Last review date: December 2024
Yes.
Although not a strict legal requirement, encryption is considered by the GDPR as an appropriate technical and organizational measure. In practice, the authorities expect encryption to be used unless specific circumstances justify its absence.
The relevant general obligations of the EU General Data Protection Regulation and the Information Act are applicable to all controllers and processors of personal data.
In addition, Hungarian laws and regulations — together with certain EU laws — impose further data security related obligations on the following economic actors:
Yes.
"Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
"Incident" means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems.
Data protection authorities
Cybersecurity authorities
Due to the implementation of the NIS 2 Directive in Hungarian law, in line with Section 77 of Government Decree 418/2024 (XII. 23.), the following apply:
Affected individuals
Other
If the (direct and individual) communication to the data subjects would involve disproportionate effort, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner (compared to direct communication) without undue delay [GDPR Art. 34(3)(c)].
Controller / owner
Yes.
Providers of services subject to notification requirement (e.g., operators of online marketplaces, location tool services and cloud computing services) pursuant to the E-Commerce Act.
Details regarding the identified data security breach notification requirements
Section 156 (2) of the Electronic Communications Act defines a “breach of the subscribers' personal data” as a breach of security leading to the accidental or unlawful use or processing of personal data, meaning, in particular, the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service. No exceptions apply to the breach notification obligation of service providers; any breach event must be reported promptly, but within 24 hours at the latest, to the NMHH.
Sections 156 (2)-(8) of the Electronic Communications Act establish a personal data breach notification obligation for providers of public electronic communication services to the NMHH. NMHH Decree No. 4/2012 (I.24.) establishes the details of the data breach notification obligation.
If the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or of other private individuals, the provider of electronic communications services must notify the concerned data subjects without undue delay, but within 24 hours at the latest. However, notification to a subscriber or private individual concerned is not required if the telecoms services provider has demonstrated to the satisfaction of the NMHH that it has implemented appropriate technological protection measures and that those measures were applied to the data affected by the security breach. Such technological protection measures must be capable of rendering the data unintelligible to any person who is not authorized to access it.
If the service provider has not notified the subscriber or private individual of the personal data breach, the NMHH, having evaluated the likely adverse effects of the breach and following consultation with the NAIH, may order the service provider to do so.
If a personal data breach occurs, the telecoms services provider must first notify the NMHH of that breach without undue delay, but within 24 hours at the latest. If the telecoms services provider does not yet possess some of the data required to be included in that notification, it must commence an internal investigation and, within 24 hours from the occurrence of the breach, notify the NMHH with the information available (the first notification). Subsequently, the telecoms services provider must gather the information necessary for the second notification and, if necessary, update the content of the first notification; the second notification must be submitted without undue delay, but within 72 hours from the first notification.
If the telecoms service provider cannot submit all of the information required to be submitted in the second notification, it must provide the information available at that point within 72 hours of the breach, explaining to the NMHH why it could not submit the remaining required information within the 72-hour timeframe. The telecoms service provider must inform the NMHH monthly about the findings arising from the provider's internal investigation in the past month, until the investigation is closed or the reasons due to which the data breach occurred have been addressed.
A public electronic communications service provider has the following reporting obligations in case of network outages:
If the controller is a payment service provider and the personal data breach is a major operational or security incident under Act LXXXV of 2009 on the Pursuit of the Business of Payment Services (“Payment Services Act”), the controller must notify the Hungarian National Bank without undue delay [Section 55/B (1) of the Payment Services Act]. This obligation of the controller does not affect its reporting obligation to NAIH based on the GDPR. If the major operational or security incident has or may have an impact on the financial interests of its payment service users, the payment service provider must, without undue delay, inform its payment service users of the incident and of all measures that they can take to mitigate the adverse effects of the incident.
Financial entities in Hungary that are under the scope of Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 ("DORA") must report any unplanned event that compromises the security of the network and information systems, and has an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity ("major ICT-related incident") to the relevant competent authority referred to in DORA.