The Hungarian Parliament has recently adopted an amendment (Act No CXXIX of 2015) to the Information Act that will provide regulation regarding how data controllers must treat data breach incidents. Under the amendment, a data breach incident is any unauthorized processing of data, including the unauthorized access, alteration, unauthorized transfer, disclosure, deletion, accidental loss or breach of personal data. Data breach notification will apply only with regard to Hungarian telecom providers. However, the amendment requires all data controllers to keep an internal register of data breaches, including the scope of personal data and number of data subjects affected, the date, the circumstances, the effects of the incident, as well as the measures taken to eliminate the incident. If a data controller has a Data Protection Officer, then that officer must keep the internal register. If not, the amendment does not specify which internal rule within the data controller’s organization must or may be tasked with keeping that internal register. (The amendment does not require data controllers who do not have a Data Protection Officer to appoint one, however.) The amendment also says that if a data subject requires information concerning the data breach, the data controller must disclose the circumstances and the effects of the data breach incident, including the measures taken by the controller to remedy the situation. The new data breach registry requirements will apply only to controllers. But, existing data processing agreements must be amended, because data processors are required to register data breaches on behalf of the controller. Thus, processing agreements under Hungarian law – including existing agreements – should introduce detailed provisions regulating how the processor should comply with obligations relating to the recording of data breach incidents. The amendment will also introduce an authorization procedure for Binding Corporate Rules – which to date have been completely omitted from the list of recognized “adequacy” instruments under Hungarian data protection laws. Finally, the amendment will authorize the Hungary DPA to impose fines in case of the breach of data protection laws of up to HUF 20 million (approximately EUR 70,000.-), which is double the current maximum fine amount of HUF 10 million. The amendment will enter into force by 1 October 2015.
Author Adam Liber
Dr. Ádám Liber (LLM) is an associate in the Budapest office of Hegymegi-Barakonyi és Társa Baker & McKenzie Ügyvédi Iroda.