Data Processors
Are there obligations for controllers to establish controls with respect to data processors?

Last review date: December 2024

Yes.

The obligations are as follows:

  • controllers must conduct due diligence on the processor to ensure it will provide appropriate security and processing of the personal data
  • controllers must only use processors subject to a written agreement that complies with specific requirements
  • other

If the controller is a credit institution under Act CCXXXVII of 2013 on Credit Institutions and Financial Enterprises (“Credit Institutions Act”) and outsources an activity connected to financial services and financial auxiliary services, as well as those statutory activities prescribed by law that relate to the processing or storage of data, the controller must notify the Hungarian National Bank (in Hungarian: Magyar Nemzeti Bank, “MNB”) (www.mnb.hu), within two business days after signing the outsourcing agreement, about the fact and duration of outsourcing, as well as the name and registered seat/address of the processor. The outsourcing agreement (i.e., the written engagement of the processor) must contain:

  • provisions demonstrating compliance with data protection regulations;
  • the outsourcing service provider’s consent for the supervision of the outsourced activity by the credit institution’s internal control department, its data protection officer or external auditor, and for any on-site or off-site inspections performed by the MNB;
  • the outsourcing service provider’s responsibility to conduct the activity to an appropriate quality standard and a clause allowing the credit institution’s immediate cancellation of the contract in the event of the outsourcing service provider’s repeated or serious breach of the contract;
  • the detailed quality service level requirements expected from the outsourcing service provider; and
  • the rules to be applied in order to avoid insider trading on the part of the outsourcing service provider.

If the controller is an insurance or reinsurance company under Act LXXXVIII of 2014 on the Business of Insurance (the “Insurance Act”) and prepares to outsource an activity or function that qualifies as a key activity or function under the Insurance Act, the controller must notify the MNB, five days before the outsourcing agreement is scheduled to take effect, about the fact and duration of outsourcing as well as the name and registered address of the processor. This is also applicable to any changes in the outsourcing agreement regarding key activities or functions. Key functions and activities may not be outsourced, where such outsourcing arrangement (i.e., the engagement of the processor):

  • is likely to impact the insurance or reinsurance company’s ability to meet its commitments stemming from insurance contracts:
    • by jeopardizing the system of governance, or
    • by increasing operational risks;
  • prevents the Authority from carrying out its duties; or
  • is likely to jeopardize the interests of clients.

If the controller is an entity subject to the NIS 2 Directive, the controller must aim to protect its network and information systems, and the physical environment of those systems, from incidents using an all-hazards approach, which includes supply chain security and the security-related aspects of the relationships between each entity and its direct suppliers or service providers.

In cases where an entity subject to the Cybersecurity Act uses a contractor for the establishment, operation, maintenance or repair of an electronic information system, the contractor (i.e. the data processor) must also meet the basic requirements provided in the Cybersecurity Act. Therefore, the contractor must ensure the security of its electronic information systems and their physical environment in a manner proportionate to the extent of the damage caused by cyber threats.

This protection must include:

  • the information security management system;
  • the identification and management of risks to electronic information systems;
  • the application of administrative, logical and physical measures to mitigate risks, appropriate to the level of security to be defined for each system in the organization's risk analysis;
  • the prevention, detection, management and mitigation of security incidents;
  • ensuring business continuity; and
  • the acquisition, development and operation of electronic information systems and the software and hardware products used by them.

The head of the entity concerned must ensure that these basic requirements are provided for in a contract.

Are there any direct regulatory or statutory requirements on processors?

Last review date: December 2024

Yes.

The following provisions apply directly to processors:

Art. 28, 29, 30 para. 2, 31, 32, 33 para. 2, 37 et seq., 44 et seq. GDPR.

With respect to entities governed by the Credit Institutions Act, the processor (i.e., the outsourcing service provider) must meet — to a degree corresponding to the risk — the personnel, infrastructure and security requirements concerning the outsourced activities that are prescribed by law for credit institutions [Section 68 (2) of the Credit Institutions Act].

Regarding insurers and reinsurers governed by the Insurance Act, the controller (i.e., the insurance or reinsurance company) is responsible for ascertaining that the processor (i.e., the outsourcing service provider) is performing the activity in compliance with the relevant legislation and with due care and attention. If the processor performs the outsourced functions in serious breach of the outsourcing contract, or, in spite of a warning, continues to perform those functions in violation of the law or in breach of the outsourcing contract, the controller must terminate the outsourcing contract with immediate effect [Section 91 (2) of the Insurance Act].

With respect to entities subject to the Cybersecurity Act, the head of the relevant entity is responsible for ensuring that the basic requirements required by the Cybersecurity Act are provided for in a contract between the controller and contractors [Section 6 (5) of the Cybersecurity Act].