Security Requirements and Breach Notification
Do data privacy laws or regulations impose obligations to maintain information security controls to protect personal data from unauthorized access or processing?

Last review date: December 2024

Yes.

  • general obligation to take appropriate / reasonable technical, physical and/or organizational security measures
  • obligation to take specific security measures e.g., encryption
  • requirement to undertake third party due diligence (security assessment of third party providers)
  • reasonable security controls
  • encryption

Although not a strict legal requirement, encryption is considered by the GDPR as an appropriate technical and organizational measure. In practice, the authorities expect encryption to be used unless specific circumstances justify its absence.

Do other laws or regulations impose obligations to protect systems from cyberattack?

Last review date: December 2024

  • network information security requirements (broader than telecommunications)
  • financial services requirements
  • telecommunication requirements
  • providers of critical infrastructure
  • digital or connected (IoT) products
  • other

The relevant general obligations of the EU General Data Protection Regulation and the Information Act are applicable to all controllers and processors of personal data.

In addition, Hungarian laws and regulations — together with certain EU laws — impose further data security related obligations on the following economic actors:

  • Various types of financial service providers (e.g., financial institutions, insurance companies and investment firms);
  • Providers of online marketplaces, location tool services and cloud computing services (in light of the Country-of-Origin principle);
  • Service providers involved in the operation of critical infrastructures and/or the provision of essential services; and
  • Manufacturers of IoT devices, which are elements or groups of elements of a network or information system that interact with the environment through signal conversion.

Has there been regulatory activity – including enforcement action, investigations, regulatory guidance or other public statements by the regulator – relating to cybersecurity by the following regulators in the last 12 months?

  • financial services
  • telecommunications

Does data privacy or cybersecurity law impose obligations to make notifications about personal data security breaches?

Last review date: December 2024

Yes.

"Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

"Incident" means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems.

Controllers/Owners have to notify:

Last review date: December 2024

Data protection authorities

  • in case of a personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
  • without undue delay and, where feasible, not later than 72 hours after having become aware of it

Cybersecurity authorities

  • without undue delay

Due to the implementation of the NIS 2 Directive in Hungarian law, in line with Section 77 of Government Decree 418/2024 (XII. 23.), the following apply:

  • an early warning must be reported without undue delay and in any event within 24 hours;
  • early warnings must be followed by an incident notification, without undue delay and in any event within 72 hours.

Affected individuals

  • if the personal data breach is likely to result in a high risk to the rights and freedoms of the data subjects, the controller shall communicate the personal data breach to the data subject without undue delay (GDPR Art. 34 Section 1), unless any of the following conditions are met:
    • the controller has implemented technical and organizational protection measures and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
    • the controller has taken subsequent measures that ensure that the high risk to the rights and freedoms of the data subjects is no longer likely to materialize;
    • it would involve disproportionate effort.

Other

If the (direct and individual) communication to the data subjects would involve disproportionate effort, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner (compared to direct communication) without undue delay [GDPR Art. 34 Section 3 Point c)].

Processors/Agents have to notify:

Last review date: December 2024

Controller/owner

  • in case of a personal data breach irrespective of a risk to the rights and freedoms of the data subjects
  • without undue delay after becoming aware of it

Are there any additional sector-specific or non-personal data security breach notification requirements?

Last review date: December 2024

Yes.

  • cybersecurity authorities
  • financial services requirements
  • telecommunication requirements
  • providers of critical infrastructure
  • other

Other: providers of services subject to a notification requirement pursuant to the E-Commerce Act (e.g., operators of online marketplaces, location tool services and cloud computing services).

Details regarding the identified data security breach notification requirements

  • Security incident notification requirements for entities subject to the Cybersecurity Act are determined by Government Decree 418/2024 (XII.23.). The Cybersecurity Act and its implementing government decree set different obligations on organizations of the public administration, on state-owned entities and on other relevant entities.
  • Entities under the scope of the Cybersecurity Act must submit an early warning to the NBSZ without undue delay and in any event within 24 hours. This must be followed by an incident notification without undue delay and in any event within 72 hours.
  • Sector-specific data breach notification requirements in Hungary relative to electronic communications:
    • The providers of public electronic communication services in Hungary must file a notification if the personal data of telecom services subscribers is breached. The notification must be provided to the National Media and Infocommunications Authority ("NMHH") by the public electronic communication services provider via NMHH's online platform ("Adatkapu").

Section 156 (2) of the Electronic Communications Act defines a “breach of the subscribers' personal data” as a breach of security leading to the accidental or unlawful use or processing of personal data, meaning, in particular, the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service. No exceptions apply to the breach notification obligation of service providers; any breach event must be reported promptly, but within 24 hours at the latest, to the NMHH.

Sections 156 (2)-(8) of the Electronic Communications Act establish a personal data breach notification obligation for providers of public electronic communication services to the NMHH. NMHH Decree No. 4/2012 (I.24.) establishes the details of the data breach notification obligation.

If the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or of other private individuals, the provider of electronic communications services must notify the concerned data subjects without undue delay, but within 24 hours at the latest. However, notification to a subscriber or private individual concerned is not required if the telecoms services provider has demonstrated to the satisfaction of the NMHH that it has implemented appropriate technological protection measures and that those measures were applied to the data affected by the security breach. Such technological protection measures must be capable of rendering the data unintelligible to any person who is not authorized to access it.

If the service provider has not notified the subscriber or private individual of the personal data breach, the NMHH, having evaluated the likely adverse effects of the breach and following consultation with the NAIH, may order the service provider to do so.

If a personal data breach occurs, the telecoms service provider must first notify the NMHH of that breach without undue delay, but within 24 hours at the latest. If the telecoms service provider does not possess some of the data required to be included in that notification, it must commence an internal investigation and, within 24 hours of the occurrence of the breach, notify the NMHH (the first notification). Subsequently, the telecoms service provider must gather the information necessary for the second notification and, if necessary, update the content of the first notification; this second notification must be submitted without undue delay, but within 72 hours of the first notification.

If the telecoms service provider cannot submit all of the information required to be submitted in the second notification, it must provide the information available at that point within 72 hours of the breach, explaining to the NMHH why it could not submit the remaining required information within the 72-hour timeframe. The telecoms service provider must inform the NMHH monthly about the findings arising from the provider's internal investigation in the past month, until the investigation is closed or the reasons due to which the data breach occurred have been addressed.

A public electronic communications service provider has the following reporting obligations in case of network outages:

  • without undue delay, to the Government Incident Response Team, about any security incident affecting their electronic communications networks, including any threat of which they are aware, and which are likely to result in potentially unfavorable changes or any previously unknown situations in the Electronic Communication Networks or Electronic Communication Services, or in consequence of which the confidentiality, integrity, authenticity, functionality or availability of information carried via the Electronic Communication Networks or Electronic Communication Services is either lost or compromised; and
  • without delay, to the General Informatics and Electronic Communication Inspectorate of the NMHH, via an electronic form provided by the Office of NMHH regarding any network security incidents affecting the operation of the network and of the services.

If the controller is a payment service provider and the personal data breach is a major operational or security incident under Act LXXXV of 2009 on the Pursuit of the Business of Payment Services (“Payment Services Act”), the controller must notify the Hungarian National Bank without undue delay [Section 55/B (1) of the Payment Services Act]. This obligation of the controller does not affect its reporting obligation to the NAIH under the GDPR. If the major operational or security incident has or may have an impact on the financial interests of its payment service users, the payment service provider must, without undue delay, inform its payment service users of the incident and of all measures that they can take to mitigate the adverse effects of the incident.

Financial entities in Hungary that are under the scope of Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 ("DORA") must report any unplanned event that compromises the security of the network and information systems, and has an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity ("major ICT-related incident") to the relevant competent authority referred to in DORA.