Hungary data protection authority begins to apply GDPR standards

Through the second half of 2018, Hungary considered GDPR-related issues including photocopying ID cards, direct marketing subscriptions and general data transfers, which firms and employers within the European nation must integrate into all data processing activities.

The key areas addressed by the Hungarian Data Protection Authority (NAIH) were as follows:


The NAIH states that companies and employers must no copy personal documents (such as IDs, financial documents, etc.), unless told to by law. The body feels that as most firms and employers are not in a position to guarantee the authenticity of documentation in an official database, then copying is an irrelevance.

By means of alternative practice, an individual should declare through signature that they have submitted what they believe is the official relevant documentation, a process that can then be certified by another reviewer.

Benefits for newsletter subscriptions

Another question for NAIH to raise concerned whether a company that offers a marketing benefit for subscription to a newsletter is acting within compliance parameters of the GDPR.

It was decided by the NAIH that firms should take care to scrutinise how the benefit might influence the voluntary spirit of the newsletter “opt-in” function.

Importance was also attributed to the company deciding whether or not the “opt-out” function would be to the detriment of a subscriber. For example, if subscribing to a newsletter is not needed to obtain a service, those who do not subscribe should have equal access capabilities to the service.

The NAIH also noted that if a benefit, such as an exclusive content offer, is linked to the main function of a newsletter, then losing such a benefit when opting out might not go against the GDPR.

Data on recipients of personal information

The NAIH states that data controllers must name recipients of personal data transfers, what data is transferred and why, in their privacy notices. This information should ideally be presented in a clear table.

However, information need only be provided on categories of recipients where there are high numbers.

Furthermore, the data controller would not transfer data to them in each case, and providing a comprehensive list of recipients could endanger the clarity of the privacy notice. For example, a travel agency which arranges holidays to multiple countries should not list all the hotels to which it provides personal data, as this data may vary.

One case saw how the NAIH directed a recruitment website to verbalise in its privacy notice the specific Hungarian law that permits data storage of accounting purposes, and to highlight and give information on each recipient to whom it sends the personal data of employment candidates.

PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.