p.(None): of the fee chargeable for the copy lies with the data controller.
p.(None): (3) Litigation must be launched against the body with public service functions that has refused the
p.(None): request within thirty days from the date of delivery of the refusal, or from the time limit prescribed, or from the
p.(None): deadline for payment of the fee chargeable. If the requesting party notifies the Authority with a view to
p.(None): initiating the Authority’s proceedings in connection with the refusal of or non-compliance with the request, or on
p.(None): account of the amount of the fee charged for making a copy, litigation may be launched within thirty days from the
p.(None): time of receipt of notice on the refusal to examine the notification on the merits, on the termination of the inquiry,
p.(None): or its conclusion under Paragraph b) of Subsection (1) of Section 55, or the notice
p.(None):
p.(None): under Subsection (3) of Section 58. Justification may be submitted upon failure to meet the deadline for bringing
p.(None): action.
p.(None): (4) Any person otherwise lacking legal capacity to be a party to legal proceedings may also be involved in such legal
p.(None): proceedings. The Authority may intervene on the requesting party’s behalf.
p.(None): (5) Actions against bodies with public service functions of nation-wide jurisdiction shall be brought at the competent
p.(None): tribunal. Actions falling within the jurisdiction of local courts shall be heard by the local court of the seat
p.(None): of the tribunal, or by the Pesti Központi Kerületi Bíróság (Pest Central District Court) in Budapest.
p.(None): Jurisdiction shall be determined by reference to the place where the head offices of the body with public service
p.(None): functions, being the respondent, is located.
p.(None): (6) The court shall hear such cases in priority proceedings.
p.(None): (7) When the decision is in favor of the request for access to public information, the court shall order the data
p.(None): controller to disclose the information in question. The court shall have powers to modify the amount charged
p.(None): for making a copy, or may order the body with public service functions to re-open its proceedings for determining the
p.(None): amount of the fee chargeable.
p.(None):
p.(None): CHAPTER IV
p.(None):
p.(None): DISSEMINATION OF DATA OF PUBLIC INTEREST
p.(None):
p.(None): 22. Obligation to disclose data of public interest Section 32
p.(None): Bodies with public service functions shall promote and ensure that the general public is provided with
p.(None): accurate information in a prompt manner concerning the matters under their competence, such as the
p.(None): budgets of the central and municipal governments and the implementation thereof, the management of
p.(None): assets controlled by the central and municipal governments, the appropriation of public funds, and special
p.(None): and exclusive rights conferred upon market actors, private organizations or individuals.
p.(None):
p.(None): 23. Obligation of publication by electronic means Section 33
p.(None): (1) Access to public information whose publication is rendered mandatory under this Act shall be made available through
p.(None): the internet, in digital format, to the general public without any restriction, in a manner not to allow the
p.(None): identification of specific individuals, in a format allowing for printing or copying without any loss or
p.(None): distortion of data, free of charge, covering also the functions of consultation, downloading, printing,
p.(None): copying and network transmission (hereinafter referred to as “electronic publication”). Access to
p.(None): information disseminated as per the above shall not be made contingent upon the disclosure of personal data.
p.(None): (2) Unless otherwise provided for by law, the following shall disseminate specific information defined
p.(None): on the publication lists referred to in Section 37:
p.(None): a) Köztársasági Elnök Hivatala (President of the Republic), Országgyűlés Hivatala (Parliament),
p.(None): Alkotmánybíróság Hivatala (Constitutional Court), Alapvető Jogok Biztosának Hivatala (Commissioner for Fundamental
p.(None): Rights), Állami Számvevőszék (State Audit Office), Magyar Tudományos Akadémia (Hungarian Academy of Sciences),
p.(None): Magyar Művészeti
p.(None):
p.(None): Akadémia (Hungarian Academy of Arts), Országos Bírósági Hivatal (National Office for the Judiciary), Legfőbb Ügyészség
p.(None): (Prosecutor General’s Office);
p.(None): b)
p.(None): c) central administrative authorities with the exception of governmental committees as well as national chambers; and
p.(None): d) county and capital Government Offices.
p.(None): (3) The bodies with public service functions, other than those listed in Subsection (2), shall have the option to
p.(None): fulfil their obligation of publication by electronic means, defined in Section 37, through their own website or other
p.(None): websites maintained jointly with their associations, or by other bodies appointed to supervise their organizational and
p.(None): professional infrastructure, or coordinating their operations, or through a central website set up for this purpose.
p.(None): (4) Any public education institution having no national or regional duties shall discharge their obligation of
p.(None): publication by electronic means under this Act by way of data disclosure to the information systems specified by the
p.(None): relevant legislation governing the given sector.
p.(None):
p.(None): Section 34
p.(None):
p.(None): (1) The data source, if disseminating information through the website of others shall transfer the data - in accordance
p.(None): with Section 35 - to the data disseminator, who shall take measures for having the data published on a website, and
p.(None): shall ascertain that the name of the body from which public information originates or to which it pertains is clearly
p.(None): indicated.
p.(None): (2) The data disseminator shall design the website used for publication with facilities to disseminate
p.(None): data and information, and shall ensure that the website runs without interruption and it is properly maintained, and
p.(None): that data are updated on a regular basis.
p.(None): (3) The website used for dissemination shall offer easily understandable information concerning the rules of
p.(None): access to public information, including the remedies available.
p.(None): (4) In addition to the public information specified on the publication lists, other public information and
p.(None): information of public interest may also be published on the website used for dissemination by way of electronic means.
p.(None):
p.(None): Section 35
p.(None):
p.(None): (1) The head of the data source subject to electronic publication shall provide for having the data and information
p.(None): specified on the publication lists defined in Section 37 published accurately, up-to-date and on a
p.(None): regular basis, and for having them sent to the data disseminator.
p.(None): (2) Responsibility for the publication of the data by electronic means, continuous access, and for keeping them
p.(None): authentic and regularly updates lies with the data disseminator.
p.(None): (3) The data source and the data disseminator shall adopt internal regulations for laying down the
p.(None): detailed rules for discharging the obligations referred to in Subsection (1) and Subsection (2),
p.(None): respectively.
p.(None): (4) Information published electronically may not be removed from the website, unless otherwise provided for
p.(None): by this Act or other legislation. In the event of dissolution of a body, the obligation of publication shall devolve
p.(None): upon the successor.
p.(None):
p.(None): Section 36
p.(None):
p.(None): Dissemination of the information specified in the publication lists referred to in Section 37 shall be without
p.(None): prejudice to the obligation of the given body concerning the publication of public information or information of public
p.(None): interest prescribed in other legislation.
p.(None):
p.(None): 24. Disclosure lists Section 37
p.(None): (1) The bodies referred to in Subsections (2)-(4) of Section 33 (hereinafter referred to collectively as
p.(None): “body subject to disclosure requirement”) shall - subject to the exception set out in Subsection (4) - disseminate the
p.(None): data specified in the standard disclosure list referred to in Schedule No. 1 - as pertaining to their activities - by
p.(None): way of the means defined in Annex No. 1.
p.(None): (2) Additional data may be prescribed by law to be disseminated by certain types of bodies with public service
p.(None): functions regarding certain specific sectors (hereinafter referred to as “special disclosure list”).
p.(None): (3) The publication of specific other data may be rendered mandatory by the head of the body subject to disclosure
...
p.(None): (5) In the case of collegiate bodies subject to disclosure requirement, these bodies shall have powers to establish,
p.(None): and amend, the ad hoc disclosure list, upon consulting with the Authority.
p.(None): (6) The head of the body subject to disclosure requirement shall review the disclosure list he has published under
p.(None): Subsection (3), taking into consideration any demand shown for public information that was not included in the
p.(None): publication list, and shall include such public information where demand is considered substantial in terms of
p.(None): the amount and number of requests received.
p.(None): (7) The disclosure list may also provide for the frequency of publication, depending on the type of data in question.
p.(None): (8) The Authority may present a recommendation for having special and ad hoc publication lists drawn up, or amended.
p.(None):
p.(None): 24/A. Central electronic register of public information and the single data retrieval system Section 37/A
p.(None): (1) In the interest of providing fast and easy access to information that has been published electronically, the
p.(None): central electronic register posted on a designated website - set up by the minister in charge for the
p.(None): implementation of infrastructure requirements for administrative information technology systems - contains all
p.(None): relevant descriptive information on the websites of bodies subject to the obligation of publication of public
p.(None): information by electronic means under this Act, pertaining also to their databases and registers.
p.(None): (2) Electronic access using a single platform to the public information of the bodies referred to in Subsection (1) and
p.(None): facilities for searching among public information shall be ensured by
p.(None):
p.(None): the single data retrieval system set up by the minister in charge for the implementation of
p.(None): infrastructure requirements for administrative information technology systems.
p.(None):
p.(None): Section 37/B
p.(None):
p.(None): (1) The data source shall provide for having the descriptive information on websites, databases and
p.(None): registers containing public information made available to the minister in charge for the implementation of
p.(None): infrastructure requirements for administrative information technology systems and for updating on a regular
p.(None): basis the public information thus forwarded, and shall be responsible for the contents of public information forwarded
p.(None): to the single data retrieval system, as well as for having such public information updated on a regular basis.
p.(None): (2) Maintaining the databases and registers containing public information and linking up with the single
p.(None): data retrieval system shall not exonerate the data source from the obligation of publication by electronic means.
p.(None): CHAPTER V
p.(None):
p.(None): NEMZETI ADATVÉDELMI ÉS INFORMÁCIÓSZABADSÁG HATÓSÁG (NATIONAL AUTHORITY FOR DATA PROTECTION AND FREEDOM OF INFORMATION)
p.(None):
p.(None): 25. Legal status of the Authority Section 38
p.(None): (1) The Authority is an autonomous administrative organ.
p.(None): (2) The Authority shall be responsible to supervise and promote the enforcement of the rights to the
p.(None): protection of personal data and access to public information and information of public interest.
p.(None): (3) Within its scope of responsibilities conferred under Subsection (2), the Authority:
p.(None): a) shall conduct investigations upon notification;
p.(None): b) may conduct ex officio administrative proceedings for data protection;
p.(None): c) may conduct ex officio administrative proceedings for the control of classified data;
p.(None): d) may turn to court in connection with any infringement concerning public information and information of public
p.(None): interest;
p.(None): e) may intervene in court actions brought by others;
p.(None): f) maintain the data protection register; in accordance with this Act.
p.(None): (4) Within its scope of responsibilities conferred under Subsection (2), the Authority:
p.(None): a) shall have powers to make recommendations for new regulations and for the amendment of legislation pertaining to
p.(None): the processing of personal data, to public information and information of public interest, and shall
p.(None): express its opinion on drafts covering the same subject;
p.(None): b) shall publish a report on its activities each year, by 31 March, and shall present this report to
p.(None): Parliament;
p.(None): c) shall make recommendations in general, or to specific controllers;
p.(None): d) shall give an opinion on special and ad hoc disclosure lists prescribed mandatory by this Act relating to the
p.(None): activities of the given body with public service functions;
...
p.(None): Authority’s website without delay. The declaration of personal assets may not be removed from the website for a period
p.(None): of one year following termination of the mandate of the President of the Authority.
p.(None): (4) The Prime Minister’s proceedings relating to the declaration of personal assets of the President of the
p.(None): Authority may be requested by anyone with reference to specific sections of the declaration, and the contents of such
p.(None): sections, that is disputed. If the petition submitted is not in conformity with the requirements set out in
p.(None): this Subsection, or if it is manifestly unfounded, or if the petition is re-submitted and it offers no new
p.(None): argument or evidence, the Prime Minister shall refuse the petition without the opening of an examination as to merits.
p.(None): The Prime Minister shall check the authenticity and credibility of the information supplied in the declaration of
p.(None): personal assets.
p.(None): (5) In proceedings related to the declaration of personal wealth, the President of the Authority shall -
p.(None): at the Prime Minister’s request - submit a statement without delay, offering proof for the data and information
p.(None): contained in the declaration of personal wealth concerning his personal finances, income and other financial interests
p.(None): to the Prime Minister in writing. The Prime Minister shall send the findings of the proceedings to the President of the
p.(None): Republic along with the relevant data and information. Access to such data and information is restricted to the Prime
p.(None): Minister and the President of the Republic.
p.(None): (6) The evidence submitted by the President of the Authority in connection with his declaration of
p.(None): personal wealth shall be deleted on the thirtieth day following the date of conclusion of the proceedings.
p.(None):
p.(None): Section 43
p.(None):
p.(None): (1) The President of the Authority shall be entitled to the same remuneration and benefits as the salary and benefits
p.(None): of ministers, including an executive bonus in the amount equal to one and a half times of the executive bonus of
p.(None): ministers.
p.(None): (2) The President of the Authority is entitled to forty working days of paid annual leave per calendar year.
p.(None):
p.(None): Section 44
p.(None):
p.(None): (1) In terms of eligibility for social security benefits, the President of the Authority shall be regarded as employed
p.(None): in public service relationship.
p.(None): (2) The time period of the President’s mandate shall be recognized as spent in public service at an administrative
p.(None): body.
p.(None):
p.(None): Section 45
p.(None):
p.(None): (1) The mandate of the President of the Authority shall terminate:
p.(None): a) upon expiry of his term of office;
p.(None): b) upon resignation;
p.(None): c) upon death;
p.(None): d) if the requirements for appointment are no longer satisfied or upon violation of the rules regarding the declaration
p.(None): of assets;
p.(None): e) upon declaration of incompatibility;
p.(None): f) - g)
...
p.(None): of the Authority - from among the civil servants in the Authority’s employ who have a degree of higher education in
p.(None): information technology or law, and at least three years of experience as a data protection expert or data protection
p.(None): officer, and who have passed a professional examination in public administration or professional examination
p.(None): in law.
p.(None):
p.(None): (2) Examiners are appointed for indefinite terms, and may be dismissed by the President of the Authority any time
p.(None): without cause. If the President of the Authority has withdrawn the appointment of an examiner, the civil
p.(None): servant in question shall be reinstated in his last position before the appointment.
p.(None): (3) Examiners are entitled to the salary of head of unit, exclusive of executive bonus.
p.(None):
p.(None): CHAPTER VI PROCEEDINGS OF THE AUTHORITY
p.(None): 30. Investigation by the Authority Section 52
p.(None): (1) Any person shall have the right to notify the Authority and request an investigation alleging an
p.(None): infringement relating to his or her personal data or concerning the exercise of the rights of access to public
p.(None): information or information of public interest, or if there is imminent danger of such infringement.
p.(None): (2) The Authority’s investigations ensuing shall not be treated as administrative proceedings, and
p.(None): shall not fall within the scope of the Act on the General Rules of Administrative Proceedings.
p.(None): (3) Having submitted a notification to the Authority may not entail any discrimination against the
p.(None): notifier. The Authority may reveal the person of the notifier only if the inquiry cannot be carried out otherwise.
p.(None): If so requested by the notifier, the Authority may not disclose his identity even if the inquiry cannot be carried out
p.(None): otherwise. The notifier must be informed by the Authority of this circumstance.
p.(None): (4) The Authority shall carry out the investigation free of charge; the costs thereof shall be advanced and borne by
p.(None): the Authority.
p.(None):
p.(None): Section 53
p.(None):
p.(None): (1) Subject to the exceptions set out in Subsections (2) and (3), the Authority shall examine the notifications
p.(None): received as to merits.
p.(None): (2) The Authority may refuse the notification without examination thereof as to merits if:
p.(None): a) the infringement alleged in the notification is considered minor, or
...
p.(None):
p.(None): a) the petition should have been refused pursuant to Subsections (3)-(4), however, the authority obtained
p.(None): information concerning the grounds for refusal following the opening of the investigation;
p.(None): b) the reason for continuing the investigation no longer exists.
p.(None): (6) The Authority shall inform the notifier concerning the refusal of the notification without examination thereof as
p.(None): to merits and on the termination of the investigation, including the reasons for refusal and termination.
p.(None): (7) The Authority shall refer a case for which it has no competence to the proper authority, of which the notifier
p.(None): shall be informed, provided that there is sufficient information available to determine the identity of the relevant
p.(None): authority. If, based on the notification received in a case for which it has no competence, the Authority
p.(None): comes to the conclusion that the case should be brought before the court, the notifier shall be informed thereof.
p.(None):
p.(None): Section 54
p.(None):
p.(None): (1) In the course of that investigation, the Authority:
p.(None): a) shall have powers to inspect all documents of the controller inspected, presumed to have any bearing on the case at
p.(None): hand, and may request copies of such documents,
p.(None): b) shall be given access to any data processing operation presumed to have any bearing on the case at hand, and shall
p.(None): be authorized to enter any premises where data processing takes place,
p.(None): c) shall have the right to request information from the controller inspected, and from any employee or associate of the
p.(None): controller in writing or verbally,
p.(None): d) shall have the right to request information in writing from any organization or person presumed to have
p.(None): any connection to the case at hand, and
p.(None): e) may request the head of the supervisory body of the data controller authority to conduct an investigation.
p.(None): (2) The data controller inspected and the organization or person involved in the case at hand shall comply with the
p.(None): Authority’s request under Subsection (1) within the time limit prescribed by the Authority. The time limit
p.(None): prescribed by the Authority may not be less than fifteen days in the cases referred to in Paragraphs d) and e) of
p.(None): Subsection (1).
p.(None): (3) The person asked for information according to Paragraphs c) and d) of Subsection (1) may refuse to comply if:
p.(None): a) the person affected by the notification underlying the Authority’s proceedings is his close relative or former
p.(None): spouse by definition of the Act on the General Rules of Administrative Proceedings;
p.(None): b) giving the information would implicate himself, or his close relative or former spouse defined in the Act on
p.(None): the General Rules of Administrative Proceedings in the commission of a crime, as regards the question related thereto.
p.(None):
p.(None): Section 55
p.(None):
p.(None): (1) Within two months from the date of receipt of the notification, the Authority shall:
p.(None): a) if it finds in favour of the notification,
p.(None): aa) take the measures defined in Section 56 and Section 57,
p.(None): ab) terminate the investigation, and shall launch administrative proceedings for data protection in
p.(None): accordance with Section 60, or
p.(None): ac) terminate the investigation, and shall launch administrative proceedings for the supervision of
p.(None): classified data in accordance with Section 62;
p.(None): b) terminate the investigation if it finds against the notification.
p.(None):
p.(None): (2) The Authority shall inform the notifier on the findings of its investigation, on the reasons for
p.(None): terminating the proceedings and on any measures taken or on the opening of administrative proceedings.
p.(None):
p.(None): Section 56
p.(None):
p.(None): (1) Where the Authority considers that any infringement relating to personal data or concerning the
p.(None): exercise of the rights of access to public information or information of public interest, or the imminent danger of
p.(None): such infringement exist, it shall call on the data controller affected to eliminate the infringement, and the imminent
p.(None): danger of such infringement.
p.(None): (2) The controller - if in agreement - shall take the measures indicated in the notice referred to in Subsection (1)
p.(None): without delay, and shall inform the Authority concerning the measures it has taken, or - if in disagreement - of its
p.(None): argument within thirty days from the date of receipt of the notice.
p.(None): (3) If the data controller authority has a supervisory body, the Authority - if the notice referred to
p.(None): in Subsection (1) failed to obtain satisfaction - may present a recommendation to the controller’s supervisory body, of
p.(None): which the controller has to be notified concurrently. The Authority may also present a recommendation directly,
p.(None): without sending a notice to the controller under Subsection (1), if it is of the opinion that this is
p.(None): a more efficient way to remedy the infringement and to eliminate the imminent danger of such infringement.
p.(None): (4) The supervisory body shall notify the Authority in writing of its position concerning the recommendation as to
p.(None): merits, or on the measures taken within thirty days from the date of receipt of the recommendation.
p.(None):
p.(None): Section 57
p.(None):
...
p.(None): review within sixty days following the date of delivery of the resolution. Upon receipt of the petition for
p.(None): judicial review, enforcement of the resolution shall be delayed. If the classifier did not seek legal
p.(None): action in the court of law within sixty days following the date of delivery of the resolution, the information
p.(None): classified at the national level shall be considered declassified on the sixty-first day following the date
p.(None): of delivery of the resolution, or the level or term of classification shall be modified in accordance
p.(None): with the resolution.
p.(None): (3) The regulations of the Act on the Code of Civil Procedure on administrative actions shall apply to
p.(None): these court proceedings, where they shall be heard in closed session in priority proceedings.
p.(None): (4) The court shall either sustain or reverse, or abolish the Authority’s resolution, and may order the Authority to
p.(None): re-open the proceedings where deemed necessary.
p.(None): (5) The court ruling or the Authority’s resolution shall not affect the obligation of the classifier for
p.(None): the review of classified national security information, as defined by the Act on the Protection of Classified
p.(None): Information.
p.(None): (6) The presiding judge must have the highest level of security clearance accorded under the Act on National Security
p.(None): Agencies.
p.(None): (7) Persons other than the judge, the plaintiff and the defendant shall be allowed access to the said classified
p.(None): information only if they have the highest level of security clearance accorded under the Act on National
p.(None): Security Agencies.
p.(None):
p.(None): 34. Litigation Options for the Authority Section 64
p.(None): (1) If the data controller fails to comply with the request made under Subsection (1) of Section 56, the
p.(None): Authority may bring the case before the court - alleging infringement of the regulation relating to public information
p.(None): and information of public interest - within thirty days following the date of expiry of the time limit for providing
p.(None): the information under Subsection
p.(None): (2) of Section 56, seeking a court’s ruling for ordering the data controller to act in accordance with the Authority’s
p.(None): request.
p.(None): (2) The court referred to in Subsection (5) of Section 31 shall have competence and jurisdiction to
p.(None): adjudicate the action aforementioned.
p.(None): (3) The burden of proof to show compliance with the law lies with the data controller.
p.(None): (4) Any person otherwise lacking legal capacity to be a party to legal proceedings may also be involved in such
p.(None): actions.
p.(None): (5) The court - upon request - may order publication of its decision, by way of publishing the identification data of
p.(None): the controller, if it is necessitated for data protection and the freedom of information in general or in connection
...
p.(None): proceedings. In the event of having reasonable suspicion of alleged misdemeanour offenses or disciplinary
p.(None): infraction in the course of its proceedings, the Authority shall initiate infringement or disciplinary
p.(None): proceedings at the body having competence for conducting infringement or disciplinary proceedings.
p.(None): (2) The body referred to in Subsection (1) shall notify the Authority of its opinion concerning the
p.(None): opening of proceedings within thirty days, unless otherwise provided for by law, and of the outcome of the
p.(None): proceedings within thirty days from the time of conclusion thereof.
p.(None):
p.(None): 38. Data processing and confidentiality Section 71
p.(None): (1) In its proceedings the Authority shall be entitled to process - to the extent and for the duration required -
p.(None): those personal data, and classified information protected by law and secrets obtained in the course of
p.(None): professional activities, which are related to the given proceedings, or which are to be processed with a
p.(None): view to concluding the procedure effectively.
p.(None): (2) The Authority may use the data obtained in the course of conducting its examination for administrative proceedings.
p.(None): (3) The Authority shall have access to data specified in Subsection (2) of Section 23 of Act CXI of 2011 on the
p.(None): Commissioner of Fundamental Rights as defined in Subsection (7) of Section 23 of Act CXI of 2011 on the
p.(None): Commissioner of Fundamental Rights.
p.(None): (4) In proceedings related to the processing of classified information the Vice-President of the Authority, including
p.(None): executive officers and examiners shall - in possession of a personal
p.(None):
p.(None):
p.(None): 8 Entered into force: as of 01.01.2013.
p.(None):
p.(None): security certificate of appropriate level of clearance - be allowed access to classified information
p.(None): without the authorization prescribed in the Act on the Protection of Classified Information for use.
p.(None): (5) The President and Vice-President of the Authority, and persons currently or formerly employed by the
p.(None): Authority as civil servants or in any other work-related relationship shall keep confidential any personal
p.(None): data, classified information, secrets protected by law and secrets obtained in the course of professional
p.(None): activities they may have learnt in relation to the operation and actions of the Authority as well as any other data,
p.(None): fact or circumstance that the Authority is not required to make available to the public - except for any disclosure or
p.(None): supply of data to other organizations under the relevant legislation -, during the term of their
p.(None): employment and after the termination thereof.
p.(None): (6) According to the confidentiality requirement, the persons mentioned in Subsection (5) may not disclose unlawfully
p.(None): any data, facts or circumstance they obtained in connection with the performance of their official duties, nor
p.(None): shall they be allowed to use or reveal such information to third persons.
p.(None): CHAPTER VII CLOSING PROVISIONS
p.(None): Section 72
p.(None):
p.(None): (1) The Government is hereby authorized to decree:
p.(None): a) the detailed regulations for disclosure of public information by electronic means;
p.(None): b) the items covered by the fee chargeable for copies provided in connection with requests for public information, and
...
p.(None): (2) The data controlled by the data protection commissioner before 1 January 2012 in an official capacity shall be
p.(None): transferred to the Authority effective as of 1 January 2012.
p.(None): (3) Data processing operations having commenced prior to 1 January 2012, that fall within the scope of registration
p.(None): in the data protection register under this Act that had not been notified for registration before 1 January
p.(None): 2012 shall be notified to the Authority by 30 June 2012 for registration according to the relevant provisions
p.(None): of this Act. In the event of non- compliance data processing operations may not be carried out past 30 June
p.(None): 2012. Moreover, data processing operations under this Subsection may not be pursued if the Authority refused the
p.(None): application submitted for registration after 31 December 2011.
p.(None):
p.(None): Section 76
p.(None):
p.(None): Chapter V of this Act shall be considered a cardinal provision pursuant to Article VI(3) of the Fundamental Law.
p.(None):
p.(None): Section 77
p.(None):
p.(None): This Act facilitates compliance with:
p.(None): a) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals
p.(None): with regard to the processing of personal data and on the free movement of such data;
p.(None): b) Directive 2003/4/EC of the European Parliament and of the Council of 28 January 2003 on public access to
p.(None): environmental information and repealing Council Directive 90/313/EEC;
p.(None): c) Directive 2003/98/EC of the European Parliament and of the Council of 17 November 2003 on the re-use of public
p.(None): sector information;
p.(None): d) Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the
p.(None): framework of police and judicial cooperation in criminal matters.
p.(None):
p.(None):
p.(None): (1)-(2)9
p.(None): Section 78
p.(None):
p.(None): (3) The term “descending” to be found in Section 9 (7) of the Law Decree 17 of 1982 on Registers,
p.(None): Marriage Proceedings and the Use of Name shall be replaced by the term “descending found”.
p.(None):
p.(None): (4) Section 25 (3) of the Act XXIV of 2011 on legal harmonisation of Acts on Europol, on Security Services and the
p.(None): Activities of Private Investigators (SSAPI), on Firearms and Pyrotechnic Devices enters into with the following
p.(None): wording:
p.(None):
p.(None): „(3) Section 31 (1) g) shall be replaced by „the Chamber shall keep a register of its natural person members and
p.(None): enterprises till the termination of membership in accordance with the provisions of this Act and also supplies
p.(None): statistical data anonymously.”
p.(None):
p.(None): (5) Section 41 (3) b) of the Act XXIV of 2011 on legal harmonisation of Acts on Europol, on Security Services and
p.(None): the Activities of Private Investigators (SSAPI), on Firearms and Pyrotechnic Devices enters into force with the
p.(None): following wording:
p.(None):
p.(None): (Repealed):
p.(None):
...
p.(None): (9) Section 15 (3) of the Act LXXVII. Of 2011 on World Heritage shall not enter into force.
p.(None):
p.(None): Section 80
p.(None):
p.(None): (1) The following Point n) shall be added to Article 51 (2) of Act CXII of 1996 on credit institutions
p.(None): and financial corporations:
p.(None): [Pursuant to Point b) of paragraph (2), the obligation to safeguard bank secrets does not apply]
p.(None): “n) to the National Authority for Data Protection and Freedom of Information within its competent scope of
p.(None): responsibilities”
p.(None): (contrary to requests made in writing by these bodies to the financial institution.)
p.(None): (2) The following Point r) shall be added to Article 157 (1) of Act LX of 2003 on insurance companies and insurance
p.(None): activities:
p.(None): (The obligation to safeguard insurance secrets does not apply)
p.(None): “r) in the case of the National Authority for Data Protection and Freedom of Information within their
p.(None): respective scope of responsibilities”
p.(None): [contrary to how should the body or individual specified under Points a)-j), n) and s) be entitled to
p.(None): submit a request in writing containing the name of the client or the insurance contract number, the type
p.(None): of data requested, the objective of the data request and its legal grounds on condition that the body or individual
p.(None): specified under points k), l), m), p) and q) is exclusively obliged to provide the type of data requested and its legal
p.(None): grounds. Reference to the legislation authorising data access equally qualifies as certification of the
p.(None): objective indicated and the legal status.]
p.(None): (3) The following Point m) shall be added to Article 8 (2) of Act LVII of 2004 on the legal status of Hungarian MPs
p.(None): delegated to the European Parliament:
p.(None): “m) The President and Vice-President of the National Authority for Data Protection and Freedom of
p.(None): Information.”
p.(None): (cannot be a Member of the European Parliament)
p.(None): (4) The following Point k) shall be added to Article 118 (3) of Act CXXXVIII of 2007 on investment companies and
p.(None): commodity exchange service providers, as well as rules concerning the activities they may engage in:
p.(None): (The confidentiality obligation defined under paragraph [1] does not apply)
p.(None):
p.(None): “r) to the National Authority for Data Protection and Freedom of Information within its respective scope
p.(None): of responsibilities”
p.(None): (contrary to requests made in writing by these bodies to the investment companies or commodity exchange
p.(None): service providers.)
p.(None): (5) The following Point q) and final text shall be added to Article 88 (1) of Act CLIX of 2007 on collaterals:
p.(None): (In accordance with the present Act, the obligation to safeguard insurance secrets does not apply)
p.(None): “q) to the National Authority for Data Protection and Freedom of Information within its respective scope
p.(None): of responsibilities.”
...
p.(None): cases with EU Member States shall be replaced by the text “ the National Authority for Data Protection and
p.(None): Freedom of Information”.
p.(None): (11) The text “the data protection commissioner” in Article 164 (5) and in Point a) of Article 174 (3) of Act CXL of
p.(None): 2004 on the general rules on administrative proceedings and services shall be replaced by the text “the National
p.(None): Authority for Data Protection and Freedom of Information”.
p.(None): (12) The text “the data protection commissioner” in Article 85 (3) of Act I of 2007 on the entry and residence of
p.(None): persons with the right of the freedom of movement and residence shall be replaced by the text “the National
p.(None): Authority for Data Protection and Freedom of Information”.
p.(None): (13) The text “within the scope of the procedure defined under the Act on the protection of personal data and the
p.(None): disclosure of data of public interest, the data protection commissioner” in Article 6 of Act CI of 2007 on ensuring
p.(None): access to data required for decision preparation shall be replaced by the text “the National Authority for
p.(None): Data Protection and Freedom of Information”.
p.(None): (14) The text “the data protection commissioner” in Article 18 (6) and Article 20 (2) of Act CV of 2007 on cooperation
p.(None): and information exchange carried out within the framework of the Convention implementing the Schengen Agreement
p.(None): shall be replaced by the text “the National Authority for Data Protection and Freedom of Information”; the
p.(None): text “pursuant to regulations set out under the Act on the protection of personal data and the disclosure of data of
p.(None): public interest, the data protection commissioner” in Article 20 (1) shall be replaced by the text “the National
p.(None): Authority for Data Protection and Freedom of Information”.
p.(None): (15) The text “the data commissioner competent to act in respect of Act on the protection of personal data and the
p.(None): disclosure of data of public interest and controlling compliance with the Act on the control of personal data” in
p.(None): Article 88 (2) of Act XLVII of 2009 on the criminal database, the registration of verdicts brought against
...
p.(None): Previous data shall be archived for a period of one year
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None):
p.(None): II. Information relating to activities and operations
p.(None):
p.(None): Data description Updating Duration of processing
p.(None):
p.(None): 1. Unabridged version of the laws governing the responsibilities, competence and core activity of the body with
p.(None): public service functions, legal act for the governance of bodies governed by public law, organizational and operational
p.(None): regulations or operating procedures, data protection and data security regulations
p.(None): 2. In connection with bodies of nation-wide jurisdiction and county and capital government offices, an
p.(None): information pamphlet on the duties and activities of the body with public service functions in Hungarian and English
p.(None): 3. Voluntary tasks of municipal governments
p.(None):
p.(None): 4. In connection with public administration, municipal government and other regulatory cases, name of the body
p.(None): having competence separately for each type of case and procedure, or the name and area of jurisdiction of the body
p.(None): actually proceeding where powers had been transferred, description of documents and other deeds required, procedural
p.(None): fees (administrative service fees), basic procedural rules, means (place and time) for the submission of documents for
p.(None): the opening of proceedings, office hours, administrative time limits (deadlines for processing and for appeals),
p.(None): guidelines, general information on handling cases and standard forms for downloading, access to electronic programs
p.(None): available for use,
p.(None): Immediately upon the change taking effect
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): Immediately upon the change taking effect
p.(None):
p.(None):
p.(None):
p.(None): Quarterly
p.(None):
p.(None):
p.(None): Immediately upon the change taking effect
p.(None): Previous data shall be archived for a period of one year
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): Previous data shall be deleted
p.(None):
p.(None):
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None): Previous data shall be deleted
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): 5.
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): 6.
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): 7.
p.(None):
p.(None):
p.(None): 8.
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): 9.
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): 10.
p.(None):
p.(None):
p.(None): 11.
p.(None):
p.(None):
p.(None):
p.(None): 12.
p.(None): appointments, list of legislation for different types of cases, information on clients’ rights and obligations
p.(None): Description and contents of public services provided by the body with public
p.(None): service functions or financed from budget, rules of access to public services, amount of fees charged for public
p.(None): services, any allowances from such fees
p.(None): Descriptive information on databases and registers maintained by the body with public service functions (name, format,
p.(None): purpose and legal basis of processing, duration of processing, data subjects involved, data sources, questionnaire,
p.(None): where applicable), particulars for the identification of records to be notified for the data protection register; type
p.(None): of data collected and processed by the body with public service functions within the framework of its principal
p.(None): activity, means of access, costs of making copies
p.(None): Title and subject of publications of the body with public service functions, means of access, price of the publication,
p.(None): if any In respect of collegiate bodies, decision- making process, means of participation by the general public
p.(None): (opinionate), procedural rules, place and time of settings of the collegiate body, publicity, decisions, minutes or
p.(None): summaries of meetings; information on voting in the collegiate body, if this is not restricted by law Legislative
p.(None): proposals and related documents to be published by virtue of law; motions and proposals submitted to public meetings of
p.(None): the councils of local self-governments from the time of submission
p.(None): Public announcements and statements made by the body with public service functions
p.(None): Technical description of tenders published by the body with public service functions, the outcome of such procedure and
p.(None): the reasons
p.(None): Public findings of examinations and inspections carried out in connection with the core activity of the body with
p.(None): public service functions
p.(None):
p.(None):
p.(None):
p.(None): Immediately upon the change taking effect
p.(None):
p.(None):
p.(None):
p.(None): Immediately upon the change taking effect
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): Quarterly
p.(None):
p.(None):
p.(None): Immediately upon the change taking effect
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): Unless otherwise provided for by law, immediately from the time of submission
p.(None):
p.(None):
p.(None): Continuously
p.(None):
p.(None):
p.(None): Continuously
p.(None):
p.(None):
p.(None):
p.(None): Immediately upon receiving the report on the examination
p.(None):
p.(None):
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None):
p.(None):
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None): Previous data shall be archived for a period of one year
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None):
p.(None):
p.(None):
p.(None): Archived for a period of at least one year
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None):
p.(None): 13.
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): 14.
p.(None):
p.(None):
p.(None):
p.(None): 15.
p.(None):
p.(None):
p.(None): 16.
p.(None):
p.(None):
p.(None): 17.
p.(None):
p.(None):
p.(None): 18.
p.(None): Procedure for handling requests for access to public information, name and contact information of the competent
p.(None): department, and the name of the data protection officer or the person handling information rights, where applicable
p.(None): Results of gathering statistical information relating to the activity of the body with public service functions,
p.(None): showing changes over time thereof Information pertaining to a given body from mandatory data disclosure relating to
p.(None): public information
p.(None): List of contracts for the use of public information to which the body with public service functions is a party
p.(None): Standard contract conditions relating to the use of public information processed by the body with public service
p.(None): functions Special and ad hoc publication lists pertaining to the body with public service functions
p.(None): Quarterly
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): Quarterly
p.(None):
p.(None):
p.(None):
p.(None): Quarterly
p.(None):
p.(None):
p.(None): Quarterly
p.(None):
p.(None):
p.(None): Immediately upon the change taking effect
p.(None):
p.(None): Immediately upon the change taking effect
p.(None): Previous data shall be deleted
p.(None):
p.(None):
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None): Previous data shall be archived for a period of one year
p.(None): Previous data shall be archived for a period of one year
p.(None): Previous data shall be deleted
p.(None):
p.(None): III. Financial data
p.(None):
p.(None): Data description Updating Duration of processing
p.(None):
...
Searching for indicator access to information:
(return to top)
p.(None): (2) The President of the Authority shall call the conference at least once every year, or as necessary, and shall
p.(None): determine its agenda.
p.(None): (3) The internal data protection officers of all organizations where such office has to be maintained by
p.(None): law shall have a seat on the conference.
p.(None): (4) The internal data protection officers of those organizations where such office is not required may
p.(None): also have a seat on the conference. To this end they may seek admission to the register of internal data protection
p.(None): officers maintained by the Authority.
p.(None): (5) For communication purposes, the Authority shall maintain a register of internal data protection
p.(None): officers on members of the conference. The register contains the name, postal and electronic mail address of internal
p.(None): data protection officers, and the name of the organization they represent.
p.(None): (6) The Authority shall record the data mentioned in Subsection (5) until the time of receiving
p.(None): information on the termination of the internal data protection officer’s term in office.
p.(None):
p.(None): CHAPTER III
p.(None):
p.(None): ACCESSXTOXINFORMATION OF PUBLIC INTEREST
p.(None):
p.(None): 20. General provisions on access to information of public interest Section 26
p.(None): (1) Any person or body attending to statutory State or municipal government functions or performing other public duties
p.(None): provided for by the relevant legislation (hereinafter referred to collectively as “body with public service
p.(None): functions”) shall allow free access to the data of public interest and data public on grounds of public
p.(None): interest under its control to any person, save where otherwise provided for in this Act.
p.(None): (2) The name of the person undertaking tasks within the scope of responsibilities and authority of the
p.(None): body undertaking public duties, as well as their scope of responsibilities, scope of work, executive mandate
p.(None): and other personal data relevant to the provision of their responsibilities to which access must be ensured by law
p.(None): qualify as data public on grounds of public interest. These data may be disseminated in compliance with the principle
p.(None): of purpose limitation. Provisions on the disclosure of data public on the grounds of public interest shall be
p.(None): regulated by Appendix 1 of this Act and the specific laws relating to the status of the person
p.(None): undertaking public duties.
p.(None): (3) Unless otherwise prescribed by law, any data, other than personal data, that is processed by bodies or persons
p.(None): providing services prescribed mandatory by law or under contract with any governmental agency, central or local, if
p.(None): such services are not available in any other way or form relating to their activities shall be deemed data public on
p.(None): grounds of public interest.
p.(None):
p.(None): Section 27
p.(None):
...
p.(None): requirement - upon consulting with the Authority -, as well as by statutory provisions for bodies with public
p.(None): service functions, and other agencies controlled and/or supervised by such bodies, or sections of such agencies
p.(None): (hereinafter referred to as “ad hoc disclosure list”).
p.(None): (4) The Government shall decree - upon consulting with the Authority - the information to be made public by the
p.(None): national security services.
p.(None): (5) In the case of collegiate bodies subject to disclosure requirement, these bodies shall have powers to establish,
p.(None): and amend, the ad hoc disclosure list, upon consulting with the Authority.
p.(None): (6) The head of the body subject to disclosure requirement shall review the disclosure list he has published under
p.(None): Subsection (3), taking into consideration any demand shown for public information that was not included in the
p.(None): publication list, and shall include such public information where demand is considered substantial in terms of
p.(None): the amount and number of requests received.
p.(None): (7) The disclosure list may also provide for the frequency of publication, depending on the type of data in question.
p.(None): (8) The Authority may present a recommendation for having special and ad hoc publication lists drawn up, or amended.
p.(None):
p.(None): 24/A. Central electronic register of public information and the single data retrieval system Section 37/A
p.(None): (1) In the interest of providing fast and easy access to information that has been published electronically, the
p.(None): central electronic register posted on a designated website - set up by the minister in charge for the
p.(None): implementation of infrastructure requirements for administrative information technology systems - contains all
p.(None): relevant descriptive information on the websites of bodies subject to the obligation of publication of public
p.(None): information by electronic means under this Act, pertaining also to their databases and registers.
p.(None): (2) Electronic access using a single platform to the public information of the bodies referred to in Subsection (1) and
p.(None): facilities for searching among public information shall be ensured by
p.(None):
p.(None): the single data retrieval system set up by the minister in charge for the implementation of
p.(None): infrastructure requirements for administrative information technology systems.
p.(None):
p.(None): Section 37/B
p.(None):
p.(None): (1) The data source shall provide for having the descriptive information on websites, databases and
p.(None): registers containing public information made available to the minister in charge for the implementation of
p.(None): infrastructure requirements for administrative information technology systems and for updating on a regular
p.(None): basis the public information thus forwarded, and shall be responsible for the contents of public information forwarded
p.(None): to the single data retrieval system, as well as for having such public information updated on a regular basis.
...
Searching for indicator freedom of information:
(return to top)
p.(None): (2) Electronic access using a single platform to the public information of the bodies referred to in Subsection (1) and
p.(None): facilities for searching among public information shall be ensured by
p.(None):
p.(None): the single data retrieval system set up by the minister in charge for the implementation of
p.(None): infrastructure requirements for administrative information technology systems.
p.(None):
p.(None): Section 37/B
p.(None):
p.(None): (1) The data source shall provide for having the descriptive information on websites, databases and
p.(None): registers containing public information made available to the minister in charge for the implementation of
p.(None): infrastructure requirements for administrative information technology systems and for updating on a regular
p.(None): basis the public information thus forwarded, and shall be responsible for the contents of public information forwarded
p.(None): to the single data retrieval system, as well as for having such public information updated on a regular basis.
p.(None): (2) Maintaining the databases and registers containing public information and linking up with the single
p.(None): data retrieval system shall not exonerate the data source from the obligation of publication by electronic means.
p.(None): CHAPTER V
p.(None):
p.(None): NEMZETI ADATVÉDELMI ÉS INFORMÁCIÓSZABADSÁG HATÓSÁG (NATIONAL AUTHORITY FOR DATA PROTECTION AND FREEDOM OF INFORMATION)
p.(None):
p.(None): 25. Legal status of the Authority Section 38
p.(None): (1) The Authority is an autonomous administrative organ.
p.(None): (2) The Authority shall be responsible to supervise and promote the enforcement of the rights to the
p.(None): protection of personal data and access to public information and information of public interest.
p.(None): (3) Within its scope of responsibilities conferred under Subsection (2), the Authority:
p.(None): a) shall conduct investigations upon notification;
p.(None): b) may conduct ex officio administrative proceedings for data protection;
p.(None): c) may conduct ex officio administrative proceedings for the control of classified data;
p.(None): d) may turn to court in connection with any infringement concerning public information and information of public
p.(None): interest;
p.(None): e) may intervene in court actions brought by others;
p.(None): f) maintain the data protection register; in accordance with this Act.
p.(None): (4) Within its scope of responsibilities conferred under Subsection (2), the Authority:
p.(None): a) shall have powers to make recommendations for new regulations and for the amendment of legislation pertaining to
p.(None): the processing of personal data, to public information and information of public interest, and shall
...
p.(None): constitute an independent title within the budgetary chapter of Parliament.
p.(None): (2) The main totals of expenditures and receipts of the Authority for the current budgetary year may only be
p.(None): reduced by Parliament, with the exception of natural disasters endangering life and property as defined in the Act on
p.(None): Public Finances, of temporary measures adopted to relieve the consequences of such disasters, or of measures taken by
p.(None): the Authority within its own competence or in its competence as directing organ.
p.(None): (3)
p.(None): (4) The remainder of receipts from the previous year may be used by the Authority in the following years
p.(None): for the performance of its tasks.
p.(None):
p.(None): 27. President of the Authority Section 40
p.(None): (1) The head of the Authority is the President. The President of the Authority is appointed by the President of the
p.(None): Republic on a recommendation by the Prime Minister from among those Hungarian citizens with a law degree,
p.(None): who have the right to stand as candidates in parliamentary elections, having at least ten years of
p.(None): experience in supervising proceedings related to data protection or freedom of information, or holding an academic
p.(None): degree in either of those fields.
p.(None): (2) Persons who served as a Member of Parliament or as a Member of the European Parliament, as the
p.(None): President of the Republic, member of the Government, state secretary, representative of a municipal
p.(None): government, mayor or deputy mayor, lord mayor or deputy lord mayor, chairman or deputy chairman of a county assembly,
p.(None): member of a national minority self-government, or an officer or employee of a political party in the four-year period
p.(None): before the time of the recommendation for appointment may not be appointed as President of the Authority.
p.(None): (3) The President of the Authority shall be appointed by the President of the Republic for a term of nine years.
p.(None): (4) The President of the Authority - upon being appointed - shall take an oath before the President of the Republic in
p.(None): accordance with the Act on the Oath and Deposition of Public Officials.
p.(None):
p.(None): Section 41
p.(None):
p.(None): (1) The President of the Authority may not be a member of any political party, may not engage in political
...
p.(None): within fifteen days from the date of the final decision adopted on the merits of the case.
p.(None):
p.(None): (7) If the mandate of the President of the Authority terminates under Paragraph a) or b) of Subsection (1), the
p.(None): President shall be entitled to an extra payment of three times the monthly remuneration in effect at the time of
p.(None): termination.
p.(None): (8) As regards the decisions conferred by Subsections (3) and (6) of this Section and by Section 40 under
p.(None): the competence of the President of the Republic, no endorsement is required.
p.(None):
p.(None): Section 45/A
p.(None):
p.(None): The President of the Authority shall have the right to participate in and address the Parliament
p.(None): committee meetings.
p.(None):
p.(None):
p.(None): 28. Vice-President of the Authority Section 46
p.(None): (1) The President of the Authority shall appoint a Vice-President for an indefinite period to assist in his work.
p.(None): The President of the Authority shall exercise the employer’s rights in respect of the Vice-President.
p.(None): (2) The Vice-President shall be able to satisfy the requirements set out in Subsections (1) and (2) of Section 40
p.(None): for the appointment of the President of the Authority but with a distinction of having at least five
p.(None): years of experience in supervising proceedings related to data protection or freedom of information, or holding
p.(None): an academic degree in either of those fields.
p.(None):
p.(None): (3) The provisions of Section 41 on conflict of interest shall apply to the Vice-President as well.
p.(None): (4) In the event that the President is temporarily prevented from attending to his duties, or if the office of the
p.(None): President is vacant, the powers and responsibilities of the President shall be exercised by the Vice-President.
p.(None):
p.(None): Section 47
p.(None):
p.(None): The provisions of Section 42 shall also apply to the obligation of the Vice-President to file a declaration of personal
p.(None): assets, and also to the related proceedings, with the exception that the President of the Authority shall hear cases
p.(None): related to the declaration of personal assets instead of the Prime Minister, and that the President of the
p.(None): Republic need not be informed of the findings of the proceedings.
p.(None):
p.(None): Section 48
p.(None):
p.(None): (1) The Vice-President shall be entitled to the same remuneration and benefits as the salary and benefits of state
p.(None): secretaries.
p.(None): (2) The Vice-President is entitled to forty working days of paid annual leave per calendar year.
p.(None): (3) In terms of eligibility for social security benefits, the Vice-President shall be regarded as employed in public
p.(None): service relationship.
p.(None): (4) The time period of the Vice-President’s mandate shall be recognized as spent in public service at an administrative
p.(None): body.
p.(None):
p.(None): Section 49
p.(None):
p.(None): (1) The mandate of the Vice-President of the Authority shall terminate:
p.(None): a) upon resignation;
p.(None): b) upon death;
p.(None): c) if the requirements for appointment are no longer satisfied;
...
p.(None): information only if they have the highest level of security clearance accorded under the Act on National
p.(None): Security Agencies.
p.(None):
p.(None): 34. Litigation Options for the Authority Section 64
p.(None): (1) If the data controller fails to comply with the request made under Subsection (1) of Section 56, the
p.(None): Authority may bring the case before the court - alleging infringement of the regulation relating to public information
p.(None): and information of public interest - within thirty days following the date of expiry of the time limit for providing
p.(None): the information under Subsection
p.(None): (2) of Section 56, seeking a court’s ruling for ordering the data controller to act in accordance with the Authority’s
p.(None): request.
p.(None): (2) The court referred to in Subsection (5) of Section 31 shall have competence and jurisdiction to
p.(None): adjudicate the action aforementioned.
p.(None): (3) The burden of proof to show compliance with the law lies with the data controller.
p.(None): (4) Any person otherwise lacking legal capacity to be a party to legal proceedings may also be involved in such
p.(None): actions.
p.(None): (5) The court - upon request - may order publication of its decision, by way of publishing the identification data of
p.(None): the controller, if it is necessitated for data protection and the freedom of information in general or in connection
p.(None): with the rights of large numbers of data subjects under protection by this Act.
p.(None):
p.(None): 35. Data protection register Section 65
p.(None): (1) The Authority shall maintain official records on the processing operations of controllers in respect of personal
p.(None): data (hereinafter referred to as “data protection register”) for the
p.(None):
p.(None): purpose of providing assistance to data subjects containing - with the exceptions set out in Subsection (2) -
p.(None): the following information:
p.(None): a) the purpose of data processing;
p.(None): b) the legal basis of data processing;
p.(None): c) scope of data subject;
p.(None): d) description of the data pertaining to the data subjects;
p.(None): e) the source;
p.(None): f) the duration of processing;
p.(None): g) the categories of data transferred, the recipients and the grounds for transfer, including transfers made to third
p.(None): countries;
p.(None): h) name and address of the data controller and the data processor, the place where records are kept and/or where
p.(None): processing is carried out, and the data processor’s activities in connection with data processing operations;
p.(None): i) the nature of the data process technology used;
p.(None): j) the name of and contact details of the internal data protection officer, where applicable.
p.(None): (2) As regards national security agencies, the data protection register shall indicate the name and address of the
...
p.(None): Information.”
p.(None): (cannot be a Member of the European Parliament)
p.(None): (4) The following Point k) shall be added to Article 118 (3) of Act CXXXVIII of 2007 on investment companies and
p.(None): commodity exchange service providers, as well as rules concerning the activities they may engage in:
p.(None): (The confidentiality obligation defined under paragraph [1] does not apply)
p.(None):
p.(None): “r) to the National Authority for Data Protection and Freedom of Information within its respective scope
p.(None): of responsibilities”
p.(None): (contrary to requests made in writing by these bodies to the investment companies or commodity exchange
p.(None): service providers.)
p.(None): (5) The following Point q) and final text shall be added to Article 88 (1) of Act CLIX of 2007 on collaterals:
p.(None): (In accordance with the present Act, the obligation to safeguard insurance secrets does not apply)
p.(None): “q) to the National Authority for Data Protection and Freedom of Information within its respective scope
p.(None): of responsibilities.”
p.(None): (6) The following Point h) shall be added to Article 13 (3) of Act CLV of 2009 on the protection of
p.(None): confidential information:
p.(None): (In regard to the provision of state or public duties)
p.(None): “h) the President of the National Authority for Data Protection and Freedom of Information”
p.(None): [is authorised to exercise regulatory licenses defined in Point a) and b) of Article 18 (2) without
p.(None): holding any national security clearance, personal security attestation, as well as a confidentiality statement
p.(None): and user permit in connection with classified information within their respective scope of responsibilities and
p.(None): authority.]
p.(None):
p.(None): Section 81
p.(None):
p.(None): (1) The text “the minister competent for the professional supervision of the registration body, the data protection
p.(None): commissioner or the individual authorised by this commissioner” in Article 21/H of Act I of 1998 on road
p.(None): transport shall be replaced by the text “ the minister competent for the professional supervision of the
p.(None): registration body or the individual authorised by this minister, as well as the President, Vice-President and
p.(None): civil servant of the National Authority for Data Protection and Freedom of Information”.
p.(None): (2) The text “the Office of the Constitutional Court” in Article 1 (2) of Act XXIII of 1992 on the legal status of
p.(None): civil servants (hereinafter Civil Service Act) shall be replaced by the text “ Office of the Constitutional Court
p.(None): and the National Authority for Data Protection and Freedom of Information”.
p.(None): (3) The text “at the Hungarian Competition Authority” in Article 44 (1) of the Civil Service Act shall be replaced by
p.(None): the text “at the Hungarian Competition Authority and the National Authority for Data Protection and Freedom of
p.(None): Information” .
p.(None): (4) The text “the data protection commissioner” in Point i) of Article 63 (1) of the Civil Service Act
p.(None): shall be replaced by the text “the National Authority for Data Protection and Freedom of Information”.
p.(None): (5) The text “the data protection commissioner” in Article 7 (3) of Act XLVI of 1993 on statistics
p.(None): shall be replaced by the text “President of the National Authority for Data Protection and Freedom of Information”; the
p.(None): text “data protection commissioner” in Article 19 (3) shall be replaced by the text “the National Authority for
p.(None): Data Protection and Freedom of Information”.
p.(None): (6) The text “within the scope of the Data Protection Act” in Article 5 (1) of Act CXIX of 1995 on the control of
p.(None): name and address data facilitating research and direct business acquisition shall be replaced by the text
p.(None): “within the scope of the Act on informational self-
p.(None):
p.(None): determination and freedom of information”; the text “Data Protection Act” in Article 19 shall be replaced by the
p.(None): text “the Act on informational self-determination and freedom of information”.
p.(None): (7) The text “the minister competent for the professional supervision of the infringement registration
p.(None): body” in Article 27/F of Act LXIX of 1999 on infringements shall be replaced by the text “the minister competent
p.(None): for the professional supervision of the infringement registration body or the individual authorised by the
p.(None): minster, as well as the President, Vice- President and civil servant of the National Authority for Data
p.(None): Protection and Freedom of Information”.
p.(None): (8) The text “within the framework of the data protection procedure, the data protection commissioner” in
p.(None): Point b) of Article 4/G (2) of Act LXXV on regulations governing action against organised crime and specific phenomena
p.(None): associated with this and related legislative amendments shall be replaced by the text “the National Authority
p.(None): for Data Protection and Freedom of Information”.
p.(None): (9) The text “the data protection commissioner” in Article 32 (4) and (7) of Act LXXXIV of 1999 on road transport
p.(None): registration shall be replaced by the text “the National Authority for Data Protection and Freedom of
p.(None): Information”; the text “data protection commissioner” in paragraph of Article 32 (8) shall be replaced by
p.(None): the text “the National Authority for Data Protection and Freedom of Information”.
p.(None): (10) The text “the data protection commissioner” in Article 75/O of Act CXXX of 2003 on cooperation in criminal
p.(None): cases with EU Member States shall be replaced by the text “ the National Authority for Data Protection and
p.(None): Freedom of Information”.
p.(None): (11) The text “the data protection commissioner” in Article 164 (5) and in Point a) of Article 174 (3) of Act CXL of
p.(None): 2004 on the general rules on administrative proceedings and services shall be replaced by the text “the National
p.(None): Authority for Data Protection and Freedom of Information”.
p.(None): (12) The text “the data protection commissioner” in Article 85 (3) of Act I of 2007 on the entry and residence of
p.(None): persons with the right of the freedom of movement and residence shall be replaced by the text “the National
p.(None): Authority for Data Protection and Freedom of Information”.
p.(None): (13) The text “within the scope of the procedure defined under the Act on the protection of personal data and the
p.(None): disclosure of data of public interest, the data protection commissioner” in Article 6 of Act CI of 2007 on ensuring
p.(None): access to data required for decision preparation shall be replaced by the text “the National Authority for
p.(None): Data Protection and Freedom of Information”.
p.(None): (14) The text “the data protection commissioner” in Article 18 (6) and Article 20 (2) of Act CV of 2007 on cooperation
p.(None): and information exchange carried out within the framework of the Convention implementing the Schengen Agreement
p.(None): shall be replaced by the text “the National Authority for Data Protection and Freedom of Information”; the
p.(None): text “pursuant to regulations set out under the Act on the protection of personal data and the disclosure of data of
p.(None): public interest, the data protection commissioner” in Article 20 (1) shall be replaced by the text “the National
p.(None): Authority for Data Protection and Freedom of Information”.
p.(None): (15) The text “the data commissioner competent to act in respect of Act on the protection of personal data and the
p.(None): disclosure of data of public interest and controlling compliance with the Act on the control of personal data” in
p.(None): Article 88 (2) of Act XLVII of 2009 on the criminal database, the registration of verdicts brought against
p.(None): Hungarian nationals in the courts of
p.(None):
p.(None): European Union Member States and the registration of criminal and biometric data shall be replaced by the text “the
p.(None): National Authority for Data Protection and Freedom of Information competent to act in respect of controlling compliance
p.(None): with provisions governing the Act on the control of personal data”; the text “together with data protection
p.(None): commissioner” in Article 91/A (2) shall be replaced by the text “together with the National Authority for
p.(None): Data Protection and Freedom of Information”; the text “data protection commissioner” in Article 91/A (3) shall be
p.(None): replaced by the text “the National Authority for Data Protection and Freedom of Information”.
p.(None): (16) The text “as well as within the scope of authority ensured in Act LXIII of 1992 on the protection of personal data
p.(None): and the disclosure of data of public interest, the data protection commissioner” in Article 7 (8) of Act CIV
p.(None): of 2009 on the proclamation of the agreement regarding processing the data of passenger number records
p.(None): (PNR) between the European Union and the United States of America and the transfer of this data to the
p.(None): Department of Home Security amending Act XCII of 1995 on air transport shall be replaced by the text “as well as
p.(None): within the scope of authority ensured in the Act on the right of informational self- determination and
p.(None): freedom of information, the National Authority for Data Protection and Freedom of Information”.
p.(None): (17) The text “the data protection commissioner” in the eighth paragraph of Article 6 of Act CLV of 2009 on the
p.(None): protection of classified information shall be replaced by the text “the National Authority for Data Protection
p.(None): and Freedom of Information”; the text “together with the data protection commissioner” in Point r) of the second
p.(None): paragraph of Article 20 shall be replaced by the text “together with the National Authority for Data Protection and
p.(None): Freedom of Information”.
p.(None): (18) The text “the data protection commissioner and an authorised associated employee” in Point j) of the first
p.(None): paragraph of Article 76 of Act CXXII of 2010 on the National Tax and Customs Authority shall be replaced by the text
p.(None): “President, Vice-President and civil servant of the National Authority for Data Protection and Freedom of Information”.
p.(None): (19) The text “the data protection commissioner shall undertake supervision within their respective scope of
p.(None): authority ensured by Act LXIII of 1992 on the protection of personal data and the disclosure of data of public
p.(None): interest” in the fifth paragraph of Article 7 of Act LVI of 2011 on the proclamation of the Convention on the
p.(None): South-East European Law Enforcement Centre signed in Bucharest on 9 December 2009 and the Protocol on the
p.(None): privileges and immunities of the South-East European Law Enforcement Centre signed in Bucharest on 24 November 2010
p.(None): shall be replaced by the text “the National Authority for Data Protection and Freedom of Information shall undertake
p.(None): the supervision”.
p.(None):
p.(None): Section 82-89
p.(None):
p.(None): Annex No. 1 to Act CXII of 2011
p.(None):
p.(None): STANDARD DISCLOSURE LIST
p.(None):
p.(None): I. Organizational information, staff particulars
p.(None):
p.(None):
p.(None): Data description
p.(None): 1. Official name, registered office, postal address, telephone and fax number, electronic mail address, website
p.(None): and customer service contact information of
p.(None): Updating Immediately upon the change taking effect
p.(None): Duration of processing Previous data shall be deleted
p.(None):
p.(None): the body with public service functions
p.(None): 2. Organizational structure of the body with public service functions, showing the departments, and the tasks and
p.(None): duties of each department
p.(None): 3. Name and title of the executive employees of the body with public service functions and its departments,
p.(None): including contact information (telephone and fax number, electronic mail address)
p.(None): 4. Name of the head of customer relations, including contact information (telephone and fax number, electronic
p.(None): mail address) and customer service hours
p.(None): 5. In respect of collegiate bodies, number of members and composition, name, title and contact information of
p.(None): members
p.(None): 6. Name of any other body with public service functions under the control, supervision or oversight of, or
p.(None): subordinated to the body with public service functions, including the particulars specified in Point 1
p.(None): 7. Name, registered office and contact information (postal address, telephone and fax number, electronic mail
p.(None): address) of any economic operator in which the body with public service functions has a majority ownership share or
...
Social / Age
Searching for indicator age:
(return to top)
p.(None): or local government authorities.
p.(None):
p.(None): Section 6
p.(None):
p.(None): (1) Personal data may be processed also if obtaining the data subject’s consent is impossible or it would give rise
p.(None): to disproportionate costs, and the processing of personal data is necessary:
p.(None): a) for compliance with a legal obligation pertaining to the data controller, or
p.(None): b) for the purposes of the legitimate interests pursued by the controller or by a third party, and enforcing these
p.(None): interests is considered proportionate to the limitation of the right for the protection of personal data.
p.(None):
p.(None):
p.(None): 4 In effect as of 30th March 2013
p.(None):
p.(None): (2) If the data subject is unable to give his consent on account of lacking legal capacity or for any other reason
p.(None): beyond his control, the processing of his personal data is allowed to the extent necessary and for the length of time
p.(None): such reasons persist, to protect the vital interests of the data subject or of another person, or in order to
p.(None): prevent or avert an imminent danger posing a threat to the lives, physical integrity or property of persons.
p.(None): (3) The statement of consent of minors over the age of sixteen shall be considered valid without the
p.(None): permission or subsequent approval of their legal representative.
p.(None): (4) Where processing under consent is necessary for the performance of a contract with the controller in writing, the
p.(None): contract shall contain all information that is to be made available to the data subject under this Act in connection
p.(None): with the processing of personal data, such as the description of the data involved, the duration of the
p.(None): proposed processing operation, the purpose of processing, the transmission of data, the recipients and the use of a
p.(None): data processor. The contract must clearly indicate the data subject’s signature and explicit consent for having his
p.(None): data processed as stipulated in the contract.
p.(None): (5) Where personal data is recorded under the data subject’s consent, the controller shall - unless otherwise
p.(None): provided for by law - be able to process the data recorded where this is necessary:
p.(None): a) for compliance with a legal obligation pertaining to the controller, or
p.(None): b) for the purposes of legitimate interests pursued by the controller or by a third party, if enforcing these
p.(None): interests is considered proportionate to the limitation of the right for the protection of personal data,
p.(None): without the data subject’s further consent, or after the data subject having withdrawn his consent.
...
Social / Incarcerated
Searching for indicator restricted:
(return to top)
p.(None):
p.(None):
p.(None): 7 In effect as of 1st July 2013
p.(None):
p.(None): (4) Personal data shall be blocked instead of erased if so requested by the data subject, or if there are reasonable
p.(None): grounds to believe that erasure could affect the legitimate interests of the data subject. Blocked data shall be
p.(None): processed only for the purpose which prevented their erasure.
p.(None): (5) If the accuracy of an item of personal data is contested by the data subject and its accuracy or
p.(None): inaccuracy cannot be ascertained beyond doubt, the data controller shall mark that personal data for the purpose of
p.(None): referencing.
p.(None):
p.(None): Section 18
p.(None):
p.(None): (1) When a data is rectified, blocked, marked or erased, the data subject and all recipients to whom it was transmitted
p.(None): for processing shall be notified. Notification is not required if it does not violate the rightful interest of the data
p.(None): subject in light of the purpose of processing.
p.(None): (2) If the data controller refuses to comply with the data subject’s request for rectification, blocking or erasure,
p.(None): the factual or legal reasons on which the decision for refusing the request for rectification, blocking or erasure is
p.(None): based shall be communicated in writing within thirty days of receipt of the request. Where rectification,
p.(None): blocking or erasure is refused, the data controller shall inform the data subject of the possibilities
p.(None): for seeking judicial remedy or lodging a complaint with the Authority.
p.(None):
p.(None): Section 19
p.(None):
p.(None): The rights of data subjects afforded under Sections 14-18 may be restricted by law in order to safeguard the external
p.(None): and internal security of the State, such as defence, national security, the prevention and prosecution of criminal
p.(None): offences, the safety of penal institutions, to protect the economic and financial interests of central and local
p.(None): government, safeguard the important economic and financial interests of the European Union, guard against disciplinary
p.(None): and ethical breaches in regulated professions, prevent and detect breaches of obligation related to labour law and
p.(None): occupational safety - including in all cases control and supervision - and to protect data subjects or the rights and
p.(None): freedoms of others.
p.(None):
p.(None): 14. Requirement of preliminary information of the data subject Section 20
p.(None): (1) Prior to data processing being initiated the data subject shall be informed whether his consent is required or
p.(None): processing is mandatory.
p.(None): (2) Before processing operations are carried out the data subject shall be clearly and elaborately
p.(None): informed of all aspects concerning the processing of his personal data, such as the purpose for which his data is
p.(None): required and the legal basis, the person entitled to control the data and to carry out the processing, the duration of
p.(None): the proposed processing operation, if the data subject’s personal data is processed in accordance with Subsection (5)
p.(None): of Section 6, and the persons to whom his data may be disclosed. Information shall also be provided on the data
p.(None): subject’s rights and remedies.
...
p.(None): functions”) shall allow free access to the data of public interest and data public on grounds of public
p.(None): interest under its control to any person, save where otherwise provided for in this Act.
p.(None): (2) The name of the person undertaking tasks within the scope of responsibilities and authority of the
p.(None): body undertaking public duties, as well as their scope of responsibilities, scope of work, executive mandate
p.(None): and other personal data relevant to the provision of their responsibilities to which access must be ensured by law
p.(None): qualify as data public on grounds of public interest. These data may be disseminated in compliance with the principle
p.(None): of purpose limitation. Provisions on the disclosure of data public on the grounds of public interest shall be
p.(None): regulated by Appendix 1 of this Act and the specific laws relating to the status of the person
p.(None): undertaking public duties.
p.(None): (3) Unless otherwise prescribed by law, any data, other than personal data, that is processed by bodies or persons
p.(None): providing services prescribed mandatory by law or under contract with any governmental agency, central or local, if
p.(None): such services are not available in any other way or form relating to their activities shall be deemed data public on
p.(None): grounds of public interest.
p.(None):
p.(None): Section 27
p.(None):
p.(None): (1) Access to data of public interest or data public on grounds of public interest shall be restricted if it has
p.(None): been classified under the Act on the Protection of Classified Information.
p.(None): (2) Right of access to data of public interest or data public on grounds of public interest may be restricted by law -
p.(None): with the specific type of data indicated - where considered necessary to safeguard:
p.(None): a) national defense;
p.(None): b) national security;
p.(None): c) prevention and prosecution of criminal offenses;
p.(None): d) environmental protection and nature preservation;
p.(None): e) central financial or foreign exchange policy;
p.(None): f) external relations, relations with international organizations;
p.(None): g) court proceedings or administrative proceedings;
p.(None): h) intellectual property rights.
p.(None): (3) Access to business secrets shall be governed by the relevant provisions of the Civil Code.
p.(None): (4) Access to public information may also be limited by European Union legislation with a view to any important
p.(None): economic or financial interests of the European Union, including monetary, fiscal and tax policies.
p.(None): (5) Any information compiled or recorded by a body with public service functions as part of, and in support of, a
p.(None): decision-making process for which it is vested with powers and competence, shall not be made available
p.(None): to the public for ten years from the date it was compiled or recorded. Access to these information may be
p.(None): authorized by the head of the body
p.(None):
p.(None): that controls the information in question upon weighing the public interest in allowing or disallowing
...
p.(None): of one year following termination of the mandate of the President of the Authority.
p.(None): (4) The Prime Minister’s proceedings relating to the declaration of personal assets of the President of the
p.(None): Authority may be requested by anyone with reference to specific sections of the declaration, and the contents of such
p.(None): sections, that is disputed. If the petition submitted is not in conformity with the requirements set out in
p.(None): this Subsection, or if it is manifestly unfounded, or if the petition is re-submitted and it offers no new
p.(None): argument or evidence, the Prime Minister shall refuse the petition without the opening of an examination as to merits.
p.(None): The Prime Minister shall check the authenticity and credibility of the information supplied in the declaration of
p.(None): personal assets.
p.(None): (5) In proceedings related to the declaration of personal wealth, the President of the Authority shall -
p.(None): at the Prime Minister’s request - submit a statement without delay, offering proof for the data and information
p.(None): contained in the declaration of personal wealth concerning his personal finances, income and other financial interests
p.(None): to the Prime Minister in writing. The Prime Minister shall send the findings of the proceedings to the President of the
p.(None): Republic along with the relevant data and information. Access to such data and information is restricted to the Prime
p.(None): Minister and the President of the Republic.
p.(None): (6) The evidence submitted by the President of the Authority in connection with his declaration of
p.(None): personal wealth shall be deleted on the thirtieth day following the date of conclusion of the proceedings.
p.(None):
p.(None): Section 43
p.(None):
p.(None): (1) The President of the Authority shall be entitled to the same remuneration and benefits as the salary and benefits
p.(None): of ministers, including an executive bonus in the amount equal to one and a half times of the executive bonus of
p.(None): ministers.
p.(None): (2) The President of the Authority is entitled to forty working days of paid annual leave per calendar year.
p.(None):
p.(None): Section 44
p.(None):
p.(None): (1) In terms of eligibility for social security benefits, the President of the Authority shall be regarded as employed
p.(None): in public service relationship.
p.(None): (2) The time period of the President’s mandate shall be recognized as spent in public service at an administrative
p.(None): body.
p.(None):
p.(None): Section 45
p.(None):
p.(None): (1) The mandate of the President of the Authority shall terminate:
p.(None): a) upon expiry of his term of office;
p.(None): b) upon resignation;
p.(None): c) upon death;
p.(None): d) if the requirements for appointment are no longer satisfied or upon violation of the rules regarding the declaration
p.(None): of assets;
p.(None): e) upon declaration of incompatibility;
p.(None): f) - g)
...
p.(None): 8.
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): 9.
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): 10.
p.(None):
p.(None):
p.(None): 11.
p.(None):
p.(None):
p.(None):
p.(None): 12.
p.(None): appointments, list of legislation for different types of cases, information on clients’ rights and obligations
p.(None): Description and contents of public services provided by the body with public
p.(None): service functions or financed from budget, rules of access to public services, amount of fees charged for public
p.(None): services, any allowances from such fees
p.(None): Descriptive information on databases and registers maintained by the body with public service functions (name, format,
p.(None): purpose and legal basis of processing, duration of processing, data subjects involved, data sources, questionnaire,
p.(None): where applicable), particulars for the identification of records to be notified for the data protection register; type
p.(None): of data collected and processed by the body with public service functions within the framework of its principal
p.(None): activity, means of access, costs of making copies
p.(None): Title and subject of publications of the body with public service functions, means of access, price of the publication,
p.(None): if any In respect of collegiate bodies, decision- making process, means of participation by the general public
p.(None): (opinionate), procedural rules, place and time of settings of the collegiate body, publicity, decisions, minutes or
p.(None): summaries of meetings; information on voting in the collegiate body, if this is not restricted by law Legislative
p.(None): proposals and related documents to be published by virtue of law; motions and proposals submitted to public meetings of
p.(None): the councils of local self-governments from the time of submission
p.(None): Public announcements and statements made by the body with public service functions
p.(None): Technical description of tenders published by the body with public service functions, the outcome of such procedure and
p.(None): the reasons
p.(None): Public findings of examinations and inspections carried out in connection with the core activity of the body with
p.(None): public service functions
p.(None):
p.(None):
p.(None):
p.(None): Immediately upon the change taking effect
p.(None):
p.(None):
p.(None):
p.(None): Immediately upon the change taking effect
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): Quarterly
p.(None):
p.(None):
p.(None): Immediately upon the change taking effect
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): Unless otherwise provided for by law, immediately from the time of submission
p.(None):
p.(None):
p.(None): Continuously
p.(None):
p.(None):
p.(None): Continuously
p.(None):
p.(None):
p.(None):
p.(None): Immediately upon receiving the report on the examination
p.(None):
p.(None):
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None):
p.(None):
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None): Previous data shall be archived for a period of one year
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None):
...
Social / Linguistic Proficiency
Searching for indicator language:
(return to top)
p.(None): legislation.
p.(None):
p.(None): Section 30
p.(None):
p.(None): (1) If a document that contains data of public interest also contains any data that cannot be disclosed to the
p.(None): requesting party, this data must be rendered unrecognizable on the copy.
p.(None): (2) Information shall be supplied in a readily intelligible form and by way of the technical means asked for by the
p.(None): requesting party, provided that the body with public service functions processing the information is capable to meet
p.(None): such request without unreasonable hardship. If the information requested had previously been made public
p.(None): electronically, the request may be fulfilled by way of reference to the public source where the data is available. A
p.(None): request for information may not be refused on the grounds that it cannot be made available in a readily intelligible
p.(None): form.
p.(None): (3) When a request for information is refused, the requesting party must be notified thereof within eight days in
p.(None): writing, or by electronic means if the requesting party has conveyed his electronic mailing address, and must be given
p.(None): the reasons of refusal, including information on the remedies available. The controller shall keep records on the
p.(None): requests refused, including the reasons, and shall inform the Authority thereof each year, by 31 January.
p.(None): (4) A request for data of public interest by a person whose native language is not Hungarian may not be refused for
p.(None): reasons that it was written in his native language or in any other language he understands.
p.(None): (5) If, as regards the refusal of any request for access to data of public interest, the data controller
p.(None): is granted discretionary authority by law, refusal shall be exercised within narrow limits, and the request for
p.(None): access to data of public interest may be refused only if the underlying public interest outweighs the
p.(None): public interest for allowing access to the public information in question.
p.(None): (6) Bodies with public service functions shall adopt regulations governing the procedures for satisfying requests for
p.(None): access to public information.
p.(None): (7) The requests for data with the purpose of a comprehensive, account level as well as an itemized control of the
p.(None): financial management of the body with public service functions are regulated in specific relevant laws. Should such
p.(None): data request be rejected, the requesting party may initiate an investigation of the Authority pursuant to Section 52.
p.(None):
p.(None): Section 31
p.(None):
p.(None): (1) In the event of failure to meet the deadline for the refusal or compliance with a request for access to public
p.(None): information, or with the deadline extended by the data controller pursuant to Subsection (2) of Section 29, and - if
...
Social / Marital Status
Searching for indicator single:
(return to top)
p.(None): parties, religious or philosophical beliefs or trade-union membership, and personal data concerning sex life,
p.(None): b) personal data concerning health, pathological addictions, or criminal record;
p.(None): 4. ‘criminal personal data’ shall mean personal data relating to the data subject or that pertain to any
p.(None): prior criminal offense committed by the data subject and that is obtained by organizations authorized to conduct
p.(None): criminal proceedings or investigations or by penal institutions during or prior to criminal proceedings in
p.(None): connection with a crime or criminal proceedings;
p.(None): 5. ‘data of public interest’ shall mean information or data other than personal data, registered in any
p.(None): mode or form, controlled by the body or individual performing state or local government responsibilities, as well as
p.(None): other public tasks defined by legislation, concerning their activities or generated in the course of performing their
p.(None): public tasks, irrespective of the method or format in which it is recorded, its single or collective
p.(None): nature; in particular data concerning the scope of authority, competence, organisational structure,
p.(None): professional activities and the evaluation of such activities covering various aspects thereof, the type of
p.(None): data held and the regulations governing operations, as well as data concerning financial management and
p.(None): concluded contracts;
p.(None): 6. ‘data public on grounds of public interest’ shall mean any data, other than public information, that
p.(None): are prescribed by law to be published, made available or otherwise disclosed for the benefit of the general public;
p.(None): 7. ‘the data subject’s consent’ shall mean any freely and expressly given specific and informed
p.(None): indication of the will of the data subject by which he signifies his agreement to personal data relating
p.(None): to him being processed fully or to the extent of specific operations;
p.(None): 8. ‘the data subject’s objection’ shall mean a declaration made by the data subject objecting to the processing of
p.(None): their personal data and requesting the termination of data processing, as well as the deletion of the data processed;
p.(None): 9. ‘controller’ shall mean natural or legal person, or organisation without legal personality which alone or jointly
p.(None): with others determines the purposes and means of the processing of data; makes and executes decisions concerning data
p.(None): processing (including the means used) or have it executed by a data processor2;
p.(None): 10. ‘data’ processing’ shall mean any operation or the totality of operations performed on the data, irrespective of
...
p.(None): 12. ‘disclosure’ shall mean ensuring open access to the data;
p.(None):
p.(None): 2 In effect as of 1st July 2013
p.(None):
p.(None): 13. ‘data deletion’ shall mean making data unrecognisable in a way that it can never again be restored;
p.(None): 14. ‘tagging data’ shall mean marking data with a special ID tag to differentiate it;
p.(None): 15. ‘blocking of data’ shall mean marking data with a special ID tag to indefinitely or definitely
p.(None): restrict its further processing;
p.(None): 16. ‘data destruction’ shall mean complete physical destruction of the data carrier recording the data;
p.(None): 17. ‘data process’ shall mean performing technical tasks in connection with data processing operations, irrespective of
p.(None): the method and means used for executing the operations, as well as the place of execution, provided that the technical
p.(None): task is performed on the data;
p.(None): 18. ‘data processor’ shall mean any natural or legal person or organisation without legal personality processing
p.(None): the data on the grounds of a contract, including contracts concluded pursuant to legislative provisions3;
p.(None): 19. ‘data source’ shall mean the body responsible for undertaking the public responsibility which generated the data of
p.(None): public interest that must be disclosed through electronic means, or during the course of operation in which this data
p.(None): was generated;
p.(None): 20. ‘data disseminator shall mean the body responsible for undertaking the public responsibility
p.(None): which uploads the data sent by the data source it has not published the data;
p.(None): 21. ‘data set’ shall mean all data processed in a single file;
p.(None): 22. ‘third party’ any natural or legal person, or organisation without legal personality other than the data subject,
p.(None): the data controller or the data processor;
p.(None): 23. ‘EEA Member State’ any Member State of the European Union and any State which is party to the Agreement on the
p.(None): European Economic Area, as well as any State the nationals of which enjoy the same legal status as nationals of States
p.(None): which are parties to the Agreement on the European Economic Area, based on an international treaty concluded
p.(None): between the European Union and its Member States and a State which is not party to the Agreement on the European
p.(None): Economic Area;
p.(None): 24. ‘third country’ any State that is not an EEA State.
p.(None):
p.(None): CHAPTER II PROTECTION OF PERSONAL DATA
p.(None): 4. Principles of data processing Section 4
p.(None): (1) Personal data may be processed only for specified and explicit purposes, where it is necessary for
p.(None): the exercising of certain rights and fulfilment of obligations. The purpose of processing must be satisfied
p.(None): in all stages of data processing operations; recording of personal data shall be done under the principle of lawfulness
p.(None): and fairness.
p.(None): (2) The personal data processed must be essential for the purpose for which it was recorded, and it must be suitable to
p.(None): achieve that purpose. Personal data may be processed to the extent and for the duration necessary to achieve its
p.(None): purpose.
...
p.(None): (3) The publication of specific other data may be rendered mandatory by the head of the body subject to disclosure
p.(None): requirement - upon consulting with the Authority -, as well as by statutory provisions for bodies with public
p.(None): service functions, and other agencies controlled and/or supervised by such bodies, or sections of such agencies
p.(None): (hereinafter referred to as “ad hoc disclosure list”).
p.(None): (4) The Government shall decree - upon consulting with the Authority - the information to be made public by the
p.(None): national security services.
p.(None): (5) In the case of collegiate bodies subject to disclosure requirement, these bodies shall have powers to establish,
p.(None): and amend, the ad hoc disclosure list, upon consulting with the Authority.
p.(None): (6) The head of the body subject to disclosure requirement shall review the disclosure list he has published under
p.(None): Subsection (3), taking into consideration any demand shown for public information that was not included in the
p.(None): publication list, and shall include such public information where demand is considered substantial in terms of
p.(None): the amount and number of requests received.
p.(None): (7) The disclosure list may also provide for the frequency of publication, depending on the type of data in question.
p.(None): (8) The Authority may present a recommendation for having special and ad hoc publication lists drawn up, or amended.
p.(None):
p.(None): 24/A. Central electronic register of public information and the single data retrieval system Section 37/A
p.(None): (1) In the interest of providing fast and easy access to information that has been published electronically, the
p.(None): central electronic register posted on a designated website - set up by the minister in charge for the
p.(None): implementation of infrastructure requirements for administrative information technology systems - contains all
p.(None): relevant descriptive information on the websites of bodies subject to the obligation of publication of public
p.(None): information by electronic means under this Act, pertaining also to their databases and registers.
p.(None): (2) Electronic access using a single platform to the public information of the bodies referred to in Subsection (1) and
p.(None): facilities for searching among public information shall be ensured by
p.(None):
p.(None): the single data retrieval system set up by the minister in charge for the implementation of
p.(None): infrastructure requirements for administrative information technology systems.
p.(None):
p.(None): Section 37/B
p.(None):
p.(None): (1) The data source shall provide for having the descriptive information on websites, databases and
p.(None): registers containing public information made available to the minister in charge for the implementation of
p.(None): infrastructure requirements for administrative information technology systems and for updating on a regular
p.(None): basis the public information thus forwarded, and shall be responsible for the contents of public information forwarded
p.(None): to the single data retrieval system, as well as for having such public information updated on a regular basis.
p.(None): (2) Maintaining the databases and registers containing public information and linking up with the single
p.(None): data retrieval system shall not exonerate the data source from the obligation of publication by electronic means.
p.(None): CHAPTER V
p.(None):
p.(None): NEMZETI ADATVÉDELMI ÉS INFORMÁCIÓSZABADSÁG HATÓSÁG (NATIONAL AUTHORITY FOR DATA PROTECTION AND FREEDOM OF INFORMATION)
p.(None):
p.(None): 25. Legal status of the Authority Section 38
p.(None): (1) The Authority is an autonomous administrative organ.
p.(None): (2) The Authority shall be responsible to supervise and promote the enforcement of the rights to the
p.(None): protection of personal data and access to public information and information of public interest.
p.(None): (3) Within its scope of responsibilities conferred under Subsection (2), the Authority:
p.(None): a) shall conduct investigations upon notification;
p.(None): b) may conduct ex officio administrative proceedings for data protection;
p.(None): c) may conduct ex officio administrative proceedings for the control of classified data;
p.(None): d) may turn to court in connection with any infringement concerning public information and information of public
p.(None): interest;
p.(None): e) may intervene in court actions brought by others;
p.(None): f) maintain the data protection register; in accordance with this Act.
...
p.(None): Authority as civil servants or in any other work-related relationship shall keep confidential any personal
p.(None): data, classified information, secrets protected by law and secrets obtained in the course of professional
p.(None): activities they may have learnt in relation to the operation and actions of the Authority as well as any other data,
p.(None): fact or circumstance that the Authority is not required to make available to the public - except for any disclosure or
p.(None): supply of data to other organizations under the relevant legislation -, during the term of their
p.(None): employment and after the termination thereof.
p.(None): (6) According to the confidentiality requirement, the persons mentioned in Subsection (5) may not disclose unlawfully
p.(None): any data, facts or circumstance they obtained in connection with the performance of their official duties, nor
p.(None): shall they be allowed to use or reveal such information to third persons.
p.(None): CHAPTER VII CLOSING PROVISIONS
p.(None): Section 72
p.(None):
p.(None): (1) The Government is hereby authorized to decree:
p.(None): a) the detailed regulations for disclosure of public information by electronic means;
p.(None): b) the items covered by the fee chargeable for copies provided in connection with requests for public information, and
p.(None): the highest amount that can be taken into account in determining the amount of the fee, and the aspects for determining
p.(None): whether a document is to be considered substantial in terms of size and/or volume;
p.(None): c) the compilation of special disclosure lists;
p.(None): d) the data contents of the single data retrieval system and the central register, and the rules for data integration.
p.(None): e) the scope of information to be made public by the national security services which they control, upon consultation
p.(None): with the Authority.
p.(None):
p.(None): (2) Authorizations:
p.(None): a) the minister having relevant competence is hereby authorized to publish special disclosure lists in
p.(None): respect of the bodies he supervises or controls, by means of a decree;
p.(None): b) the minister in charge of e-administration is hereby authorized to decree the models for the standard forms to be
p.(None): used for the dissemination of data contained in the disclosure lists;
p.(None): c)
p.(None):
p.(None): (3) The minister in charge of the judicial system is hereby authorized to decree - upon consulting with
p.(None): the Authority and in agreement with the minister in charge of taxation - the amount of the administrative service fee
p.(None): payable for admission to the data protection register and for data protection audits, and the detailed rules relating
p.(None): to the collection, management, recording and refund of such fees.
p.(None):
p.(None): Section 73
p.(None):
p.(None): (1) This Act - with the exceptions set out in Subsections (2) and (3) - shall enter into force on the day following
p.(None): promulgation.
p.(None):
p.(None): (2) Sections 1-37, Subsections (1)-(3) of Section 38, Paragraphs a)-f) of Subsection (4) of Section 38, Subsection (5)
p.(None): of Section 38, Section 39, Sections 41-68, Sections 70-72, Sections 75-77 and Sections 79-88, and Schedule No. 1 shall
p.(None): enter into force on 1 January 2012.
...
Social / Police Officer
Searching for indicator officer:
(return to top)
p.(None): recipient referred to in Section 21.
p.(None): (6) If the court rejects the petition filed by the data recipient in the cases defined in Section 21, the controller
p.(None): shall be required to erase the data subject’s personal data within three days of delivery of the court ruling. The
p.(None): controller shall erase the data even if the data recipient does not file for court action within the time
p.(None): limit referred to in Subsection (5) or (6) of Section 21.
p.(None): (7) The court may order publication of its decision, indicating the identification data of the controller as well,
p.(None): where this is deemed necessary for reasons of data protection or in connection with the rights of large
p.(None): numbers of data subjects under protection by this Act.
p.(None):
p.(None): 17. Compensation Section 23
p.(None): (1) Data controllers shall be liable for any damage caused to a data subject as a result of unlawful processing or by
p.(None): any breach of data security requirements. The data controller shall also be liable for any damage caused by
p.(None): data processor acting on its behalf. The data controller may be exempted from liability if he proves that the
p.(None): damage was caused by reasons beyond his control.
p.(None): (2) No compensation shall be paid where the damage was caused by intentional or serious negligent conduct on the part
p.(None): of the aggrieved party.
p.(None):
p.(None): 18. Internal data protection officer, data protection rules Section 24
p.(None): (1) The following data controllers and processors shall appoint or commission an internal data protection officer – who
p.(None): shall hold a law degree, a degree in economics or information technology or an equivalent degree in higher education –
p.(None): who is to report directly to the head of the organization:
p.(None):
p.(None): a) authorities of nation-wide jurisdiction, and data controllers and processors engaged in processing data
p.(None): files of employment and criminal records;
p.(None): b) financial institutions;
p.(None): c) providers of electronic communications and public utility services.
p.(None): (2) The internal data protection officer shall:
p.(None): a) participate and assist in the decision-making process with regard to data processing and enforcing the rights of
p.(None): data subjects;
p.(None): b) monitor compliance with the provisions of this Act and other regulations on data processing as well
p.(None): as with the provisions of internal data protection and data security regulations and the data security
p.(None): requirements;
p.(None): c) investigate complaints conveyed to him and, if he detects any unauthorized data processing operations,
p.(None): call on the controller or processor in question to cease such operations;
p.(None): d) draw up the internal data protection and data security rules;
p.(None): e) maintain the internal data protection register;
p.(None): f) organises training sessions on the subject of data protection.
p.(None): (3) The controllers referred to in Subsection (1) and central and local government controllers - other than
p.(None): controllers not required to report to the data protection register - shall be required to adopt data protection and
p.(None): data security rules in accordance with this Act.
p.(None):
p.(None): 19. Conference of internal data protection officers Section 25
p.(None): (1) The conference of internal data protection officers (hereinafter referred to as “conference”)
...
p.(None): public information.
p.(None): (2) The President of the Authority shall call the conference at least once every year, or as necessary, and shall
p.(None): determine its agenda.
p.(None): (3) The internal data protection officers of all organizations where such office has to be maintained by
p.(None): law shall have a seat on the conference.
p.(None): (4) The internal data protection officers of those organizations where such office is not required may
p.(None): also have a seat on the conference. To this end they may seek admission to the register of internal data protection
p.(None): officers maintained by the Authority.
p.(None): (5) For communication purposes, the Authority shall maintain a register of internal data protection
p.(None): officers on members of the conference. The register contains the name, postal and electronic mail address of internal
p.(None): data protection officers, and the name of the organization they represent.
p.(None): (6) The Authority shall record the data mentioned in Subsection (5) until the time of receiving
p.(None): information on the termination of the internal data protection officer’s term in office.
p.(None):
p.(None): CHAPTER III
p.(None):
p.(None): ACCESSXTOXINFORMATION OF PUBLIC INTEREST
p.(None):
p.(None): 20. General provisions on access to information of public interest Section 26
p.(None): (1) Any person or body attending to statutory State or municipal government functions or performing other public duties
p.(None): provided for by the relevant legislation (hereinafter referred to collectively as “body with public service
p.(None): functions”) shall allow free access to the data of public interest and data public on grounds of public
p.(None): interest under its control to any person, save where otherwise provided for in this Act.
p.(None): (2) The name of the person undertaking tasks within the scope of responsibilities and authority of the
p.(None): body undertaking public duties, as well as their scope of responsibilities, scope of work, executive mandate
p.(None): and other personal data relevant to the provision of their responsibilities to which access must be ensured by law
p.(None): qualify as data public on grounds of public interest. These data may be disseminated in compliance with the principle
p.(None): of purpose limitation. Provisions on the disclosure of data public on the grounds of public interest shall be
p.(None): regulated by Appendix 1 of this Act and the specific laws relating to the status of the person
p.(None): undertaking public duties.
p.(None): (3) Unless otherwise prescribed by law, any data, other than personal data, that is processed by bodies or persons
...
p.(None): the Authority within its own competence or in its competence as directing organ.
p.(None): (3)
p.(None): (4) The remainder of receipts from the previous year may be used by the Authority in the following years
p.(None): for the performance of its tasks.
p.(None):
p.(None): 27. President of the Authority Section 40
p.(None): (1) The head of the Authority is the President. The President of the Authority is appointed by the President of the
p.(None): Republic on a recommendation by the Prime Minister from among those Hungarian citizens with a law degree,
p.(None): who have the right to stand as candidates in parliamentary elections, having at least ten years of
p.(None): experience in supervising proceedings related to data protection or freedom of information, or holding an academic
p.(None): degree in either of those fields.
p.(None): (2) Persons who served as a Member of Parliament or as a Member of the European Parliament, as the
p.(None): President of the Republic, member of the Government, state secretary, representative of a municipal
p.(None): government, mayor or deputy mayor, lord mayor or deputy lord mayor, chairman or deputy chairman of a county assembly,
p.(None): member of a national minority self-government, or an officer or employee of a political party in the four-year period
p.(None): before the time of the recommendation for appointment may not be appointed as President of the Authority.
p.(None): (3) The President of the Authority shall be appointed by the President of the Republic for a term of nine years.
p.(None): (4) The President of the Authority - upon being appointed - shall take an oath before the President of the Republic in
p.(None): accordance with the Act on the Oath and Deposition of Public Officials.
p.(None):
p.(None): Section 41
p.(None):
p.(None): (1) The President of the Authority may not be a member of any political party, may not engage in political
p.(None): activities, and his mandate shall be considered incompatible with other state or local government office or
p.(None): mandate.
p.(None): (2) The President of the Authority shall not be otherwise gainfully employed and shall not accept remuneration for
p.(None): other activities, with the exception of scientific, educational and artistic activities under copyright
p.(None): protection, and other than revisory and editorial activities.
p.(None):
...
p.(None): (7) The President of the Authority shall decide upon the declaration of non-compliance with the requirements for the
p.(None): appointment of the Vice-President of the Authority.
p.(None): (8) If the mandate of the Vice-President of the Authority terminates under Paragraph a) or
p.(None): e) of Subsection (1), the Vice-President shall be entitled to an extra payment of three times the monthly remuneration
p.(None): in effect at the time of termination.
p.(None):
p.(None): 29. Staff of the Authority Section 50
p.(None): The President of the Authority shall exercise employer’s rights in respect of the Authority’s public servants and
p.(None): employees.
p.(None):
p.(None): Section 51
p.(None):
p.(None): (1) The President of the Authority shall be entitled to appoint examiners - up to twenty per cent of all civil servants
p.(None): of the Authority - from among the civil servants in the Authority’s employ who have a degree of higher education in
p.(None): information technology or law, and at least three years of experience as a data protection expert or data protection
p.(None): officer, and who have passed a professional examination in public administration or professional examination
p.(None): in law.
p.(None):
p.(None): (2) Examiners are appointed for indefinite terms, and may be dismissed by the President of the Authority any time
p.(None): without cause. If the President of the Authority has withdrawn the appointment of an examiner, the civil
p.(None): servant in question shall be reinstated in his last position before the appointment.
p.(None): (3) Examiners are entitled to the salary of head of unit, exclusive of executive bonus.
p.(None):
p.(None): CHAPTER VI PROCEEDINGS OF THE AUTHORITY
p.(None): 30. Investigation by the Authority Section 52
p.(None): (1) Any person shall have the right to notify the Authority and request an investigation alleging an
p.(None): infringement relating to his or her personal data or concerning the exercise of the rights of access to public
p.(None): information or information of public interest, or if there is imminent danger of such infringement.
p.(None): (2) The Authority’s investigations ensuing shall not be treated as administrative proceedings, and
p.(None): shall not fall within the scope of the Act on the General Rules of Administrative Proceedings.
p.(None): (3) Having submitted a notification to the Authority may not entail any discrimination against the
...
p.(None): the controller, if it is necessitated for data protection and the freedom of information in general or in connection
p.(None): with the rights of large numbers of data subjects under protection by this Act.
p.(None):
p.(None): 35. Data protection register Section 65
p.(None): (1) The Authority shall maintain official records on the processing operations of controllers in respect of personal
p.(None): data (hereinafter referred to as “data protection register”) for the
p.(None):
p.(None): purpose of providing assistance to data subjects containing - with the exceptions set out in Subsection (2) -
p.(None): the following information:
p.(None): a) the purpose of data processing;
p.(None): b) the legal basis of data processing;
p.(None): c) scope of data subject;
p.(None): d) description of the data pertaining to the data subjects;
p.(None): e) the source;
p.(None): f) the duration of processing;
p.(None): g) the categories of data transferred, the recipients and the grounds for transfer, including transfers made to third
p.(None): countries;
p.(None): h) name and address of the data controller and the data processor, the place where records are kept and/or where
p.(None): processing is carried out, and the data processor’s activities in connection with data processing operations;
p.(None): i) the nature of the data process technology used;
p.(None): j) the name of and contact details of the internal data protection officer, where applicable.
p.(None): (2) As regards national security agencies, the data protection register shall indicate the name and address of the
p.(None): given national security agency, and the purpose of and legal basis for data processing.
p.(None): (3) The Authority’s data protection register shall not cover operations:
p.(None): a) concerning the data of the data controller’s employees or members, students engaged under kindergarten
p.(None): education agreement, or under student or apprenticeship agreement, with or without dormitory services, or customers,
p.(None): other than the customers of financial institutions, public utility companies and electronic telecommunications service
p.(None): providers;
p.(None): b) carried out in accordance with the internal rules of the recognized church;
p.(None): c) that concerns the personal data of a person undergoing medical treatment, for the purposes of health
p.(None): care and preventive measures or for settling claims for benefits and services in the social insurance system;
p.(None): d) where it contains information concerning the provision of social and other benefits to the data subject;
p.(None): e) where it contains the personal data of persons implicated in an official regulatory, public prosecutor or court
p.(None): proceeding to the extent required for such proceeding, or it concerns personal data processed by penal
p.(None): institutions in the execution of a sentence;
...
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): Quarterly
p.(None):
p.(None):
p.(None): Immediately upon the change taking effect
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): Unless otherwise provided for by law, immediately from the time of submission
p.(None):
p.(None):
p.(None): Continuously
p.(None):
p.(None):
p.(None): Continuously
p.(None):
p.(None):
p.(None):
p.(None): Immediately upon receiving the report on the examination
p.(None):
p.(None):
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None):
p.(None):
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None): Previous data shall be archived for a period of one year
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None):
p.(None):
p.(None):
p.(None): Archived for a period of at least one year
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None):
p.(None): 13.
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): 14.
p.(None):
p.(None):
p.(None):
p.(None): 15.
p.(None):
p.(None):
p.(None): 16.
p.(None):
p.(None):
p.(None): 17.
p.(None):
p.(None):
p.(None): 18.
p.(None): Procedure for handling requests for access to public information, name and contact information of the competent
p.(None): department, and the name of the data protection officer or the person handling information rights, where applicable
p.(None): Results of gathering statistical information relating to the activity of the body with public service functions,
p.(None): showing changes over time thereof Information pertaining to a given body from mandatory data disclosure relating to
p.(None): public information
p.(None): List of contracts for the use of public information to which the body with public service functions is a party
p.(None): Standard contract conditions relating to the use of public information processed by the body with public service
p.(None): functions Special and ad hoc publication lists pertaining to the body with public service functions
p.(None): Quarterly
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): Quarterly
p.(None):
p.(None):
p.(None):
p.(None): Quarterly
p.(None):
p.(None):
p.(None): Quarterly
p.(None):
p.(None):
p.(None): Immediately upon the change taking effect
p.(None):
p.(None): Immediately upon the change taking effect
p.(None): Previous data shall be deleted
p.(None):
p.(None):
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None): Previous data shall be archived for a period of one year
p.(None): Previous data shall be archived for a period of one year
p.(None): Previous data shall be deleted
p.(None):
p.(None): III. Financial data
p.(None):
p.(None): Data description Updating Duration of processing
p.(None):
p.(None): 1. Annual (fiscal) budget of the body with public service functions, annual accounts under the Accounting Act or
p.(None): the annual budget report
p.(None): 2. Consolidated data on the staff of the body with public service functions, including personal benefits
...
Searching for indicator police:
(return to top)
p.(None): 2012 shall be notified to the Authority by 30 June 2012 for registration according to the relevant provisions
p.(None): of this Act. In the event of non- compliance data processing operations may not be carried out past 30 June
p.(None): 2012. Moreover, data processing operations under this Subsection may not be pursued if the Authority refused the
p.(None): application submitted for registration after 31 December 2011.
p.(None):
p.(None): Section 76
p.(None):
p.(None): Chapter V of this Act shall be considered a cardinal provision pursuant to Article VI(3) of the Fundamental Law.
p.(None):
p.(None): Section 77
p.(None):
p.(None): This Act facilitates compliance with:
p.(None): a) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals
p.(None): with regard to the processing of personal data and on the free movement of such data;
p.(None): b) Directive 2003/4/EC of the European Parliament and of the Council of 28 January 2003 on public access to
p.(None): environmental information and repealing Council Directive 90/313/EEC;
p.(None): c) Directive 2003/98/EC of the European Parliament and of the Council of 17 November 2003 on the re-use of public
p.(None): sector information;
p.(None): d) Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the
p.(None): framework of police and judicial cooperation in criminal matters.
p.(None):
p.(None):
p.(None): (1)-(2)9
p.(None): Section 78
p.(None):
p.(None): (3) The term “descending” to be found in Section 9 (7) of the Law Decree 17 of 1982 on Registers,
p.(None): Marriage Proceedings and the Use of Name shall be replaced by the term “descending found”.
p.(None):
p.(None): (4) Section 25 (3) of the Act XXIV of 2011 on legal harmonisation of Acts on Europol, on Security Services and the
p.(None): Activities of Private Investigators (SSAPI), on Firearms and Pyrotechnic Devices enters into with the following
p.(None): wording:
p.(None):
p.(None): „(3) Section 31 (1) g) shall be replaced by „the Chamber shall keep a register of its natural person members and
p.(None): enterprises till the termination of membership in accordance with the provisions of this Act and also supplies
p.(None): statistical data anonymously.”
p.(None):
p.(None): (5) Section 41 (3) b) of the Act XXIV of 2011 on legal harmonisation of Acts on Europol, on Security Services and
p.(None): the Activities of Private Investigators (SSAPI), on Firearms and Pyrotechnic Devices enters into force with the
p.(None): following wording:
p.(None):
p.(None): (Repealed):
p.(None):
p.(None): „b) the wording „gas and alarm weapon” in Section 27 (4) on SSAPI, „which can be prolonged in every
p.(None): second year upon request of the member” in Section 40 (2), „period” in Section 54 (1)-(2).
p.(None):
p.(None): (6) Section 42 j) of the Act XXIV of 2011 on legal harmonisation of Acts on Europol, on Security
p.(None): Services and the Activities of Private Investigators (SSAPI), on Firearms and Pyrotechnic Devices enters into
p.(None): force with the following wording:
p.(None):
p.(None): (SSAPI)
p.(None):
...
Social / Property Ownership
Searching for indicator home:
(return to top)
p.(None): (6) If the data controller fails to send notice as specified in Subsection (3), the data recipient shall have the right
p.(None): to request information from the controller concerning the circumstances of non-disclosure, upon which the
p.(None): controller shall make available the information requested within eight days of receipt of the data
p.(None): recipient’s request. Where information had been requested, the data recipient may bring an action against
p.(None): the controller within fifteen days from the date of receipt of the information, or from the deadline
p.(None): prescribed therefor. The controller is authorised to summon the data subject to court.
p.(None): (7) The controller shall not delete the data of the data subject if processing has been prescribed by
p.(None): law. However, data may not be disclosed to the data recipient if the controller agrees with the objection or if the
p.(None): court has found the objection justified.
p.(None):
p.(None): 16. Judicial remedy Section 22
p.(None): (1) In the event of any infringement of his rights, the data subject, and in the cases referred to in Section 21, the
p.(None): data recipient may turn to court action against the controller. The court shall hear such cases in priority
p.(None): proceedings.
p.(None): (2) The burden of proof to show compliance with the law lies with the data controller. In the cases under Subsections
p.(None): (5) and (6) of Section 21, the burden of proof concerning the lawfulness of transfer of data lies with the
p.(None): data recipient.
p.(None): (3) The action shall be heard by the competent tribunal. If so requested by the data subject, the action may be brought
p.(None): before the tribunal in whose jurisdiction the data subject’s home address or temporary residence is located.
p.(None): (4) Any person otherwise lacking legal capacity to be a party to legal proceedings may also be involved in such
p.(None): actions. The Authority may intervene in the action on the data subject’s behalf.
p.(None): (5) When the court’s decision is in favor of the plaintiff, the court shall order the controller to provide the
p.(None): information, to rectify, block or erase the data in question, to annul the decision adopted by means of automated
p.(None): data-processing systems, to respect the data subject’s objection, or to disclose the data requested by the data
p.(None): recipient referred to in Section 21.
p.(None): (6) If the court rejects the petition filed by the data recipient in the cases defined in Section 21, the controller
p.(None): shall be required to erase the data subject’s personal data within three days of delivery of the court ruling. The
p.(None): controller shall erase the data even if the data recipient does not file for court action within the time
p.(None): limit referred to in Subsection (5) or (6) of Section 21.
p.(None): (7) The court may order publication of its decision, indicating the identification data of the controller as well,
p.(None): where this is deemed necessary for reasons of data protection or in connection with the rights of large
p.(None): numbers of data subjects under protection by this Act.
p.(None):
p.(None): 17. Compensation Section 23
...
p.(None): with provisions governing the Act on the control of personal data”; the text “together with data protection
p.(None): commissioner” in Article 91/A (2) shall be replaced by the text “together with the National Authority for
p.(None): Data Protection and Freedom of Information”; the text “data protection commissioner” in Article 91/A (3) shall be
p.(None): replaced by the text “the National Authority for Data Protection and Freedom of Information”.
p.(None): (16) The text “as well as within the scope of authority ensured in Act LXIII of 1992 on the protection of personal data
p.(None): and the disclosure of data of public interest, the data protection commissioner” in Article 7 (8) of Act CIV
p.(None): of 2009 on the proclamation of the agreement regarding processing the data of passenger number records
p.(None): (PNR) between the European Union and the United States of America and the transfer of this data to the
p.(None): Department of Home Security amending Act XCII of 1995 on air transport shall be replaced by the text “as well as
p.(None): within the scope of authority ensured in the Act on the right of informational self- determination and
p.(None): freedom of information, the National Authority for Data Protection and Freedom of Information”.
p.(None): (17) The text “the data protection commissioner” in the eighth paragraph of Article 6 of Act CLV of 2009 on the
p.(None): protection of classified information shall be replaced by the text “the National Authority for Data Protection
p.(None): and Freedom of Information”; the text “together with the data protection commissioner” in Point r) of the second
p.(None): paragraph of Article 20 shall be replaced by the text “together with the National Authority for Data Protection and
p.(None): Freedom of Information”.
p.(None): (18) The text “the data protection commissioner and an authorised associated employee” in Point j) of the first
...
Searching for indicator property:
(return to top)
p.(None): pertaining to misdemeanour cases, civil cases and non-contentious proceedings may only be processed by central
p.(None): or local government authorities.
p.(None):
p.(None): Section 6
p.(None):
p.(None): (1) Personal data may be processed also if obtaining the data subject’s consent is impossible or it would give rise
p.(None): to disproportionate costs, and the processing of personal data is necessary:
p.(None): a) for compliance with a legal obligation pertaining to the data controller, or
p.(None): b) for the purposes of the legitimate interests pursued by the controller or by a third party, and enforcing these
p.(None): interests is considered proportionate to the limitation of the right for the protection of personal data.
p.(None):
p.(None):
p.(None): 4 In effect as of 30th March 2013
p.(None):
p.(None): (2) If the data subject is unable to give his consent on account of lacking legal capacity or for any other reason
p.(None): beyond his control, the processing of his personal data is allowed to the extent necessary and for the length of time
p.(None): such reasons persist, to protect the vital interests of the data subject or of another person, or in order to
p.(None): prevent or avert an imminent danger posing a threat to the lives, physical integrity or property of persons.
p.(None): (3) The statement of consent of minors over the age of sixteen shall be considered valid without the
p.(None): permission or subsequent approval of their legal representative.
p.(None): (4) Where processing under consent is necessary for the performance of a contract with the controller in writing, the
p.(None): contract shall contain all information that is to be made available to the data subject under this Act in connection
p.(None): with the processing of personal data, such as the description of the data involved, the duration of the
p.(None): proposed processing operation, the purpose of processing, the transmission of data, the recipients and the use of a
p.(None): data processor. The contract must clearly indicate the data subject’s signature and explicit consent for having his
p.(None): data processed as stipulated in the contract.
p.(None): (5) Where personal data is recorded under the data subject’s consent, the controller shall - unless otherwise
p.(None): provided for by law - be able to process the data recorded where this is necessary:
p.(None): a) for compliance with a legal obligation pertaining to the controller, or
p.(None): b) for the purposes of legitimate interests pursued by the controller or by a third party, if enforcing these
p.(None): interests is considered proportionate to the limitation of the right for the protection of personal data,
...
p.(None): regulated by Appendix 1 of this Act and the specific laws relating to the status of the person
p.(None): undertaking public duties.
p.(None): (3) Unless otherwise prescribed by law, any data, other than personal data, that is processed by bodies or persons
p.(None): providing services prescribed mandatory by law or under contract with any governmental agency, central or local, if
p.(None): such services are not available in any other way or form relating to their activities shall be deemed data public on
p.(None): grounds of public interest.
p.(None):
p.(None): Section 27
p.(None):
p.(None): (1) Access to data of public interest or data public on grounds of public interest shall be restricted if it has
p.(None): been classified under the Act on the Protection of Classified Information.
p.(None): (2) Right of access to data of public interest or data public on grounds of public interest may be restricted by law -
p.(None): with the specific type of data indicated - where considered necessary to safeguard:
p.(None): a) national defense;
p.(None): b) national security;
p.(None): c) prevention and prosecution of criminal offenses;
p.(None): d) environmental protection and nature preservation;
p.(None): e) central financial or foreign exchange policy;
p.(None): f) external relations, relations with international organizations;
p.(None): g) court proceedings or administrative proceedings;
p.(None): h) intellectual property rights.
p.(None): (3) Access to business secrets shall be governed by the relevant provisions of the Civil Code.
p.(None): (4) Access to public information may also be limited by European Union legislation with a view to any important
p.(None): economic or financial interests of the European Union, including monetary, fiscal and tax policies.
p.(None): (5) Any information compiled or recorded by a body with public service functions as part of, and in support of, a
p.(None): decision-making process for which it is vested with powers and competence, shall not be made available
p.(None): to the public for ten years from the date it was compiled or recorded. Access to these information may be
p.(None): authorized by the head of the body
p.(None):
p.(None): that controls the information in question upon weighing the public interest in allowing or disallowing
p.(None): access to such information.
p.(None): (6) A request for disclosure of information underlying a decision may be rejected after the decision is adopted, but
p.(None): within the time limit referred to in Subsection (5), if disclosure is likely to jeopardize the legal
p.(None): functioning of the body with public service functions or the discharging of its duties without any undue
p.(None): influence, such as in particular free expression of the position of the body which generated the data during
p.(None): the preliminary stages of the decision-making process.
...
p.(None): d) shall give an opinion on special and ad hoc disclosure lists prescribed mandatory by this Act relating to the
p.(None): activities of the given body with public service functions;
p.(None): e) shall collaborate with the bodies and persons defined in specific other legislation to represent
p.(None): Hungary in the joint data protection supervisory bodies of the European Union;
p.(None): f) organize the conference of internal data protection officers; g)-h)
p.(None):
p.(None): (5) The Authority is an independent body that is subject to Hungarian law only, it may not be instructed in its
p.(None): official capacity, shall operate independent of any outside interference, without any bias. Tasks may only be
p.(None): prescribed for the Authority by acts of Parliament.
p.(None):
p.(None): 26. Budget and financial management of the Authority Section 39
p.(None): (1) The Authority shall be a central budgetary organ with the powers of a budgetary chapter, and its budget shall
p.(None): constitute an independent title within the budgetary chapter of Parliament.
p.(None): (2) The main totals of expenditures and receipts of the Authority for the current budgetary year may only be
p.(None): reduced by Parliament, with the exception of natural disasters endangering life and property as defined in the Act on
p.(None): Public Finances, of temporary measures adopted to relieve the consequences of such disasters, or of measures taken by
p.(None): the Authority within its own competence or in its competence as directing organ.
p.(None): (3)
p.(None): (4) The remainder of receipts from the previous year may be used by the Authority in the following years
p.(None): for the performance of its tasks.
p.(None):
p.(None): 27. President of the Authority Section 40
p.(None): (1) The head of the Authority is the President. The President of the Authority is appointed by the President of the
p.(None): Republic on a recommendation by the Prime Minister from among those Hungarian citizens with a law degree,
p.(None): who have the right to stand as candidates in parliamentary elections, having at least ten years of
p.(None): experience in supervising proceedings related to data protection or freedom of information, or holding an academic
p.(None): degree in either of those fields.
p.(None): (2) Persons who served as a Member of Parliament or as a Member of the European Parliament, as the
p.(None): President of the Republic, member of the Government, state secretary, representative of a municipal
p.(None): government, mayor or deputy mayor, lord mayor or deputy lord mayor, chairman or deputy chairman of a county assembly,
...
p.(None):
p.(None):
p.(None): (1)-(2)9
p.(None): Section 78
p.(None):
p.(None): (3) The term “descending” to be found in Section 9 (7) of the Law Decree 17 of 1982 on Registers,
p.(None): Marriage Proceedings and the Use of Name shall be replaced by the term “descending found”.
p.(None):
p.(None): (4) Section 25 (3) of the Act XXIV of 2011 on legal harmonisation of Acts on Europol, on Security Services and the
p.(None): Activities of Private Investigators (SSAPI), on Firearms and Pyrotechnic Devices enters into with the following
p.(None): wording:
p.(None):
p.(None): „(3) Section 31 (1) g) shall be replaced by „the Chamber shall keep a register of its natural person members and
p.(None): enterprises till the termination of membership in accordance with the provisions of this Act and also supplies
p.(None): statistical data anonymously.”
p.(None):
p.(None): (5) Section 41 (3) b) of the Act XXIV of 2011 on legal harmonisation of Acts on Europol, on Security Services and
p.(None): the Activities of Private Investigators (SSAPI), on Firearms and Pyrotechnic Devices enters into force with the
p.(None): following wording:
p.(None):
p.(None): (Repealed):
p.(None):
p.(None): „b) the wording „gas and alarm weapon” in Section 27 (4) on SSAPI, „which can be prolonged in every
p.(None): second year upon request of the member” in Section 40 (2), „period” in Section 54 (1)-(2).
p.(None):
p.(None): (6) Section 42 j) of the Act XXIV of 2011 on legal harmonisation of Acts on Europol, on Security
p.(None): Services and the Activities of Private Investigators (SSAPI), on Firearms and Pyrotechnic Devices enters into
p.(None): force with the following wording:
p.(None):
p.(None): (SSAPI)
p.(None):
p.(None): j) the wording „security technology- property protection” in Section 26 (1) e) shall be replaced by
p.(None): „electronic property protection”, „electronic security technology” in Section 28
p.(None): (2) d) by „electronic property protection”, the Act LXIII of 1992 by this Act, „security technology”
p.(None): in Section 32 (5) by „electronic property protection”, „the kind of security technology- property
p.(None): protection” in Section 74 (7) by „electronic property protection”.
p.(None):
p.(None): (7) Section 42 l) of the Act XXIV of 2011 on legal harmonisation of Acts on Europol, on Security Services and
p.(None): the Activities of Private Investigators (SSAPI), on Firearms and Pyrotechnic Devices enters into force with
p.(None): the following wording:
p.(None):
p.(None): (SSAPI)
p.(None):
p.(None): „l) in Sections 30 (1) and (4), 32 (1) the text “Avtv.” shall be replaced by “Infotv.”, in Section 63
p.(None): (4) the text „an unauthorised person and property protection as well as private investigator” shall be
p.(None): replaced by „unauthorised person and property protection” in accordance with Section 13 of Government
p.(None): decree 218/1999. (XII. 28.) on Misdemeanours, in
p.(None):
p.(None):
p.(None):
p.(None): 9 Repealed by Section 110 of the Act LXXVI of 2013 as of 01.07.2013.
p.(None):
p.(None): Section 39 (3) the text „presenting his ID pass” shall be replaced by „in his application for chamber membership”.
p.(None):
p.(None): (8) Section 34 (1) c) enacted by Section 23 of the Act XXIV of 2011 on legal harmonisation of Acts on Europol, on
p.(None): Security Services and the Activities of Private Investigators (SSAPI), on Firearms and Pyrotechnic Devices enters into
p.(None): force with the following wording:
p.(None):
p.(None): (The private investigator in order to conclude the contract)
p.(None):
p.(None): „may produce or use visual or audiovisual recordings in accordance with the framework of the relevant contract and in
p.(None): compliance with the regulations of this Act on data protection and personality rights”,
p.(None):
p.(None): (9) Section 15 (3) of the Act LXXVII. Of 2011 on World Heritage shall not enter into force.
p.(None):
p.(None): Section 80
p.(None):
p.(None): (1) The following Point n) shall be added to Article 51 (2) of Act CXII of 1996 on credit institutions
p.(None): and financial corporations:
p.(None): [Pursuant to Point b) of paragraph (2), the obligation to safeguard bank secrets does not apply]
p.(None): “n) to the National Authority for Data Protection and Freedom of Information within its competent scope of
p.(None): responsibilities”
p.(None): (contrary to requests made in writing by these bodies to the financial institution.)
...
Social / Racial Minority
Searching for indicator minority:
(return to top)
p.(None): Public Finances, of temporary measures adopted to relieve the consequences of such disasters, or of measures taken by
p.(None): the Authority within its own competence or in its competence as directing organ.
p.(None): (3)
p.(None): (4) The remainder of receipts from the previous year may be used by the Authority in the following years
p.(None): for the performance of its tasks.
p.(None):
p.(None): 27. President of the Authority Section 40
p.(None): (1) The head of the Authority is the President. The President of the Authority is appointed by the President of the
p.(None): Republic on a recommendation by the Prime Minister from among those Hungarian citizens with a law degree,
p.(None): who have the right to stand as candidates in parliamentary elections, having at least ten years of
p.(None): experience in supervising proceedings related to data protection or freedom of information, or holding an academic
p.(None): degree in either of those fields.
p.(None): (2) Persons who served as a Member of Parliament or as a Member of the European Parliament, as the
p.(None): President of the Republic, member of the Government, state secretary, representative of a municipal
p.(None): government, mayor or deputy mayor, lord mayor or deputy lord mayor, chairman or deputy chairman of a county assembly,
p.(None): member of a national minority self-government, or an officer or employee of a political party in the four-year period
p.(None): before the time of the recommendation for appointment may not be appointed as President of the Authority.
p.(None): (3) The President of the Authority shall be appointed by the President of the Republic for a term of nine years.
p.(None): (4) The President of the Authority - upon being appointed - shall take an oath before the President of the Republic in
p.(None): accordance with the Act on the Oath and Deposition of Public Officials.
p.(None):
p.(None): Section 41
p.(None):
p.(None): (1) The President of the Authority may not be a member of any political party, may not engage in political
p.(None): activities, and his mandate shall be considered incompatible with other state or local government office or
p.(None): mandate.
p.(None): (2) The President of the Authority shall not be otherwise gainfully employed and shall not accept remuneration for
p.(None): other activities, with the exception of scientific, educational and artistic activities under copyright
p.(None): protection, and other than revisory and editorial activities.
p.(None):
...
Searching for indicator racial:
(return to top)
p.(None): the territory of the European Union contracts a data processor with a seat, site, branch or address or place of
p.(None): residence within the territory of Hungary to perform data processing, except if this device serves data
p.(None): traffic exclusively within the territory of the European Union. Such controllers are obliged to designate a
p.(None): representative in Hungary.
p.(None): (4) Provisions set out in the present Act are not applicable to natural persons processing data
p.(None): exclusively for their own personal purposes.
p.(None): (5) Concerning further use of public sector information, provisions in derogation from this Act may be established
p.(None): by another act concerning the procedures and conditions for the disclosure of data, the consideration payable
p.(None): therefore, and as regards remedies.
p.(None):
p.(None): 3. Definitions Section 3
p.(None):
p.(None): 1Updated: 11-10-2013 by NAIH
p.(None):
p.(None): For the purposes of this Act:
p.(None): 1. ‘data subject’ shall mean any natural person directly or indirectly identifiable by reference to
p.(None): specific personal data;
p.(None): 2. ‘personal data’ shall mean data relating to the data subject, in particular by reference to the name and
p.(None): identification number of the data subject or one or more factors specific to his physical, physiological, mental,
p.(None): economic, cultural or social identity as well as conclusions drawn from the data in regard to the data subject;
p.(None): 3. ‘special data’ shall mean:
p.(None): a) personal data revealing racial origin or nationality, political opinions and any affiliation with political
p.(None): parties, religious or philosophical beliefs or trade-union membership, and personal data concerning sex life,
p.(None): b) personal data concerning health, pathological addictions, or criminal record;
p.(None): 4. ‘criminal personal data’ shall mean personal data relating to the data subject or that pertain to any
p.(None): prior criminal offense committed by the data subject and that is obtained by organizations authorized to conduct
p.(None): criminal proceedings or investigations or by penal institutions during or prior to criminal proceedings in
p.(None): connection with a crime or criminal proceedings;
p.(None): 5. ‘data of public interest’ shall mean information or data other than personal data, registered in any
p.(None): mode or form, controlled by the body or individual performing state or local government responsibilities, as well as
p.(None): other public tasks defined by legislation, concerning their activities or generated in the course of performing their
p.(None): public tasks, irrespective of the method or format in which it is recorded, its single or collective
...
Social / Religion
Searching for indicator religious:
(return to top)
p.(None): traffic exclusively within the territory of the European Union. Such controllers are obliged to designate a
p.(None): representative in Hungary.
p.(None): (4) Provisions set out in the present Act are not applicable to natural persons processing data
p.(None): exclusively for their own personal purposes.
p.(None): (5) Concerning further use of public sector information, provisions in derogation from this Act may be established
p.(None): by another act concerning the procedures and conditions for the disclosure of data, the consideration payable
p.(None): therefore, and as regards remedies.
p.(None):
p.(None): 3. Definitions Section 3
p.(None):
p.(None): 1Updated: 11-10-2013 by NAIH
p.(None):
p.(None): For the purposes of this Act:
p.(None): 1. ‘data subject’ shall mean any natural person directly or indirectly identifiable by reference to
p.(None): specific personal data;
p.(None): 2. ‘personal data’ shall mean data relating to the data subject, in particular by reference to the name and
p.(None): identification number of the data subject or one or more factors specific to his physical, physiological, mental,
p.(None): economic, cultural or social identity as well as conclusions drawn from the data in regard to the data subject;
p.(None): 3. ‘special data’ shall mean:
p.(None): a) personal data revealing racial origin or nationality, political opinions and any affiliation with political
p.(None): parties, religious or philosophical beliefs or trade-union membership, and personal data concerning sex life,
p.(None): b) personal data concerning health, pathological addictions, or criminal record;
p.(None): 4. ‘criminal personal data’ shall mean personal data relating to the data subject or that pertain to any
p.(None): prior criminal offense committed by the data subject and that is obtained by organizations authorized to conduct
p.(None): criminal proceedings or investigations or by penal institutions during or prior to criminal proceedings in
p.(None): connection with a crime or criminal proceedings;
p.(None): 5. ‘data of public interest’ shall mean information or data other than personal data, registered in any
p.(None): mode or form, controlled by the body or individual performing state or local government responsibilities, as well as
p.(None): other public tasks defined by legislation, concerning their activities or generated in the course of performing their
p.(None): public tasks, irrespective of the method or format in which it is recorded, its single or collective
p.(None): nature; in particular data concerning the scope of authority, competence, organisational structure,
...
Social / Student
Searching for indicator student:
(return to top)
p.(None):
p.(None): purpose of providing assistance to data subjects containing - with the exceptions set out in Subsection (2) -
p.(None): the following information:
p.(None): a) the purpose of data processing;
p.(None): b) the legal basis of data processing;
p.(None): c) scope of data subject;
p.(None): d) description of the data pertaining to the data subjects;
p.(None): e) the source;
p.(None): f) the duration of processing;
p.(None): g) the categories of data transferred, the recipients and the grounds for transfer, including transfers made to third
p.(None): countries;
p.(None): h) name and address of the data controller and the data processor, the place where records are kept and/or where
p.(None): processing is carried out, and the data processor’s activities in connection with data processing operations;
p.(None): i) the nature of the data process technology used;
p.(None): j) the name of and contact details of the internal data protection officer, where applicable.
p.(None): (2) As regards national security agencies, the data protection register shall indicate the name and address of the
p.(None): given national security agency, and the purpose of and legal basis for data processing.
p.(None): (3) The Authority’s data protection register shall not cover operations:
p.(None): a) concerning the data of the data controller’s employees or members, students engaged under kindergarten
p.(None): education agreement, or under student or apprenticeship agreement, with or without dormitory services, or customers,
p.(None): other than the customers of financial institutions, public utility companies and electronic telecommunications service
p.(None): providers;
p.(None): b) carried out in accordance with the internal rules of the recognized church;
p.(None): c) that concerns the personal data of a person undergoing medical treatment, for the purposes of health
p.(None): care and preventive measures or for settling claims for benefits and services in the social insurance system;
p.(None): d) where it contains information concerning the provision of social and other benefits to the data subject;
p.(None): e) where it contains the personal data of persons implicated in an official regulatory, public prosecutor or court
p.(None): proceeding to the extent required for such proceeding, or it concerns personal data processed by penal
p.(None): institutions in the execution of a sentence;
p.(None): f) where it contains personal data for official statistical purposes, provided there are adequate
p.(None): guarantees that the verification of the link between the data and the data subject is definitively severed in such a
p.(None): way that the data subject is no longer identifiable in accordance with the relevant legislation;
p.(None): g) where it concerns the data of a media content provider defined by the Act on Media Services and on
p.(None): the Mass Media, which are used solely for its own information activities;
p.(None): h) if it serves the purposes of scientific research, and if the data is not made available to the public;
p.(None): i) where it concerns documents deposited in archive.
p.(None): (4) The data protection register shall be open to the general public; it may be inspected by any person, including
p.(None): taking notes.
...
Social / Threat of Stigma
Searching for indicator threat:
(return to top)
p.(None): investigating, detecting and prosecuting criminal offences and data files containing information
p.(None): pertaining to misdemeanour cases, civil cases and non-contentious proceedings may only be processed by central
p.(None): or local government authorities.
p.(None):
p.(None): Section 6
p.(None):
p.(None): (1) Personal data may be processed also if obtaining the data subject’s consent is impossible or it would give rise
p.(None): to disproportionate costs, and the processing of personal data is necessary:
p.(None): a) for compliance with a legal obligation pertaining to the data controller, or
p.(None): b) for the purposes of the legitimate interests pursued by the controller or by a third party, and enforcing these
p.(None): interests is considered proportionate to the limitation of the right for the protection of personal data.
p.(None):
p.(None):
p.(None): 4 In effect as of 30th March 2013
p.(None):
p.(None): (2) If the data subject is unable to give his consent on account of lacking legal capacity or for any other reason
p.(None): beyond his control, the processing of his personal data is allowed to the extent necessary and for the length of time
p.(None): such reasons persist, to protect the vital interests of the data subject or of another person, or in order to
p.(None): prevent or avert an imminent danger posing a threat to the lives, physical integrity or property of persons.
p.(None): (3) The statement of consent of minors over the age of sixteen shall be considered valid without the
p.(None): permission or subsequent approval of their legal representative.
p.(None): (4) Where processing under consent is necessary for the performance of a contract with the controller in writing, the
p.(None): contract shall contain all information that is to be made available to the data subject under this Act in connection
p.(None): with the processing of personal data, such as the description of the data involved, the duration of the
p.(None): proposed processing operation, the purpose of processing, the transmission of data, the recipients and the use of a
p.(None): data processor. The contract must clearly indicate the data subject’s signature and explicit consent for having his
p.(None): data processed as stipulated in the contract.
p.(None): (5) Where personal data is recorded under the data subject’s consent, the controller shall - unless otherwise
p.(None): provided for by law - be able to process the data recorded where this is necessary:
p.(None): a) for compliance with a legal obligation pertaining to the controller, or
p.(None): b) for the purposes of legitimate interests pursued by the controller or by a third party, if enforcing these
...
p.(None): merits, or on the measures taken within thirty days from the date of receipt of the recommendation.
p.(None):
p.(None): Section 57
p.(None):
p.(None): If, based on the findings of the investigation, the Authority considers that the infringement or the imminent danger
p.(None): thereof is attributable to any provision of legislation or regulatory instrument for the governance of
p.(None): bodies governed by public law that is deemed redundant, unclear or inadequate, or the lack of legal regulation
p.(None): of issues relating to data processing, or the deficiency thereof, it may present a proposal for legislative
p.(None): step, or for the issue of a regulatory instrument for the governance of bodies governed by public law in the
p.(None): interest of eliminating such infringements and the imminent danger thereof in the future, to the
p.(None): appropriate bodies for the issue of a legal act for the governance of bodies governed by public law or for drafting
p.(None): bills of legislation. In the recommendation the Authority may propose the amendment, repeal or adoption of
p.(None): legislation or legal act for the governance of public organizations. The body contacted shall inform the
p.(None): Authority within sixty days concerning its opinion, or on the measures taken in conformity with the recommendation.
p.(None):
p.(None): Section 58
p.(None):
p.(None): (1) Should, pursuant to the notification issued or the recommendation presented in accordance with Article 56, the
p.(None): anomaly not have been addressed and its immediate threat not have been ceased, the Authority shall make a decision
p.(None): regarding further necessary measures to be taken within a period of 30 days following the expiry of the deadline date
p.(None): for notification specified in Article 56 (2), or Article 56 (4) if a recommendation was not issued.
p.(None): (2) Where Subsection (1) applies, the Authority shall take further action as per the following:
p.(None): a) open administrative proceedings for data protection under Section 60;
p.(None): b) open administrative proceedings for the control of classified data under Section 62;
p.(None):
p.(None): c) initiate court proceedings according to Section 64; or
p.(None): d) draw up a report according to Section 59.
p.(None): (3) The Authority shall inform the notifier concerning the outcome of the measures taken under Sections 56 and 57, and
p.(None): on taking further action according to Subsection (2) hereof.
p.(None):
p.(None): 31. The Authority’s report Section 59
p.(None): (1) The Authority may draw up a report on the findings of an investigation conducted on basis of notification in a
p.(None): case where the Authority did not open administrative proceedings and did not file for court action.
p.(None): (2) The report shall contain the facts revealed by the investigation, and the resulting findings and
p.(None): conclusions.
...
Social / Trade Union Membership
Searching for indicator union:
(return to top)
p.(None): facilitate the implementation of the Fundamental Law, pursuant to Article VI of the Fundamental Law, the
p.(None): Parliament hereby adopts the following Act on the fundamental rules applicable in connection with the
p.(None): protection of personal data and the enforcement of the right to access and disseminate data of public interest and
p.(None): data public on grounds of public interest, and on the authority empowered to monitor compliance with these rules:
p.(None):
p.(None): CHAPTER I GENERAL PROVISIONS
p.(None): 1. Object of the Act Section 1
p.(None): The purpose of this Act is to lay down the fundamental rules for data processing activities with a view to ensuring
p.(None): that the right to privacy of natural persons is respected by data controllers , and to enforcing of rights
p.(None): to access and disseminate data of public interest and data public on grounds of public interest.
p.(None):
p.(None): 2. Scope Section 2
p.(None): (1) This Act shall apply to all data control and data processing activities undertaken in Hungary
p.(None): relating to the data of natural persons as well as data of public interest and data public on grounds of
p.(None): public interest.
p.(None): (2) The present Act shall apply to both data processing and data process, carried out wholly or partly, by automated
p.(None): means as well as manually.
p.(None): (3) Provisions set out in the present Act shall apply if the controller processing personal data outside
p.(None): the territory of the European Union contracts a data processor with a seat, site, branch or address or place of
p.(None): residence within the territory of Hungary to perform data processing, except if this device serves data
p.(None): traffic exclusively within the territory of the European Union. Such controllers are obliged to designate a
p.(None): representative in Hungary.
p.(None): (4) Provisions set out in the present Act are not applicable to natural persons processing data
p.(None): exclusively for their own personal purposes.
p.(None): (5) Concerning further use of public sector information, provisions in derogation from this Act may be established
p.(None): by another act concerning the procedures and conditions for the disclosure of data, the consideration payable
p.(None): therefore, and as regards remedies.
p.(None):
p.(None): 3. Definitions Section 3
p.(None):
p.(None): 1Updated: 11-10-2013 by NAIH
p.(None):
p.(None): For the purposes of this Act:
p.(None): 1. ‘data subject’ shall mean any natural person directly or indirectly identifiable by reference to
p.(None): specific personal data;
p.(None): 2. ‘personal data’ shall mean data relating to the data subject, in particular by reference to the name and
p.(None): identification number of the data subject or one or more factors specific to his physical, physiological, mental,
p.(None): economic, cultural or social identity as well as conclusions drawn from the data in regard to the data subject;
p.(None): 3. ‘special data’ shall mean:
p.(None): a) personal data revealing racial origin or nationality, political opinions and any affiliation with political
p.(None): parties, religious or philosophical beliefs or trade-union membership, and personal data concerning sex life,
p.(None): b) personal data concerning health, pathological addictions, or criminal record;
p.(None): 4. ‘criminal personal data’ shall mean personal data relating to the data subject or that pertain to any
p.(None): prior criminal offense committed by the data subject and that is obtained by organizations authorized to conduct
p.(None): criminal proceedings or investigations or by penal institutions during or prior to criminal proceedings in
p.(None): connection with a crime or criminal proceedings;
p.(None): 5. ‘data of public interest’ shall mean information or data other than personal data, registered in any
p.(None): mode or form, controlled by the body or individual performing state or local government responsibilities, as well as
p.(None): other public tasks defined by legislation, concerning their activities or generated in the course of performing their
p.(None): public tasks, irrespective of the method or format in which it is recorded, its single or collective
p.(None): nature; in particular data concerning the scope of authority, competence, organisational structure,
p.(None): professional activities and the evaluation of such activities covering various aspects thereof, the type of
...
p.(None): 14. ‘tagging data’ shall mean marking data with a special ID tag to differentiate it;
p.(None): 15. ‘blocking of data’ shall mean marking data with a special ID tag to indefinitely or definitely
p.(None): restrict its further processing;
p.(None): 16. ‘data destruction’ shall mean complete physical destruction of the data carrier recording the data;
p.(None): 17. ‘data process’ shall mean performing technical tasks in connection with data processing operations, irrespective of
p.(None): the method and means used for executing the operations, as well as the place of execution, provided that the technical
p.(None): task is performed on the data;
p.(None): 18. ‘data processor’ shall mean any natural or legal person or organisation without legal personality processing
p.(None): the data on the grounds of a contract, including contracts concluded pursuant to legislative provisions3;
p.(None): 19. ‘data source’ shall mean the body responsible for undertaking the public responsibility which generated the data of
p.(None): public interest that must be disclosed through electronic means, or during the course of operation in which this data
p.(None): was generated;
p.(None): 20. ‘data disseminator shall mean the body responsible for undertaking the public responsibility
p.(None): which uploads the data sent by the data source it has not published the data;
p.(None): 21. ‘data set’ shall mean all data processed in a single file;
p.(None): 22. ‘third party’ any natural or legal person, or organisation without legal personality other than the data subject,
p.(None): the data controller or the data processor;
p.(None): 23. ‘EEA Member State’ any Member State of the European Union and any State which is party to the Agreement on the
p.(None): European Economic Area, as well as any State the nationals of which enjoy the same legal status as nationals of States
p.(None): which are parties to the Agreement on the European Economic Area, based on an international treaty concluded
p.(None): between the European Union and its Member States and a State which is not party to the Agreement on the European
p.(None): Economic Area;
p.(None): 24. ‘third country’ any State that is not an EEA State.
p.(None):
p.(None): CHAPTER II PROTECTION OF PERSONAL DATA
p.(None): 4. Principles of data processing Section 4
p.(None): (1) Personal data may be processed only for specified and explicit purposes, where it is necessary for
p.(None): the exercising of certain rights and fulfilment of obligations. The purpose of processing must be satisfied
p.(None): in all stages of data processing operations; recording of personal data shall be done under the principle of lawfulness
p.(None): and fairness.
p.(None): (2) The personal data processed must be essential for the purpose for which it was recorded, and it must be suitable to
p.(None): achieve that purpose. Personal data may be processed to the extent and for the duration necessary to achieve its
p.(None): purpose.
p.(None): (3) In the course of data processing, the data in question shall be treated as personal as long as the data subject
p.(None): remains identifiable through it. The data subject shall - in particular - be considered identifiable if the data
p.(None): controller is in possession of the technical requirements which are necessary for identification.
p.(None):
p.(None):
p.(None): 3 In effect as of 1st July 2013
p.(None):
p.(None): (4) The accuracy and completeness, and - if deemed necessary in the light of the aim of processing - the
p.(None): up-to-dateness of the data must be provided for throughout the processing operation, and shall be kept in a way
p.(None): to permit identification of the data subject for no longer than is necessary for the purposes for which the data were
p.(None): recorded.
...
p.(None): data-processing systems and when and by whom the data were input;
p.(None): e) ensure that installed systems may, in case of malfunctions, be restored; and
p.(None): f) ensure that faults emerging in automated data-processing systems is reported.
p.(None): (6) In determining the measures to ensure security of processing, data controllers and processors shall
p.(None): proceed taking into account the latest technical development and the state of the art of their implementation. Where
p.(None): alternate data processing solutions are available, the one selected shall ensure the highest level of protection of
p.(None): personal data, except if this would entail unreasonable hardship for the data controller.
p.(None):
p.(None): 7. Data transfer to other countries Section 8
p.(None): (1) Personal data may be transmitted by a data controller covered by this Act to a data controller or
p.(None): processor5 operating in a third country, or may be transferred to a data controller or processor operating in a third
p.(None): country if:
p.(None): a) the data subject has given his explicit consent, or
p.(None): b) the conditions laid down in Section 5 and/or Section 6 for data processing are satisfied and - save where Subsection
p.(None): (2) of Section 6 applies – the adequate level of protection of the personal data have been ensured in the third
p.(None): country during the course of the control and processing of the data transferred.
p.(None): (2) Adequate level of protection of personal data is ensured should:
p.(None): a) this be stated in a binding legal act of the European Union, or
p.(None): b) there is an international agreement between the third country and Hungary containing guarantees for the
p.(None): rights of data subjects referred to in Section 14, their rights to remedies, and for the independent supervision
p.(None): and control of data control and data processing operations.
p.(None): (3) Personal data may be transferred to third countries in the interest of the implementation of an international
p.(None): agreement on international legal aid, exchange of information in tax matters and on double taxation, for
p.(None): the purpose and with the contents specified in the international agreement, also in the absence of the
p.(None): conditions specified in Subsection (2).
p.(None): (4) Transfer of data to EEA Member States shall be considered as if the transmission took place within the territory of
p.(None): Hungary.
p.(None):
p.(None): 8. Restrictions to data processing Section 9
p.(None):
p.(None):
p.(None): 5 In effect as of 1st July 2013
p.(None):
p.(None): (1) Where personal data is transmitted under this Act and in accordance with international agreement or a binding legal
p.(None): act of the European Union, and the transmitting data controller indicates to the recipient at the time of transmission
p.(None): of the personal data:
p.(None): a) the purposes for which it can use those data,
p.(None): b) the time limits for the retention of data,
p.(None): c) the potential recipients of the data,
p.(None): d) the restrictions of the data subject’s rights ensured under this Act, or
p.(None): e) specific other processing restrictions that may apply,
p.(None): (hereinafter referred to collectively as “processing restrictions”), the recipient of such personal data
p.(None): (hereinafter referred to as “data recipient”) shall process the personal data to the extent and by way of the means
p.(None): stipulated in the processing restrictions, and shall ensure the data subject’s rights in line with the processing
p.(None): restrictions.
p.(None): (2) The data recipient shall be allowed to process personal data irrespective of restrictions and may enforce the
p.(None): data subject’s rights provided a prior consent has been granted by him/her to the transmitting data
p.(None): controller.
p.(None): (3) Where personal data is transmitted under this Act and in accordance with international agreement or a binding legal
p.(None): act of the European Union, the transmitting data controller shall indicate to the recipient at the time of transmission
p.(None): the processing restrictions applicable.
p.(None): (4) The data controller shall be able to give the consent referred to in Subsection (2) if it is not contrary to any
p.(None): legal provision applicable to legal subjects falling within the scope of jurisdiction of Hungary.
p.(None): (5) The data recipient shall – upon request – inform the transmitting data controller concerning the use
p.(None): of the personal data received.
p.(None):
p.(None): 9. Data process Section 10
p.(None): (1) The rights and obligations of data processors arising in connection with the process of personal data shall be
p.(None): determined by the data controller within the scope specified by this Act and other legislation on data processing.
p.(None): The data controller shall be held liable for the legitimacy of his instructions.
p.(None): (2) The data processor shall be permitted to subcontract another data processor according to the notice of the data
p.(None): controller.6
p.(None): (3) The data processor may not make any decision on the merits of data processing and shall process any and all data
p.(None): entrusted to him solely as instructed by the controller; the processor shall not engage in data process for his own
p.(None): purposes and shall store and safeguard personal data according to the instructions of the controller.
p.(None): (4) Contracts for the process of data must be made in writing. Any company that is interested in the
p.(None): business activity for which personal data is used may not be contracted for the process of such data.
p.(None):
p.(None): 10. Decision adopted by means of automated data-process systems Section 11
...
p.(None): inaccuracy cannot be ascertained beyond doubt, the data controller shall mark that personal data for the purpose of
p.(None): referencing.
p.(None):
p.(None): Section 18
p.(None):
p.(None): (1) When a data is rectified, blocked, marked or erased, the data subject and all recipients to whom it was transmitted
p.(None): for processing shall be notified. Notification is not required if it does not violate the rightful interest of the data
p.(None): subject in light of the purpose of processing.
p.(None): (2) If the data controller refuses to comply with the data subject’s request for rectification, blocking or erasure,
p.(None): the factual or legal reasons on which the decision for refusing the request for rectification, blocking or erasure is
p.(None): based shall be communicated in writing within thirty days of receipt of the request. Where rectification,
p.(None): blocking or erasure is refused, the data controller shall inform the data subject of the possibilities
p.(None): for seeking judicial remedy or lodging a complaint with the Authority.
p.(None):
p.(None): Section 19
p.(None):
p.(None): The rights of data subjects afforded under Sections 14-18 may be restricted by law in order to safeguard the external
p.(None): and internal security of the State, such as defence, national security, the prevention and prosecution of criminal
p.(None): offences, the safety of penal institutions, to protect the economic and financial interests of central and local
p.(None): government, safeguard the important economic and financial interests of the European Union, guard against disciplinary
p.(None): and ethical breaches in regulated professions, prevent and detect breaches of obligation related to labour law and
p.(None): occupational safety - including in all cases control and supervision - and to protect data subjects or the rights and
p.(None): freedoms of others.
p.(None):
p.(None): 14. Requirement of preliminary information of the data subject Section 20
p.(None): (1) Prior to data processing being initiated the data subject shall be informed whether his consent is required or
p.(None): processing is mandatory.
p.(None): (2) Before processing operations are carried out the data subject shall be clearly and elaborately
p.(None): informed of all aspects concerning the processing of his personal data, such as the purpose for which his data is
p.(None): required and the legal basis, the person entitled to control the data and to carry out the processing, the duration of
p.(None): the proposed processing operation, if the data subject’s personal data is processed in accordance with Subsection (5)
p.(None): of Section 6, and the persons to whom his data may be disclosed. Information shall also be provided on the data
p.(None): subject’s rights and remedies.
p.(None): (3) In the case of mandatory processing such information may be supplied by way of publishing reference
p.(None): to the legislation containing the information referred to in Subsection (2).
p.(None): (4) If the provision of personal information to the data subject proves impossible or would involve disproportionate
p.(None): costs, the obligation of information may be satisfied by the public disclosure of the following:
p.(None): a) an indication of the fact that data is being collected;
p.(None): b) the data subjects targeted;
p.(None):
...
p.(None): such services are not available in any other way or form relating to their activities shall be deemed data public on
p.(None): grounds of public interest.
p.(None):
p.(None): Section 27
p.(None):
p.(None): (1) Access to data of public interest or data public on grounds of public interest shall be restricted if it has
p.(None): been classified under the Act on the Protection of Classified Information.
p.(None): (2) Right of access to data of public interest or data public on grounds of public interest may be restricted by law -
p.(None): with the specific type of data indicated - where considered necessary to safeguard:
p.(None): a) national defense;
p.(None): b) national security;
p.(None): c) prevention and prosecution of criminal offenses;
p.(None): d) environmental protection and nature preservation;
p.(None): e) central financial or foreign exchange policy;
p.(None): f) external relations, relations with international organizations;
p.(None): g) court proceedings or administrative proceedings;
p.(None): h) intellectual property rights.
p.(None): (3) Access to business secrets shall be governed by the relevant provisions of the Civil Code.
p.(None): (4) Access to public information may also be limited by European Union legislation with a view to any important
p.(None): economic or financial interests of the European Union, including monetary, fiscal and tax policies.
p.(None): (5) Any information compiled or recorded by a body with public service functions as part of, and in support of, a
p.(None): decision-making process for which it is vested with powers and competence, shall not be made available
p.(None): to the public for ten years from the date it was compiled or recorded. Access to these information may be
p.(None): authorized by the head of the body
p.(None):
p.(None): that controls the information in question upon weighing the public interest in allowing or disallowing
p.(None): access to such information.
p.(None): (6) A request for disclosure of information underlying a decision may be rejected after the decision is adopted, but
p.(None): within the time limit referred to in Subsection (5), if disclosure is likely to jeopardize the legal
p.(None): functioning of the body with public service functions or the discharging of its duties without any undue
p.(None): influence, such as in particular free expression of the position of the body which generated the data during
p.(None): the preliminary stages of the decision-making process.
p.(None): (7) The time limit for restriction of access as defined in Subsection (5) to certain specific information underlying a
p.(None): decision may be reduced by law.
p.(None): (8) This Chapter shall not apply to the disclosure of information from official records that is subject to the
p.(None): provisions of specific other legislation.
p.(None):
p.(None): 21. Access to public information upon request Section 28
...
p.(None): b) may conduct ex officio administrative proceedings for data protection;
p.(None): c) may conduct ex officio administrative proceedings for the control of classified data;
p.(None): d) may turn to court in connection with any infringement concerning public information and information of public
p.(None): interest;
p.(None): e) may intervene in court actions brought by others;
p.(None): f) maintain the data protection register; in accordance with this Act.
p.(None): (4) Within its scope of responsibilities conferred under Subsection (2), the Authority:
p.(None): a) shall have powers to make recommendations for new regulations and for the amendment of legislation pertaining to
p.(None): the processing of personal data, to public information and information of public interest, and shall
p.(None): express its opinion on drafts covering the same subject;
p.(None): b) shall publish a report on its activities each year, by 31 March, and shall present this report to
p.(None): Parliament;
p.(None): c) shall make recommendations in general, or to specific controllers;
p.(None): d) shall give an opinion on special and ad hoc disclosure lists prescribed mandatory by this Act relating to the
p.(None): activities of the given body with public service functions;
p.(None): e) shall collaborate with the bodies and persons defined in specific other legislation to represent
p.(None): Hungary in the joint data protection supervisory bodies of the European Union;
p.(None): f) organize the conference of internal data protection officers; g)-h)
p.(None):
p.(None): (5) The Authority is an independent body that is subject to Hungarian law only, it may not be instructed in its
p.(None): official capacity, shall operate independent of any outside interference, without any bias. Tasks may only be
p.(None): prescribed for the Authority by acts of Parliament.
p.(None):
p.(None): 26. Budget and financial management of the Authority Section 39
p.(None): (1) The Authority shall be a central budgetary organ with the powers of a budgetary chapter, and its budget shall
p.(None): constitute an independent title within the budgetary chapter of Parliament.
p.(None): (2) The main totals of expenditures and receipts of the Authority for the current budgetary year may only be
p.(None): reduced by Parliament, with the exception of natural disasters endangering life and property as defined in the Act on
p.(None): Public Finances, of temporary measures adopted to relieve the consequences of such disasters, or of measures taken by
p.(None): the Authority within its own competence or in its competence as directing organ.
p.(None): (3)
p.(None): (4) The remainder of receipts from the previous year may be used by the Authority in the following years
p.(None): for the performance of its tasks.
p.(None):
...
p.(None): Data Protection and Freedom of Information”.
p.(None): (14) The text “the data protection commissioner” in Article 18 (6) and Article 20 (2) of Act CV of 2007 on cooperation
p.(None): and information exchange carried out within the framework of the Convention implementing the Schengen Agreement
p.(None): shall be replaced by the text “the National Authority for Data Protection and Freedom of Information”; the
p.(None): text “pursuant to regulations set out under the Act on the protection of personal data and the disclosure of data of
p.(None): public interest, the data protection commissioner” in Article 20 (1) shall be replaced by the text “the National
p.(None): Authority for Data Protection and Freedom of Information”.
p.(None): (15) The text “the data commissioner competent to act in respect of Act on the protection of personal data and the
p.(None): disclosure of data of public interest and controlling compliance with the Act on the control of personal data” in
p.(None): Article 88 (2) of Act XLVII of 2009 on the criminal database, the registration of verdicts brought against
p.(None): Hungarian nationals in the courts of
p.(None):
p.(None): European Union Member States and the registration of criminal and biometric data shall be replaced by the text “the
p.(None): National Authority for Data Protection and Freedom of Information competent to act in respect of controlling compliance
p.(None): with provisions governing the Act on the control of personal data”; the text “together with data protection
p.(None): commissioner” in Article 91/A (2) shall be replaced by the text “together with the National Authority for
p.(None): Data Protection and Freedom of Information”; the text “data protection commissioner” in Article 91/A (3) shall be
p.(None): replaced by the text “the National Authority for Data Protection and Freedom of Information”.
p.(None): (16) The text “as well as within the scope of authority ensured in Act LXIII of 1992 on the protection of personal data
p.(None): and the disclosure of data of public interest, the data protection commissioner” in Article 7 (8) of Act CIV
p.(None): of 2009 on the proclamation of the agreement regarding processing the data of passenger number records
p.(None): (PNR) between the European Union and the United States of America and the transfer of this data to the
p.(None): Department of Home Security amending Act XCII of 1995 on air transport shall be replaced by the text “as well as
p.(None): within the scope of authority ensured in the Act on the right of informational self- determination and
p.(None): freedom of information, the National Authority for Data Protection and Freedom of Information”.
p.(None): (17) The text “the data protection commissioner” in the eighth paragraph of Article 6 of Act CLV of 2009 on the
p.(None): protection of classified information shall be replaced by the text “the National Authority for Data Protection
p.(None): and Freedom of Information”; the text “together with the data protection commissioner” in Point r) of the second
p.(None): paragraph of Article 20 shall be replaced by the text “together with the National Authority for Data Protection and
p.(None): Freedom of Information”.
p.(None): (18) The text “the data protection commissioner and an authorised associated employee” in Point j) of the first
...
p.(None): contracts, names of the parties to the contract, the contract amounts, and the duration of fixed term contracts,
p.(None): including changes in the data abovementioned, with the exception of information on procurements directly related to and
p.(None): deemed necessary for reasons of national security or national defense, and with the exception of classified information
p.(None): Contract value shall mean the price agreed upon for the subject matter of the contract
p.(None): - exclusive of value added tax -, or in the case of gratuitous transactions, the market value or book value of the
p.(None): asset in question, whichever is higher. As regards periodically recurring contracts concluded for more than one year
p.(None): the contract value shall indicate the price calculated for one year. The value of contracts concluded within the same
p.(None): financial year with the same party shall be applied cumulatively.
p.(None): 5. Information made public according to the Act on Concessions (tender notices, particulars of tenderers, memos
p.(None): on evaluation procedures, outcome of such tender procedures)
p.(None): 6. Payments of more than five million forints made by the body with public service functions outside the scope
p.(None): its basic functions (such as payments made to support association, to trade organizations representing the interests of
p.(None): its workers, to organizations active in educational, cultural, social and sports activities and services provided to
p.(None): its employees, and to foundations to support their activities)
p.(None): 7. Description of developments implemented from European Union funding, including the related contracts
p.(None): 8. Public procurement information (annual plan, summary of the evaluation of tenders, contracts awarded)
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): Quarterly
p.(None):
p.(None):
p.(None):
p.(None): Quarterly
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): Quarterly
p.(None):
p.(None):
p.(None): Quarterly
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): For the time period defined by specific other legislation, archived for at least one year
p.(None): For the time period defined by specific other legislation, archived for at least one year
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): Archived for a period of at least one year
p.(None):
...
Social / Youth/Minors
Searching for indicator minor:
(return to top)
p.(None): information or information of public interest, or if there is imminent danger of such infringement.
p.(None): (2) The Authority’s investigations ensuing shall not be treated as administrative proceedings, and
p.(None): shall not fall within the scope of the Act on the General Rules of Administrative Proceedings.
p.(None): (3) Having submitted a notification to the Authority may not entail any discrimination against the
p.(None): notifier. The Authority may reveal the person of the notifier only if the inquiry cannot be carried out otherwise.
p.(None): If so requested by the notifier, the Authority may not disclose his identity even if the inquiry cannot be carried out
p.(None): otherwise. The notifier must be informed by the Authority of this circumstance.
p.(None): (4) The Authority shall carry out the investigation free of charge; the costs thereof shall be advanced and borne by
p.(None): the Authority.
p.(None):
p.(None): Section 53
p.(None):
p.(None): (1) Subject to the exceptions set out in Subsections (2) and (3), the Authority shall examine the notifications
p.(None): received as to merits.
p.(None): (2) The Authority may refuse the notification without examination thereof as to merits if:
p.(None): a) the infringement alleged in the notification is considered minor, or
p.(None): b) the notification is anonymous.
p.(None): (3) The Authority shall refuse the notification without examination thereof as to merits if:
p.(None): a) court proceedings are in progress, or a final court ruling has previously been rendered concerning the case in
p.(None): question,
p.(None): b) the notifier maintains his request for not having his identity disclosed despite the information
p.(None): provided under Subsection (3) of Section 52,
p.(None): c) the notification is manifestly unfounded,
p.(None): d) the notification has been re-submitted and it contains no new facts or information as to merits.
p.(None): (4) The Authority may only refuse a notification that has been submitted by the Commissioner
p.(None): of Fundamental Rights without examination thereof as to merits if court proceedings are in progress, or a
p.(None): final court ruling has previously been rendered concerning the case in question.
p.(None): (5) The Authority shall terminate the investigation if:
p.(None):
p.(None): a) the petition should have been refused pursuant to Subsections (3)-(4), however, the authority obtained
p.(None): information concerning the grounds for refusal following the opening of the investigation;
p.(None): b) the reason for continuing the investigation no longer exists.
p.(None): (6) The Authority shall inform the notifier concerning the refusal of the notification without examination thereof as
p.(None): to merits and on the termination of the investigation, including the reasons for refusal and termination.
...
Social / education
Searching for indicator education:
(return to top)
p.(None): limit referred to in Subsection (5) or (6) of Section 21.
p.(None): (7) The court may order publication of its decision, indicating the identification data of the controller as well,
p.(None): where this is deemed necessary for reasons of data protection or in connection with the rights of large
p.(None): numbers of data subjects under protection by this Act.
p.(None):
p.(None): 17. Compensation Section 23
p.(None): (1) Data controllers shall be liable for any damage caused to a data subject as a result of unlawful processing or by
p.(None): any breach of data security requirements. The data controller shall also be liable for any damage caused by
p.(None): data processor acting on its behalf. The data controller may be exempted from liability if he proves that the
p.(None): damage was caused by reasons beyond his control.
p.(None): (2) No compensation shall be paid where the damage was caused by intentional or serious negligent conduct on the part
p.(None): of the aggrieved party.
p.(None):
p.(None): 18. Internal data protection officer, data protection rules Section 24
p.(None): (1) The following data controllers and processors shall appoint or commission an internal data protection officer – who
p.(None): shall hold a law degree, a degree in economics or information technology or an equivalent degree in higher education –
p.(None): who is to report directly to the head of the organization:
p.(None):
p.(None): a) authorities of nation-wide jurisdiction, and data controllers and processors engaged in processing data
p.(None): files of employment and criminal records;
p.(None): b) financial institutions;
p.(None): c) providers of electronic communications and public utility services.
p.(None): (2) The internal data protection officer shall:
p.(None): a) participate and assist in the decision-making process with regard to data processing and enforcing the rights of
p.(None): data subjects;
p.(None): b) monitor compliance with the provisions of this Act and other regulations on data processing as well
p.(None): as with the provisions of internal data protection and data security regulations and the data security
p.(None): requirements;
p.(None): c) investigate complaints conveyed to him and, if he detects any unauthorized data processing operations,
p.(None): call on the controller or processor in question to cease such operations;
p.(None): d) draw up the internal data protection and data security rules;
p.(None): e) maintain the internal data protection register;
p.(None): f) organises training sessions on the subject of data protection.
p.(None): (3) The controllers referred to in Subsection (1) and central and local government controllers - other than
...
p.(None): copying and network transmission (hereinafter referred to as “electronic publication”). Access to
p.(None): information disseminated as per the above shall not be made contingent upon the disclosure of personal data.
p.(None): (2) Unless otherwise provided for by law, the following shall disseminate specific information defined
p.(None): on the publication lists referred to in Section 37:
p.(None): a) Köztársasági Elnök Hivatala (President of the Republic), Országgyűlés Hivatala (Parliament),
p.(None): Alkotmánybíróság Hivatala (Constitutional Court), Alapvető Jogok Biztosának Hivatala (Commissioner for Fundamental
p.(None): Rights), Állami Számvevőszék (State Audit Office), Magyar Tudományos Akadémia (Hungarian Academy of Sciences),
p.(None): Magyar Művészeti
p.(None):
p.(None): Akadémia (Hungarian Academy of Arts), Országos Bírósági Hivatal (National Office for the Judiciary), Legfőbb Ügyészség
p.(None): (Prosecutor General’s Office);
p.(None): b)
p.(None): c) central administrative authorities with the exception of governmental committees as well as national chambers; and
p.(None): d) county and capital Government Offices.
p.(None): (3) The bodies with public service functions, other than those listed in Subsection (2), shall have the option to
p.(None): fulfil their obligation of publication by electronic means, defined in Section 37, through their own website or other
p.(None): websites maintained jointly with their associations, or by other bodies appointed to supervise their organizational and
p.(None): professional infrastructure, or coordinating their operations, or through a central website set up for this purpose.
p.(None): (4) Any public education institution having no national or regional duties shall discharge their obligation of
p.(None): publication by electronic means under this Act by way of data disclosure to the information systems specified by the
p.(None): relevant legislation governing the given sector.
p.(None):
p.(None): Section 34
p.(None):
p.(None): (1) The data source, if disseminating information through the website of others shall transfer the data - in accordance
p.(None): with Section 35 - to the data disseminator, who shall take measures for having the data published on a website, and
p.(None): shall ascertain that the name of the body from which public information originates or to which it pertains is clearly
p.(None): indicated.
p.(None): (2) The data disseminator shall design the website used for publication with facilities to disseminate
p.(None): data and information, and shall ensure that the website runs without interruption and it is properly maintained, and
p.(None): that data are updated on a regular basis.
p.(None): (3) The website used for dissemination shall offer easily understandable information concerning the rules of
p.(None): access to public information, including the remedies available.
p.(None): (4) In addition to the public information specified on the publication lists, other public information and
p.(None): information of public interest may also be published on the website used for dissemination by way of electronic means.
p.(None):
p.(None): Section 35
p.(None):
p.(None): (1) The head of the data source subject to electronic publication shall provide for having the data and information
p.(None): specified on the publication lists defined in Section 37 published accurately, up-to-date and on a
p.(None): regular basis, and for having them sent to the data disseminator.
...
p.(None): fails to attend to his vested duties for a period of over ninety days for reasons within his control, or if he has
p.(None): knowingly disclosed false data or information in his declaration of personal wealth.
p.(None): (7) The President of the Authority shall decide upon the declaration of non-compliance with the requirements for the
p.(None): appointment of the Vice-President of the Authority.
p.(None): (8) If the mandate of the Vice-President of the Authority terminates under Paragraph a) or
p.(None): e) of Subsection (1), the Vice-President shall be entitled to an extra payment of three times the monthly remuneration
p.(None): in effect at the time of termination.
p.(None):
p.(None): 29. Staff of the Authority Section 50
p.(None): The President of the Authority shall exercise employer’s rights in respect of the Authority’s public servants and
p.(None): employees.
p.(None):
p.(None): Section 51
p.(None):
p.(None): (1) The President of the Authority shall be entitled to appoint examiners - up to twenty per cent of all civil servants
p.(None): of the Authority - from among the civil servants in the Authority’s employ who have a degree of higher education in
p.(None): information technology or law, and at least three years of experience as a data protection expert or data protection
p.(None): officer, and who have passed a professional examination in public administration or professional examination
p.(None): in law.
p.(None):
p.(None): (2) Examiners are appointed for indefinite terms, and may be dismissed by the President of the Authority any time
p.(None): without cause. If the President of the Authority has withdrawn the appointment of an examiner, the civil
p.(None): servant in question shall be reinstated in his last position before the appointment.
p.(None): (3) Examiners are entitled to the salary of head of unit, exclusive of executive bonus.
p.(None):
p.(None): CHAPTER VI PROCEEDINGS OF THE AUTHORITY
p.(None): 30. Investigation by the Authority Section 52
p.(None): (1) Any person shall have the right to notify the Authority and request an investigation alleging an
p.(None): infringement relating to his or her personal data or concerning the exercise of the rights of access to public
p.(None): information or information of public interest, or if there is imminent danger of such infringement.
p.(None): (2) The Authority’s investigations ensuing shall not be treated as administrative proceedings, and
...
p.(None):
p.(None): purpose of providing assistance to data subjects containing - with the exceptions set out in Subsection (2) -
p.(None): the following information:
p.(None): a) the purpose of data processing;
p.(None): b) the legal basis of data processing;
p.(None): c) scope of data subject;
p.(None): d) description of the data pertaining to the data subjects;
p.(None): e) the source;
p.(None): f) the duration of processing;
p.(None): g) the categories of data transferred, the recipients and the grounds for transfer, including transfers made to third
p.(None): countries;
p.(None): h) name and address of the data controller and the data processor, the place where records are kept and/or where
p.(None): processing is carried out, and the data processor’s activities in connection with data processing operations;
p.(None): i) the nature of the data process technology used;
p.(None): j) the name of and contact details of the internal data protection officer, where applicable.
p.(None): (2) As regards national security agencies, the data protection register shall indicate the name and address of the
p.(None): given national security agency, and the purpose of and legal basis for data processing.
p.(None): (3) The Authority’s data protection register shall not cover operations:
p.(None): a) concerning the data of the data controller’s employees or members, students engaged under kindergarten
p.(None): education agreement, or under student or apprenticeship agreement, with or without dormitory services, or customers,
p.(None): other than the customers of financial institutions, public utility companies and electronic telecommunications service
p.(None): providers;
p.(None): b) carried out in accordance with the internal rules of the recognized church;
p.(None): c) that concerns the personal data of a person undergoing medical treatment, for the purposes of health
p.(None): care and preventive measures or for settling claims for benefits and services in the social insurance system;
p.(None): d) where it contains information concerning the provision of social and other benefits to the data subject;
p.(None): e) where it contains the personal data of persons implicated in an official regulatory, public prosecutor or court
p.(None): proceeding to the extent required for such proceeding, or it concerns personal data processed by penal
p.(None): institutions in the execution of a sentence;
p.(None): f) where it contains personal data for official statistical purposes, provided there are adequate
p.(None): guarantees that the verification of the link between the data and the data subject is definitively severed in such a
p.(None): way that the data subject is no longer identifiable in accordance with the relevant legislation;
p.(None): g) where it concerns the data of a media content provider defined by the Act on Media Services and on
p.(None): the Mass Media, which are used solely for its own information activities;
p.(None): h) if it serves the purposes of scientific research, and if the data is not made available to the public;
p.(None): i) where it concerns documents deposited in archive.
...
Searching for indicator educational:
(return to top)
p.(None): member of a national minority self-government, or an officer or employee of a political party in the four-year period
p.(None): before the time of the recommendation for appointment may not be appointed as President of the Authority.
p.(None): (3) The President of the Authority shall be appointed by the President of the Republic for a term of nine years.
p.(None): (4) The President of the Authority - upon being appointed - shall take an oath before the President of the Republic in
p.(None): accordance with the Act on the Oath and Deposition of Public Officials.
p.(None):
p.(None): Section 41
p.(None):
p.(None): (1) The President of the Authority may not be a member of any political party, may not engage in political
p.(None): activities, and his mandate shall be considered incompatible with other state or local government office or
p.(None): mandate.
p.(None): (2) The President of the Authority shall not be otherwise gainfully employed and shall not accept remuneration for
p.(None): other activities, with the exception of scientific, educational and artistic activities under copyright
p.(None): protection, and other than revisory and editorial activities.
p.(None):
p.(None): (3) The President of the Authority may not hold any executive office or membership in the supervisory board of a
p.(None): business association; and he may not be a member of a business association requiring personal involvement.
p.(None):
p.(None): Section 42
p.(None):
p.(None): (1) The President of the Authority shall submit a declaration of personal assets in accordance with the
p.(None): provisions on the declarations of personal assets of Members of Parliament within thirty days of the time of
p.(None): appointment, and subsequently by 31 January of each year, and also within thirty days after the date of termination of
p.(None): his mandate.
p.(None): (2) In the event of non-compliance with the requirement to file a declaration of personal assets the
p.(None): President of the Authority shall not be able to execute his office and shall not receive any remuneration
p.(None): insofar as his declaration of personal wealth is submitted.
p.(None): (3) The declaration of personal assets shall be made public and an authentic copy teherof shall be posted on the
p.(None): Authority’s website without delay. The declaration of personal assets may not be removed from the website for a period
p.(None): of one year following termination of the mandate of the President of the Authority.
...
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): For five years following the time of publication
p.(None):
p.(None): supplies and services, and works contracts worth five million forints or more, or to the sale or utilization of assets,
p.(None): for the transfer of assets or rights, as well as concession contracts, including the type and subject matter of such
p.(None): contracts, names of the parties to the contract, the contract amounts, and the duration of fixed term contracts,
p.(None): including changes in the data abovementioned, with the exception of information on procurements directly related to and
p.(None): deemed necessary for reasons of national security or national defense, and with the exception of classified information
p.(None): Contract value shall mean the price agreed upon for the subject matter of the contract
p.(None): - exclusive of value added tax -, or in the case of gratuitous transactions, the market value or book value of the
p.(None): asset in question, whichever is higher. As regards periodically recurring contracts concluded for more than one year
p.(None): the contract value shall indicate the price calculated for one year. The value of contracts concluded within the same
p.(None): financial year with the same party shall be applied cumulatively.
p.(None): 5. Information made public according to the Act on Concessions (tender notices, particulars of tenderers, memos
p.(None): on evaluation procedures, outcome of such tender procedures)
p.(None): 6. Payments of more than five million forints made by the body with public service functions outside the scope
p.(None): its basic functions (such as payments made to support association, to trade organizations representing the interests of
p.(None): its workers, to organizations active in educational, cultural, social and sports activities and services provided to
p.(None): its employees, and to foundations to support their activities)
p.(None): 7. Description of developments implemented from European Union funding, including the related contracts
p.(None): 8. Public procurement information (annual plan, summary of the evaluation of tenders, contracts awarded)
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): Quarterly
p.(None):
p.(None):
p.(None):
p.(None): Quarterly
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): Quarterly
p.(None):
p.(None):
p.(None): Quarterly
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): For the time period defined by specific other legislation, archived for at least one year
p.(None): For the time period defined by specific other legislation, archived for at least one year
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): Archived for a period of at least one year
p.(None):
...
Social / employees
Searching for indicator employees:
(return to top)
p.(None): shall, at the same time, offer a civil service relationship to the Vice-President at the Authority and an examiner’s
p.(None): position even in the absence of the requirements set out in Subsection (1) of Section 51.
p.(None): (6) The President of the Authority shall remove the Vice-President of the Authority from office, if the Vice-President
p.(None): fails to attend to his vested duties for a period of over ninety days for reasons within his control, or if he has
p.(None): knowingly disclosed false data or information in his declaration of personal wealth.
p.(None): (7) The President of the Authority shall decide upon the declaration of non-compliance with the requirements for the
p.(None): appointment of the Vice-President of the Authority.
p.(None): (8) If the mandate of the Vice-President of the Authority terminates under Paragraph a) or
p.(None): e) of Subsection (1), the Vice-President shall be entitled to an extra payment of three times the monthly remuneration
p.(None): in effect at the time of termination.
p.(None):
p.(None): 29. Staff of the Authority Section 50
p.(None): The President of the Authority shall exercise employer’s rights in respect of the Authority’s public servants and
p.(None): employees.
p.(None):
p.(None): Section 51
p.(None):
p.(None): (1) The President of the Authority shall be entitled to appoint examiners - up to twenty per cent of all civil servants
p.(None): of the Authority - from among the civil servants in the Authority’s employ who have a degree of higher education in
p.(None): information technology or law, and at least three years of experience as a data protection expert or data protection
p.(None): officer, and who have passed a professional examination in public administration or professional examination
p.(None): in law.
p.(None):
p.(None): (2) Examiners are appointed for indefinite terms, and may be dismissed by the President of the Authority any time
p.(None): without cause. If the President of the Authority has withdrawn the appointment of an examiner, the civil
p.(None): servant in question shall be reinstated in his last position before the appointment.
p.(None): (3) Examiners are entitled to the salary of head of unit, exclusive of executive bonus.
p.(None):
p.(None): CHAPTER VI PROCEEDINGS OF THE AUTHORITY
p.(None): 30. Investigation by the Authority Section 52
...
p.(None): data (hereinafter referred to as “data protection register”) for the
p.(None):
p.(None): purpose of providing assistance to data subjects containing - with the exceptions set out in Subsection (2) -
p.(None): the following information:
p.(None): a) the purpose of data processing;
p.(None): b) the legal basis of data processing;
p.(None): c) scope of data subject;
p.(None): d) description of the data pertaining to the data subjects;
p.(None): e) the source;
p.(None): f) the duration of processing;
p.(None): g) the categories of data transferred, the recipients and the grounds for transfer, including transfers made to third
p.(None): countries;
p.(None): h) name and address of the data controller and the data processor, the place where records are kept and/or where
p.(None): processing is carried out, and the data processor’s activities in connection with data processing operations;
p.(None): i) the nature of the data process technology used;
p.(None): j) the name of and contact details of the internal data protection officer, where applicable.
p.(None): (2) As regards national security agencies, the data protection register shall indicate the name and address of the
p.(None): given national security agency, and the purpose of and legal basis for data processing.
p.(None): (3) The Authority’s data protection register shall not cover operations:
p.(None): a) concerning the data of the data controller’s employees or members, students engaged under kindergarten
p.(None): education agreement, or under student or apprenticeship agreement, with or without dormitory services, or customers,
p.(None): other than the customers of financial institutions, public utility companies and electronic telecommunications service
p.(None): providers;
p.(None): b) carried out in accordance with the internal rules of the recognized church;
p.(None): c) that concerns the personal data of a person undergoing medical treatment, for the purposes of health
p.(None): care and preventive measures or for settling claims for benefits and services in the social insurance system;
p.(None): d) where it contains information concerning the provision of social and other benefits to the data subject;
p.(None): e) where it contains the personal data of persons implicated in an official regulatory, public prosecutor or court
p.(None): proceeding to the extent required for such proceeding, or it concerns personal data processed by penal
p.(None): institutions in the execution of a sentence;
p.(None): f) where it contains personal data for official statistical purposes, provided there are adequate
p.(None): guarantees that the verification of the link between the data and the data subject is definitively severed in such a
p.(None): way that the data subject is no longer identifiable in accordance with the relevant legislation;
p.(None): g) where it concerns the data of a media content provider defined by the Act on Media Services and on
p.(None): the Mass Media, which are used solely for its own information activities;
p.(None): h) if it serves the purposes of scientific research, and if the data is not made available to the public;
...
p.(None): authority ensured by Act LXIII of 1992 on the protection of personal data and the disclosure of data of public
p.(None): interest” in the fifth paragraph of Article 7 of Act LVI of 2011 on the proclamation of the Convention on the
p.(None): South-East European Law Enforcement Centre signed in Bucharest on 9 December 2009 and the Protocol on the
p.(None): privileges and immunities of the South-East European Law Enforcement Centre signed in Bucharest on 24 November 2010
p.(None): shall be replaced by the text “the National Authority for Data Protection and Freedom of Information shall undertake
p.(None): the supervision”.
p.(None):
p.(None): Section 82-89
p.(None):
p.(None): Annex No. 1 to Act CXII of 2011
p.(None):
p.(None): STANDARD DISCLOSURE LIST
p.(None):
p.(None): I. Organizational information, staff particulars
p.(None):
p.(None):
p.(None): Data description
p.(None): 1. Official name, registered office, postal address, telephone and fax number, electronic mail address, website
p.(None): and customer service contact information of
p.(None): Updating Immediately upon the change taking effect
p.(None): Duration of processing Previous data shall be deleted
p.(None):
p.(None): the body with public service functions
p.(None): 2. Organizational structure of the body with public service functions, showing the departments, and the tasks and
p.(None): duties of each department
p.(None): 3. Name and title of the executive employees of the body with public service functions and its departments,
p.(None): including contact information (telephone and fax number, electronic mail address)
p.(None): 4. Name of the head of customer relations, including contact information (telephone and fax number, electronic
p.(None): mail address) and customer service hours
p.(None): 5. In respect of collegiate bodies, number of members and composition, name, title and contact information of
p.(None): members
p.(None): 6. Name of any other body with public service functions under the control, supervision or oversight of, or
p.(None): subordinated to the body with public service functions, including the particulars specified in Point 1
p.(None): 7. Name, registered office and contact information (postal address, telephone and fax number, electronic mail
p.(None): address) of any economic operator in which the body with public service functions has a majority ownership share or
p.(None): participation, including scope of activities, name of representative, and the percentage of the share the body with
p.(None): public service functions controls
p.(None): 8. Name, registered office and contact information (postal address, telephone and fax number, electronic mail
p.(None): address) of any public foundation established by the body with public service functions, including the bylaws, and the
p.(None): name of the managing body
p.(None): 9. Name and registered office of any publicly-financed entity founded by the body with public service functions,
p.(None): reference to the legislation or resolution based on which the publicly-financed entity is established, charter
p.(None): document, head of the publicly-financed entity, website address, operating permit
p.(None):
p.(None): Immediately upon the change taking effect
p.(None):
p.(None):
p.(None): Immediately upon the change taking effect
p.(None):
p.(None):
p.(None):
...
p.(None): public information
p.(None): List of contracts for the use of public information to which the body with public service functions is a party
p.(None): Standard contract conditions relating to the use of public information processed by the body with public service
p.(None): functions Special and ad hoc publication lists pertaining to the body with public service functions
p.(None): Quarterly
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): Quarterly
p.(None):
p.(None):
p.(None):
p.(None): Quarterly
p.(None):
p.(None):
p.(None): Quarterly
p.(None):
p.(None):
p.(None): Immediately upon the change taking effect
p.(None):
p.(None): Immediately upon the change taking effect
p.(None): Previous data shall be deleted
p.(None):
p.(None):
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None):
p.(None): Previous data shall be archived for a period of one year
p.(None): Previous data shall be archived for a period of one year
p.(None): Previous data shall be archived for a period of one year
p.(None): Previous data shall be deleted
p.(None):
p.(None): III. Financial data
p.(None):
p.(None): Data description Updating Duration of processing
p.(None):
p.(None): 1. Annual (fiscal) budget of the body with public service functions, annual accounts under the Accounting Act or
p.(None): the annual budget report
p.(None): 2. Consolidated data on the staff of the body with public service functions, including personal benefits
p.(None): provided, and the remuneration, salary and regular benefits of executive officers and managers, in total, including
p.(None): their expense accounts, description and amounts of benefits provided to other employees
p.(None): 3. Information as to the names of beneficiaries to whom the body with public service functions provided any
p.(None): central subsidies, the purpose and the amount of the aid, showing also the place of implementation of the support
p.(None): program, except if the central subsidies are withdrawn before the time of publication or if the beneficiary declined to
p.(None): accept
p.(None): 4. Description of contracts relating to the allocation of public funds, management of public assets concerning
p.(None): the purchases of
p.(None): Immediately upon the change taking effect
p.(None):
p.(None):
p.(None): Quarterly
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): By the sixtieth day following the date of the decision
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): By the sixtieth day following the date of the decision
p.(None): For ten years following the time of publication
p.(None):
p.(None): For the time period defined by specific other legislation, archived for at least one year
p.(None):
p.(None):
p.(None):
p.(None): For five years following the time of publication
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): For five years following the time of publication
p.(None):
p.(None): supplies and services, and works contracts worth five million forints or more, or to the sale or utilization of assets,
p.(None): for the transfer of assets or rights, as well as concession contracts, including the type and subject matter of such
p.(None): contracts, names of the parties to the contract, the contract amounts, and the duration of fixed term contracts,
p.(None): including changes in the data abovementioned, with the exception of information on procurements directly related to and
p.(None): deemed necessary for reasons of national security or national defense, and with the exception of classified information
p.(None): Contract value shall mean the price agreed upon for the subject matter of the contract
p.(None): - exclusive of value added tax -, or in the case of gratuitous transactions, the market value or book value of the
p.(None): asset in question, whichever is higher. As regards periodically recurring contracts concluded for more than one year
p.(None): the contract value shall indicate the price calculated for one year. The value of contracts concluded within the same
p.(None): financial year with the same party shall be applied cumulatively.
p.(None): 5. Information made public according to the Act on Concessions (tender notices, particulars of tenderers, memos
p.(None): on evaluation procedures, outcome of such tender procedures)
p.(None): 6. Payments of more than five million forints made by the body with public service functions outside the scope
p.(None): its basic functions (such as payments made to support association, to trade organizations representing the interests of
p.(None): its workers, to organizations active in educational, cultural, social and sports activities and services provided to
p.(None): its employees, and to foundations to support their activities)
p.(None): 7. Description of developments implemented from European Union funding, including the related contracts
p.(None): 8. Public procurement information (annual plan, summary of the evaluation of tenders, contracts awarded)
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): Quarterly
p.(None):
p.(None):
p.(None):
p.(None): Quarterly
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): Quarterly
p.(None):
p.(None):
p.(None): Quarterly
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): For the time period defined by specific other legislation, archived for at least one year
p.(None): For the time period defined by specific other legislation, archived for at least one year
p.(None):
p.(None):
p.(None):
p.(None):
p.(None): Archived for a period of at least one year
p.(None):
...
Social / philosophical differences/differences of opinion
Searching for indicator opinion:
(return to top)
p.(None): 4. Principles of data processing Section 4
p.(None): (1) Personal data may be processed only for specified and explicit purposes, where it is necessary for
p.(None): the exercising of certain rights and fulfilment of obligations. The purpose of processing must be satisfied
p.(None): in all stages of data processing operations; recording of personal data shall be done under the principle of lawfulness
p.(None): and fairness.
p.(None): (2) The personal data processed must be essential for the purpose for which it was recorded, and it must be suitable to
p.(None): achieve that purpose. Personal data may be processed to the extent and for the duration necessary to achieve its
p.(None): purpose.
p.(None): (3) In the course of data processing, the data in question shall be treated as personal as long as the data subject
p.(None): remains identifiable through it. The data subject shall - in particular - be considered identifiable if the data
p.(None): controller is in possession of the technical requirements which are necessary for identification.
p.(None):
p.(None):
p.(None): 3 In effect as of 1st July 2013
p.(None):
p.(None): (4) The accuracy and completeness, and - if deemed necessary in the light of the aim of processing - the
p.(None): up-to-dateness of the data must be provided for throughout the processing operation, and shall be kept in a way
p.(None): to permit identification of the data subject for no longer than is necessary for the purposes for which the data were
p.(None): recorded.
p.(None): (5) Processing of personal data shall be deemed lawful and fair if, for the objective of ensuring the
p.(None): right to freedom of expression of the data subject, the person, wishing to find out the opinion of the data subject,
p.(None): calls on him/her at his domicile or place of residence provided that the data subject’s personal data are
p.(None): processed in compliance with this Act and the contacting is not intended for business purposes. This contacting
p.(None): is not permitted to happen on legal holiday as determined by the Labour Code.4
p.(None): 5. Legal basis of data processing Section 5
p.(None): (1) Personal data may be processed under the following circumstances:
p.(None): a) when the data subject has given his consent, or
p.(None): b) when processing is necessary as decreed by law or by a local authority based on authorization
p.(None): conferred by law concerning specific data defined therein for the performance of a task carried out in the public
p.(None): interest (hereinafter referred to as “mandatory processing”).
p.(None): (2) Special data may be processed according to Section 6, and under the following circumstances:
p.(None): a) when the data subject has given his consent in writing, or
p.(None): b) when processing is necessary for the implementation of an international agreement promulgated by an act
p.(None): concerning the data under Point 3.a) of Section 3, or if prescribed by law in connection with the enforcement of
p.(None): fundamental rights afforded by the Fundamental Law, or for reasons of national security or national defence, or law
p.(None): enforcement purposes for the prevention or prosecution of criminal activities, or
p.(None): c) when processing is necessary for the performance of a task carried out in the public interest
p.(None): concerning the data under Point 3.b) of Section 3.
...
p.(None): The data controller shall be held liable for the legitimacy of his instructions.
p.(None): (2) The data processor shall be permitted to subcontract another data processor according to the notice of the data
p.(None): controller.6
p.(None): (3) The data processor may not make any decision on the merits of data processing and shall process any and all data
p.(None): entrusted to him solely as instructed by the controller; the processor shall not engage in data process for his own
p.(None): purposes and shall store and safeguard personal data according to the instructions of the controller.
p.(None): (4) Contracts for the process of data must be made in writing. Any company that is interested in the
p.(None): business activity for which personal data is used may not be contracted for the process of such data.
p.(None):
p.(None): 10. Decision adopted by means of automated data-process systems Section 11
p.(None): (1) A decision which is based solely on automated process of data intended to evaluate certain personal
p.(None): characteristics relating to the data subject shall be permitted only if:
p.(None):
p.(None): 6 In effect as of 1st July 2013
p.(None):
p.(None): a) it is taken in the course of the entering into or performance of a contract, provided that the request for entering
p.(None): into or performance of the contract was lodged by the data subject, or
p.(None): b) authorized by a law which also lays down measures to safeguard the data subject’s legitimate
p.(None): interests.
p.(None): (2) In connection with decisions adopted by means of automated data-process systems, the data subject shall, at his
p.(None): request, be informed of the method that is used and its essence, and shall be given the opportunity to express his
p.(None): opinion.
p.(None):
p.(None): 11. Processing personal data relating to scientific research Section 12
p.(None): (1) Personal data recorded for scientific reasons must be used only for scientific research projects.
p.(None): (2) Personal data attributed to the data subject shall be made permanently anonymous when they are no longer required
p.(None): for scientific purposes. Until this is done, personal data that can attributed to an identified or identifiable natural
p.(None): person shall be stored separately. Such data may be linked to other data if it is necessary for the purposes of
p.(None): research.
p.(None): (3) An organization or person conducting scientific research shall be allowed to disseminate personal data only if:
p.(None): a) the data subject has given his consent, or
p.(None): b) it is necessary to demonstrate the findings of research in connection with historical events.
p.(None):
p.(None): 12. Use of personal data for statistical purposes Section 13
p.(None): (1) Unless otherwise provided for by law, the Központi Statisztikai Hivatal (Hungarian Central Statistical
p.(None): Office) shall be entitled to receive for statistical purposes personal data processed within the framework
p.(None): of mandatory processing in a form which permits the identification of the data subject, and to process
p.(None): them in accordance with the relevant legislation.
p.(None): (2) Unless otherwise provided for by law, personal data recorded, received or processed for statistical purposes may
p.(None): only be used for statistical purposes. The detailed regulations governing processing operations involving
p.(None): personal data are defined in specific other act.
p.(None):
p.(None): 13. Rights of data subjects; enforcement Section 14
...
p.(None): subject’s rights and remedies.
p.(None): (3) In the case of mandatory processing such information may be supplied by way of publishing reference
p.(None): to the legislation containing the information referred to in Subsection (2).
p.(None): (4) If the provision of personal information to the data subject proves impossible or would involve disproportionate
p.(None): costs, the obligation of information may be satisfied by the public disclosure of the following:
p.(None): a) an indication of the fact that data is being collected;
p.(None): b) the data subjects targeted;
p.(None):
p.(None): c) the purpose of data collection;
p.(None): d) the duration of the proposed processing operation;
p.(None): e) the potential data controllers with the right of access;
p.(None): f) the right of data subjects and remedies available relating to data processing; and
p.(None): g) where the processing operation has to be registered, the number assigned in the data protection
p.(None): register, with the exception of Subsection (2) of Section 68.
p.(None):
p.(None): 15. The data subject’s right to object to the processing of his personal data Section 21
p.(None): (1) The data subject shall have the right to object to the processing of data relating to him:
p.(None): a) if processing or disclosure is carried out solely for the purpose of discharging the controller’s
p.(None): legal obligation or for enforcing the rights and legitimate interests of the controller, the recipient or a
p.(None): third party, unless processing is mandatory;
p.(None): b) if personal data is used or disclosed for the purposes of direct marketing, public opinion polling or scientific
p.(None): research; and
p.(None): c) in all other cases prescribed by law.
p.(None): (2) In the event of objection, the controller shall investigate the cause of objection within the shortest possible
p.(None): time inside a fifteen-day time period, adopt a decision as to merits and shall notify the data subject in writing of
p.(None): its decision.
p.(None): (3) If, according to the findings of the controller, the data subject’s objection is justified, the controller shall
p.(None): terminate all processing operations (including data collection and transmission), block the data
p.(None): involved and notify all recipients to whom any of these data had previously been transferred concerning the objection
p.(None): and the ensuing measures, upon which these recipients shall also take measures regarding the enforcement of the
p.(None): objection.
p.(None): (4) If the data subject disagrees with the decision taken by the controller under Subsection (2), or if the controller
p.(None): fails to meet the deadline specified in Subsection (2), the data subject shall have the right under Section 22 to turn
p.(None): to court within thirty days of the date of delivery of the decision or from the last day of the time limit.
p.(None): (5) If data that are necessary to assert the data recipient’s rights are withheld owing to the data subject’s
p.(None): objection, the data recipient shall have the right under Section 22 to turn to court against the
p.(None): controller within fifteen days from the date the decision is delivered under Subsection (2) in order to obtain the
p.(None): data. The controller is authorised to summon the data subject to court.
p.(None): (6) If the data controller fails to send notice as specified in Subsection (3), the data recipient shall have the right
...
p.(None):
p.(None): 25. Legal status of the Authority Section 38
p.(None): (1) The Authority is an autonomous administrative organ.
p.(None): (2) The Authority shall be responsible to supervise and promote the enforcement of the rights to the
p.(None): protection of personal data and access to public information and information of public interest.
p.(None): (3) Within its scope of responsibilities conferred under Subsection (2), the Authority:
p.(None): a) shall conduct investigations upon notification;
p.(None): b) may conduct ex officio administrative proceedings for data protection;
p.(None): c) may conduct ex officio administrative proceedings for the control of classified data;
p.(None): d) may turn to court in connection with any infringement concerning public information and information of public
p.(None): interest;
p.(None): e) may intervene in court actions brought by others;
p.(None): f) maintain the data protection register; in accordance with this Act.
p.(None): (4) Within its scope of responsibilities conferred under Subsection (2), the Authority:
p.(None): a) shall have powers to make recommendations for new regulations and for the amendment of legislation pertaining to
p.(None): the processing of personal data, to public information and information of public interest, and shall
p.(None): express its opinion on drafts covering the same subject;
p.(None): b) shall publish a report on its activities each year, by 31 March, and shall present this report to
p.(None): Parliament;
p.(None): c) shall make recommendations in general, or to specific controllers;
p.(None): d) shall give an opinion on special and ad hoc disclosure lists prescribed mandatory by this Act relating to the
p.(None): activities of the given body with public service functions;
p.(None): e) shall collaborate with the bodies and persons defined in specific other legislation to represent
p.(None): Hungary in the joint data protection supervisory bodies of the European Union;
p.(None): f) organize the conference of internal data protection officers; g)-h)
p.(None):
p.(None): (5) The Authority is an independent body that is subject to Hungarian law only, it may not be instructed in its
p.(None): official capacity, shall operate independent of any outside interference, without any bias. Tasks may only be
p.(None): prescribed for the Authority by acts of Parliament.
p.(None):
p.(None): 26. Budget and financial management of the Authority Section 39
p.(None): (1) The Authority shall be a central budgetary organ with the powers of a budgetary chapter, and its budget shall
p.(None): constitute an independent title within the budgetary chapter of Parliament.
p.(None): (2) The main totals of expenditures and receipts of the Authority for the current budgetary year may only be
p.(None): reduced by Parliament, with the exception of natural disasters endangering life and property as defined in the Act on
...
p.(None): terminating the proceedings and on any measures taken or on the opening of administrative proceedings.
p.(None):
p.(None): Section 56
p.(None):
p.(None): (1) Where the Authority considers that any infringement relating to personal data or concerning the
p.(None): exercise of the rights of access to public information or information of public interest, or the imminent danger of
p.(None): such infringement exist, it shall call on the data controller affected to eliminate the infringement, and the imminent
p.(None): danger of such infringement.
p.(None): (2) The controller - if in agreement - shall take the measures indicated in the notice referred to in Subsection (1)
p.(None): without delay, and shall inform the Authority concerning the measures it has taken, or - if in disagreement - of its
p.(None): argument within thirty days from the date of receipt of the notice.
p.(None): (3) If the data controller authority has a supervisory body, the Authority - if the notice referred to
p.(None): in Subsection (1) failed to obtain satisfaction - may present a recommendation to the controller’s supervisory body, of
p.(None): which the controller has to be notified concurrently. The Authority may also present a recommendation directly,
p.(None): without sending a notice to the controller under Subsection (1), if it is of the opinion that this is
p.(None): a more efficient way to remedy the infringement and to eliminate the imminent danger of such infringement.
p.(None): (4) The supervisory body shall notify the Authority in writing of its position concerning the recommendation as to
p.(None): merits, or on the measures taken within thirty days from the date of receipt of the recommendation.
p.(None):
p.(None): Section 57
p.(None):
p.(None): If, based on the findings of the investigation, the Authority considers that the infringement or the imminent danger
p.(None): thereof is attributable to any provision of legislation or regulatory instrument for the governance of
p.(None): bodies governed by public law that is deemed redundant, unclear or inadequate, or the lack of legal regulation
p.(None): of issues relating to data processing, or the deficiency thereof, it may present a proposal for legislative
p.(None): step, or for the issue of a regulatory instrument for the governance of bodies governed by public law in the
p.(None): interest of eliminating such infringements and the imminent danger thereof in the future, to the
p.(None): appropriate bodies for the issue of a legal act for the governance of bodies governed by public law or for drafting
p.(None): bills of legislation. In the recommendation the Authority may propose the amendment, repeal or adoption of
p.(None): legislation or legal act for the governance of public organizations. The body contacted shall inform the
p.(None): Authority within sixty days concerning its opinion, or on the measures taken in conformity with the recommendation.
p.(None):
p.(None): Section 58
p.(None):
p.(None): (1) Should, pursuant to the notification issued or the recommendation presented in accordance with Article 56, the
p.(None): anomaly not have been addressed and its immediate threat not have been ceased, the Authority shall make a decision
p.(None): regarding further necessary measures to be taken within a period of 30 days following the expiry of the deadline date
p.(None): for notification specified in Article 56 (2), or Article 56 (4) if a recommendation was not issued.
p.(None): (2) Where Subsection (1) applies, the Authority shall take further action as per the following:
p.(None): a) open administrative proceedings for data protection under Section 60;
p.(None): b) open administrative proceedings for the control of classified data under Section 62;
p.(None):
p.(None): c) initiate court proceedings according to Section 64; or
p.(None): d) draw up a report according to Section 59.
p.(None): (3) The Authority shall inform the notifier concerning the outcome of the measures taken under Sections 56 and 57, and
p.(None): on taking further action according to Subsection (2) hereof.
p.(None):
p.(None): 31. The Authority’s report Section 59
p.(None): (1) The Authority may draw up a report on the findings of an investigation conducted on basis of notification in a
...
p.(None): (3) The Authority shall record the results of the data protection audit in an audit report. The audit report may also
p.(None): contain recommendations for the data controller. The audit report shall be considered public, unless the controller
p.(None): requests otherwise.
p.(None): (4) The data protection audit shall not exclude the exercise of the Authority’s other competencies defined
p.(None): in this Act.
p.(None):
p.(None): 37. Initiating criminal, infringement and disciplinary proceedings Section 70
p.(None): (1) In the event of having reasonable suspicion of alleged criminal activities in the course of its proceedings,
p.(None): the Authority shall initiate criminal proceedings at the body having jurisdiction to open criminal
p.(None): proceedings. In the event of having reasonable suspicion of alleged misdemeanour offenses or disciplinary
p.(None): infraction in the course of its proceedings, the Authority shall initiate infringement or disciplinary
p.(None): proceedings at the body having competence for conducting infringement or disciplinary proceedings.
p.(None): (2) The body referred to in Subsection (1) shall notify the Authority of its opinion concerning the
p.(None): opening of proceedings within thirty days, unless otherwise provided for by law, and of the outcome of the
p.(None): proceedings within thirty days from the time of conclusion thereof.
p.(None):
p.(None): 38. Data processing and confidentiality Section 71
p.(None): (1) In its proceedings the Authority shall be entitled to process - to the extent and for the duration required -
p.(None): those personal data, and classified information protected by law and secrets obtained in the course of
p.(None): professional activities, which are related to the given proceedings, or which are to be processed with a
p.(None): view to concluding the procedure effectively.
p.(None): (2) The Authority may use the data obtained in the course of conducting its examination for administrative proceedings.
p.(None): (3) The Authority shall have access to data specified in Subsection (2) of Section 23 of Act CXI of 2011 on the
p.(None): Commissioner of Fundamental Rights as defined in Subsection (7) of Section 23 of Act CXI of 2011 on the
p.(None): Commissioner of Fundamental Rights.
p.(None): (4) In proceedings related to the processing of classified information the Vice-President of the Authority, including
p.(None): executive officers and examiners shall - in possession of a personal
p.(None):
p.(None):
p.(None): 8 Entered into force: as of 01.01.2013.
p.(None):
p.(None): security certificate of appropriate level of clearance - be allowed access to classified information
...
General/Other / Relationship to Authority
Searching for indicator authority:
(return to top)
p.(None): Act CXII of 2011
p.(None):
p.(None): on the Right of Informational Self-Determination and on Freedom of Information1
p.(None): In order to ensure the right of informational self-determination and the freedom of information, and to
p.(None): facilitate the implementation of the Fundamental Law, pursuant to Article VI of the Fundamental Law, the
p.(None): Parliament hereby adopts the following Act on the fundamental rules applicable in connection with the
p.(None): protection of personal data and the enforcement of the right to access and disseminate data of public interest and
p.(None): data public on grounds of public interest, and on the authority empowered to monitor compliance with these rules:
p.(None):
p.(None): CHAPTER I GENERAL PROVISIONS
p.(None): 1. Object of the Act Section 1
p.(None): The purpose of this Act is to lay down the fundamental rules for data processing activities with a view to ensuring
p.(None): that the right to privacy of natural persons is respected by data controllers , and to enforcing of rights
p.(None): to access and disseminate data of public interest and data public on grounds of public interest.
p.(None):
p.(None): 2. Scope Section 2
p.(None): (1) This Act shall apply to all data control and data processing activities undertaken in Hungary
p.(None): relating to the data of natural persons as well as data of public interest and data public on grounds of
p.(None): public interest.
p.(None): (2) The present Act shall apply to both data processing and data process, carried out wholly or partly, by automated
p.(None): means as well as manually.
p.(None): (3) Provisions set out in the present Act shall apply if the controller processing personal data outside
p.(None): the territory of the European Union contracts a data processor with a seat, site, branch or address or place of
p.(None): residence within the territory of Hungary to perform data processing, except if this device serves data
p.(None): traffic exclusively within the territory of the European Union. Such controllers are obliged to designate a
p.(None): representative in Hungary.
p.(None): (4) Provisions set out in the present Act are not applicable to natural persons processing data
p.(None): exclusively for their own personal purposes.
...
p.(None): parties, religious or philosophical beliefs or trade-union membership, and personal data concerning sex life,
p.(None): b) personal data concerning health, pathological addictions, or criminal record;
p.(None): 4. ‘criminal personal data’ shall mean personal data relating to the data subject or that pertain to any
p.(None): prior criminal offense committed by the data subject and that is obtained by organizations authorized to conduct
p.(None): criminal proceedings or investigations or by penal institutions during or prior to criminal proceedings in
p.(None): connection with a crime or criminal proceedings;
p.(None): 5. ‘data of public interest’ shall mean information or data other than personal data, registered in any
p.(None): mode or form, controlled by the body or individual performing state or local government responsibilities, as well as
p.(None): other public tasks defined by legislation, concerning their activities or generated in the course of performing their
p.(None): public tasks, irrespective of the method or format in which it is recorded, its single or collective
p.(None): nature; in particular data concerning the scope of authority, competence, organisational structure,
p.(None): professional activities and the evaluation of such activities covering various aspects thereof, the type of
p.(None): data held and the regulations governing operations, as well as data concerning financial management and
p.(None): concluded contracts;
p.(None): 6. ‘data public on grounds of public interest’ shall mean any data, other than public information, that
p.(None): are prescribed by law to be published, made available or otherwise disclosed for the benefit of the general public;
p.(None): 7. ‘the data subject’s consent’ shall mean any freely and expressly given specific and informed
p.(None): indication of the will of the data subject by which he signifies his agreement to personal data relating
p.(None): to him being processed fully or to the extent of specific operations;
p.(None): 8. ‘the data subject’s objection’ shall mean a declaration made by the data subject objecting to the processing of
p.(None): their personal data and requesting the termination of data processing, as well as the deletion of the data processed;
p.(None): 9. ‘controller’ shall mean natural or legal person, or organisation without legal personality which alone or jointly
p.(None): with others determines the purposes and means of the processing of data; makes and executes decisions concerning data
p.(None): processing (including the means used) or have it executed by a data processor2;
p.(None): 10. ‘data’ processing’ shall mean any operation or the totality of operations performed on the data, irrespective of
p.(None): the procedure applied; in particular, collecting, recording, registering, classifying, storing, modifying, using,
p.(None): querying, transferring, disclosing, synchronising or connecting, blocking, deleting and destructing the data, as
...
p.(None): purpose.
p.(None): (3) In the course of data processing, the data in question shall be treated as personal as long as the data subject
p.(None): remains identifiable through it. The data subject shall - in particular - be considered identifiable if the data
p.(None): controller is in possession of the technical requirements which are necessary for identification.
p.(None):
p.(None):
p.(None): 3 In effect as of 1st July 2013
p.(None):
p.(None): (4) The accuracy and completeness, and - if deemed necessary in the light of the aim of processing - the
p.(None): up-to-dateness of the data must be provided for throughout the processing operation, and shall be kept in a way
p.(None): to permit identification of the data subject for no longer than is necessary for the purposes for which the data were
p.(None): recorded.
p.(None): (5) Processing of personal data shall be deemed lawful and fair if, for the objective of ensuring the
p.(None): right to freedom of expression of the data subject, the person, wishing to find out the opinion of the data subject,
p.(None): calls on him/her at his domicile or place of residence provided that the data subject’s personal data are
p.(None): processed in compliance with this Act and the contacting is not intended for business purposes. This contacting
p.(None): is not permitted to happen on legal holiday as determined by the Labour Code.4
p.(None): 5. Legal basis of data processing Section 5
p.(None): (1) Personal data may be processed under the following circumstances:
p.(None): a) when the data subject has given his consent, or
p.(None): b) when processing is necessary as decreed by law or by a local authority based on authorization
p.(None): conferred by law concerning specific data defined therein for the performance of a task carried out in the public
p.(None): interest (hereinafter referred to as “mandatory processing”).
p.(None): (2) Special data may be processed according to Section 6, and under the following circumstances:
p.(None): a) when the data subject has given his consent in writing, or
p.(None): b) when processing is necessary for the implementation of an international agreement promulgated by an act
p.(None): concerning the data under Point 3.a) of Section 3, or if prescribed by law in connection with the enforcement of
p.(None): fundamental rights afforded by the Fundamental Law, or for reasons of national security or national defence, or law
p.(None): enforcement purposes for the prevention or prosecution of criminal activities, or
p.(None): c) when processing is necessary for the performance of a task carried out in the public interest
p.(None): concerning the data under Point 3.b) of Section 3.
p.(None): (3) Where data processing is mandatory, the type of data, the purpose and the conditions of processing, access to
p.(None): such data, the duration of the proposed processing operation, and the controller shall be specified by the
p.(None): statute or municipal decree in which it is ordered.
p.(None): (4) Personal data that concern criminal offenses and are being processed for the purposes of preventing,
p.(None): investigating, detecting and prosecuting criminal offences and data files containing information
...
p.(None): (3) The duration of retention of the data referred to in Subsection (2) in the transmission log, and the duration
p.(None): of the ensuing obligation of information may be limited by the legislation on data processing. The
p.(None): above-specified period of limitation shall not be less than five years in respect of personal data, and twenty years in
p.(None): respect of special data.
p.(None): (4) Data controllers must comply with requests for information without any delay, and provide the
p.(None): information requested in an intelligible form, in writing at the data subject’s request, within not more
p.(None): than thirty days.
p.(None): (5) The information prescribed in Subsection (4) shall be provided free of charge for any category of data once a
p.(None): year. Additional information concerning the same category of data may be subject to a charge. The amount of such
p.(None): charge may be fixed in an agreement between the parties. Where any payment is made in connection with data
p.(None): that was processed unlawfully, or the request led to rectification, it shall be refunded.
p.(None):
p.(None): Section 16
p.(None):
p.(None): (1) The data controller may refuse to provide information to the data subject in the cases defined under Subsection (1)
p.(None): of Section 9 and under Section 19.
p.(None): (2) Should a request for information be denied, the data controller shall inform the data subject in
p.(None): writing as to the provision of this Act serving grounds for refusal. Where information is refused, the data
p.(None): controller shall inform the data subject of the possibilities for seeking judicial remedy or lodging a
p.(None): complaint with the Nemzeti Adatvédelmi és Információszabadság Hatóság (National Authority for Data
p.(None): Protection and Freedom of Information) (hereinafter referred to as “Authority”).
p.(None): (3) Data controllers shall notify the Authority of refused requests once a year, by 31 January of the following year.
p.(None):
p.(None): Section 17
p.(None):
p.(None): (1) Where a personal data is deemed inaccurate, and the correct personal data is at the controller’s
p.(None): disposal, the data controller shall rectify the personal data in question.
p.(None): (2) Personal data shall be erased if:
p.(None): a) processed unlawfully;
p.(None): b) so requested by the data subject in accordance with Paragraph c) of Section 14;
p.(None): c) incomplete or inaccurate and it cannot be lawfully rectified, provided that erasure is not disallowed by statutory
p.(None): provision of an act;
p.(None): d) the purpose of processing no longer exists or the legal time limit for storage has expired;
p.(None): e) so ordered by court or by the Authority.
p.(None): (3) Where Paragraph d) of Subsection (2) applies, the requirement of erasure shall not apply to personal data recorded
p.(None): on a carrier that is to be deposited in archive under the legislation on the protection of archive materials.
p.(None):
p.(None):
p.(None): 7 In effect as of 1st July 2013
p.(None):
p.(None): (4) Personal data shall be blocked instead of erased if so requested by the data subject, or if there are reasonable
p.(None): grounds to believe that erasure could affect the legitimate interests of the data subject. Blocked data shall be
p.(None): processed only for the purpose which prevented their erasure.
p.(None): (5) If the accuracy of an item of personal data is contested by the data subject and its accuracy or
p.(None): inaccuracy cannot be ascertained beyond doubt, the data controller shall mark that personal data for the purpose of
p.(None): referencing.
p.(None):
p.(None): Section 18
p.(None):
p.(None): (1) When a data is rectified, blocked, marked or erased, the data subject and all recipients to whom it was transmitted
p.(None): for processing shall be notified. Notification is not required if it does not violate the rightful interest of the data
p.(None): subject in light of the purpose of processing.
p.(None): (2) If the data controller refuses to comply with the data subject’s request for rectification, blocking or erasure,
p.(None): the factual or legal reasons on which the decision for refusing the request for rectification, blocking or erasure is
p.(None): based shall be communicated in writing within thirty days of receipt of the request. Where rectification,
p.(None): blocking or erasure is refused, the data controller shall inform the data subject of the possibilities
p.(None): for seeking judicial remedy or lodging a complaint with the Authority.
p.(None):
p.(None): Section 19
p.(None):
p.(None): The rights of data subjects afforded under Sections 14-18 may be restricted by law in order to safeguard the external
p.(None): and internal security of the State, such as defence, national security, the prevention and prosecution of criminal
p.(None): offences, the safety of penal institutions, to protect the economic and financial interests of central and local
p.(None): government, safeguard the important economic and financial interests of the European Union, guard against disciplinary
p.(None): and ethical breaches in regulated professions, prevent and detect breaches of obligation related to labour law and
p.(None): occupational safety - including in all cases control and supervision - and to protect data subjects or the rights and
p.(None): freedoms of others.
p.(None):
p.(None): 14. Requirement of preliminary information of the data subject Section 20
p.(None): (1) Prior to data processing being initiated the data subject shall be informed whether his consent is required or
p.(None): processing is mandatory.
p.(None): (2) Before processing operations are carried out the data subject shall be clearly and elaborately
p.(None): informed of all aspects concerning the processing of his personal data, such as the purpose for which his data is
p.(None): required and the legal basis, the person entitled to control the data and to carry out the processing, the duration of
p.(None): the proposed processing operation, if the data subject’s personal data is processed in accordance with Subsection (5)
...
p.(None): recipient’s request. Where information had been requested, the data recipient may bring an action against
p.(None): the controller within fifteen days from the date of receipt of the information, or from the deadline
p.(None): prescribed therefor. The controller is authorised to summon the data subject to court.
p.(None): (7) The controller shall not delete the data of the data subject if processing has been prescribed by
p.(None): law. However, data may not be disclosed to the data recipient if the controller agrees with the objection or if the
p.(None): court has found the objection justified.
p.(None):
p.(None): 16. Judicial remedy Section 22
p.(None): (1) In the event of any infringement of his rights, the data subject, and in the cases referred to in Section 21, the
p.(None): data recipient may turn to court action against the controller. The court shall hear such cases in priority
p.(None): proceedings.
p.(None): (2) The burden of proof to show compliance with the law lies with the data controller. In the cases under Subsections
p.(None): (5) and (6) of Section 21, the burden of proof concerning the lawfulness of transfer of data lies with the
p.(None): data recipient.
p.(None): (3) The action shall be heard by the competent tribunal. If so requested by the data subject, the action may be brought
p.(None): before the tribunal in whose jurisdiction the data subject’s home address or temporary residence is located.
p.(None): (4) Any person otherwise lacking legal capacity to be a party to legal proceedings may also be involved in such
p.(None): actions. The Authority may intervene in the action on the data subject’s behalf.
p.(None): (5) When the court’s decision is in favor of the plaintiff, the court shall order the controller to provide the
p.(None): information, to rectify, block or erase the data in question, to annul the decision adopted by means of automated
p.(None): data-processing systems, to respect the data subject’s objection, or to disclose the data requested by the data
p.(None): recipient referred to in Section 21.
p.(None): (6) If the court rejects the petition filed by the data recipient in the cases defined in Section 21, the controller
p.(None): shall be required to erase the data subject’s personal data within three days of delivery of the court ruling. The
p.(None): controller shall erase the data even if the data recipient does not file for court action within the time
p.(None): limit referred to in Subsection (5) or (6) of Section 21.
p.(None): (7) The court may order publication of its decision, indicating the identification data of the controller as well,
p.(None): where this is deemed necessary for reasons of data protection or in connection with the rights of large
p.(None): numbers of data subjects under protection by this Act.
p.(None):
p.(None): 17. Compensation Section 23
p.(None): (1) Data controllers shall be liable for any damage caused to a data subject as a result of unlawful processing or by
p.(None): any breach of data security requirements. The data controller shall also be liable for any damage caused by
p.(None): data processor acting on its behalf. The data controller may be exempted from liability if he proves that the
p.(None): damage was caused by reasons beyond his control.
...
p.(None): data subjects;
p.(None): b) monitor compliance with the provisions of this Act and other regulations on data processing as well
p.(None): as with the provisions of internal data protection and data security regulations and the data security
p.(None): requirements;
p.(None): c) investigate complaints conveyed to him and, if he detects any unauthorized data processing operations,
p.(None): call on the controller or processor in question to cease such operations;
p.(None): d) draw up the internal data protection and data security rules;
p.(None): e) maintain the internal data protection register;
p.(None): f) organises training sessions on the subject of data protection.
p.(None): (3) The controllers referred to in Subsection (1) and central and local government controllers - other than
p.(None): controllers not required to report to the data protection register - shall be required to adopt data protection and
p.(None): data security rules in accordance with this Act.
p.(None):
p.(None): 19. Conference of internal data protection officers Section 25
p.(None): (1) The conference of internal data protection officers (hereinafter referred to as “conference”)
p.(None): is intended to maintain regular professional contacts between the Authority and internal data protection officers, the
p.(None): purpose of which is to ensure the consistency of the case- law as regards the protection of personal data and access to
p.(None): public information.
p.(None): (2) The President of the Authority shall call the conference at least once every year, or as necessary, and shall
p.(None): determine its agenda.
p.(None): (3) The internal data protection officers of all organizations where such office has to be maintained by
p.(None): law shall have a seat on the conference.
p.(None): (4) The internal data protection officers of those organizations where such office is not required may
p.(None): also have a seat on the conference. To this end they may seek admission to the register of internal data protection
p.(None): officers maintained by the Authority.
p.(None): (5) For communication purposes, the Authority shall maintain a register of internal data protection
p.(None): officers on members of the conference. The register contains the name, postal and electronic mail address of internal
p.(None): data protection officers, and the name of the organization they represent.
p.(None): (6) The Authority shall record the data mentioned in Subsection (5) until the time of receiving
p.(None): information on the termination of the internal data protection officer’s term in office.
p.(None):
p.(None): CHAPTER III
p.(None):
p.(None): ACCESSXTOXINFORMATION OF PUBLIC INTEREST
p.(None):
p.(None): 20. General provisions on access to information of public interest Section 26
p.(None): (1) Any person or body attending to statutory State or municipal government functions or performing other public duties
p.(None): provided for by the relevant legislation (hereinafter referred to collectively as “body with public service
p.(None): functions”) shall allow free access to the data of public interest and data public on grounds of public
p.(None): interest under its control to any person, save where otherwise provided for in this Act.
p.(None): (2) The name of the person undertaking tasks within the scope of responsibilities and authority of the
p.(None): body undertaking public duties, as well as their scope of responsibilities, scope of work, executive mandate
p.(None): and other personal data relevant to the provision of their responsibilities to which access must be ensured by law
p.(None): qualify as data public on grounds of public interest. These data may be disseminated in compliance with the principle
p.(None): of purpose limitation. Provisions on the disclosure of data public on the grounds of public interest shall be
p.(None): regulated by Appendix 1 of this Act and the specific laws relating to the status of the person
p.(None): undertaking public duties.
p.(None): (3) Unless otherwise prescribed by law, any data, other than personal data, that is processed by bodies or persons
p.(None): providing services prescribed mandatory by law or under contract with any governmental agency, central or local, if
p.(None): such services are not available in any other way or form relating to their activities shall be deemed data public on
p.(None): grounds of public interest.
p.(None):
p.(None): Section 27
p.(None):
p.(None): (1) Access to data of public interest or data public on grounds of public interest shall be restricted if it has
p.(None): been classified under the Act on the Protection of Classified Information.
p.(None): (2) Right of access to data of public interest or data public on grounds of public interest may be restricted by law -
p.(None): with the specific type of data indicated - where considered necessary to safeguard:
p.(None): a) national defense;
...
p.(None): the amount of the fee, and the aspects for determining whether a
p.(None):
p.(None): document is to be considered substantial in terms of size and/or volume shall be laid down by specific other
p.(None): legislation.
p.(None):
p.(None): Section 30
p.(None):
p.(None): (1) If a document that contains data of public interest also contains any data that cannot be disclosed to the
p.(None): requesting party, this data must be rendered unrecognizable on the copy.
p.(None): (2) Information shall be supplied in a readily intelligible form and by way of the technical means asked for by the
p.(None): requesting party, provided that the body with public service functions processing the information is capable to meet
p.(None): such request without unreasonable hardship. If the information requested had previously been made public
p.(None): electronically, the request may be fulfilled by way of reference to the public source where the data is available. A
p.(None): request for information may not be refused on the grounds that it cannot be made available in a readily intelligible
p.(None): form.
p.(None): (3) When a request for information is refused, the requesting party must be notified thereof within eight days in
p.(None): writing, or by electronic means if the requesting party has conveyed his electronic mailing address, and must be given
p.(None): the reasons of refusal, including information on the remedies available. The controller shall keep records on the
p.(None): requests refused, including the reasons, and shall inform the Authority thereof each year, by 31 January.
p.(None): (4) A request for data of public interest by a person whose native language is not Hungarian may not be refused for
p.(None): reasons that it was written in his native language or in any other language he understands.
p.(None): (5) If, as regards the refusal of any request for access to data of public interest, the data controller
p.(None): is granted discretionary authority by law, refusal shall be exercised within narrow limits, and the request for
p.(None): access to data of public interest may be refused only if the underlying public interest outweighs the
p.(None): public interest for allowing access to the public information in question.
p.(None): (6) Bodies with public service functions shall adopt regulations governing the procedures for satisfying requests for
p.(None): access to public information.
p.(None): (7) The requests for data with the purpose of a comprehensive, account level as well as an itemized control of the
p.(None): financial management of the body with public service functions are regulated in specific relevant laws. Should such
p.(None): data request be rejected, the requesting party may initiate an investigation of the Authority pursuant to Section 52.
p.(None):
p.(None): Section 31
p.(None):
p.(None): (1) In the event of failure to meet the deadline for the refusal or compliance with a request for access to public
p.(None): information, or with the deadline extended by the data controller pursuant to Subsection (2) of Section 29, and - if
p.(None): the fee chargeable has not been paid - the requesting party may bring the case before the court for having the fee
p.(None): charged for the copy reviewed.
p.(None): (2) The burden of proof to verify the lawfulness and the reasons of refusal, and the reasons for determining the amount
p.(None): of the fee chargeable for the copy lies with the data controller.
p.(None): (3) Litigation must be launched against the body with public service functions that has refused the
p.(None): request within thirty days from the date of delivery of the refusal, or from the time limit prescribed, or from the
p.(None): deadline for payment of the fee chargeable. If the requesting party notifies the Authority with a view to
p.(None): initiating the Authority’s proceedings in connection with the refusal of or non-compliance with the request, or on
p.(None): account of the amount of the fee charged for making a copy, litigation may be launched within thirty days from the
p.(None): time of receipt of notice on the refusal to examine the notification on the merits, on the termination of the inquiry,
p.(None): or its conclusion under Paragraph b) of Subsection (1) of Section 55, or the notice
p.(None):
p.(None): under Subsection (3) of Section 58. Justification may be submitted upon failure to meet the deadline for bringing
p.(None): action.
p.(None): (4) Any person otherwise lacking legal capacity to be a party to legal proceedings may also be involved in such legal
p.(None): proceedings. The Authority may intervene on the requesting party’s behalf.
p.(None): (5) Actions against bodies with public service functions of nation-wide jurisdiction shall be brought at the competent
p.(None): tribunal. Actions falling within the jurisdiction of local courts shall be heard by the local court of the seat
p.(None): of the tribunal, or by the Pesti Központi Kerületi Bíróság (Pest Central District Court) in Budapest.
p.(None): Jurisdiction shall be determined by reference to the place where the head offices of the body with public service
p.(None): functions, being the respondent, is located.
p.(None): (6) The court shall hear such cases in priority proceedings.
p.(None): (7) When the decision is in favor of the request for access to public information, the court shall order the data
p.(None): controller to disclose the information in question. The court shall have powers to modify the amount charged
p.(None): for making a copy, or may order the body with public service functions to re-open its proceedings for determining the
p.(None): amount of the fee chargeable.
p.(None):
p.(None): CHAPTER IV
p.(None):
p.(None): DISSEMINATION OF DATA OF PUBLIC INTEREST
p.(None):
p.(None): 22. Obligation to disclose data of public interest Section 32
p.(None): Bodies with public service functions shall promote and ensure that the general public is provided with
p.(None): accurate information in a prompt manner concerning the matters under their competence, such as the
p.(None): budgets of the central and municipal governments and the implementation thereof, the management of
...
p.(None): authentic and regularly updates lies with the data disseminator.
p.(None): (3) The data source and the data disseminator shall adopt internal regulations for laying down the
p.(None): detailed rules for discharging the obligations referred to in Subsection (1) and Subsection (2),
p.(None): respectively.
p.(None): (4) Information published electronically may not be removed from the website, unless otherwise provided for
p.(None): by this Act or other legislation. In the event of dissolution of a body, the obligation of publication shall devolve
p.(None): upon the successor.
p.(None):
p.(None): Section 36
p.(None):
p.(None): Dissemination of the information specified in the publication lists referred to in Section 37 shall be without
p.(None): prejudice to the obligation of the given body concerning the publication of public information or information of public
p.(None): interest prescribed in other legislation.
p.(None):
p.(None): 24. Disclosure lists Section 37
p.(None): (1) The bodies referred to in Subsections (2)-(4) of Section 33 (hereinafter referred to collectively as
p.(None): “body subject to disclosure requirement”) shall - subject to the exception set out in Subsection (4) - disseminate the
p.(None): data specified in the standard disclosure list referred to in Schedule No. 1 - as pertaining to their activities - by
p.(None): way of the means defined in Annex No. 1.
p.(None): (2) Additional data may be prescribed by law to be disseminated by certain types of bodies with public service
p.(None): functions regarding certain specific sectors (hereinafter referred to as “special disclosure list”).
p.(None): (3) The publication of specific other data may be rendered mandatory by the head of the body subject to disclosure
p.(None): requirement - upon consulting with the Authority -, as well as by statutory provisions for bodies with public
p.(None): service functions, and other agencies controlled and/or supervised by such bodies, or sections of such agencies
p.(None): (hereinafter referred to as “ad hoc disclosure list”).
p.(None): (4) The Government shall decree - upon consulting with the Authority - the information to be made public by the
p.(None): national security services.
p.(None): (5) In the case of collegiate bodies subject to disclosure requirement, these bodies shall have powers to establish,
p.(None): and amend, the ad hoc disclosure list, upon consulting with the Authority.
p.(None): (6) The head of the body subject to disclosure requirement shall review the disclosure list he has published under
p.(None): Subsection (3), taking into consideration any demand shown for public information that was not included in the
p.(None): publication list, and shall include such public information where demand is considered substantial in terms of
p.(None): the amount and number of requests received.
p.(None): (7) The disclosure list may also provide for the frequency of publication, depending on the type of data in question.
p.(None): (8) The Authority may present a recommendation for having special and ad hoc publication lists drawn up, or amended.
p.(None):
p.(None): 24/A. Central electronic register of public information and the single data retrieval system Section 37/A
p.(None): (1) In the interest of providing fast and easy access to information that has been published electronically, the
p.(None): central electronic register posted on a designated website - set up by the minister in charge for the
p.(None): implementation of infrastructure requirements for administrative information technology systems - contains all
p.(None): relevant descriptive information on the websites of bodies subject to the obligation of publication of public
p.(None): information by electronic means under this Act, pertaining also to their databases and registers.
p.(None): (2) Electronic access using a single platform to the public information of the bodies referred to in Subsection (1) and
p.(None): facilities for searching among public information shall be ensured by
p.(None):
p.(None): the single data retrieval system set up by the minister in charge for the implementation of
p.(None): infrastructure requirements for administrative information technology systems.
p.(None):
p.(None): Section 37/B
p.(None):
p.(None): (1) The data source shall provide for having the descriptive information on websites, databases and
p.(None): registers containing public information made available to the minister in charge for the implementation of
p.(None): infrastructure requirements for administrative information technology systems and for updating on a regular
p.(None): basis the public information thus forwarded, and shall be responsible for the contents of public information forwarded
p.(None): to the single data retrieval system, as well as for having such public information updated on a regular basis.
p.(None): (2) Maintaining the databases and registers containing public information and linking up with the single
p.(None): data retrieval system shall not exonerate the data source from the obligation of publication by electronic means.
p.(None): CHAPTER V
p.(None):
p.(None): NEMZETI ADATVÉDELMI ÉS INFORMÁCIÓSZABADSÁG HATÓSÁG (NATIONAL AUTHORITY FOR DATA PROTECTION AND FREEDOM OF INFORMATION)
p.(None):
p.(None): 25. Legal status of the Authority Section 38
p.(None): (1) The Authority is an autonomous administrative organ.
p.(None): (2) The Authority shall be responsible to supervise and promote the enforcement of the rights to the
p.(None): protection of personal data and access to public information and information of public interest.
p.(None): (3) Within its scope of responsibilities conferred under Subsection (2), the Authority:
p.(None): a) shall conduct investigations upon notification;
p.(None): b) may conduct ex officio administrative proceedings for data protection;
p.(None): c) may conduct ex officio administrative proceedings for the control of classified data;
p.(None): d) may turn to court in connection with any infringement concerning public information and information of public
p.(None): interest;
p.(None): e) may intervene in court actions brought by others;
p.(None): f) maintain the data protection register; in accordance with this Act.
p.(None): (4) Within its scope of responsibilities conferred under Subsection (2), the Authority:
p.(None): a) shall have powers to make recommendations for new regulations and for the amendment of legislation pertaining to
p.(None): the processing of personal data, to public information and information of public interest, and shall
p.(None): express its opinion on drafts covering the same subject;
p.(None): b) shall publish a report on its activities each year, by 31 March, and shall present this report to
p.(None): Parliament;
p.(None): c) shall make recommendations in general, or to specific controllers;
p.(None): d) shall give an opinion on special and ad hoc disclosure lists prescribed mandatory by this Act relating to the
p.(None): activities of the given body with public service functions;
p.(None): e) shall collaborate with the bodies and persons defined in specific other legislation to represent
p.(None): Hungary in the joint data protection supervisory bodies of the European Union;
p.(None): f) organize the conference of internal data protection officers; g)-h)
p.(None):
p.(None): (5) The Authority is an independent body that is subject to Hungarian law only, it may not be instructed in its
p.(None): official capacity, shall operate independent of any outside interference, without any bias. Tasks may only be
p.(None): prescribed for the Authority by acts of Parliament.
p.(None):
p.(None): 26. Budget and financial management of the Authority Section 39
p.(None): (1) The Authority shall be a central budgetary organ with the powers of a budgetary chapter, and its budget shall
p.(None): constitute an independent title within the budgetary chapter of Parliament.
p.(None): (2) The main totals of expenditures and receipts of the Authority for the current budgetary year may only be
p.(None): reduced by Parliament, with the exception of natural disasters endangering life and property as defined in the Act on
p.(None): Public Finances, of temporary measures adopted to relieve the consequences of such disasters, or of measures taken by
p.(None): the Authority within its own competence or in its competence as directing organ.
p.(None): (3)
p.(None): (4) The remainder of receipts from the previous year may be used by the Authority in the following years
p.(None): for the performance of its tasks.
p.(None):
p.(None): 27. President of the Authority Section 40
p.(None): (1) The head of the Authority is the President. The President of the Authority is appointed by the President of the
p.(None): Republic on a recommendation by the Prime Minister from among those Hungarian citizens with a law degree,
p.(None): who have the right to stand as candidates in parliamentary elections, having at least ten years of
p.(None): experience in supervising proceedings related to data protection or freedom of information, or holding an academic
p.(None): degree in either of those fields.
p.(None): (2) Persons who served as a Member of Parliament or as a Member of the European Parliament, as the
p.(None): President of the Republic, member of the Government, state secretary, representative of a municipal
p.(None): government, mayor or deputy mayor, lord mayor or deputy lord mayor, chairman or deputy chairman of a county assembly,
p.(None): member of a national minority self-government, or an officer or employee of a political party in the four-year period
p.(None): before the time of the recommendation for appointment may not be appointed as President of the Authority.
p.(None): (3) The President of the Authority shall be appointed by the President of the Republic for a term of nine years.
p.(None): (4) The President of the Authority - upon being appointed - shall take an oath before the President of the Republic in
p.(None): accordance with the Act on the Oath and Deposition of Public Officials.
p.(None):
p.(None): Section 41
p.(None):
p.(None): (1) The President of the Authority may not be a member of any political party, may not engage in political
p.(None): activities, and his mandate shall be considered incompatible with other state or local government office or
p.(None): mandate.
p.(None): (2) The President of the Authority shall not be otherwise gainfully employed and shall not accept remuneration for
p.(None): other activities, with the exception of scientific, educational and artistic activities under copyright
p.(None): protection, and other than revisory and editorial activities.
p.(None):
p.(None): (3) The President of the Authority may not hold any executive office or membership in the supervisory board of a
p.(None): business association; and he may not be a member of a business association requiring personal involvement.
p.(None):
p.(None): Section 42
p.(None):
p.(None): (1) The President of the Authority shall submit a declaration of personal assets in accordance with the
p.(None): provisions on the declarations of personal assets of Members of Parliament within thirty days of the time of
p.(None): appointment, and subsequently by 31 January of each year, and also within thirty days after the date of termination of
p.(None): his mandate.
p.(None): (2) In the event of non-compliance with the requirement to file a declaration of personal assets the
p.(None): President of the Authority shall not be able to execute his office and shall not receive any remuneration
p.(None): insofar as his declaration of personal wealth is submitted.
p.(None): (3) The declaration of personal assets shall be made public and an authentic copy teherof shall be posted on the
p.(None): Authority’s website without delay. The declaration of personal assets may not be removed from the website for a period
p.(None): of one year following termination of the mandate of the President of the Authority.
p.(None): (4) The Prime Minister’s proceedings relating to the declaration of personal assets of the President of the
p.(None): Authority may be requested by anyone with reference to specific sections of the declaration, and the contents of such
p.(None): sections, that is disputed. If the petition submitted is not in conformity with the requirements set out in
p.(None): this Subsection, or if it is manifestly unfounded, or if the petition is re-submitted and it offers no new
p.(None): argument or evidence, the Prime Minister shall refuse the petition without the opening of an examination as to merits.
p.(None): The Prime Minister shall check the authenticity and credibility of the information supplied in the declaration of
p.(None): personal assets.
p.(None): (5) In proceedings related to the declaration of personal wealth, the President of the Authority shall -
p.(None): at the Prime Minister’s request - submit a statement without delay, offering proof for the data and information
p.(None): contained in the declaration of personal wealth concerning his personal finances, income and other financial interests
p.(None): to the Prime Minister in writing. The Prime Minister shall send the findings of the proceedings to the President of the
p.(None): Republic along with the relevant data and information. Access to such data and information is restricted to the Prime
p.(None): Minister and the President of the Republic.
p.(None): (6) The evidence submitted by the President of the Authority in connection with his declaration of
p.(None): personal wealth shall be deleted on the thirtieth day following the date of conclusion of the proceedings.
p.(None):
p.(None): Section 43
p.(None):
p.(None): (1) The President of the Authority shall be entitled to the same remuneration and benefits as the salary and benefits
p.(None): of ministers, including an executive bonus in the amount equal to one and a half times of the executive bonus of
p.(None): ministers.
p.(None): (2) The President of the Authority is entitled to forty working days of paid annual leave per calendar year.
p.(None):
p.(None): Section 44
p.(None):
p.(None): (1) In terms of eligibility for social security benefits, the President of the Authority shall be regarded as employed
p.(None): in public service relationship.
p.(None): (2) The time period of the President’s mandate shall be recognized as spent in public service at an administrative
p.(None): body.
p.(None):
p.(None): Section 45
p.(None):
p.(None): (1) The mandate of the President of the Authority shall terminate:
p.(None): a) upon expiry of his term of office;
p.(None): b) upon resignation;
p.(None): c) upon death;
p.(None): d) if the requirements for appointment are no longer satisfied or upon violation of the rules regarding the declaration
p.(None): of assets;
p.(None): e) upon declaration of incompatibility;
p.(None): f) - g)
p.(None): (2) The President of the Authority shall be able to resign from office any time, by means of tendering his
p.(None): resignation in writing submitted to the Prime Minister and addressed to the President of the Republic. The
p.(None): mandate of the President of the Authority shall terminate on the day subsequent to the date of resignation, as
p.(None): indicated in the resignation, or failing this on the day when the resignation is submitted. A declaration of acceptance
p.(None): is not required for the effectiveness of the resignation.
p.(None): (3) If the President of the Authority fails to resolve the conflict of interest specified under Section 41 within
p.(None): thirty days from the date of appointment, or if any conflict of interest arises while in office, the President of the
p.(None): Republic shall decide as to incompatibility, on a proposal by the Prime Minister, within thirty days following the date
p.(None): of receipt of the proposal.
p.(None): (4)- (5)
p.(None): (6) The President of the Republic shall decide upon the declaration of non-compliance with the requirements for the
p.(None): appointment of the President of the Authority on a proposal by the Prime Minister. The President of the Republic shall
p.(None): - on a proposal by the Prime Minister - establish the infringement of the provisions on the declaration of
p.(None): personal wealth, if the President of the Authority has knowingly disclosed false data or information in his
p.(None): declaration of personal wealth.
p.(None): (6a) The Prime Minister shall send a copy of his proposal made under Subsections (3) and
p.(None): (6) to the President of the Republic and to the President of the Authority as well.
p.(None): (6b) The President of the Authority may contest the proposal and bring the case before the court within thirty days
p.(None): from the date of receipt of the proposal. No application for continuation will be accepted upon failure to
p.(None): meet this deadline. The action shall be brought against the Prime Minister. The court shall proceed in accordance with
p.(None): the provisions of the Code of Civil Procedure on actions relating to contracts of employment and other
p.(None): similar relationships, with the proviso that the case shall be heard by the Fővárosi Közigazgatási és Munkaügyi Bíróság
p.(None): (Budapest Administrative and Labour Tribunal) in priority proceedings under exclusive jurisdiction, and the action and
p.(None): the final decision shall be communicated to the President of the Republic as well.
p.(None): (6c) If based on the action brought by the President of the Authority according to Subsection (6b) the
p.(None): court in its final decision finds the Prime Minister’s proposal made under Subsections (3) and (6) unsubstantiated,
p.(None): the President of the Republic shall not declare the mandate of the President of the Authority terminated.
p.(None): (6d) The President of the Republic shall decide on the Prime Minister’s proposal made under Subsections
p.(None): (3) and (6):
p.(None): a) if the President of the Authority did not file for court action inside the time limit specified in
p.(None): Subsection (6b), within fifteen days past the time limit,
p.(None): b) if the President of the Authority did file for court action inside the time limit specified in Subsection (6b),
p.(None): within fifteen days from the date of the final decision adopted on the merits of the case.
p.(None):
p.(None): (7) If the mandate of the President of the Authority terminates under Paragraph a) or b) of Subsection (1), the
p.(None): President shall be entitled to an extra payment of three times the monthly remuneration in effect at the time of
p.(None): termination.
p.(None): (8) As regards the decisions conferred by Subsections (3) and (6) of this Section and by Section 40 under
p.(None): the competence of the President of the Republic, no endorsement is required.
p.(None):
p.(None): Section 45/A
p.(None):
p.(None): The President of the Authority shall have the right to participate in and address the Parliament
p.(None): committee meetings.
p.(None):
p.(None):
p.(None): 28. Vice-President of the Authority Section 46
p.(None): (1) The President of the Authority shall appoint a Vice-President for an indefinite period to assist in his work.
p.(None): The President of the Authority shall exercise the employer’s rights in respect of the Vice-President.
p.(None): (2) The Vice-President shall be able to satisfy the requirements set out in Subsections (1) and (2) of Section 40
p.(None): for the appointment of the President of the Authority but with a distinction of having at least five
p.(None): years of experience in supervising proceedings related to data protection or freedom of information, or holding
p.(None): an academic degree in either of those fields.
p.(None):
p.(None): (3) The provisions of Section 41 on conflict of interest shall apply to the Vice-President as well.
p.(None): (4) In the event that the President is temporarily prevented from attending to his duties, or if the office of the
p.(None): President is vacant, the powers and responsibilities of the President shall be exercised by the Vice-President.
p.(None):
p.(None): Section 47
p.(None):
p.(None): The provisions of Section 42 shall also apply to the obligation of the Vice-President to file a declaration of personal
p.(None): assets, and also to the related proceedings, with the exception that the President of the Authority shall hear cases
p.(None): related to the declaration of personal assets instead of the Prime Minister, and that the President of the
p.(None): Republic need not be informed of the findings of the proceedings.
p.(None):
p.(None): Section 48
p.(None):
p.(None): (1) The Vice-President shall be entitled to the same remuneration and benefits as the salary and benefits of state
p.(None): secretaries.
p.(None): (2) The Vice-President is entitled to forty working days of paid annual leave per calendar year.
p.(None): (3) In terms of eligibility for social security benefits, the Vice-President shall be regarded as employed in public
p.(None): service relationship.
p.(None): (4) The time period of the Vice-President’s mandate shall be recognized as spent in public service at an administrative
p.(None): body.
p.(None):
p.(None): Section 49
p.(None):
p.(None): (1) The mandate of the Vice-President of the Authority shall terminate:
p.(None): a) upon resignation;
p.(None): b) upon death;
p.(None): c) if the requirements for appointment are no longer satisfied;
p.(None): d) upon declaration of incompatibility;
p.(None): e) upon dismissal;
p.(None): f) upon removal from office.
p.(None): (2) The Vice-President of the Authority shall be able to resign from office any time, by means of
p.(None): tendering his resignation in writing submitted to the President of the Authority. The mandate of the Vice-President of
p.(None): the Authority shall terminate on the day subsequent to the date of resignation, as indicated in the resignation,
p.(None): or failing this on the day when the resignation is submitted. A declaration of acceptance is not required for
p.(None): the effectiveness of the resignation.
p.(None): (3) If the Vice-President of the Authority fails to resolve the conflict of interest specified under Section 41 within
p.(None): thirty days from the date of appointment, or if any conflict of interest arises while in office, the President of the
p.(None): Authority shall decide as to incompatibility.
p.(None): (4) The President of the Authority shall dismiss the Vice-President of the Authority, if the Vice-President of the
p.(None): Authority is unable to attend to his vested duties for a period of over ninety days for reasons beyond his control.
p.(None): (5) The President of the Authority shall be entitled to dismiss the Vice-President of the Authority and
p.(None): shall, at the same time, offer a civil service relationship to the Vice-President at the Authority and an examiner’s
p.(None): position even in the absence of the requirements set out in Subsection (1) of Section 51.
p.(None): (6) The President of the Authority shall remove the Vice-President of the Authority from office, if the Vice-President
p.(None): fails to attend to his vested duties for a period of over ninety days for reasons within his control, or if he has
p.(None): knowingly disclosed false data or information in his declaration of personal wealth.
p.(None): (7) The President of the Authority shall decide upon the declaration of non-compliance with the requirements for the
p.(None): appointment of the Vice-President of the Authority.
p.(None): (8) If the mandate of the Vice-President of the Authority terminates under Paragraph a) or
p.(None): e) of Subsection (1), the Vice-President shall be entitled to an extra payment of three times the monthly remuneration
p.(None): in effect at the time of termination.
p.(None):
p.(None): 29. Staff of the Authority Section 50
p.(None): The President of the Authority shall exercise employer’s rights in respect of the Authority’s public servants and
p.(None): employees.
p.(None):
p.(None): Section 51
p.(None):
p.(None): (1) The President of the Authority shall be entitled to appoint examiners - up to twenty per cent of all civil servants
p.(None): of the Authority - from among the civil servants in the Authority’s employ who have a degree of higher education in
p.(None): information technology or law, and at least three years of experience as a data protection expert or data protection
p.(None): officer, and who have passed a professional examination in public administration or professional examination
p.(None): in law.
p.(None):
p.(None): (2) Examiners are appointed for indefinite terms, and may be dismissed by the President of the Authority any time
p.(None): without cause. If the President of the Authority has withdrawn the appointment of an examiner, the civil
p.(None): servant in question shall be reinstated in his last position before the appointment.
p.(None): (3) Examiners are entitled to the salary of head of unit, exclusive of executive bonus.
p.(None):
p.(None): CHAPTER VI PROCEEDINGS OF THE AUTHORITY
p.(None): 30. Investigation by the Authority Section 52
p.(None): (1) Any person shall have the right to notify the Authority and request an investigation alleging an
p.(None): infringement relating to his or her personal data or concerning the exercise of the rights of access to public
p.(None): information or information of public interest, or if there is imminent danger of such infringement.
p.(None): (2) The Authority’s investigations ensuing shall not be treated as administrative proceedings, and
p.(None): shall not fall within the scope of the Act on the General Rules of Administrative Proceedings.
p.(None): (3) Having submitted a notification to the Authority may not entail any discrimination against the
p.(None): notifier. The Authority may reveal the person of the notifier only if the inquiry cannot be carried out otherwise.
p.(None): If so requested by the notifier, the Authority may not disclose his identity even if the inquiry cannot be carried out
p.(None): otherwise. The notifier must be informed by the Authority of this circumstance.
p.(None): (4) The Authority shall carry out the investigation free of charge; the costs thereof shall be advanced and borne by
p.(None): the Authority.
p.(None):
p.(None): Section 53
p.(None):
p.(None): (1) Subject to the exceptions set out in Subsections (2) and (3), the Authority shall examine the notifications
p.(None): received as to merits.
p.(None): (2) The Authority may refuse the notification without examination thereof as to merits if:
p.(None): a) the infringement alleged in the notification is considered minor, or
p.(None): b) the notification is anonymous.
p.(None): (3) The Authority shall refuse the notification without examination thereof as to merits if:
p.(None): a) court proceedings are in progress, or a final court ruling has previously been rendered concerning the case in
p.(None): question,
p.(None): b) the notifier maintains his request for not having his identity disclosed despite the information
p.(None): provided under Subsection (3) of Section 52,
p.(None): c) the notification is manifestly unfounded,
p.(None): d) the notification has been re-submitted and it contains no new facts or information as to merits.
p.(None): (4) The Authority may only refuse a notification that has been submitted by the Commissioner
p.(None): of Fundamental Rights without examination thereof as to merits if court proceedings are in progress, or a
p.(None): final court ruling has previously been rendered concerning the case in question.
p.(None): (5) The Authority shall terminate the investigation if:
p.(None):
p.(None): a) the petition should have been refused pursuant to Subsections (3)-(4), however, the authority obtained
p.(None): information concerning the grounds for refusal following the opening of the investigation;
p.(None): b) the reason for continuing the investigation no longer exists.
p.(None): (6) The Authority shall inform the notifier concerning the refusal of the notification without examination thereof as
p.(None): to merits and on the termination of the investigation, including the reasons for refusal and termination.
...
p.(None): spouse by definition of the Act on the General Rules of Administrative Proceedings;
p.(None): b) giving the information would implicate himself, or his close relative or former spouse defined in the Act on
p.(None): the General Rules of Administrative Proceedings in the commission of a crime, as regards the question related thereto.
p.(None):
p.(None): Section 55
p.(None):
p.(None): (1) Within two months from the date of receipt of the notification, the Authority shall:
p.(None): a) if it finds in favour of the notification,
p.(None): aa) take the measures defined in Section 56 and Section 57,
p.(None): ab) terminate the investigation, and shall launch administrative proceedings for data protection in
p.(None): accordance with Section 60, or
p.(None): ac) terminate the investigation, and shall launch administrative proceedings for the supervision of
p.(None): classified data in accordance with Section 62;
p.(None): b) terminate the investigation if it finds against the notification.
p.(None):
p.(None): (2) The Authority shall inform the notifier on the findings of its investigation, on the reasons for
p.(None): terminating the proceedings and on any measures taken or on the opening of administrative proceedings.
p.(None):
p.(None): Section 56
p.(None):
p.(None): (1) Where the Authority considers that any infringement relating to personal data or concerning the
p.(None): exercise of the rights of access to public information or information of public interest, or the imminent danger of
p.(None): such infringement exist, it shall call on the data controller affected to eliminate the infringement, and the imminent
p.(None): danger of such infringement.
p.(None): (2) The controller - if in agreement - shall take the measures indicated in the notice referred to in Subsection (1)
p.(None): without delay, and shall inform the Authority concerning the measures it has taken, or - if in disagreement - of its
p.(None): argument within thirty days from the date of receipt of the notice.
p.(None): (3) If the data controller authority has a supervisory body, the Authority - if the notice referred to
p.(None): in Subsection (1) failed to obtain satisfaction - may present a recommendation to the controller’s supervisory body, of
p.(None): which the controller has to be notified concurrently. The Authority may also present a recommendation directly,
p.(None): without sending a notice to the controller under Subsection (1), if it is of the opinion that this is
p.(None): a more efficient way to remedy the infringement and to eliminate the imminent danger of such infringement.
p.(None): (4) The supervisory body shall notify the Authority in writing of its position concerning the recommendation as to
p.(None): merits, or on the measures taken within thirty days from the date of receipt of the recommendation.
p.(None):
p.(None): Section 57
p.(None):
p.(None): If, based on the findings of the investigation, the Authority considers that the infringement or the imminent danger
p.(None): thereof is attributable to any provision of legislation or regulatory instrument for the governance of
p.(None): bodies governed by public law that is deemed redundant, unclear or inadequate, or the lack of legal regulation
p.(None): of issues relating to data processing, or the deficiency thereof, it may present a proposal for legislative
p.(None): step, or for the issue of a regulatory instrument for the governance of bodies governed by public law in the
p.(None): interest of eliminating such infringements and the imminent danger thereof in the future, to the
p.(None): appropriate bodies for the issue of a legal act for the governance of bodies governed by public law or for drafting
p.(None): bills of legislation. In the recommendation the Authority may propose the amendment, repeal or adoption of
p.(None): legislation or legal act for the governance of public organizations. The body contacted shall inform the
p.(None): Authority within sixty days concerning its opinion, or on the measures taken in conformity with the recommendation.
p.(None):
p.(None): Section 58
p.(None):
p.(None): (1) Should, pursuant to the notification issued or the recommendation presented in accordance with Article 56, the
p.(None): anomaly not have been addressed and its immediate threat not have been ceased, the Authority shall make a decision
p.(None): regarding further necessary measures to be taken within a period of 30 days following the expiry of the deadline date
p.(None): for notification specified in Article 56 (2), or Article 56 (4) if a recommendation was not issued.
p.(None): (2) Where Subsection (1) applies, the Authority shall take further action as per the following:
p.(None): a) open administrative proceedings for data protection under Section 60;
p.(None): b) open administrative proceedings for the control of classified data under Section 62;
p.(None):
p.(None): c) initiate court proceedings according to Section 64; or
p.(None): d) draw up a report according to Section 59.
p.(None): (3) The Authority shall inform the notifier concerning the outcome of the measures taken under Sections 56 and 57, and
p.(None): on taking further action according to Subsection (2) hereof.
p.(None):
p.(None): 31. The Authority’s report Section 59
p.(None): (1) The Authority may draw up a report on the findings of an investigation conducted on basis of notification in a
p.(None): case where the Authority did not open administrative proceedings and did not file for court action.
p.(None): (2) The report shall contain the facts revealed by the investigation, and the resulting findings and
p.(None): conclusions.
p.(None): (3) The Authority’s report shall be public. The President of the Authority shall classify the report if it contains any
p.(None): classified information, or shall confirm its existing classification. If the report contains any classified information
p.(None): or any secrets protected by law, it shall be made available to the public with the classified information or
p.(None): secrets protected by law properly concealed.
p.(None): (4) The report made by the Authority on the examination of the activities of bodies authorized for
p.(None): using secret service means and methods may not contain any data or information that may suggest any covert
p.(None): investigation conducted by these bodies in a given case.
p.(None): (5) The Authority’s report may not be contested in court or before any other authority.
p.(None):
p.(None): 32. Administrative proceedings for data protection Section 60
p.(None): (1) In the interest of the enforcement of the right to the protection of personal data the Authority
p.(None): may open administrative proceedings.
p.(None): (2) The provisions of the Act on the General Rules of Administrative Proceedings shall apply to
p.(None): administrative proceedings for data protection, subject to the exceptions set out in this Act.
p.(None): (3) Administrative proceedings for data protection may be opened ex officio only, and it shall not be
p.(None): deemed to have been opened upon request even if the administrative proceedings for data protection were preceded by the
p.(None): Authority investigation launched upon notification. If, however, the Authority has conducted an investigation launched
p.(None): upon notification before the administrative proceedings for data protection, the notifier shall be informed
p.(None): on the opening of such proceedings, including its conclusion as well.
p.(None): (4) The Authority shall open administrative proceedings for data protection if, the findings of an investigation
p.(None): launched upon notification or other evidence suggest any unlawful processing of personal data, and such
p.(None): unlawful processing:
p.(None): a) concerns a wide scope of persons,
p.(None): b) concerns special data, or
p.(None): c) is likely to cause a significant harm or damage.
p.(None): (5) The administrative time limit in administrative proceedings for data protection is two months.
p.(None):
p.(None): Section 61
p.(None):
p.(None): (1) In its resolution adopted in administrative proceedings for data protection, the Authority may:
p.(None): a) order the rectification of any personal data that is deemed inaccurate,
p.(None): b) order the blocking, erasure or destruction of personal data processed unlawfully,
p.(None): c) prohibit the unlawful control or process of personal data,
p.(None): d) prohibit the transfer of personal data to other countries,
p.(None): e) order the information of the data subject, if it was refused by the data controller unlawfully, and
p.(None): f) impose a fine.
p.(None): (2) The Authority may order publication of its resolution, indicating the identification data of the controller as
p.(None): well, where this is deemed necessary for reasons of data protection or in connection with the rights of large numbers
p.(None): of data subjects under protection by this Act.
p.(None): (3) The amount of the financial penalty imposed pursuant to Paragraph f) of Subsection (1) shall be between one hundred
p.(None): thousand and ten million forints.
p.(None): (4) The Authority shall decide whether or not to impose a fine, and the amount of the penalty taking
p.(None): into account all circumstances of the case, such as in particular the number of data subjects affected by the
p.(None): infringement, the gravity of the infringement and whether it is a repeated offense.
p.(None): (5) Before the expiry of the deadline for filing a petition for judicial review, and if judicial review has been
p.(None): requested, before the final court decision the data affected by the processing operation in dispute may not be erased
p.(None): and may not be destroyed.
p.(None):
p.(None): 33. Administrative proceedings for the control of classified data Section 62
p.(None): (1) If the findings of an investigation launched upon notification or other evidence suggest that the classification of
p.(None): certain national security information is unlawful, the Authority may open administrative proceedings for the
p.(None): control of classified data. The administrative proceedings for the control of classified data conducted by the
p.(None): Authority shall not concern the tasks conferred upon the Nemzeti Biztonsági Felügyelet (National Security Authority) by
p.(None): the Act on the Protection of Classified Information.
p.(None): (2) The provisions of the Act on the General Rules of Administrative Proceedings shall apply to
p.(None): administrative proceedings for the control of classified data, subject to the exceptions set out in this Act.
p.(None): (3) Administrative proceedings for the control of classified data may be opened ex officio only, and it shall not be
p.(None): deemed to have been opened upon request even if the administrative proceedings for the control of classified data
p.(None): were preceded by the Authority investigation launched upon notification. If, however, the Authority has
p.(None): conducted an investigation launched upon notification before the administrative proceedings for the control of
p.(None): classified data, the notifier shall be informed on the opening of such proceedings, including its
p.(None): conclusion as well.
p.(None):
p.(None): Section 63
p.(None):
p.(None): (1) In its resolution adopted in conclusion of administrative proceedings for the control of classified data, the
p.(None): Authority - in the event of any infringement of the regulations pertaining to the classification of certain national
p.(None): security information - shall call upon the classifier to
p.(None):
p.(None): modify - in accordance with the law - the level or term of classification of information classified at
p.(None): the national level, or to have it declassified.
p.(None): (2) The classifier, if it finds the Authority’s resolution under Subsection (1) unsubstantiated, may request judicial
p.(None): review within sixty days following the date of delivery of the resolution. Upon receipt of the petition for
p.(None): judicial review, enforcement of the resolution shall be delayed. If the classifier did not seek legal
p.(None): action in the court of law within sixty days following the date of delivery of the resolution, the information
p.(None): classified at the national level shall be considered declassified on the sixty-first day following the date
p.(None): of delivery of the resolution, or the level or term of classification shall be modified in accordance
p.(None): with the resolution.
p.(None): (3) The regulations of the Act on the Code of Civil Procedure on administrative actions shall apply to
p.(None): these court proceedings, where they shall be heard in closed session in priority proceedings.
p.(None): (4) The court shall either sustain or reverse, or abolish the Authority’s resolution, and may order the Authority to
p.(None): re-open the proceedings where deemed necessary.
p.(None): (5) The court ruling or the Authority’s resolution shall not affect the obligation of the classifier for
p.(None): the review of classified national security information, as defined by the Act on the Protection of Classified
p.(None): Information.
p.(None): (6) The presiding judge must have the highest level of security clearance accorded under the Act on National Security
p.(None): Agencies.
p.(None): (7) Persons other than the judge, the plaintiff and the defendant shall be allowed access to the said classified
p.(None): information only if they have the highest level of security clearance accorded under the Act on National
p.(None): Security Agencies.
p.(None):
p.(None): 34. Litigation Options for the Authority Section 64
p.(None): (1) If the data controller fails to comply with the request made under Subsection (1) of Section 56, the
p.(None): Authority may bring the case before the court - alleging infringement of the regulation relating to public information
p.(None): and information of public interest - within thirty days following the date of expiry of the time limit for providing
p.(None): the information under Subsection
p.(None): (2) of Section 56, seeking a court’s ruling for ordering the data controller to act in accordance with the Authority’s
p.(None): request.
p.(None): (2) The court referred to in Subsection (5) of Section 31 shall have competence and jurisdiction to
p.(None): adjudicate the action aforementioned.
p.(None): (3) The burden of proof to show compliance with the law lies with the data controller.
p.(None): (4) Any person otherwise lacking legal capacity to be a party to legal proceedings may also be involved in such
p.(None): actions.
p.(None): (5) The court - upon request - may order publication of its decision, by way of publishing the identification data of
p.(None): the controller, if it is necessitated for data protection and the freedom of information in general or in connection
p.(None): with the rights of large numbers of data subjects under protection by this Act.
p.(None):
p.(None): 35. Data protection register Section 65
p.(None): (1) The Authority shall maintain official records on the processing operations of controllers in respect of personal
p.(None): data (hereinafter referred to as “data protection register”) for the
p.(None):
p.(None): purpose of providing assistance to data subjects containing - with the exceptions set out in Subsection (2) -
p.(None): the following information:
p.(None): a) the purpose of data processing;
p.(None): b) the legal basis of data processing;
p.(None): c) scope of data subject;
p.(None): d) description of the data pertaining to the data subjects;
p.(None): e) the source;
p.(None): f) the duration of processing;
p.(None): g) the categories of data transferred, the recipients and the grounds for transfer, including transfers made to third
p.(None): countries;
p.(None): h) name and address of the data controller and the data processor, the place where records are kept and/or where
p.(None): processing is carried out, and the data processor’s activities in connection with data processing operations;
p.(None): i) the nature of the data process technology used;
p.(None): j) the name of and contact details of the internal data protection officer, where applicable.
p.(None): (2) As regards national security agencies, the data protection register shall indicate the name and address of the
p.(None): given national security agency, and the purpose of and legal basis for data processing.
p.(None): (3) The Authority’s data protection register shall not cover operations:
p.(None): a) concerning the data of the data controller’s employees or members, students engaged under kindergarten
p.(None): education agreement, or under student or apprenticeship agreement, with or without dormitory services, or customers,
p.(None): other than the customers of financial institutions, public utility companies and electronic telecommunications service
p.(None): providers;
p.(None): b) carried out in accordance with the internal rules of the recognized church;
p.(None): c) that concerns the personal data of a person undergoing medical treatment, for the purposes of health
p.(None): care and preventive measures or for settling claims for benefits and services in the social insurance system;
p.(None): d) where it contains information concerning the provision of social and other benefits to the data subject;
p.(None): e) where it contains the personal data of persons implicated in an official regulatory, public prosecutor or court
p.(None): proceeding to the extent required for such proceeding, or it concerns personal data processed by penal
p.(None): institutions in the execution of a sentence;
p.(None): f) where it contains personal data for official statistical purposes, provided there are adequate
p.(None): guarantees that the verification of the link between the data and the data subject is definitively severed in such a
p.(None): way that the data subject is no longer identifiable in accordance with the relevant legislation;
p.(None): g) where it concerns the data of a media content provider defined by the Act on Media Services and on
p.(None): the Mass Media, which are used solely for its own information activities;
p.(None): h) if it serves the purposes of scientific research, and if the data is not made available to the public;
p.(None): i) where it concerns documents deposited in archive.
p.(None): (4) The data protection register shall be open to the general public; it may be inspected by any person, including
p.(None): taking notes.
p.(None):
p.(None): Section 66
p.(None):
p.(None): (1) Controllers shall apply to the Authority for having their personal data processing operation
p.(None): registered before the commencement of processing, with the exception of mandatory processing. Apart
p.(None): from mandatory processing and with the exception set out in Subsection (2) of Section 68, processing may not
p.(None): commence prior to registration.
p.(None):
p.(None): (2) Registration of mandatory processing shall be requested by the controller from the Authority within
p.(None): twenty days following the coming into force of the relevant legislation in which data processing is prescribed.
p.(None): (3) In terms of registration, data controls with alternative objectives qualify as independent data control even if the
p.(None): same set of data is controlled.
p.(None): (4) The application for registration shall contain the information specified in Subsection (1) or Subsection (2) of
p.(None): Section 65.
p.(None):
p.(None): Section 67
p.(None):
p.(None): With the exception of mandatory processing, admission to the data protection register shall be subject to an
p.(None): administrative service fee payable in the amount decreed by the relevant minister.
p.(None):
p.(None): Section 68
p.(None):
p.(None): (1) With the exception set out in Subsection (3), the Authority shall register the data processing
p.(None): operation within eight days from the date of receipt of the application, if it contains the information
p.(None): specified in Subsection (1) or Subsection (2) of Section 65.
p.(None): (2) With the exception set out in Subsection (3), if the Authority fails to adopt a decision regarding the
p.(None): application for registration in due time, the controller may commence the processing operation according to
p.(None): what is contained in the application.
p.(None): (3) The Authority shall register the data processing operation referred to in Subsections (4) and (5) within forty
p.(None): days from the date of receipt of the application, if it contains the information specified in Subsection
p.(None): (1) or Subsection (2) of Section 65, and if the controller is able to meet the conditions for lawful processing.
p.(None): (4) If the application for registration is submitted in respect of processing operations under Subsection (5),
p.(None): pertaining to data files unaffected by any previous data processing operation of the controller, or for which a new
p.(None): process technology that the controller has never used before for any previous processing operation is
p.(None): required, registration shall be granted on condition that the controller is able to meet the conditions for lawful
p.(None): processing.
p.(None): (5) The condition for registration under Subsection (4) pertains, in accordance with what is contained therein, to:
p.(None): a) data files concerning authorities of nation-wide jurisdiction, employment related national data bases and national
p.(None): criminal records;
p.(None): b) data files from the customer records of financial institutions and public utility companies;
p.(None): c) data files from the customer records of providers of electronic communications services.
p.(None): (6) The resolution adopted by the Authority for admission into the data protection register shall contain the
p.(None): registration number, that the controller is required to indicate for all operations with data, such as when
p.(None): data is transferred or published, or when provided to the data subject. The registration number is assigned to identify
p.(None): the data processing operation, and it is not intended to verify the lawfulness of the operation.
p.(None): (7) In the event of any change in the data specified in Paragraphs b)-j) of Subsection (1) of Section 65, the data
p.(None): controller is required to submit an application for the registration of change to the Authority within
p.(None): eight days from the effective date of the change. The provisions of Subsections (1), (3) and (5) shall also
p.(None): apply to the registration of changes, where the application shall suffice to contain the changes only.
p.(None):
p.(None): 36. Data protection audit Section 698
p.(None): (1) The data protection audit is a service provided by the Authority designed to evaluate and assess data processing
p.(None): operations in progress or proposed along technical merits, intended to effectively implement a high level of data
p.(None): protection and data security system. Proposed data processing operations may be audited if deemed justified based on
p.(None): the elaboration of the data processing concept.
p.(None): (2) Data protection audits are conducted by the Authority at the data controller’s request. For the data protection
p.(None): audit an administrative service fee shall be charged in the amount decreed by the relevant minister.
p.(None): (3) The Authority shall record the results of the data protection audit in an audit report. The audit report may also
p.(None): contain recommendations for the data controller. The audit report shall be considered public, unless the controller
p.(None): requests otherwise.
p.(None): (4) The data protection audit shall not exclude the exercise of the Authority’s other competencies defined
p.(None): in this Act.
p.(None):
p.(None): 37. Initiating criminal, infringement and disciplinary proceedings Section 70
p.(None): (1) In the event of having reasonable suspicion of alleged criminal activities in the course of its proceedings,
p.(None): the Authority shall initiate criminal proceedings at the body having jurisdiction to open criminal
p.(None): proceedings. In the event of having reasonable suspicion of alleged misdemeanour offenses or disciplinary
p.(None): infraction in the course of its proceedings, the Authority shall initiate infringement or disciplinary
p.(None): proceedings at the body having competence for conducting infringement or disciplinary proceedings.
p.(None): (2) The body referred to in Subsection (1) shall notify the Authority of its opinion concerning the
p.(None): opening of proceedings within thirty days, unless otherwise provided for by law, and of the outcome of the
p.(None): proceedings within thirty days from the time of conclusion thereof.
p.(None):
p.(None): 38. Data processing and confidentiality Section 71
p.(None): (1) In its proceedings the Authority shall be entitled to process - to the extent and for the duration required -
p.(None): those personal data, and classified information protected by law and secrets obtained in the course of
p.(None): professional activities, which are related to the given proceedings, or which are to be processed with a
p.(None): view to concluding the procedure effectively.
p.(None): (2) The Authority may use the data obtained in the course of conducting its examination for administrative proceedings.
p.(None): (3) The Authority shall have access to data specified in Subsection (2) of Section 23 of Act CXI of 2011 on the
p.(None): Commissioner of Fundamental Rights as defined in Subsection (7) of Section 23 of Act CXI of 2011 on the
p.(None): Commissioner of Fundamental Rights.
p.(None): (4) In proceedings related to the processing of classified information the Vice-President of the Authority, including
p.(None): executive officers and examiners shall - in possession of a personal
p.(None):
p.(None):
p.(None): 8 Entered into force: as of 01.01.2013.
p.(None):
p.(None): security certificate of appropriate level of clearance - be allowed access to classified information
p.(None): without the authorization prescribed in the Act on the Protection of Classified Information for use.
p.(None): (5) The President and Vice-President of the Authority, and persons currently or formerly employed by the
p.(None): Authority as civil servants or in any other work-related relationship shall keep confidential any personal
p.(None): data, classified information, secrets protected by law and secrets obtained in the course of professional
p.(None): activities they may have learnt in relation to the operation and actions of the Authority as well as any other data,
p.(None): fact or circumstance that the Authority is not required to make available to the public - except for any disclosure or
p.(None): supply of data to other organizations under the relevant legislation -, during the term of their
p.(None): employment and after the termination thereof.
p.(None): (6) According to the confidentiality requirement, the persons mentioned in Subsection (5) may not disclose unlawfully
p.(None): any data, facts or circumstance they obtained in connection with the performance of their official duties, nor
p.(None): shall they be allowed to use or reveal such information to third persons.
p.(None): CHAPTER VII CLOSING PROVISIONS
p.(None): Section 72
p.(None):
p.(None): (1) The Government is hereby authorized to decree:
p.(None): a) the detailed regulations for disclosure of public information by electronic means;
p.(None): b) the items covered by the fee chargeable for copies provided in connection with requests for public information, and
p.(None): the highest amount that can be taken into account in determining the amount of the fee, and the aspects for determining
p.(None): whether a document is to be considered substantial in terms of size and/or volume;
p.(None): c) the compilation of special disclosure lists;
p.(None): d) the data contents of the single data retrieval system and the central register, and the rules for data integration.
p.(None): e) the scope of information to be made public by the national security services which they control, upon consultation
p.(None): with the Authority.
p.(None):
p.(None): (2) Authorizations:
p.(None): a) the minister having relevant competence is hereby authorized to publish special disclosure lists in
p.(None): respect of the bodies he supervises or controls, by means of a decree;
p.(None): b) the minister in charge of e-administration is hereby authorized to decree the models for the standard forms to be
p.(None): used for the dissemination of data contained in the disclosure lists;
p.(None): c)
p.(None):
p.(None): (3) The minister in charge of the judicial system is hereby authorized to decree - upon consulting with
p.(None): the Authority and in agreement with the minister in charge of taxation - the amount of the administrative service fee
p.(None): payable for admission to the data protection register and for data protection audits, and the detailed rules relating
p.(None): to the collection, management, recording and refund of such fees.
p.(None):
p.(None): Section 73
p.(None):
p.(None): (1) This Act - with the exceptions set out in Subsections (2) and (3) - shall enter into force on the day following
p.(None): promulgation.
p.(None):
p.(None): (2) Sections 1-37, Subsections (1)-(3) of Section 38, Paragraphs a)-f) of Subsection (4) of Section 38, Subsection (5)
p.(None): of Section 38, Section 39, Sections 41-68, Sections 70-72, Sections 75-77 and Sections 79-88, and Schedule No. 1 shall
p.(None): enter into force on 1 January 2012.
p.(None): (3) Paragraphs g) and h) of Subsection (4) of Section 38 and Section 69 shall enter into force on 1
p.(None): January 2013.
p.(None):
p.(None): Section 73/A
p.(None):
p.(None): (1)50 Sections 26 (2) and 30 (7) of this Act amended by the Act XCI of 2013 shall be applied in
p.(None): procedures pending at the time of entry into force of Act XCI of 2013.
p.(None):
p.(None): Section 74
p.(None):
p.(None): The Prime Minister shall present a recommendation for the first President of the Authority to the President of the
p.(None): Republic by 15 November 2011. The President of the Republic shall appoint the first president of the Authority
p.(None): effective as of 1 January 2012.
p.(None):
p.(None): Section 75
p.(None):
p.(None): (1) The cases submitted to the data protection commissioner before 1 January 2012 shall be handled by the Authority in
p.(None): accordance with the provisions of this Act.
p.(None): (2) The data controlled by the data protection commissioner before 1 January 2012 in an official capacity shall be
p.(None): transferred to the Authority effective as of 1 January 2012.
p.(None): (3) Data processing operations having commenced prior to 1 January 2012, that fall within the scope of registration
p.(None): in the data protection register under this Act that had not been notified for registration before 1 January
p.(None): 2012 shall be notified to the Authority by 30 June 2012 for registration according to the relevant provisions
p.(None): of this Act. In the event of non- compliance data processing operations may not be carried out past 30 June
p.(None): 2012. Moreover, data processing operations under this Subsection may not be pursued if the Authority refused the
p.(None): application submitted for registration after 31 December 2011.
p.(None):
p.(None): Section 76
p.(None):
p.(None): Chapter V of this Act shall be considered a cardinal provision pursuant to Article VI(3) of the Fundamental Law.
p.(None):
p.(None): Section 77
p.(None):
p.(None): This Act facilitates compliance with:
p.(None): a) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals
p.(None): with regard to the processing of personal data and on the free movement of such data;
p.(None): b) Directive 2003/4/EC of the European Parliament and of the Council of 28 January 2003 on public access to
p.(None): environmental information and repealing Council Directive 90/313/EEC;
p.(None): c) Directive 2003/98/EC of the European Parliament and of the Council of 17 November 2003 on the re-use of public
p.(None): sector information;
p.(None): d) Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the
p.(None): framework of police and judicial cooperation in criminal matters.
p.(None):
p.(None):
p.(None): (1)-(2)9
p.(None): Section 78
p.(None):
p.(None): (3) The term “descending” to be found in Section 9 (7) of the Law Decree 17 of 1982 on Registers,
p.(None): Marriage Proceedings and the Use of Name shall be replaced by the term “descending found”.
p.(None):
p.(None): (4) Section 25 (3) of the Act XXIV of 2011 on legal harmonisation of Acts on Europol, on Security Services and the
...
p.(None): replaced by „unauthorised person and property protection” in accordance with Section 13 of Government
p.(None): decree 218/1999. (XII. 28.) on Misdemeanours, in
p.(None):
p.(None):
p.(None):
p.(None): 9 Repealed by Section 110 of the Act LXXVI of 2013 as of 01.07.2013.
p.(None):
p.(None): Section 39 (3) the text „presenting his ID pass” shall be replaced by „in his application for chamber membership”.
p.(None):
p.(None): (8) Section 34 (1) c) enacted by Section 23 of the Act XXIV of 2011 on legal harmonisation of Acts on Europol, on
p.(None): Security Services and the Activities of Private Investigators (SSAPI), on Firearms and Pyrotechnic Devices enters into
p.(None): force with the following wording:
p.(None):
p.(None): (The private investigator in order to conclude the contract)
p.(None):
p.(None): „may produce or use visual or audiovisual recordings in accordance with the framework of the relevant contract and in
p.(None): compliance with the regulations of this Act on data protection and personality rights”,
p.(None):
p.(None): (9) Section 15 (3) of the Act LXXVII. Of 2011 on World Heritage shall not enter into force.
p.(None):
p.(None): Section 80
p.(None):
p.(None): (1) The following Point n) shall be added to Article 51 (2) of Act CXII of 1996 on credit institutions
p.(None): and financial corporations:
p.(None): [Pursuant to Point b) of paragraph (2), the obligation to safeguard bank secrets does not apply]
p.(None): “n) to the National Authority for Data Protection and Freedom of Information within its competent scope of
p.(None): responsibilities”
p.(None): (contrary to requests made in writing by these bodies to the financial institution.)
p.(None): (2) The following Point r) shall be added to Article 157 (1) of Act LX of 2003 on insurance companies and insurance
p.(None): activities:
p.(None): (The obligation to safeguard insurance secrets does not apply)
p.(None): “r) in the case of the National Authority for Data Protection and Freedom of Information within their
p.(None): respective scope of responsibilities”
p.(None): [contrary to how should the body or individual specified under Points a)-j), n) and s) be entitled to
p.(None): submit a request in writing containing the name of the client or the insurance contract number, the type
p.(None): of data requested, the objective of the data request and its legal grounds on condition that the body or individual
p.(None): specified under points k), l), m), p) and q) is exclusively obliged to provide the type of data requested and its legal
p.(None): grounds. Reference to the legislation authorising data access equally qualifies as certification of the
p.(None): objective indicated and the legal status.]
p.(None): (3) The following Point m) shall be added to Article 8 (2) of Act LVII of 2004 on the legal status of Hungarian MPs
p.(None): delegated to the European Parliament:
p.(None): “m) The President and Vice-President of the National Authority for Data Protection and Freedom of
p.(None): Information.”
p.(None): (cannot be a Member of the European Parliament)
p.(None): (4) The following Point k) shall be added to Article 118 (3) of Act CXXXVIII of 2007 on investment companies and
p.(None): commodity exchange service providers, as well as rules concerning the activities they may engage in:
p.(None): (The confidentiality obligation defined under paragraph [1] does not apply)
p.(None):
p.(None): “r) to the National Authority for Data Protection and Freedom of Information within its respective scope
p.(None): of responsibilities”
p.(None): (contrary to requests made in writing by these bodies to the investment companies or commodity exchange
p.(None): service providers.)
p.(None): (5) The following Point q) and final text shall be added to Article 88 (1) of Act CLIX of 2007 on collaterals:
p.(None): (In accordance with the present Act, the obligation to safeguard insurance secrets does not apply)
p.(None): “q) to the National Authority for Data Protection and Freedom of Information within its respective scope
p.(None): of responsibilities.”
p.(None): (6) The following Point h) shall be added to Article 13 (3) of Act CLV of 2009 on the protection of
p.(None): confidential information:
p.(None): (In regard to the provision of state or public duties)
p.(None): “h) the President of the National Authority for Data Protection and Freedom of Information”
p.(None): [is authorised to exercise regulatory licenses defined in Point a) and b) of Article 18 (2) without
p.(None): holding any national security clearance, personal security attestation, as well as a confidentiality statement
p.(None): and user permit in connection with classified information within their respective scope of responsibilities and
p.(None): authority.]
p.(None):
p.(None): Section 81
p.(None):
p.(None): (1) The text “the minister competent for the professional supervision of the registration body, the data protection
p.(None): commissioner or the individual authorised by this commissioner” in Article 21/H of Act I of 1998 on road
p.(None): transport shall be replaced by the text “ the minister competent for the professional supervision of the
p.(None): registration body or the individual authorised by this minister, as well as the President, Vice-President and
p.(None): civil servant of the National Authority for Data Protection and Freedom of Information”.
p.(None): (2) The text “the Office of the Constitutional Court” in Article 1 (2) of Act XXIII of 1992 on the legal status of
p.(None): civil servants (hereinafter Civil Service Act) shall be replaced by the text “ Office of the Constitutional Court
p.(None): and the National Authority for Data Protection and Freedom of Information”.
p.(None): (3) The text “at the Hungarian Competition Authority” in Article 44 (1) of the Civil Service Act shall be replaced by
p.(None): the text “at the Hungarian Competition Authority and the National Authority for Data Protection and Freedom of
p.(None): Information” .
p.(None): (4) The text “the data protection commissioner” in Point i) of Article 63 (1) of the Civil Service Act
p.(None): shall be replaced by the text “the National Authority for Data Protection and Freedom of Information”.
p.(None): (5) The text “the data protection commissioner” in Article 7 (3) of Act XLVI of 1993 on statistics
p.(None): shall be replaced by the text “President of the National Authority for Data Protection and Freedom of Information”; the
p.(None): text “data protection commissioner” in Article 19 (3) shall be replaced by the text “the National Authority for
p.(None): Data Protection and Freedom of Information”.
p.(None): (6) The text “within the scope of the Data Protection Act” in Article 5 (1) of Act CXIX of 1995 on the control of
p.(None): name and address data facilitating research and direct business acquisition shall be replaced by the text
p.(None): “within the scope of the Act on informational self-
p.(None):
p.(None): determination and freedom of information”; the text “Data Protection Act” in Article 19 shall be replaced by the
p.(None): text “the Act on informational self-determination and freedom of information”.
p.(None): (7) The text “the minister competent for the professional supervision of the infringement registration
p.(None): body” in Article 27/F of Act LXIX of 1999 on infringements shall be replaced by the text “the minister competent
p.(None): for the professional supervision of the infringement registration body or the individual authorised by the
p.(None): minster, as well as the President, Vice- President and civil servant of the National Authority for Data
p.(None): Protection and Freedom of Information”.
p.(None): (8) The text “within the framework of the data protection procedure, the data protection commissioner” in
p.(None): Point b) of Article 4/G (2) of Act LXXV on regulations governing action against organised crime and specific phenomena
p.(None): associated with this and related legislative amendments shall be replaced by the text “the National Authority
p.(None): for Data Protection and Freedom of Information”.
p.(None): (9) The text “the data protection commissioner” in Article 32 (4) and (7) of Act LXXXIV of 1999 on road transport
p.(None): registration shall be replaced by the text “the National Authority for Data Protection and Freedom of
p.(None): Information”; the text “data protection commissioner” in paragraph of Article 32 (8) shall be replaced by
p.(None): the text “the National Authority for Data Protection and Freedom of Information”.
p.(None): (10) The text “the data protection commissioner” in Article 75/O of Act CXXX of 2003 on cooperation in criminal
p.(None): cases with EU Member States shall be replaced by the text “ the National Authority for Data Protection and
p.(None): Freedom of Information”.
p.(None): (11) The text “the data protection commissioner” in Article 164 (5) and in Point a) of Article 174 (3) of Act CXL of
p.(None): 2004 on the general rules on administrative proceedings and services shall be replaced by the text “the National
p.(None): Authority for Data Protection and Freedom of Information”.
p.(None): (12) The text “the data protection commissioner” in Article 85 (3) of Act I of 2007 on the entry and residence of
p.(None): persons with the right of the freedom of movement and residence shall be replaced by the text “the National
p.(None): Authority for Data Protection and Freedom of Information”.
p.(None): (13) The text “within the scope of the procedure defined under the Act on the protection of personal data and the
p.(None): disclosure of data of public interest, the data protection commissioner” in Article 6 of Act CI of 2007 on ensuring
p.(None): access to data required for decision preparation shall be replaced by the text “the National Authority for
p.(None): Data Protection and Freedom of Information”.
p.(None): (14) The text “the data protection commissioner” in Article 18 (6) and Article 20 (2) of Act CV of 2007 on cooperation
p.(None): and information exchange carried out within the framework of the Convention implementing the Schengen Agreement
p.(None): shall be replaced by the text “the National Authority for Data Protection and Freedom of Information”; the
p.(None): text “pursuant to regulations set out under the Act on the protection of personal data and the disclosure of data of
p.(None): public interest, the data protection commissioner” in Article 20 (1) shall be replaced by the text “the National
p.(None): Authority for Data Protection and Freedom of Information”.
p.(None): (15) The text “the data commissioner competent to act in respect of Act on the protection of personal data and the
p.(None): disclosure of data of public interest and controlling compliance with the Act on the control of personal data” in
p.(None): Article 88 (2) of Act XLVII of 2009 on the criminal database, the registration of verdicts brought against
p.(None): Hungarian nationals in the courts of
p.(None):
p.(None): European Union Member States and the registration of criminal and biometric data shall be replaced by the text “the
p.(None): National Authority for Data Protection and Freedom of Information competent to act in respect of controlling compliance
p.(None): with provisions governing the Act on the control of personal data”; the text “together with data protection
p.(None): commissioner” in Article 91/A (2) shall be replaced by the text “together with the National Authority for
p.(None): Data Protection and Freedom of Information”; the text “data protection commissioner” in Article 91/A (3) shall be
p.(None): replaced by the text “the National Authority for Data Protection and Freedom of Information”.
p.(None): (16) The text “as well as within the scope of authority ensured in Act LXIII of 1992 on the protection of personal data
p.(None): and the disclosure of data of public interest, the data protection commissioner” in Article 7 (8) of Act CIV
p.(None): of 2009 on the proclamation of the agreement regarding processing the data of passenger number records
p.(None): (PNR) between the European Union and the United States of America and the transfer of this data to the
p.(None): Department of Home Security amending Act XCII of 1995 on air transport shall be replaced by the text “as well as
p.(None): within the scope of authority ensured in the Act on the right of informational self- determination and
p.(None): freedom of information, the National Authority for Data Protection and Freedom of Information”.
p.(None): (17) The text “the data protection commissioner” in the eighth paragraph of Article 6 of Act CLV of 2009 on the
p.(None): protection of classified information shall be replaced by the text “the National Authority for Data Protection
p.(None): and Freedom of Information”; the text “together with the data protection commissioner” in Point r) of the second
p.(None): paragraph of Article 20 shall be replaced by the text “together with the National Authority for Data Protection and
p.(None): Freedom of Information”.
p.(None): (18) The text “the data protection commissioner and an authorised associated employee” in Point j) of the first
p.(None): paragraph of Article 76 of Act CXXII of 2010 on the National Tax and Customs Authority shall be replaced by the text
p.(None): “President, Vice-President and civil servant of the National Authority for Data Protection and Freedom of Information”.
p.(None): (19) The text “the data protection commissioner shall undertake supervision within their respective scope of
p.(None): authority ensured by Act LXIII of 1992 on the protection of personal data and the disclosure of data of public
p.(None): interest” in the fifth paragraph of Article 7 of Act LVI of 2011 on the proclamation of the Convention on the
p.(None): South-East European Law Enforcement Centre signed in Bucharest on 9 December 2009 and the Protocol on the
p.(None): privileges and immunities of the South-East European Law Enforcement Centre signed in Bucharest on 24 November 2010
p.(None): shall be replaced by the text “the National Authority for Data Protection and Freedom of Information shall undertake
p.(None): the supervision”.
p.(None):
p.(None): Section 82-89
p.(None):
p.(None): Annex No. 1 to Act CXII of 2011
p.(None):
p.(None): STANDARD DISCLOSURE LIST
p.(None):
p.(None): I. Organizational information, staff particulars
p.(None):
p.(None):
p.(None): Data description
p.(None): 1. Official name, registered office, postal address, telephone and fax number, electronic mail address, website
p.(None): and customer service contact information of
p.(None): Updating Immediately upon the change taking effect
p.(None): Duration of processing Previous data shall be deleted
p.(None):
p.(None): the body with public service functions
p.(None): 2. Organizational structure of the body with public service functions, showing the departments, and the tasks and
p.(None): duties of each department
p.(None): 3. Name and title of the executive employees of the body with public service functions and its departments,
p.(None): including contact information (telephone and fax number, electronic mail address)
p.(None): 4. Name of the head of customer relations, including contact information (telephone and fax number, electronic
p.(None): mail address) and customer service hours
p.(None): 5. In respect of collegiate bodies, number of members and composition, name, title and contact information of
p.(None): members
p.(None): 6. Name of any other body with public service functions under the control, supervision or oversight of, or
p.(None): subordinated to the body with public service functions, including the particulars specified in Point 1
...
Orphaned Trigger Words
Appendix
Indicator List
| Indicator | Vulnerability |
|---|
| access | Access to Social Goods |
| access to information | Access to information |
| age | Age |
| authority | Relationship to Authority |
| crime | Illegal Activity |
| criminal | criminal |
| education | education |
| educational | education |
| employees | employees |
| freedom of information | Access to information |
| home | Property Ownership |
| language | Linguistic Proficiency |
| minor | Youth/Minors |
| minority | Racial Minority |
| nation | stateless persons |
| native | Indigenous |
| officer | Police Officer |
| opinion | philosophical differences/differences of opinion |
| party | political affiliation |
| police | Police Officer |
| political | political affiliation |
| property | Property Ownership |
| racial | Racial Minority |
| religious | Religion |
| restricted | Incarcerated |
| single | Marital Status |
| student | Student |
| threat | Threat of Stigma |
| undue influence | Undue Influence |
| union | Trade Union Membership |
| unlawful | Illegal Activity |
Indicator Peers (Indicators in Same Vulnerability)
| Indicator | Peers |
|---|
| access to information | ['freedomXofXinformation'] |
| crime | ['unlawful'] |
| education | ['educational'] |
| educational | ['education'] |
| freedom of information | ['accessXtoXinformation'] |
| home | ['property'] |
| minority | ['racial'] |
| officer | ['police'] |
| party | ['political'] |
| police | ['officer'] |
| political | ['party'] |
| property | ['home'] |
| racial | ['minority'] |
| unlawful | ['crime'] |
Trigger Words
capacity
consent
cultural
harm
protect
protection
self-determination
Applicable Type / Vulnerability / Indicator Overlay for this Input