Management and organisation
Please identify the authority’s senior management.
The president of the authority is Dr Attila Peterfalvi and the vice president is Dr Endre Gyozo Szabó.
When was the head of the authority appointed?
1 January 2012.
How long is the term of office?
Under section 40 (3) of Act CXVII of 2011 (the Privacy Act), the president of the authority is appointed by the president of the Republic for a term of nine years.
What is the process for nominating the head of the authority?
The procedure for nominating the president of the authority is provided for by section 40 (1) of the Privacy Act, which states:
“The President of the authority shall be appointed by the President of the Republic on a recommendation by the Prime Minister from among those Hungarian citizens with a law degree, who have the right to stand as candidates in parliamentary elections, having at least ten years of experience in supervising proceedings related to data protection or freedom of information, or holding an academic degree in either of those fields.”
What was the authority's budget for the most recently available financial year?
The budget for 2017 was 642.3 million forints.
How many data protection/privacy-focused staff does the authority employ?
Out of the 114 staff of the authority, 62 persons focus on data protection/privacy.
Contacting the authority
How and where should companies or their advisers contact the authority to notify a data breach? Please specify individuals, email addresses, URLs for online forms, etc.
Data controllers should notify the authority of data breaches by emailing [email protected] or visiting http://naih.hu/adatvedelmi-incidensbejelent--rendszer.html.
How and where should companies or their advisers contact the authority to start the binding corporate rules approval process? Please specify individuals, e-mail addresses, URLs for online forms, etc.
With regard to the approval procedure of binding corporate rules (BCR), data controllers are to contact the authority via post, at 1025 Budapest, Szilagyi Erzsebet fasor 22/C.
There is no regular form for the BCR procedure.
What other contact information should companies and their advisers be aware of?
The authority may be contacted by email at [email protected].
Legal and enforcement framework
What are your investigative powers?
In the course of both ombudsman-type investigative proceedings under Title 30 of the Privacy Act, and administrative proceedings under the Privacy Act and Act CL of 2016 on General Public Administration Procedures (the Administration Procedures Act), the authority:
- has powers to inspect all documents – including those stored on electronic data carriers – of the data controller under inspection, presumed to have any bearing on the case at hand, and may request copies of such documents;
- is to be given access to any data processing operation presumed to have any bearing on the case at hand, and is authorised to enter any premises where data processing takes place;
- has the right to request information from the controller inspected, and from any employee or associate of the controller in writing or verbally; and
- has the right to hear witnesses, conduct inspections, and involve experts to clarify the facts of the case at hand.
Can you search premises or force the disclosure of information without having to approach the courts?
Yes, the authority may search premises without having to approach the courts, and may request the disclosure of information from the data controllers subject to proceedings.
What fines can you impose on companies that breach data protection rules?
The authority may impose administrative fines; their amounts are provided for by article 83 of the GDPR.
What other measures can you take against companies that breach data protection rules?
The authority can take the measures provided for by article 58(2) of the GDPR for cases subject to the GDPR.
In other cases, the authority may, within the meaning of section 61 of the Privacy Act:
- determine the fact of the unlawful processing of personal data;
- order the rectification of any personal data that is deemed inaccurate;
- order the blocking, erasure or destruction of personal data processed unlawfully;
- prohibit the unlawful processing of personal data;
- prohibit the transfer of personal data to other countries; and
- order the information of the data subject, if it was refused by the data controller unlawfully.
What emergency or interim measures can you take pending the full conclusion of your investigations?
Section 106(1) of the Administration Procedures Act states:
“The authority, irrespective of its competence and jurisdiction, shall take provisional measures of its own motion, without which any delay is likely to result in insurmountable damage, danger or irremediable violation of rights relating to personality.”
Priorities and the future
Are you working on any further data protection/privacy guidelines or guidance, or on amending any of your current guidance? If so, what?
The data concerning the future plans of the authority are data constituting parts of decision-making processes, the disclosure of which is restricted by section 27(5) of the Privacy Act.