The National Authority for Data Protection and Freedom of Information (hereinafter "the Authority" or "the NAIH") is responsible for monitoring and promoting the enforcement of two fundamental rights: the right to the protection of personal data and the right to freedom of information (access to data of public interest and data accessible on public interest grounds) in Hungary, as well as promoting the free movement of personal data within the European Union.
Among others, the Authority is entrusted with duties in connection with the Schengen Information System (SIS), the Customs Information System (CIS), Europol, Eurodac and the Visa Information System (VIS), and with representing Hungary in the common data protection supervisory bodies of the European Union.
Based on a constitutional provision, the Act CXII of 2011 on the right to informational self-determination and on the freedom of information (hereinafter "the Act CXII of 2011"), which entered into force on 1 January 2012, established the Authority and regulated its operation in detail.
From an organisational perspective, the NAIH is an autonomous state administration organ; it may not be instructed in its functions and shall operate independently of other organs and of undue influence. The tasks of the NAIH may only be determined by an Act of Parliament.
The head of the NAIH is its president, appointed by the President of the Republic, on the proposal of the Prime Minister. The president of the NAIH is appointed for a term of nine years. After the termination of his mandate, the President may be reappointed on one occasion. In November 2011, Dr Attila PÉTERFALVI was nominated for the position of President of the NAIH.
The president shall appoint two vice-presidents for an indefinite period to assist his work. From 10 July 2023, the post of the Vice-President for General affairs is held by Dr Tamás BENDIK. From 16 August 2023, the post of the Vice-President for International affairs is held by Dr Júlia SZIKLAY.
As of 2019 the NAIH is allocated a staff of 114. The president shall exercise the employer’s rights over the public officials and employees of the NAIH.

The Act CXII of 2011 is comprehensive in scope, as it is applicable to all data processing operations undertaken in Hungary regardless of the public or private legal status of those performing such operations, including also law enforcement, national security and defence sectors, together with activities which relate to the data of a natural person, as well as data in the public interest and data made public on the grounds of being in the public interest.
This sector-neutral and generally applicable nature of the Hungarian data protection regime was, to the extent possible, consciously retained by the legislator when the necessary legislative steps were taken to align the Hungarian legal system with the EU data protection reform. The Hungarian lawmaker decided not to repeal the Act CXII of 2011 but to amend it substantially in order to implement the General Data Protection Regulation (EU) 2016/679 (hereinafter “GDPR”) and to transpose the Directive 2016/680, also known as the Law Enforcement Directive (hereinafter “LED”) into the Hungarian legal system. The Act CXII of 2011 supplements the directly applicable GDPR and continues to apply to all data processing operations (including law enforcement, national security and defence) under Hungarian jurisdiction.
a) In order to provide an unhampered application of the GDPR, the Act CXII of 2011 inter alia
- establishes the national supervisory authority, regulates its organisational structure and the procedural framework through which it exercises the tasks and powers specified in the Regulation;
- regulates the supervisory regime applicable to processing operations of courts acting in their judicial capacity;
- prescribes that data processing operations according to Article 6 (1)(c) and (e) of the GDPR shall be further regulated by sector-specific legislation.
b) With the aim to make use of a number of opening clauses incorporated in the GDPR, the Act CXII of 2011
- provides for rules designed to reconcile the right to access public information with the right to the protection of personal data;
- extends, to a limited extent, the scope of data protection rules to the processing of personal data of deceased persons;
- prescribes that, with regard to data processing operations according to Article 6 (1)(c) and (e) of the GDPR, a data protection impact assessment, as well as prior consultation shall be carried out during the process of drafting of the sector-specific legislation that requires processing.
Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act)
The Data Governance Act seeks to increase trust in data sharing, strengthen mechanisms to increase data availability and overcome technical obstacles to the reuse of data. For this purpose it introduces a single information point for each member state for easy access to public registers. (In Hungary, this will be the National Data Asset Management Agency https://navu.hu/ as from 1 April 2024.)
The Data Governance Act regulates the registration and operation of data intermediation services providers and data altruism organisations, as well as their supervision. It also allows public authorities to access private sector data in emergency situations (e.g. floods, diseases), where this is necessary to resolve them. In order to ensure a harmonized and successful implementation of the Data Governance Act across the European Union, the newly established European Data Innovation Board coordinates between member state supervisory authorities and other stakeholders.
In Hungary, the Authority is appointed as competent national authority for the Data Governance Act and to represent Hungary at the meetings of the European Data Innovation Board and its subgroups.
Tasks under the Data Governance Act:
The Authority registers data intermediation services providers and data altruism organisations, whose main establishment is in Hungary, or who do not have a main establishment in the European Union and wish to provide their services also in Hungary.
The Authority also provides a certificate to data intermediation services on compliance with the Data Governance Act, upon their petition and after a supervision of their activity.
The Authority also supervises the compliance with the Data Governance Act of data intermediation services providers and data altruism organisations registered in Hungary, either following a complaint or at any time ex officio.