Welcome to the Hungarian National Authority for Data Protection and Freedom of Information
Who we are
The National Authority for Data Protection and Freedom of Information (hereinafter "the Authority" or "the NAIH") is responsible for monitoring and promoting the enforcement of two fundamental rights: the right to the protection of personal data and the right to freedom of information (access to data of public interest and data accessible on public interest grounds) in Hungary, as well as promoting the free movement of personal data within the European Union.
Among others, the Authority is entrusted with duties in connection with the Schengen Information System (SIS), the Customs Information System (CIS), Europol, Eurodac and the Visa Information System (VIS) as well as represent Hungary in the common data protection supervisory bodies of the European Union.
Based on constitutional provision, the Act CXII of 2011 on the right to informational self-determination and on the freedom of information (hereinafter "the Act CXII of 2011") , which entered into force on 1 January 2012, established the Authority and regulated its operation in detail.
From an organisational perspective, the NAIH is an autonomous state administration organ; it may not be instructed in its functions and shall operate independently of other organs and of undue influence. The tasks of the NAIH may only be determined by an Act of Parliament.
The head of the NAIH is its president, appointed by the President of the Republic, on the proposal of the Prime Minister. The president of the NAIH is appointed for a term of nine years. After the termination of his mandate, the President may be reappointed on one occasion. On November 2011, Dr Attila PÉTERFALVI was nominated for the position of President of the NAIH.
The president shall appoint a vice-president for an indefinite period to assist his work. From 1 January 2012, the post of the Vice-President is held by Dr Endre Győző SZABÓ.
As of 2019 the NAIH is allocated a staff of 114. The president shall exercise the employer’s rights over the public officials and employees of the NAIH.
The Act CXII of 2011
The Act CXII of 2011 is comprehensive in scope, as it is applicable to all data processing operations undertaken in Hungary regardless of the public or private legal status of those performing such operations, including also law enforcement, national security and defence sectors, together with activities which relate to the data of a natural person, as well as data in the public interest and data made public on the grounds of being in the public interest.
This sector-neutral and generally applicable nature of the Hungarian data protection regime was, to the extent possible, consciously retained by the legislator when the necessary legislative steps were taken to align the Hungarian legal system with the EU data protection reform. The Hungarian lawmaker decided not to repeal the Act CXII of 2011 but to amend it substantially in order to implement the General Data Protection Regulation (EU) 2016/679 (hereinafter “GDPR”) and to transpose the Directive 2016/680, also known as the Law Enforcement Directive (hereinafter “LED”) into the Hungarian legal system. The Act CXII of 2011 supplements a directly applicable GDPR and continues to apply to all data processing operations (including law enforcement, national security and defence) under Hungarian jurisdiction.
a) In order to provide an unhampered application of the GDPR, the Act CXII of 2011 inter alia
- establishes the national supervisory authority, regulates its organisational structure and the procedural framework through which it exercises the tasks and powers specified in the Regulation;
- regulates the supervisory regime applicable to processing operations of courts acting in their judicial capacity;
- prescribes that data processing operations according to Article 6 (1)(c) and (e) of the GDPR shall be further regulated by sector-specific legislation.
b) With the aim to make use of a number of opening clauses incorporated in the GDPR, the Act CXII of 2011
- provides for rules designed to reconcile the right to access public information with the right to the protection of personal data;
- extends, to a limited extent, the scope of data protection rules to the processing of personal data of deceased persons;
- prescribes that, with regard to data processing operations according to Article 6 (1)(c) and (e) of the GDPR, a data protection impact assessment, as well as prior consultation shall be carried out during the process of drafting of the sector-specific legislation that requires processing.
What we do
Compared to the former ombudsman-type of institution , the new set of laws confer the Authority with broader competency to pursue violations of both informational rights. In particular:
a) The NAIH conducts two types of procedure in data protection cases: ‘inquiries’ which are less regulated from a procedural point of view and ‘administrative procedures for data protection’ regulated by administrative procedural rules. . Irrespective of the exact procedural form, the NAIH is basically obliged to deal with the complaints/application received from data subjects, except for such cases when the authority is entitled, or even obliged to reject the complainant’s submission. The legal grounds for refusing a complaint/application are determined in a detailed manner in the relevant laws for both types of the said procedure. In cases where the formal requirements are not met, the NAIH may launch an ex officio inquiry/administrative procedure for data protection if it is deemed reasonable on the basis of facts of the case.
- An inquirymight be initiated on the basis of the complaint of the data subject or a third party different from the data subject or the data controller/processor, or ex officio. Authority inquiries can also be initiated anonymously. The NAIH may dismiss such anonymous notifications without examining it on its merits, however, it is the consistent practice of the Authority, that it conducts the inquiry based on such notifications, unless it is not possible to investigate the infringement.
- An administrative procedurefor data protectionis started on the application of the data subject (or his or her representative) or ex officio. If the data subject considers that the processing of personal data relating to him infringes the GDPR, he can submit an application for commencing an administrative procedure for data protection. The application has to meet the substantive requirements prescribed by the Privacy Act and the rules laid down in the Administrative Code.
The corrective measures provided by Article 58 (2) and Article 83 of the GDPR have not invoked radical changes in the sanctioning practice of the NAIH due to the fact that the sanctions specified therein were available to the authority in the pre-GDPR-period, too. Of course, Article 83 (4)–(6) empowers the NAIH to impose significantly higher administrative fines, nevertheless, neither the maximum amount nor the percentage cap determined in the abovementioned articles has been reached.
The competence of the Authority do not cover the processing of personal data "when courts are acting in their judicial capacity" under GDPR Article 55(3) and LED Article 45(2). Hence, the Hungarian legislator, by the amendment of the Act CXII of 2011, established a mechanism according to which the oversight of such data protection operations are entrusted to courts specifically empowered to carry out such supervision activity.
b) Anyone is entitled to request an inquiry of the Authority concerning the exercise of the right to access data of public interest or data accessible on public interest grounds. The Authority will continue to vigorously protect rights to freedom of information.
c) The Authority is authorised to launch a procedure for the supervision of data classification, should, pursuant to information received, it may be presumed that national classified information has been illegally classified.
d) The Authority shall conduct a procedure for the authorisation in the following groups of cases:
- Approval of a code of conduct and the activity of a body monitoring compliance with a code of conduct;
- Approval of the criteria of certification;
- Authorization procedures for transfer of personal data to third countries.
e) The Authority no longer has the opportunity of providing data protection audit services. The Act CXII of 2011 however, taking into account Article 42 (5) of the GDPR, set down the fundamental provisions for conducting a certification procedure on the initiative of the data controller or processor .
f) Provides the possibility for consultation on Data Protection Impact Assessment.
g) Personal data breach notifications can be sent to the Authority by post or electronic mail (Ez az e-mail-cím a szpemrobotok elleni védelem alatt áll. Megtekintéséhez engedélyeznie kell a JavaScript használatát.), for which the form can be downloaded from the website of the Authority (http://naih.hu/adatvedelmi-incidensbejelent--rendszer.html); or on the notification surface specially dedicated to this purpose by the Authority (https://dbn-online.naih.hu/public/login). The personal data breach notification portal is exclusively meant to facilitate the process of personal data breach notification for data controllers, and not for submitting complaints.
h) The Authority makes recommendations with respect to new laws and to the amendment of laws pertaining to the processing of personal data, the access to data of public interest and to data accessible on public interest grounds, and shall give its opinion with respect to draft laws affecting its functions.
i) The Authority makes recommendations in general or recommendations to specific controllers, gives its opinion on sector-specific and organ-specific publication schemes under the Act CXII of 2011 and relating to the activities of the given organ performing public duties.
j) The Authority publishes a report on its activities each year, by 31 March, and shall submit this report to the National Assembly.
k) The Authority organise the conference of data protection officers.