Status of the legislation in force today (06/06/2021).
IMPORTANT! Certain provisions of the legislation must be applied differently during an emergency.

Act CXII of 2011
on the right to informational self-determination and freedom of information
In order to ensure the right to information self-determination and freedom of information, the National Assembly
and the fundamental right to access and disseminate data in the public interest and in the public interest;
rules and the authority responsible for monitoring these rules for the implementation of the Basic Law, Article VI of the Basic Law. pursuant to Article
constitutes the following law:

CHAPTER I.
GENERAL PROVISIONS

1. Purpose of the Act
§ 1 The purpose of this Act is to lay down the basic rules for the processing of data in the fields covered by it
respect for the privacy of natural persons by data controllers and the transparency of
public interest and the right to access and disseminate data in the public interest.
2. Scope of the Act
§ 2. (1) The scope of this Act - with regard to personal data as defined in paragraphs (2) - (6) - shall apply to all
data processing, which concerns personal data as well as data of public interest or public data in the public interest.
(2) Personal data shall be subject to Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter referred to as the General Data Protection Regulation).
the General Data Protection Regulation in accordance with Articles III-V. and VI / A. Chapter and Section 3, Sections 3, 4, 6, 11, 12, 13, 16, 17,
21., 23-24. § 4 (5), § 5 (3) - (5), (7) and (8), § 13 (2), § 23, §, a
25 / G. § (3), (4) and (6), 25 / H. § (2), 25 / M. § (2), 25 / N. §, 51 / A. § (1), the
52-54. § 55 (1) - (2), 56-60. §, 60 / A. § (1) - (3) and (6), § 61 (1) a) and c) ,
Section 61 (2) and (3), Section (4) ( b) and (6) - (10), Sections 62-71. § 72, § 75 (1) - (5),
a 75 / A. Shall apply with the additions specified in Section 1 and Annex 1.
(3) This Act shall apply to the processing of personal data for law enforcement, national security and defense purposes.
(4) Processing of personal data not covered by paragraphs 2 and 3
(a) Articles 4, II to VI and VIII to IX of the General Data Protection Regulation. and
b) Articles III-V of this Act. and VI / A. In addition, Section 3, Sections 3, 4, 6, 11, 12, 13, 16, 17, 21, 23-24. § 4 (5), § 5
(3) - (5), (7) and (8), Section 13 (2), Section 23, Section 25, Section 25 / G. § (3), (4) and (6), 25 / H. § (2)
paragraph 25 / M. § (2), 25 / N. §, 51 / A. § (1), Articles 52-54. §, § 55 (1) and (2), the
56-60. §, 60 / A. § (1) - (3) and (6), § 61 (1) a) and c) , § 61 (2) and (3), (4) b)
and paragraphs 6 to 10, paragraphs 62 to 71. § 72, § 75 (1) - (5) and Annex 1
specific provisions shall apply.
(5) The processing of personal data falling within the scope of the General Data Protection Regulation is set out in paragraph (2) of this Act
and other statutory provisions for the protection of personal data and personal data
unless otherwise provided by law or a binding act of the European Union
shall apply if
(a) the controller's center of activity as defined in Article 4 (16) of the General Data Protection Regulation or the European Data Protection Supervisor
The only place of activity within the Union is in Hungary, or
(b) if the controller has its center of activity as defined in Article 4 (16) of the General Data Protection Regulation or
The only place of business within the European Union is not in Hungary, but on behalf of or at the request of the data controller
a data processing operation performed by a data processor acting on the basis of
ba) is related to the provision of goods or services to data subjects residing in Hungary, independently
whether the person concerned has to pay for them, or
bb) is related to the observation of the behavior of the data subject within the territory of Hungary.
(6) The provisions of this Act shall not apply to a natural person serving exclusively his own personal purposes
data management.
(7) Regarding the further use of public sector information, the law on the manner and conditions of data provision, in order to
may lay down rules different from this Act regarding the consideration to be paid and the legal remedy.
3. Interpretative provisions
§ 3 In applying this Act:
1. data subject: a natural person identified or identifiable on the basis of any information;
1a. identifiable natural person: a natural person who, directly or indirectly, in particular an identifier,
such as name, identification number, location data, online identifier or physical, physiological, genetic, mental,
identifiable by one or more factors relating to its economic, cultural or social identity;
2. personal data: any information about the data subject;
3. special data: all data belonging to special categories of personal data, ie of racial or ethnic origin, are political
religious or worldview or trade union membership, as well as genetic data,
biometric data for the unique identification of natural persons, health data and sexual data of natural persons
personal data relating to your life or sexual orientation,
3a. genetic data: any personal data relating to the genetic characteristics of a natural person inherited or acquired,
which carries specific information on a person's physiology or state of health, and which is primarily that person's
results from the analysis of a biological sample taken from a natural person;
3b. biometric data: specific technical data relating to the physical, physiological or behavioral characteristics of a natural person
personal data obtained by procedures which enable or confirm the unique identification of a natural person, such as
portrait or dactyloscopic data;
3c. health data: personal data concerning the physical or mental health of a natural person, including:
also data on health services provided to a natural person that carry information about the natural person
the state of health of the person;
4. criminal personal data: during or before criminal proceedings in connection with a criminal offense or criminal proceedings,
at bodies authorized to conduct criminal proceedings or to detect criminal offenses, as well as
personal data generated at your organization that can be contacted with the data subject, as well as personal data relating to a criminal record;
5. data of public interest: a body performing a state or local government task and other public tasks specified by law
or in the management of a person and arising in connection with his activity or the performance of his public duties, the personal
information or knowledge not covered by the concept of data, recorded in any form or by any means,
such as, in particular, competence, competence, organizational structure, professional
effectiveness, the types of data held and the legislation governing their operation, as well as
data on concluded contracts;
6. "public data in the public interest" means any data not covered by the concept of data of public interest, the disclosure of which,
its acquaintance or making available is required by law in the public interest;
7. consent: a voluntary, clear and well-informed statement of the will of the data subject
by means of a statement or other conduct which unequivocally expresses his or her will, that he or she consents to the
to handle personal data;
8.
9. "controller" means the natural or legal person, or any entity without legal personality, who - or which is - by law
or within the framework set out in a binding act of the European Union, for the purpose of processing the data individually or together with others
make and implement decisions on data management (including the means used), or
executed by a data processor;
9a. joint controller: a controller who is defined by law or a binding act of the European Union
the purposes and means of data management in conjunction with one or more other data controllers,
(including the instrument used) is taken and implemented jointly with one or more other data controllers, or
executed by the data processor;
10. "data processing" means any operation or combination of operations carried out on data, whatever the procedure used, and in particular:
collecting, recording, recording, organizing, storing, altering, using, retrieving, transmitting, disclosing,
harmonization or interconnection, blocking, erasure and destruction of data and further use of the data
photograph, sound or image, and physical features that can be used to identify the person (e.g. fingerprint or palmprint, DNA sample, iris image);
10a. data processing for law enforcement purposes: public order or public security within the scope of its tasks and competences defined by law
to prevent or eliminate threats, to prevent, detect, prosecute or
the prevention and detection of infringements and the conduct of infringement proceedings, or
participation in such proceedings and the legal consequences of criminal or infringement proceedings
(hereinafter collectively referred to as "law enforcement data processing agency")
within the framework and for the purpose of this activity - including archival, scientific and statistical data related to this activity
or for historical purposes (hereinafter collectively referred to as "law enforcement purposes");
10b. data management for national security purposes: in the tasks and competences of the national security services defined by law
and the tasks and powers of the police counter-terrorism body as defined by law
data management carried out under the scope of the National Security Services Act;
10c. data management for national defense purposes: the Act on National Defense Data Management, as well as on national defense and the Hungarian Armed Forces,
and the Act on Measures that May Be Introduced in the Special Legal Order, and for service purposes in the territory of the Republic of Hungary
foreign armed forces stationed in the territory of the Republic of Hungary and international military headquarters established in the territory of the Republic of Hungary; and
data management within the scope of the Act on the Registration of Their Stock and Certain Provisions Related to Their Legal Status;
11. "transfer of data" means making the data available to a specified third party;
11a. indirect data transfer: the processing of personal data in a third country or in the framework of an international organization
in another third country or by an international organization
to a data controller or data processor
11b. international organization: an organization governed by public international law and its subsidiary bodies, as well as any other body
established by or on the basis of an agreement between two or more States;
12. disclosure: making the data available to anyone;
13. erasure: making the data unrecognizable in such a way that it is no longer possible to recover it;
14.
15. restriction of data processing: blocking of stored data by marking it in order to restrict further processing of the data;
16. "destruction" means the complete physical destruction of a data medium;
17. data processing: data processing performed by a data processor acting on behalf of or at the request of the data controller
set of operations;
18. "processor" shall mean any natural or legal person, or any entity without legal personality, who:
within the framework and under the conditions laid down by law or a binding act of the European Union - on behalf of the controller
or handles personal data pursuant to its order;
19. "data controller" means the body performing a public task which has produced public interest data which must be published by electronic means; or
during the operation of which this data was generated;
20. informant: a body performing a public task which, if the data controller does not publish the data itself,
publish the transmitted data on a website;
21. data set: the totality of the data managed in one register;
22. "third party" means any natural or legal person, or any entity without legal personality, who does not
the data subject, the controller, the processor or the persons who
carry out operations for the processing of personal data under its direct control;
23. EEA State: a Member State of the European Union and another State party to the Agreement on the European Economic Area, as well as
a State of which the European Union and its Member States are nationals and which is not a party to the Agreement on the European Economic Area
with a national of a State party to the Agreement on the European Economic Area under an international agreement concluded between
enjoys the same legal status;
24. "third country" means any State that is not an EEA State;
25.
26. data protection incident: a breach of data security which involves the transfer, storage or other handling of personal data
accidental or unlawful destruction, loss, alteration, unauthorized transfer or disclosure, or
results in unauthorized access to them;
27. "profiling" means the processing of personal data in any automated manner, in relation to the personal characteristics of the data subject;
in particular his job performance, economic situation, state of health, personal preferences or
to assess the characteristics of his interest, reliability, behavior, location or movement,
aimed at analyzing or forecasting;
28. consignee: the natural or legal person or entity without legal personality to whom or for which
personal data is made available by the data controller or data processor;
29. pseudonymisation: the processing of personal data in such a way that, stored separately from the personal data, additional information
without the use of it makes it impossible to determine to which data subject the personal data relate, as well as technical and organizational
take measures to ensure that it cannot be linked to an identified or identifiable natural person;

CHAPTER II.
PERSONAL DATA PROTECTION REQUIREMENTS

4. Principles of personal data processing

§ 4. (1) Personal data may be processed only for a clearly defined, lawful purpose, in order to exercise a right and fulfill an obligation. At all stages of data management, the purpose of data management, data collection and management must be appropriate
it must be fair and lawful.
(2) Only personal data which is essential for the realization of the purpose of data processing and suitable for the achievement of the purpose may be processed. Personal data may be processed only to the extent and for the time necessary to achieve the purpose.
(3) Personal data shall retain their quality during data processing as long as the connection with the data subject can be restored. With the person concerned
the connection can be restored if the data controller has the technical conditions necessary for the restoration.
(4) The processing shall ensure the accuracy, completeness and, where necessary for the purpose of the processing, the accuracy and completeness of the data.
up-to-date and that the data subject can only be identified for the time necessary for the purpose of the processing.
(4a) The processing of data shall be subject to appropriate technical or organizational measures, in particular the unauthorized or unlawful processing of data,
protection against accidental loss, destruction or damage
adequate security of personal data.
(5) The processing of personal data shall be considered fair and lawful if the data subject's freedom of expression
the person seeking the opinion of the data subject shall visit the data subject's place of residence or stay,
provided that the personal data of the data subject are processed in accordance with the provisions of this Act and the personal request is not for business purposes
is aimed at. Personal inquiries may not be made on a public holiday in accordance with the Labor Code.
5. Legal basis and general conditions of data processing
§ 5. (1) Personal data may be processed if
(a) it is authorized by law or - law, to the extent specified therein, as special data or criminal personal data
in the case of data that does not qualify as data - a local government decree orders for a purpose based on the public interest,
b) in the absence of the provisions of point a) , in order to perform the tasks of the data controller specified by law
necessary and the data subject has expressly consented to the processing of personal data,
(c) in the absence of the provisions of point (a), to protect the vital interests of the person concerned or of another person; and
necessary and proportionate to prevent or avert an imminent threat to the life, limb or property of persons, or
(d) in the absence of the provisions of point (a), the personal data have been explicitly disclosed by the data subject and
necessary and proportionate to achieve its objective.
(2) Special information
a) of paragraph (1) d) c) approval of two or
(b) may be dealt with if it is strictly necessary and proportionate for the performance of the international treaty promulgated by law, or
enforcement of a fundamental right guaranteed by the Basic Law, as well as national security, prevention, detection or prosecution of criminal offenses;
law or in the interests of national defense.
(3) Paragraph 1 (a), paragraph 2 (b) and Article 6 (1) (c) and (e) of the General Data Protection Regulation
(hereinafter referred to as "mandatory data processing"), the types of data to be processed, the purpose of the data processing and
access to the data, the identity of the controller and the duration or necessity of
its review is determined by the law or local government decree ordering data management.
(4) Only a state or local government body may handle state measures for the prevention, detection and prosecution of criminal offenses,
and personal data processed in the course of the performance of its administrative and judicial tasks, and
civil, non-litigious and administrative litigation and non-litigious matters.
records.
(5) If the duration or necessity of the mandatory data processing is periodically reviewed by law, local government decree or
Not specified in a binding legal act of the European Union, the controller shall review it at least every three years from the start of the processing,
that the processing of personal data by him or on behalf of or at the
necessary for the purpose of data processing. The circumstances and results of this review shall be documented by the controller, this
documentation shall be kept for ten years after the review and shall be kept by the National Data Protection and Freedom of Information Authority
(hereinafter "the Authority") shall be made available to the Authority upon request.
(6) In the case of processing of special data, the data controller or the data processor acting on its behalf or at its disposal shall
ensure by technical and organizational measures that, in the course of data processing operations, only
have access who is absolutely necessary for the performance of his task related to the data processing operation.
(7) In the case of the processing of criminal personal data - if it is required by law, an international treaty or a binding legal act of the European Union
unless otherwise provided, the rules on the conditions for the processing of specific data shall apply.
(8) A body or person conducting scientific research may disclose personal data if it relates to historical events
necessary to present the results of the research carried out.
§ 6 Based solely on automated data processing, in particular profiling, on the person or legitimate interests of the data subject
a decision adversely affecting a person or having a significant effect on the person concerned may be taken only if
it is expressly permitted by law or a binding act of the European Union, and
(a) it does not infringe the requirement of equal treatment,
(b) the controller or the processor acting on his behalf or at his disposal
(ba) inform the data subject, upon request, of the method and criteria used in the decision-making mechanism,
(bb) at the request of the data subject, review the outcome of the decision using human assistance; and
(c) by using non-specific data, unless otherwise provided by law or a binding act of the European Union
will take place.
§ 7. (1) In the case of data processing for law enforcement purposes, the data controller or a data processor acting on its behalf or on its basis -
disproportionate difficulty or cost, systematises the personal data
personal data of data subjects
(a) in respect of whom there are reasonable grounds for believing that a criminal offense or irregularity has been committed or is being committed;
to commit
(b) who have been held legally liable for a criminal offense or infringement,
(c) who have been the victims of a criminal offense or an offense or who can reasonably be expected to have committed a criminal offense or an offense;
may be victims of an infringement, or
(d) who, in addition to those set out in points (a) to (c), have been involved in a criminal offense or an offense or the perpetrators
in particular those who may be heard as witnesses in criminal proceedings, on the offense or the offense
information or are related to or related to the stakeholders referred to in points (a) and (b)
can be brought.
(2) In the case of data processing for law enforcement purposes, the data controller or the data processor acting on its behalf or on its basis - if the
disproportionate difficulty or cost, makes a clear distinction between the facts
subjective assessments that can be linked to the data subject.
6. Terms of data transfer
§ 8. (1) Prior to the transfer, the controller or the processor acting on his behalf or at his disposal
examine the accuracy, completeness and up-to-dateness of the personal data to be transmitted.
(2) If, as a result of the investigation provided for in paragraph 1, the controller or on his behalf or at his disposal
that the data to be transmitted are inaccurate, incomplete or no longer up-to-date,
in the event that
(a) it is strictly necessary for the purpose of the transfer, and
(b) at the same time as the data are transmitted, inform the recipient of the accuracy, completeness and up-to-dateness of the data;
information available in this context.
(3) If, after the transfer of data, the data controller or the data processor acting on his or her behalf or on his or her behalf
that the transfer is provided for by law, an international treaty or a binding act of the European Union
conditions are not met, it shall immediately notify the consignee.
§ 9. (1) If, pursuant to the provisions of a law, an international treaty or a binding legal act of the European Union, the controller or the
the data controller receives the personal data in such a way that the data controller or processor transmitting the data simultaneously with the data transmission
indicates personal information
a) the possible purpose of its management,
b) the possible duration of its treatment,
c) the possible recipients of its transmission,
(d) a restriction on the rights of the data subject under this Act, or
(e) other conditions for its handling
[points (a) to (e) together hereinafter: data processing conditions], the controller and processor receiving the personal data
(hereinafter referred to as "the recipient") handles the personal data to the extent and in the manner required by the data processing conditions,
provided in accordance with the data management conditions.
(2) The recipient may process personal data and ensure the rights of the data subject, notwithstanding the conditions of data processing, if:
the data controller has given its prior approval.
(3) If, pursuant to a law, an international treaty or a provision of a binding act of the European Union, the controller or the
the data processor handles personal data with the obligation to apply data management conditions, at the same time as its transmission
inform the recipient of the conditions of data processing and the legal obligation to apply them.
(4) If the prior approval specified in subsection (2) and subsection 10 (2) ( c) (ca)
the data controller is entitled to the law, the data controller is entitled to grant this prior approval if it is the data transfer.
including the necessity and purpose of the data transfer, does not conflict with the
applicable to data subjects, in particular where the transfer of data, including indirect
with regard to the recipient, an adequate level of protection of personal data may be presumed on the basis of the provisions of Section 10 (4) a) -c) .
(5) Upon request, the data controller shall inform the data controller of the use of the personal data received.
§ 10. (1) Personal data shall be processed by a data controller or data processor in a third country falling within the scope of this Act, as well as by an international data controller.
to a controller or processor processing data within the framework of an organization, including indirect data transmission, then
may be transmitted (hereinafter together referred to as international data transmission) if
(a) the data subject has expressly consented to the international transfer, or
(b) the international transfer is necessary to achieve the purpose of the processing; and
(ba) in doing so, the conditions for data processing provided for in Article 5 are met, and
(bb) a controller or processor carrying out data processing in a third country or within the framework of an international organization;
an adequate level of protection of the personal data transmitted is ensured, or
c) the international transfer of data is necessary in the exceptional cases specified in § 11.
(2) In the case of data processing for law enforcement purposes, for international data transfer even if the conditions specified in subsection (1) are met
can only take place if
(a) necessary for law enforcement purposes,
(b) its addressee
(ba) a law enforcement data processing authority, or
bb) a non-law enforcement data processing body and the conditions specified in Section 11 (3) are met, and
(c) in the case of the receipt of personal data involved in an international transfer from a controller of an EEA State,
(ca) the international transfer of such personal data is carried out by the controller or other body acting on behalf of the EEA State;
or with the prior approval of a person, or
(cb) with the exception of indirect data transfers, international data transfers are essential for Hungary or another EEA State.
necessary to prevent a serious and imminent threat to the interests of those States or to the public security of those States or third countries
and ( ca) without prejudice to those interests, prior to the international transfer.
possible.
(3) The controller shall, immediately after the international transfer referred to in paragraph 2 (c) (cb),
inform the body or person authorized for prior approval pursuant to paragraph 2 (c) (ca).
(4) An adequate level of protection of personal data shall be deemed to be ensured until proven otherwise if:
(a) a binding act of the European Union states that
(b) in the absence of an act pursuant to point (a) or in the event of suspension, Article 14, Article 22 and Article 23
An international agreement containing guarantee rules for the enforcement of the rights contained in § shall apply to Hungary and
between a third country or an international organization whose jurisdiction extends to the recipient of the international transfer, or
(c) in the absence of an act specified in points (a) to ( b) or in the event of suspension, the international transfer
Prior to that, the controller examined all the circumstances of the transfer of personal data and concluded that
there are adequate guarantees regarding the adequate level of protection of personal data.
§ 11. (1) If an adequate level of protection of personal data cannot be presumed on the basis of the provisions of § 10 (4) a)-c),
international transfers of data without the express consent of the data subject shall be possible only if:
(a) necessary to protect the vital interests of the data subject or of another person,
(b) necessary to address an imminent and serious threat to the public security of an EEA State or a third country,
(c) in an individual case, on a case-by-case basis, for the efficient and effective conduct of investigations or proceedings by the controller
necessary and does not involve a disproportionate restriction of the fundamental rights of the data subject, or
(d) in an individual case, on a case-by-case basis, in order to present, assert or defend the data subject's or other legal claims
necessary and does not constitute a disproportionate restriction of the fundamental rights of the data subject.

(2) In the case of data processing for law enforcement purposes, if the recipient of the international data transfer is a law enforcement data processing body and the
an adequate level of protection of personal data cannot be presumed on the basis of Section 10 (4) a) -c) , international
the transfer of data without the express consent of the data subject is only possible if the
a) of paragraph (1) a) and b) required for a purpose set out in point
(b) necessary to safeguard the legitimate interests of the data subject,
(c) is necessary for law enforcement purposes in an individual case, on a case-by-case basis and does not involve a disproportionate
by restricting, or
d) in a specific case for the submission, enforcement or defense of legal claims related to a law enforcement purpose,
necessary on a case-by-case basis and does not involve a disproportionate restriction of the fundamental rights of the data subject.
(3) In the case of data processing for law enforcement purposes, if the recipient of the international data transfer is not a body conducting law enforcement data processing,
international transfer without the express consent of the data subject only on a case-by-case basis, on a case-by-case basis
possible if
(a) strictly necessary for law enforcement purposes falling within the tasks and powers of the controller making the international transfer,
(b) it does not involve a disproportionate restriction of the fundamental rights of the data subject,
(c) the purpose of the international transfer through an international transfer to a law enforcement agency
not effectively achieved,
(d) the controller performing the international transfer is a third party with jurisdiction over the international transfer
a law enforcement body in the framework of a national or international organization on international data transfers without delay;
unless the purpose of the international transfer cannot be effectively achieved in the event of such communication, and
(e) the controller of the international transfer informs the recipient of the possible purpose of processing the transferred data.
*
§ 12. (1)
If the data controller or data processor is the international data transfer

a) is based on the presumption contained in Section 10 (4) ( c) , or
b) in the case of law enforcement data processing, to a recipient other than a law enforcement data processing body,
the controller for the same purpose, to the same recipient, immediately after the first international transfer of data
inform the Authority of the purpose of the international transfer, the recipient and the scope of the transferred data, and - in point ( a)
in certain cases, on the regularity of international data transfers.
(2) If the controller or processor processes the international data
a) is based on the presumption contained in Section 10 (4) (c), or
(b) in the case of data processing for law enforcement purposes
ba) for a body conducting law enforcement data processing as specified in Section 11 (2), or
bb) to a recipient other than a law enforcement body,
the conditions for the international transfer of data, in particular the data specified in paragraph 1, and
the date of the international transfer, the personal data transmitted and, in the case specified in point (a), the
documents the name of the guarantees examined and duly identified by the data controller, this documentation shall be documented in accordance with Article 25 / F. § (4)
shall keep it for a specified period and make it available to the Authority upon request.
§ 13 (1) The transmission of data to agencies, offices and bodies set up in accordance with Chapters 4 and 5 of Title V of the Treaty on the Functioning of the European Union
shall be deemed as if the data were transferred within the territory of Hungary.
(2) International data transfers in accordance with Article 96 of the General Data Protection Regulation and Article 61 of Directive 2016/680 / EU
on the basis of specific international agreements for the purposes, under the conditions and in the scope specified therein, pending their amendment,
until their termination, cessation or suspension of their application - in the absence of the conditions specified in this Act.
II / A. CHAPTER
RIGHTS OF THE PERSON CONCERNED

7. Rights of the data subject
§ 14 The data subject has the right to have the data subject and the data processor acting on his or her behalf or on his or her behalf
in accordance with the conditions set out in this Act
(a) be informed of the facts relating to the processing prior to the commencement of the processing (hereinafter
right to information),
(b) upon request, provide the controller with personal data and information related to their processing (a
hereinafter referred to as "right of access"),
(c) at his request and in the other cases provided for in this Chapter, his personal data be rectified by the controller; or
supplement (hereinafter referred to as the right to rectification),
(d) at his request and in the other cases provided for in this Chapter, the processing of his personal data is restricted by the controller (a
hereinafter referred to as "the right to restrict data processing"),
(e) at his request and in the other cases provided for in this Chapter, his personal data are deleted by the controller (hereinafter:
right of cancellation).
8. Ensuring the enforcement of the data subject's rights
§ 15. (1) The data controller shall take appropriate technical and organizational measures in order to facilitate the enforcement of the rights of the data subject,
in particular
(a) any notice and information to be provided to the data subject in the cases specified in this Act is easily accessible; and
in a legible form, with concise, clear and comprehensible content, and
(b) a request by the data subject to assert the rights to which he or she is entitled from the time it is lodged
assess the data subject in writing as soon as possible and in any case within twenty-five days or
submitted by electronic means.
(2) The data controller shall perform the tasks specified in this Act in connection with the enforcement of the rights specified in Section 14,
with the exception set out in paragraph (3), free of charge.
(3) If the person concerned
a) in the current year, a repeated application for the enforcement of the rights specified in Section 14 b) -e) for the same data set
submits and
(b) personal data processed on the basis of that request by the controller or by a processor acting on his behalf or at his disposal;
rectification, erasure or restriction of data processing is lawfully waived by the data controller,
in connection with the repeated and unjustified exercise of the data subject's rights under points (a) and (b)
may claim reimbursement of the costs directly incurred from the person concerned.
(4) If it can be reasonably assumed that the person submitting an application for the enforcement of the rights specified in Section 14 b) -e)
not a data subject, the controller shall provide credible proof of the identity of the person submitting the request.
after.
§ 16 (1) In order to exercise the right of prior consultation, the controller shall, on his behalf or on his behalf or
before the start of the processing operations carried out by the
immediately after the start of the data processing operation
(a) the name and contact details of the controller and, if a processing operation is carried out by a processor, the processor,
(b) the name and contact details of the Data Protection Officer,
(c) the purpose of the intended processing; and
d) a description of the rights of the data subject under this Act and the manner of exercising them.
2. Simultaneously with the provisions of paragraph 1, in the same way or at the addressee, the controller shall provide the data subject with
provides information
a) the legal basis of the data processing,
b) the period of retention of the personal data processed, the criteria for determining this period,
(c) in the case of transfers or planned transfers of personal data processed, the recipients of the transfers, including third parties;
recipients and international organizations in the country,
(d) the source of the collection of the personal data processed; and
(e) any other relevant facts relating to the circumstances of the processing.
3. The execution of the information referred to in paragraph 2 may be delayed by the controller in proportion to the aim pursued,
restrict the content of the information or omit the information if such action is strictly necessary
(a) the investigations or proceedings carried out by him or with his participation, including in particular criminal proceedings, are effective and efficient
conducting
(b) the effective and efficient prevention and detection of criminal offenses,
(c) the enforcement of penalties and measures against perpetrators,
d) the effective and efficient protection of public security,
(e) the effective and efficient protection of the external and internal security of the State, in particular national defense and national security; or
(f) to ensure the protection of the fundamental rights of third parties.
§ 17. (1) In order to enforce the right of access, the data controller shall, at the request of the data subject, inform him or her
whether his or her personal data is handled by the data controller himself or by a data processor acting on his or her behalf or at his or her disposal.
2. Where the personal data of the data subject are processed by the controller or by a processor acting on his or her behalf or at his or her disposal, the
in addition to the provisions of paragraph 1, the controller makes it available to the data subject by and on behalf of the data subject; or
personal data processed by a data controller acting in accordance with
a) the source of the personal data processed,
b) the purpose and legal basis of the data processing,
c) the scope of the personal data processed,
(d) in the case of transfers of processed personal data, the recipients of the transfer, including third country recipients; and
international organizations,
e) the period of retention of the personal data processed, the criteria for determining this period,
f) a description of the rights of the data subject under this Act and the manner of exercising them,
(g) if profiling is used, the fact of it; and
(h) the circumstances in which data protection incidents have occurred in connection with the processing of the personal data of the data subject, their
effects and the measures taken to deal with them.
(3) The exercise of the data subject's right of access may be restricted by the controller in proportion to the aim pursued or
may refuse if such a measure is absolutely necessary in the interests of one of the interests specified in Section 16 (3) a)-f)
to ensure.
4. If a measure pursuant to paragraph 3 is applied, the controller shall immediately inform the data subject in writing.
(a) the fact that access is restricted or refused, and the reasons in law and in fact, if any;
does not jeopardize the exercise of any of the interests specified in Section 16 (3) a) -f) , and
(b) the rights of the data subject under this Act and the manner in which they are to be exercised, in particular that the data subject
may also exercise its right of access with the assistance of the Authority.
§ 18. (1) In order to enforce the right to rectification, the data controller, if by or on behalf of or at the disposal of
personal data processed by a controller acting on the basis of an inaccurate, incorrect or incomplete
immediately clarify or correct it or, if it is compatible with the purpose of the processing,
additional personal data provided to him or her or a statement attached to the personal data processed by the data subject
(hereinafter collectively referred to as "Corrigendum").
(2) The controller shall be released from the obligation set out in paragraph (1) if:
(a) accurate, correct or complete personal data are not available and are not provided by the data subject
available, or
(b) the veracity of the personal data provided to him by the data subject cannot be established beyond doubt.
3. If the controller acts in accordance with paragraph 1, acting on his behalf or on his behalf or at his disposal,
rectifies the personal data processed by the data controller, informs the
the controller to whom the personal data affected by the rectification were transmitted.
§ 19 (1) In order to exercise the right to restrict data processing, the controller shall be defined in paragraph 2
limits data management to data management operations,
(a) if the data subject contests the personal data processed by the controller or by a processor acting on his behalf or at his request;
the accuracy, correctness or completeness of the data and the accuracy, correctness or completeness of the personal data processed
cannot be established beyond a reasonable doubt, for the duration of the clarification of the existing doubt,
b) if it would be necessary to delete the data as specified in Section 20 a) , but the data subject's written statement or
on the basis of the information available to the controller, it can be reasonably assumed that the deletion of the data would infringe the legitimate interests of the data subject.
the duration of the legitimate interest justifying the non-cancellation,
c) if it would be appropriate to delete the data as specified in Section 20 a) , but the data controller or other public service
in the course of investigations or proceedings provided for by law, including in particular criminal proceedings, carried out by or with the participation of a body
it is necessary to retain the data as evidence until the final or final conclusion of this investigation or proceeding,
d) if it would be appropriate to delete the data as specified in Section 20 a) , but the documentation set out in Section 12 (2)
In order to fulfill this obligation, it is necessary to retain the data, in accordance with Article 25 / F. § (4).
(2) During the period of the restriction of data processing, the personal data affected by the restriction shall be
trustee or acting on the basis of the order of the data processor in addition to storage other data processing operation only by the data subject is legitimate
or in a law, international treaty or binding act of the European Union
as specified.
3. In the event of the removal of a data processing restriction as defined in paragraph 1 ( a) , the data controller shall
inform the data subject in advance of the lifting of the restriction.
§ 20 In order to enforce the right to delete, the data controller shall immediately delete the personal data of the data subject if
(a) the processing is unlawful, in particular if the processing
(aa) contrary to the principles set out in Article 4,
(ab) its purpose has ceased to exist or further processing of the data is no longer necessary for the purpose of the processing,
(ac) a period of time specified by law, international treaty or binding act of the European Union has elapsed, or
(ad) its legal basis has ceased to exist and there is no other legal basis for the processing of the data,
(b) the data subject withdraws his or her consent to the processing or requests the deletion of his or her personal data, unless the data
its management is based on Section 5 (1) ( a) or (c) or (2) ( b) ,
(c) the erasure of the data has been ordered by law, an act of the European Union, the Authority or a court, or
d) the period specified in Section 19 (1) ( b) - (d) has elapsed.
§ 21. (1) If the request of the data subject is handled by the data controller or by a data processor acting on his or her behalf or on his or her behalf
the controller refuses to rectify, delete or restrict the processing of personal data in writing,
inform it without delay
(a) the fact of the refusal, the legal and factual grounds for it; and
b) the rights of the data subject under this Act and the manner of exercising them, in particular that the controller,
rectification, erasure or erasure of personal data processed by or on behalf of
may also exercise its right to restrict the processing of personal data with the assistance of the Authority.
2. The controller may delay the execution of the information referred to in paragraph 1 ( a) in proportion to the aim pursued,
may limit the content of the information or omit the information if this measure is absolutely necessary in accordance with Section 16 (3)
to secure an interest as defined in points ( a) to (f) of paragraph 1.
(3) If the controller processes personal data processed by him or her or by a processor acting on his or her behalf or at his or her disposal
rectifies, deletes or restricts the processing of such data, the controller shall notify the fact of that measure and its content to the
controllers and processors to whom the data were transmitted prior to this measure in order to
rectification, erasure or restriction on the processing of data in respect of their own data processing.
§ 22 In order to enforce his rights, the data subject shall, as defined in Chapter
a) the Authority may initiate an investigation in order to examine the lawfulness of the measure of the data controller, if the data controller
restricts the exercise of certain of its rights or rejects its request for the exercise of those rights; and
(b) request the Authority to carry out an official data protection procedure if, in its opinion, the
the data controller or the data processor entrusted by him or acting on his or her behalf violates the processing of personal data
legislation or a binding act of the European Union.
§ 23. (1) The data subject in connection with the data management operations falling within the scope of activities of the data controller or the data processor
- may take legal action against the data controller if, in his opinion, the data controller or on behalf of or on behalf of the data controller
processing of personal data is the processing of personal data in accordance with the law on the processing of personal data or mandatory legal acts of the European Union
in breach of the provisions laid down in its act.
(2) Whether the processing is in accordance with a law or a binding act of the European Union on the processing of personal data
specific requirements, in particular in the case of data processing falling within the scope of Section 2 (3), in Section 4 (1) - (4a)
meets the essential requirements laid down by the controller, the controller or processor must prove it.
(3) The person concerned may, at his or her choice, also institute proceedings before the court having jurisdiction over his or her place of residence or stay.
(4) A party who does not otherwise have legal capacity to sue may also be a party to a lawsuit. The action shall be brought by the Authority for the benefit of the person concerned
may intervene.
(5) If the court upholds the action, it shall establish the fact of the infringement and the controller or processor shall be informed.
a) to terminate the unlawful data processing operation,
(b) to restore the lawfulness of data processing; or
(c) to demonstrate well-defined conduct to ensure the exercise of the data subject's rights
obliges and, if necessary, also decides on the claim for damages.
(6) The court may order the publication of its judgment by publishing the identification data of the data controller or data processor.
the judgment concerns a wide range of persons, the defendant is a data controller or a
the gravity of the infringement justifies disclosure.
§ 24. (1) If the data controller or the data processor commissioned by him or acting on the basis of his or her order for the processing of personal data
infringes the relevant provisions of law or a binding act of the European Union and thereby causes damage to others,
is obliged to reimburse it.
(2) If the data controller or the data processor entrusted by him or acting on his or her basis for the processing of personal data
infringes the requirements laid down in law or in a binding act of the European Union
the data subject's rights have been infringed by the data controller or by the data controller or on his behalf or at his disposal
claim damages from the data controller.
3. The controller shall be released from liability for damage and the obligation to pay damages if it proves that the
damage or infringement caused by a violation of the right to privacy was caused by an unavoidable cause outside the scope of data processing.
4. The processor shall be released from liability for damage and from the payment of damages if it proves that:
the processing of personal data in the course of its data processing operations is required by law or by the European Union
obligations imposed on data controllers and the lawful instructions of the controller
complied with.
5. The controller and the processor acting on his behalf or at his disposal, as well as the joint controllers and their
data controllers or acting on their behalf, in accordance with the law or the European
In breach of the rules laid down in a binding act of the Union
(a) are jointly and severally liable for damage against the person concerned; and
(b) jointly and severally pay the person concerned damages in the event of a personal injury.
(6) Damage shall not be compensated and damages may not be claimed to the extent that the damage is caused to the injured party or to the right of personality.
violation of the law caused by the intentional or grossly negligent conduct of a person who has violated the right to privacy
originated.
9. Enforcement of rights related to personal data after the death of the data subject
§ 25. (1) Within five years after the death of the data subject, in § 14 b)-e) or - subject to the general data protection regulation
in the case of data processing operations - Articles 15-18 of the General Data Protection Regulation. and the life of the deceased as defined in Articles 21 and 21
the person concerned by an administrative order or in an authentic instrument or a private document of full probative value,
a statement made to the controller - if the data subject has made more than one statement to a controller, a statement made at a later date authorized person is entitled to enforce.
(2) If the data subject has not made a declaration of rights in accordance with paragraph (1), his or her close relative under the Civil Code shall
§ 14 ( c) in the case of data processing operations falling within the scope of the General Data Protection Regulation.
Articles 16 and 21 of the General Data Protection Regulation and, if the processing has been unlawful in the life of the data subject or
the purpose of data processing ceased with the death of the data subject - in accordance with Section 14 d) and e) , the scope of the general data protection regulation
provided for in Articles 17 and 18 of the General Data Protection Regulation
within five years of the death of the data subject. It is close to enforcing the data subject's rights under this paragraph
the relative who first exercises that right.
3. The exercise of the rights of the data subject pursuant to paragraphs 1 or 2 shall be subject to the exercise of those rights, in particular by the controller.
in proceedings before the Authority or a court, the rights established by this Act for the person concerned and
obligations.
(4) The person exercising the rights of the data subject pursuant to subsection (1) or (2)
extract or a court decision, as well as his own identity and, in the case referred to in paragraph 2, his close relatives.
certified by an authentic instrument.
(5) Upon request, the data controller shall inform his / her close relative according to the provisions of paragraphs (1) and (2) of the relevant Civil Code.
unless prohibited by the data subject in a declaration as provided for in paragraph 1.
II / B. CHAPTER
OBLIGATIONS OF THE DATA CONTROLLER AND THE DATA PROCESSOR

10. General tasks of the data controller
25 / A. § (1) In order to ensure the lawfulness of data processing, the data controller shall comply with all the circumstances of data processing, in particular:
fundamental rights of data subjects in line with the risks to the fundamental rights of
take organizational measures, including, where appropriate, the use of pseudonymisation. These measures are taken by the data controller
it shall be regularly reviewed and, if necessary, amended accordingly.
(2) The measures provided for in paragraph (1) shall be designed to:
(a) reasonably taking into account the current state of science and technology and the cost of implementing the measures
the requirements for the processing of personal data in an accessible way, in particular the principles of data processing and the rights of data subjects
effective enforcement, and
(b) be suitable and adequate to ensure that, by default
(ba) personal data are processed only to the extent and for the duration for which they were processed
necessary for the purposes of this Regulation, and
(bb) personal data processed by the controller may not be disclosed to the public without the express consent of the data subject
available.
3. Where the controller is required to designate a data protection officer, as part of the measures provided for in paragraph 1, the
the data controller develops and applies internal data protection and data security regulations.
(4) Who has access to personal data processed within the scope of the data controller's activities as a data processor or under the control of the data controller
unless otherwise provided by law, an international treaty or a binding act of the European Union
personal data affected by access for the sole purpose of carrying out the operations specified in the instructions of the controller
entitled.
(5) The data controller and the data processor shall conduct procedures related to the lawfulness of the data processing operations performed by them.
authorized bodies and persons, the information necessary for them to carry out their
to specify.
25 / B. § (1) If it is carried out by joint controllers by law, international treaty or binding act of the European Union
fulfillment of data processing obligations, in particular the enforcement of the data subject's rights, and
does not, or does not fully, determine the division of their liability for non-compliance
to the extent not governed by the legal obligations applicable to them, the joint controllers shall
defined in the agreement reached.
(2) Unless otherwise provided by law, international treaty or binding act of the European Union, paragraph 1 shall apply
the joint data controller to be contacted to whom the data subject has
entitled to apply for the enforcement of his rights. In the absence of the designation or designation of a contact point, the
affected by his rights under this Act in respect of any data processing operation performed by joint controllers of any joint
against the data controller.
11. The data processor
25 / C. § (1) Only a person or organization which provides adequate guarantees shall act as a processor
technical and organizational measures to ensure the lawfulness of data processing and the protection of data subjects' rights
to implement. These guarantees shall be certified to the controller by the data controller prior to the commencement of data processing.
2. A data processor may use an additional data processor only if it is not precluded by law and if the
the data controller may use an additional data processor in advance in an authentic instrument or in a private document with full probative value.
gave a general authorization.
(3) If the data processor uses the additional data processor on the basis of the general authorization of the data controller, the data processor shall
inform the controller of the identity of the further processor and the
the planned tasks to be performed by the data processor. If the data controller is based on this information, the additional data processor
the use of an additional processor, the processor shall only use the data specified in the objection.
if the conditions are met.
25 / D. § (1) The detailed content of the legal relationship between the data controller and the data processor shall be determined in accordance with this Act and the European Union
within the framework set out in a binding legal act or in writing between the controller and the processor
including an electronically concluded contract. Granted by the data controller to the data processor
the controller is responsible for the lawfulness of the instructions.
(2) The legislation or contract specified in subsection (1) shall contain the subject matter, duration and nature of the data processing.
the type of personal data concerned, the range of data subjects and the data processor and controller in this Act, as well as the
Rights and obligations not covered by a binding act of the European Union.
3. The law or contract referred to in paragraph 1 shall provide in particular for the data controller
obligation to
(a) acts solely on the basis of a written instruction from the controller,
(b) in the course of its activities, ensure that the persons entitled to access the personal data concerned, if required by law
otherwise subject to an appropriate obligation of confidentiality based on the personal data of which they have access
undertake confidentiality,
(c) in the course of its activities, assist the controller by all appropriate means to facilitate the enforcement of the rights of data subjects, thereby
in order to fulfill its obligations in relation to
d) at the choice of the data controller, after the completion of the data processing operations performed by him / her - unless otherwise provided by law
immediately delete personal data obtained in the course of its activities or transmit them to the controller and
deletes existing copies after
(e) provide the controller with all information which is legal for the use of the processor
necessary to demonstrate compliance with the provisions of this Regulation, and
f) uses an additional data processor only if the conditions specified in this Act are met.
(4) If, by way of derogation from the provisions of this Act, a data processor determines the purposes and means of data processing, it shall
shall be considered a controller for the purposes of the data processing concerned.
12. The register of data controllers and data processors and the electronic log
25 / E. § (1) The data controller shall deal with the data processing related to the personal data in its processing, the data protection incidents and the
keep a register of the measures relating to the data subject's right of access (hereinafter collectively referred to as the "controller register"). The
recorded in the data controller register by the data controller
(a) the name and contact details of the controller, including each joint controller, and of the data protection officer;
b) the purpose or purposes of the data processing,
(c) in the case of transfers or planned transfers of personal data, to the recipients of the transfers, including third country
recipients and international organizations,
d) the scope of the data subjects and the data processed,
(e) where profiling is used, the fact that
f) in the case of international data transfers, the scope of the transferred data,
(g) the legal bases for data processing operations, including data transfers;
h) if known, the date on which the personal data processed were deleted,
i) a general description of the technical and organizational security measures implemented in accordance with this Act,
(j) the circumstances of the occurrence of data protection incidents in connection with the data which it processes, their effects and
measures taken to deal with them,
k) the legal and factual reasons for any measure restricting or denying the exercise of the data subject's right of access under this Act.
(2) The data processor shall keep records of the data processing carried out by it on behalf of or at the request of each data controller.
(hereinafter: data processor register). In the register of data processors, the data processor shall record:
(a) the names of the controller, the processor, the further processors and the data protection officer of the processor; and
contact details;
(b) the types of processing carried out on behalf of or at the request of the controller;
(c) in the case of an international transfer at the express instruction of the controller, the fact of the international transfer; and
the designation of the third country or international organization to which it is addressed;
d) a general description of the technical and organizational security measures implemented in accordance with this Act.

(3) The register of controllers and processors shall be kept in written or electronic form and shall be made available
to the Authority on request.
4. The obligation to keep a register of data controllers shall be imposed on the bodies performing data processing for national security purposes.
registration and documentation obligations specified in the National Security Services Act - Section 23 (2)
and 25 / A. § (5) in a manner suitable for fulfilling the requirements
can perform.
25 / F. § (1) For the purpose of verifying the lawfulness of data processing operations performed electronically with personal data, the
data controller and the data processor in an automated data management system (hereinafter: electronic log)
(a) the definition of the personal data concerned by the data processing operation,
b) the purpose and reason of the data processing operation,
c) the exact date of the data processing operation,
d) the identity of the person performing the data processing operation,
(e) in the case of a transfer of personal data, the recipient of the transfer.
(2) The data recorded in the electronic logbook shall be used only for checking the lawfulness of data processing, data security requirements
and for the purpose of criminal proceedings.
(3) The Authority shall provide the electronic journal with the activities specified in legislation for the purpose specified in subsection (2)
at the request of the controller and the processor,
transmits data to them.
(4) The data recorded in the register of data controllers and data processors, as well as in the electronic log, shall be deleted.
shall be kept for ten years following
(5) The obligation to keep an electronic log shall be imposed on the data processing bodies for national security purposes by the national security authorities.
registration and documentation obligations specified in the Services Act - Section 23 (2) and Section 25 / A. §
In a manner suitable to meet the requirements set out in paragraph 5.
13. Data protection impact assessment and prior consultation

25 / G. § 1. The controller shall, prior to the commencement of the planned processing, assess whether the planned processing
circumstances, in particular its purpose, the range of data subjects, the technology used in the data processing operations
what effects it is expected to have on the exercise of the fundamental rights of data subjects.
2. If, on the basis of the risk assessment carried out pursuant to paragraph 1, the planned processing is likely to be the responsibility of the data subjects,
substantially affects the exercise of a fundamental right (hereinafter referred to as "high-risk data processing"), the controller
except in the case provided for in paragraph 1, shall make a written analysis of the
the expected effects of the processing on the exercise of the fundamental rights of data subjects (hereinafter:
data protection impact assessment).
(3) If the Authority classifies a specific type of data processing as high-risk data processing and publishes that finding,
and the intended data management is of the same or similar type as that used in the type of data management covered by this finding
operation or series of operations, a high risk of the planned data processing shall be presumed.
4. If the Authority finds that a particular type of data processing does not constitute a high-risk
and publish this finding, and the planned data management shall be limited to the type of data management covered by this finding.
involves the use of the same or a similar type of operation or sequence of operations as used in
should not be considered as high-risk data management.
5. The data protection impact assessment shall contain at least a general description of the planned data processing operations,
the description and nature of the risks identified by the controller to the
designed and used by the controller to ensure the exercise of the right to personal data
measures.
(6) In the case of mandatory data processing, including in particular the mandatory processing for the purposes specified in Section 2 (3)
data processing - the data protection impact assessment with the content specified in paragraph 5 is prepared by the legislation prescribing data processing
continues.
25 / H. § (1) If the planned data management
(a) the results of the data protection impact assessment
in the absence of measures taken by the controller to mitigate the risks
would be or
(b) a high risk in accordance with Article 25 / G. § (3), it must be presumed that
within the framework of the controller or his activity, the data controller, with the exception specified in paragraph 2,
initiate a consultation with the Authority prior to the start of the investigation (hereinafter referred to as "prior consultation").
(2) In the case of mandatory data processing, including in particular the mandatory processing for the purposes specified in Section 2 (3)
data processing - prior consultation of the preparer of the legislation prescribing data management within the framework of the legislative preparation procedure
initiates and proceeds.
3. Within the framework of the controller or its activities, the processor shall, at the same time as initiating prior consultation,
make the results of the data protection impact assessment available to it and provide the Authority with information on any
which the Authority considers necessary for the effective conduct of the prior consultation.
4. If, in the course of the prior consultation, the Authority concludes that the
requirements set out in the legislation are not fully enforced - especially if, in his opinion, the data controller is
risks of data processing have not been properly identified or mitigated,
identify, in addition to or instead of any other action, appropriate action to address the identified deficiencies; and
proposes their implementation to the data controller or, limited to its scope of activities, to the data processor.
5. The Authority shall submit the proposal referred to in paragraph 4 within six weeks of the initiation of the prior consultation,
do it in writing. This period may be extended by the Authority by up to one month, in which case it shall state the reasons for the extension and
within one month of the initiation of the prior consultation.
data processor.
14. Data security measures

25 / I. § (1) In order to ensure an adequate level of security of the processed personal data, the data controller and the data processor shall:
fundamental rights of data subjects, in particular the special data of data subjects
take technical and organizational measures commensurate with the level of risk involved in
2. In developing and implementing the measures provided for in paragraph 1, the controller and the processor shall take into account:
takes into account all the circumstances of data management, in particular the current state of science and technology, the measures
the nature, scope and purposes of the processing, as well as the rights of the data
risks of varying probability and severity reported by
3. Within the scope of the data controller and its activities, the data processor shall ensure the measures specified in paragraph 1
a) equipment used for data management (hereinafter: data management system) access by unauthorized persons
refusal,

(b) prevent the unauthorized reading, copying, modification or removal of data media;
(c) the unauthorized input of personal data into the data management system and the personal data stored therein are unauthorized
to prevent access to, modification or deletion of
d) prevent the use of data-processing systems by unauthorized persons using data communication equipment,
(e) that the persons authorized to use the data management system are personal only as specified in the access authorization
access to data,
(f) the ability to verify and establish to which recipients the personal data are transmitted
transmitted or transmitted or made available,
(g) that it is subsequently possible to verify and establish which personal data have been input by the controller, at what time
system,
h) unauthorized access to personal data during their transmission or during the transport of the data carrier,
prevent the copying, modification or deletion of
(i) that the data management system can be recovered in the event of a breakdown; and
(j) that the data management system is operational, that errors in its operation are reported and that the
personal data may not be altered by malfunctioning of the system.
(4) In order to protect the data files processed electronically in the various registers, the data controller or the activity
the data processor shall ensure, by an appropriate technical solution, that the data stored in the records, unless required by law,
allow them to be directly linked and assigned to the data subject.
15. Dealing with data protection incidents

25 / J. § (1) The data controller with the data managed by the data processor acting on his or her behalf or on his or her behalf
sets out the context of paragraph (5) of data protection in connection with the incident raised a) , c) and d) information within the meaning of, and the
data protection incident immediately, but no later than seventy-two hours after becoming aware of the data protection incident
notify the Authority.
2. A data protection incident need not be reported if it is likely that it will not jeopardize the rights of the data subject.
to prevail.
3. If the controller fails to comply with the notification obligation set out in paragraph 1 within the time limit due to its obstruction, it shall
it shall comply immediately after the removal of the obstacle and shall attach to the notification a statement setting out the reasons for the delay.
(4) If the data protection incident has occurred in connection with the activities of the data processor or is otherwise
it shall immediately inform the controller after becoming aware of the data protection incident.
(5) Within the framework of the notification obligation specified in subsection (1), the data controller
(a) describe the nature of the data protection incident, including, where possible, the range and approximate number of data subjects and the
the scope and approximate amount of data involved in the incident,
(b) provide information on the name of the Data Protection Officer or other contact person designated to provide further information; and
contact details,
(c) describe the likely consequences of the data protection incident; and
(d) describe any action taken or planned by the controller to deal with the data protection incident;
mitigation and other measures.
6. If any of the information referred to in points (a) to (d) of paragraph 5 is not available to the controller at the time of notification,
by informing the controller of the availability of the information after the submission of the notification
immediately thereafter.
7. If, during the data protection incident, data transmitted by a controller of another EEA State to the controller
transmitted by the controller to a controller of another EEA State, the information specified in paragraph 5
the controller shall immediately communicate with the controller of that EEA State.
(8) The notification obligation specified in subsection (1) shall be complied with by the data controller, except for the notification containing classified data.
- on the electronic interface provided for that purpose by the Authority.
9. In the case of data processing for national security purposes, the provisions of paragraphs 1 to 8 shall apply with the exception that if
the obligation to notify imposed on the controller under paragraph 1 and the obligation to notify under paragraph 7
would be contrary to the national security interest, it must be fulfilled after the cessation of this national security interest.
25 / K. § (1) If the data protection incident is likely to significantly affect the exercise of a fundamental right of the data subject
(hereinafter: high-risk data protection incident), data management for national security
except for the data controller, the data subject shall be informed of the data protection incident without delay.
2. The controller shall be released from the obligation to inform the data subject in accordance with paragraph 1 if:
(a) the controller is in good faith with regard to the data affected by the data protection incident prior to the data protection incident, so
in particular making the data incomprehensible in the event of unauthorized access, resulting in encryption,
applied technical and organizational security measures,
(b) the controller has ensured, through the measures taken after becoming aware of the data protection incident, that the
the consequences of a data protection incident which significantly affect the exercise of a fundamental right of the data subject
are unlikely to occur,
(c) the direct communication of the data subject pursuant to paragraph 1 would be possible only with the disproportionate effort of the controller, and therefore
appropriate information on the data protection incident to the data subject in a manner that is accessible to anyone;
by means of information, or
(d) by law, as specified in paragraph (6), exclude information.
3. Within the framework of the obligation to provide information set out in paragraph 1, the controller shall clearly and intelligibly describe:
the nature of the data protection incident and make it available to the data subject in accordance with Article 25 / J. § (5), b) , c) and d) as defined in
information.
(4) If the Authority complies with Article 25 / J. § (1), it establishes that the data protection
due to the high risk of an incident, the data subject needs to be informed, the controller has not yet complied with the information referred to in paragraph 1.
shall comply with its obligation to provide information immediately after that finding.
(5) The data controller shall not be obliged to comply with the information obligation set out in paragraph (1) if the Authority complies with Article 25 / J. § (1)
the existence of the circumstance specified in paragraph 2 (a) to (d) on the basis of a notification made in accordance with paragraph 2
states.
(6) By way of derogation from the provisions of subsections (1) - (5), the law shall inform the data subject in accordance with the conditions set out in section 16 (3) and
may exclude, restrict or delay the provision of information for any reason.
16. The Data Protection Officer

25 / L. § (1) The data controller and the data processor shall comply with the legal regulations concerning the processing of personal data and the data subjects.
employ a Data Protection Officer to facilitate the exercise of his or her rights,
(a) if the controller or processor performs a public task or any other public task defined by law, except
courts - or
(b) if required by law or an act of the European Union.
(2) A data protection officer may be appointed who, in accordance with legal provisions and law enforcement practices concerning the protection of personal data,
has an adequate level of knowledge and is suitable for 25 / M. § (1).
(3) The Data Protection Officer may simultaneously provide 25 / M with respect to several data controllers or data processors. § (1)
certain tasks, provided that it does not jeopardize the professional and efficient performance of its tasks. The Data Protection Officer shall inform you
the controller or processor as to which other controller or processor he or she will be treated by his or her data protection officers;
tasks.
4. The controller or processor shall inform the Authority of the name, postal and electronic mail of the data protection officer.
address, change in this information and make this information public.
5. The controller and the processor shall involve the data protection officer in a timely manner in all matters relating to the protection of personal data.
and provide the Data Protection Officer with all the conditions,
resources and access to all data and information to be provided by the Data Protection Officer
necessary to carry out their duties and to keep the professional knowledge of the Data Protection Officer up to date.
25 / M. § (1) The data protection officer shall facilitate the processing of personal data by the data controller or the data processor.
fulfillment of its obligations under legal provisions, in particular
(a) provide up-to-date information on the legal requirements for the processing of personal data and how they are enforced
advises the controller, the processor and the persons employed by them who carry out data processing operations
for;
(b) continuously monitor and control legal provisions on the processing of personal data, in particular legislation
and internal data protection and data security regulations, within this framework for each data management operation
clear terms of reference related to the data protection skills of employees involved in data management operations
and awareness-raising, as well as the implementation of regular inspections;
(c) facilitate the exercise of the data subject's rights, in particular by investigating data subjects' complaints and initiating
the data controller or the data processor to take the necessary measures to remedy the complaint,
d) facilitate and monitor the conduct of data protection impact assessments with professional advice,
(e) cooperate with the bodies and persons empowered to conduct proceedings concerning the lawfulness of data processing, so
in particular, liaise with the Authority in order to facilitate prior consultation and the procedures followed by the Authority,
(f) contribute to the development of internal data protection and data security regulations.
(2) The Data Protection Officer shall keep his or her activities secret during and after his or her legal relationship,
personal data, classified data, or confidentiality and profession protected by law in connection with its provision
any information, fact or circumstance which is
the data controller or data processor is not obliged to make it available to the public in accordance with the provisions of law.
25 / N. § 1. The Conference of Data Protection Officers (hereinafter referred to as the Conference) shall be composed of representatives of the Authority and of the Data Protection Officers.
regular professional contacts with a view to the protection of personal data and access to data of public interest
the development of uniform case law in the application of legislation.
2. The Conference shall be convened by the Chairperson of the Authority as necessary, but at least once a year, and shall set the agenda.
17-19.

CHAPTER III.

GETTING TO KNOW DATA OF PUBLIC INTEREST

20. General rules on access to data of public interest
§ 26. (1) A body performing a state or local self-government task, as well as other public tasks specified by law, or
(hereinafter collectively referred to as the "public body") must allow the public interest data and
public data may be disclosed to anyone in the public interest, with the exceptions specified in this Act, on the basis of a request to that effect.
(2) In the public interest, the name, scope and position of a person acting within the scope of duties and competences of a body performing public duties shall be public data,
management assignment, other personal data related to the performance of the public task, as well as personal data that
its acquaintance is required by law. Public personal data in the public interest shall respect the principle of purposeful data management
can be distributed by keeping. In the public interest to publish public personal data on the website in Annex 1 and the public task
the provisions of a separate law on the legal status of the person providing care shall apply.
(3) Unless otherwise provided by law, in the public interest, public data shall be provided by law or by a state or local government body.
bodies or persons providing services which must be used compulsorily or otherwise cannot be satisfied under a contract concluded
non-personal data relating to these activities which are in the management of the
4. The body or person referred to in paragraph 3 shall request access to the data referred to in paragraph 3
in the performance of 28-31. §.
§ 27. (1) Public data in the public interest or in the public interest shall not be disclosed if it is in accordance with the Classified Data Protection Act.
classified information.
(2) The right to access public data in the public interest and in the public interest - by defining the types of data - is provided by law.
(a) in the interests of national defense;
(b) in the interests of national security;
(c) for the purpose of prosecuting or preventing criminal offenses;
(d) in the interests of the environment or nature;
(e) for central financial or foreign exchange policy purposes;
(f) foreign relations, with regard to relations with international organizations;
(g) in the context of judicial or administrative proceedings;
(h) with regard to intellectual property rights
you can limit.
3. The central and local government budgets or the European budget shall not be considered a business secret in the public interest.
the use of EU support, budget allocations, discounts, management of state and municipal property,
possession, use, exploitation, disposal, encumbrance, any right affecting such property
data relating to the acquisition of information, as well as data the disclosure or disclosure of which is required by a separate law in the public interest
to order. However, disclosure may not result in access to data, in particular proprietary knowledge
access, the disclosure of which would be disproportionate to the conduct of the business, provided that it is not
prevent access to public data in the public interest.
3a. A natural person, legal person or unincorporated
establish a financial or business relationship with a person belonging to its subsystem, shall be bound by that legal relationship and shall comply with the provisions of paragraph 3.
to provide information on public data in the public interest on request. For information
obligation to disclose public data in the public interest or previously in electronic form
may also be done by indicating a public source containing the data
3b. If the person required to provide information pursuant to paragraph 3a refuses to provide the information, the person requesting the information shall
may initiate proceedings against a body authorized to exercise legal supervision over the debtor.
4. Access to data of public interest may be restricted on the basis of a Union act
including monetary, budgetary and fiscal interests.
(5) In the course of the procedure for taking a decision falling within the tasks and competence of a body performing public tasks, the
the data used to substantiate the decision shall not be public for ten years from the date of its occurrence. Getting to know this data - the data
weighing up the weight of the public interest in obtaining and excluding access - the head of the body
you can enable it.
6. The request for access to the data on which the decision is based shall, within the period specified in paragraph 5, be
may be rejected after a decision has been taken if the data also serve as a basis for a further future decision, or if the data
knowledge of the lawful operation of the body performing public tasks or of its tasks and powers free from unauthorized external influence
in particular the free expression of the data originator's position during the preparation of decisions.
(7) Legislation restricting the disclosure of certain information on which a decision is based shall be provided for in paragraph 5.
may set a shorter period than specified.
(8) The provisions of this Chapter shall not apply to the removal from the public credit register, which is regulated by a separate law.
data provision.
21. The need to know public interest data
§ 28. (1) Anyone may submit a request for access to data of public interest orally, in writing or electronically. It is in the public interest
the provisions on access to data of public interest shall apply to access to such data.
(2) Unless otherwise provided by law, the personal data of the data requester may be processed only to the extent that the request
examination of the claim on the basis of the criterion specified in Section 29 (1a), or for the fulfillment of the claim
necessary to pay the established reimbursement. The expiration of the time specified in Section 29 (1a) and the costs
the applicant's personal data must be deleted immediately after payment.
(3) If the data request is not clear, the data controller shall call the requester to clarify the request.
§ 29. (1) Upon receipt of the request, the body performing the public task handling the data shall request access to the data of public interest
in the shortest possible time, but not later than 15 days.
1a. The request shall not be complied with by the body performing the public task of processing the data in so far as the same
within one year of a request for the same set of data, provided that the
there was no change in the data.
1b. The request shall not be complied with by the body performing the public task of processing the data if the requester does not provide his name,
the name of the natural person requesting the data and the contact details for which the data request is made
any information and notification may be given.
(2) If the data request concerns a significant amount of data or a large number of data, or the fulfillment of the data request
disproportionate use of the human resources needed to carry out the core business of the
the time limit may be extended once by 15 days. The claimant shall be notified within 15 days of receipt of the claim
be informed.

2a. If the request concerns data produced by an institution or a Member State of the European Union, the controller shall:
it shall immediately contact the institution or Member State of the European Union concerned and inform the applicant accordingly. The information
the response of the institution or Member State of the European Union concerned to the
does not count towards the time available to comply with a data request.
(3) The requesting copy of a document or part of a document containing data, regardless of the method of its storage
you can get. The body performing the public task handling the data for the fulfillment of the data request - up to the amount of the related costs
may set a reimbursement, the amount of which shall be communicated to the claimant before the claim is settled.
3a. The applicant shall, within 30 days of receipt of the information received pursuant to paragraph 3, declare that his application:
maintains. The period between the provision of the information and the receipt of the requester's statement by the controller shall be
does not count towards the time available to comply with a data request. If the claimant maintains his claim, the reimbursement is
shall be obliged to pay the controller within a period of at least 15 days set by the data controller.
(4) If the fulfillment of the data request is disproportionate to the labor resources necessary for the performance of the core business of the body performing the public task
or the document or part of a document from which the claimant has requested a copy is of a significant size,
or the amount of the reimbursement exceeds the amount specified in the government decree, the data request shall be
must be paid within 15 days of payment by the claimant. About the fulfillment of the data request is the body performing the public task
disproportionate use of the manpower required to carry out its core business or the
document or part of a document is of a significant volume, as well as the amount of reimbursement and the fulfillment of the data request
the applicant shall be informed of his non-copying options within 15 days of receipt of the request.
5. The following cost elements may be taken into account in determining the amount of reimbursement:
a) the cost of the medium containing the requested data,
(b) the cost of delivering the data medium containing the requested data to the applicant; and
(c) if the fulfillment of the data request is disproportionate to the manpower required to carry out the core business of the public service body
the cost of manpower associated with fulfilling the data request.
(6) The identifiable extent of the cost elements specified in subsection (5) shall be determined by law.

§ 30. (1) If a document containing data of public interest also contains data which cannot be known to the claimant, the copy shall contain
unknown data must be rendered unrecognizable.
2. The request for data shall be made in a comprehensible form and - if the body performing the public task handling this data is disproportionately difficult
able to perform without - in the form or manner desired by the claimant. If the requested data has previously been electronic
the request can also be fulfilled by indicating the public source containing the data. Data requests cannot be made
rejected on the ground that it cannot be complied with in an intelligible form.
(3) The refusal to fulfill the claim, the reasons therefor and the legal remedies available to the claimant under this Act
together with information on the possibilities, in writing or, if the request is electronic, within 15 days of receipt of the request
e-mail address - the applicant must be notified by e-mail. Rejected applications and reasons for rejections
the controller shall keep a register and inform the Authority of its contents by 31 January each year.
(4) The fulfillment of the demand for access to data of public interest may not be refused because the non-Hungarian-speaking claimant
in his mother tongue or in another language he understands.

(5) If the law makes the discretion of the data controller with regard to the refusal to fulfill the request for access to data of public interest
the ground for refusal should be construed narrowly and the need for access to
may be refused if the public interest on which the refusal is based outweighs the need to know the public interest data.
in the public interest.
(6) The body performing the public task shall establish regulations laying down the procedure for fulfilling the requests for access to data of public interest.
to make.

(7) Data knowledge for the comprehensive, account-level and item-by-item control of the management of a body performing a public task
the provisions of separate laws shall apply. With reference to this, the data controller is a copy of the document that is the subject of the request
the subject of the legal relationship, the type of legal relationship, the subject of the legal relationship, the extent of the service and consideration, and
by indicating the date of completion.
§ 31. (1) The requester shall reject the request for access to the data of public interest, either the data subject is open for performance or the data controller
in the event of an unsuccessful expiry of the time limit extended by the Commission pursuant to Section 29 (2), and for the fulfillment of the data request
may apply to a court to review the amount of the reimbursement established.
(2) The lawfulness of the refusal and the reasons for the refusal, as well as the reimbursement for the execution of the data request
the controller must prove that the amount is justified.
(3) The action shall be brought against the notification of the rejection of the claim, the failure to meet the time limit or the payment of the costs.
shall be instituted against the body performing the public task rejecting the claim within 30 days of the expiry of the time limit. If the need
rejection, non-compliance or the amount of the reimbursement for the execution of the data request, the
notify the Authority of the rejection of the merits of the
notification of the termination of the investigation, its closure pursuant to Section 55 (1) (b) or pursuant to Section 58 (3)
may be initiated within thirty days of receipt. Failure to comply with the time limit for bringing proceedings

there is room.
(4) A party who does not otherwise have legal capacity to sue may also be a party to a lawsuit. The lawsuit is filed by the Authority in order to win the claimant
may intervene.
(5) With the exception of a lawsuit filed against a body performing a public task of national competence, the lawsuit shall fall within the jurisdiction of the district court and
the district court of the seat of the tribunal, in Budapest the Central District Court of Pest has jurisdiction. The jurisdiction of the court is the defendant
established by the seat of the public body.
(6) The court shall act out of turn.
(6a) If the data controller refuses to comply with the request for access to data of public interest pursuant to Section 27 (1) and the data is
in order to review the rejection of a request for access to data in the public interest
the court shall initiate the Authority's secrecy authority proceedings, at the same time suspending the litigation.
There is no separate appeal against an order initiating proceedings and suspending proceedings.
(7) If the court grants a request for the request of data of public interest, in its decision the data controller shall
obligation to provide the requested information of public interest. The court is the data request
the amount of the reimbursement for the performance of the public service or the body performing the public service
may require a new procedure for

CHAPTER IV.
PUBLICATION OF DATA OF INTEREST

22. Obligation to provide information on data of public interest
§ 32. The body performing public tasks in matters falling within its remit - in particular the state and local government budget and its
management of state and municipal property, the use of public funds and contracts,
private or private organizations and individuals
and to ensure accurate and prompt information to the public.
23. Obligation to publish electronically
§ 33. (1) The data of public interest to be published on the basis of this Act on a website, in digital form, for anyone,
without identification, without restrictions, in a printable and reproducible form without loss of data or distortion,
also be made available free of charge for viewing, downloading, printing, copying and network data
hereinafter referred to as "electronic publication"). Access to the published data is not linked to the disclosure of personal data.
(2) Unless otherwise provided by law, it shall publish the data specified in the publication lists pursuant to Section 37 on its own website.
a) the Office of the President of the Republic, the Office of the National Assembly, the Office of the Constitutional Court, the Office of the Commissioner for Fundamental Rights,
State Audit Office, the Hungarian Academy of Sciences, the Hungarian Academy of Arts, the National Courts Office, the General Prosecutor's Office,
b)
c) the central government, with the exception of the government committee, and the national chamber; and
d) the capital and county government offices.

(3) Bodies performing public tasks not included in subsection (2) shall choose their electronic disclosure obligation pursuant to Section 37.
jointly by themselves or their associations, or in their supervision, professional management or
published on a central website set up by the coordinating bodies and set up for that purpose.
(4) The public education institution and the vocational training institution shall be subject to the sectoral obligation of electronic publication under this Act
by providing data to the information system specified in the legislation.
§ 34. (1) The data controller who does not publish the data on his own website - applying § 35 - shall inform the data provider of the data to be published.
ensure that the data is published on a website and that it is clear that
from which body the data of public interest come or to which they refer.
(2) The reporting agent shall set up the website for publication in such a way that it is suitable for the publication of the data.
continuous operation, troubleshooting and updating of data.
(3) The website for publication shall provide information in an intelligible form on the rules for the individual request for data of public interest.
The information shall also include a description of the remedies available.
(4) In addition to the information of public interest specified in the publication lists, other information may be published electronically on the website for publication.
public and public interest data.
§ 35. (1) The head of the body responsible for data subject to electronic publication shall ensure the publication lists specified in § 37.
accurate, up-to-date and continuous publication of the data contained therein and their transmission to the informant.
(2) For the electronic publication, continuous availability, authenticity and updating of the data transmitted, the
informant is responsible.
(3) The data controller shall comply with the detailed rules for the fulfillment of the obligation under paragraph 1 and the reporting agent with the detailed rules for the fulfillment of the obligation under paragraph 2.
laid down in the rules of procedure.
(4) Electronically published data may not be removed from the website, unless otherwise provided by this Act or other legislation.
In the event of termination of the body, the obligation to publish shall be incumbent on the successor to the body.
§ 36 The publication of data included in the publication lists specified in § 37 shall not affect the public interest or
obligations in the public interest relating to the disclosure of public data laid down in other legislation.
24. Publication Lists
§ 37. (1) The bodies specified in § 33 (2) - (4) (hereinafter together: the body obliged to publish) - in paragraph (4)
with the specific exceptions, the information specified in the general disclosure list in Annex 1 in relation to their activities
shall be published as set out in Annex 1.
(2) Legislation may specify other information to be published for certain sectors, the type of body performing the public function (the
hereinafter referred to as the "special publication list").
(3) The head of the body obliged to publish - by requesting the opinion of the Authority - and legislation on the body performing public tasks,
additional mandatory disclosure with effect to the bodies under their management, supervision or a part thereof
(hereinafter referred to as the "individual publication list").
(4) The scope of data to be published by the national security services shall be determined by a decree of the Government, seeking the opinion of the Authority.

states.
(5) In the case of a body subject to disclosure as a corporate body, the establishment and amendment of the individual disclosure list - the Authority
within the remit of the panel.
(6) The head of the body obliged to disclose the data of data requests concerning data of public interest which are not included in the disclosure list.
at least annually on the basis of the publication list issued by it pursuant to paragraph 3 and
supplement it on the basis of requests for data.
(7) Depending on the nature of the data to be published, the frequency of publication may also be determined in the publication list.
(8) The Authority may propose to establish or supplement specific and individual publication lists.
24 / A. Central electronic register of data of public interest and unified public data retrieval system
37 / A. § (1) In order to make electronically published data easily and quickly available, data of public interest pursuant to this Act
the public interest websites of the bodies required to publish them electronically and the database maintained by them; and
is responsible for ensuring the infrastructural feasibility of administrative informatics
in a central electronic register operated by the Minister and published on a website set up for that purpose.
Electronic access to the public interest data of the body referred to in paragraph 1 in accordance with uniform criteria and
is responsible for ensuring the infrastructural feasibility of public administration informatics
provided by a unified public data search system operated by the Minister.
37 / B. § (1) The data controller shall ensure that the websites, databases and
to the Minister responsible for ensuring the infrastructural feasibility of administrative informatics
regular updating of the public interest data transmitted and is responsible for the integrated public data retrieval system.
the content of the data of public interest transmitted and the regular updating of the data of public interest transmitted.
(2) Maintaining a list of databases or registers containing data of public interest and
connection to the system does not release the data controller from the obligation of electronic publication.

CHAPTER V.
NATIONAL DATA PROTECTION AND FREEDOM OF INFORMATION AUTHORITY

25. Legal status of the Authority
§ 38. (1) The Authority is an autonomous state administration body.
(2) The Authority shall have the task of protecting personal data and of accessing data in the public and public interest.
monitoring and facilitating the free movement of personal data within the European Union.
(2a) Hungary shall exercise the tasks and powers conferred on the supervisory authority by the General Data Protection Regulation
with regard to legal entities under the jurisdiction of the General Data Protection Regulation and this Act a
Authority exercises.
(2b) The Authority's tasks in relation to personal data as set out in paragraph 2
in court and non-litigation proceedings, data processing operations carried out by a court in accordance with the relevant provisions
does not cover the exercise of the powers set out in paragraph 3.
(3) In the scope of its functions under subsections (2) and (2a), the Authority shall, in particular, as specified in this Act
(a) conduct investigations on the basis of a notification and of its own motion;
(b) at the request of the data subject and of his or her own motion, conduct an official data protection procedure;
(c) conduct an ex officio official surveillance procedure;
(d) bring an action for infringement of data relating to the public interest and public data in the public interest;
(e) intervene in proceedings brought by another;
f)
(g) conduct a data processing authorization procedure upon request;
(h) in a binding act of the European Union, in particular the General Data Protection Regulation and Regulation (EU) No 2016/680;
other tasks laid down in this Directive for the supervisory authority of a Member State and other tasks provided for by law.
(4) In its tasks under paragraphs 2 and 2a, the Authority shall in particular:
(a) may propose measures concerning the processing of personal data and access to data of public interest and public data in the public interest;
to create or amend legislation, to give opinions on draft legislation affecting its area of responsibility;
b) publish a report on its activities by 31 March each year and submit the report to the National Assembly;
(c) issue a recommendation of a general nature or to a specific controller;
d) give an opinion on the data to be published in accordance with this Act in connection with the activities of the body performing the public task
special or individual publication lists;
e) the European Union represents Hungary in co-operation with bodies or persons specified by law
data protection supervisory bodies;
(f) organize a conference of data protection officers;
g) -h)
(5) The Authority shall be independent, subject only to law, and may not be instructed in its tasks, its task shall be separate from other bodies,
without interference. A task for the Authority can only be established by law.
26. Budget and management of the Authority
§ 39. (1) The Authority is a central budgetary body endowed with chapter powers, the budget of which is approved by the Parliament.
forms a separate title within its budget chapter.
(2) The total amounts of expenditure and revenue of the budget of the Authority for the year in question - as defined in the Public Finance Act,
and a temporary measure taken to deal with an elemental disaster endangering the security of property and its consequences,
and measures taken by the Authority in its own or governing body's competence - exclusively by the Parliament
can be reduced.
(3)
(4) The remainder of the revenue from the previous year may be used by the Authority in the following years to carry out its tasks.
27. The Chairperson of the Authority
§ 40. (1) The Authority shall be headed by a chairman. The President of the Authority shall be appointed by the President of the Republic, including a lawyer, on the proposal of the Prime Minister
Hungarian citizens who are eligible for election to parliamentarians
have at least ten years' professional experience in auditing procedures relating to freedom of information, or these areas
they obtained a scientific degree in one of them.
(2) The Chairperson of the Authority shall not be appointed for a period of four years prior to the date of the proposal for appointment.
Member of Parliament, Advocate for Nationalities, Member of the European Parliament, President of the Republic, Member of the Government, State Secretary, Local
municipal representative, mayor, deputy mayor, mayor, deputy mayor, chairman of a county assembly or
he was a vice-president, a member of a national self-government, or an official or employee of a party.
(3) The President of the Republic shall appoint the President of the Authority for a term of nine years. The Chairperson of the Authority shall, after leaving the service:
He may be reappointed once as the Chairperson of the Authority.
(4) The President of the Authority shall, after his appointment to the President of the Republic, take an oath before the President of the Republic on the oath and pledge of each public official.
swears by law.
§ 41. (1) The chairman of the Authority may not be a member of a party, may not engage in political activities, his or her mandate is incompatible with all
with other state or municipal positions and mandates.
(2) The President of the Authority may not engage in any other gainful occupation and may not engage in any other activity - scientific, educational, artistic, copyright or other.
except for activities covered by legal protection, in the framework of the employment relationship with proofreaders, editors and foster parents - remuneration
cannot accept.
(3) The chairman of the Authority may not be a senior executive of a company, a member of its supervisory board or a company
person required to contribute personally.
§ 42. (1) The President of the Authority shall, within thirty days after his appointment, and thereafter until 31 January each year, and
within thirty days of the termination of his term of office, the same content as the declaration of assets of the members of parliament.
make a declaration of assets.
(2) In the event of failure to make a declaration of assets, he or she may not exercise the office of the Chairperson of the Authority until the declaration of assets has been submitted,
he is not remunerated.
(3) A public, faithful copy of the declaration of assets shall be published on the website of the Authority without delay. The declaration of assets a
may not be removed from the website until one year after the expiry of the term of office of the Chairperson of the Authority.
(4) The procedure related to the declaration of assets of the President of the Authority may be initiated by the Prime Minister by the declaration of assets.
a statement of facts concerning the specific content of the declaration of assets which specifically indicates the contested part and content of the declaration of assets. If the
initiative does not meet the requirements of this paragraph, is manifestly unfounded or has been resubmitted
initiative does not contain any new facts or information, the Prime Minister shall reject the initiative without proceeding.
The Prime Minister shall verify the reality of the contents of the declaration of assets.
(5) During the procedure related to the declaration of assets, the President of the Authority shall, at the invitation of the Prime Minister,
to notify the Prime Minister in writing without delay of the data certifying the indicated property, income and interest relations.
The Prime Minister shall inform the President of the Republic of the results of the inspection by sending the data. Only the
the Prime Minister and the President of the Republic.
(6) The supporting information submitted by the Chairperson of the Authority shall be provided on the thirtieth day after the closure of the procedure relating to the declaration of assets.
it has to be deleted.
§ 43. (1) The President of the Authority shall comply with the provisions of Act XXXVI of 2012 on the Parliament. equivalent to 2.5 times the statutory parliamentary fee
entitled to a salary.
(1a) The Chairperson of the Authority shall be entitled to a ministerial allowance in addition to the salary provided for in paragraph 1.
(2) The Chairperson of the Authority shall be entitled to forty working days per calendar year.
§ 44. (1) The President of the Authority shall be employed in a public service capacity in terms of entitlement to social security benefits.
is considered insured.
(2) The term of office of the President shall be the time spent in a public service relationship with an administrative body.
§ 45. (1) The term of office of the Chairman of the Authority shall terminate
(a) at the end of his term of office;
b) by resignation;
(c) by his death;
(d) by finding that there are no conditions for his appointment or that there has been a breach of the declaration requirements;
(e) a declaration of conflict of interest;
f) -g)
(2) The President of the Authority may at any time resign by written declaration addressed to the President of the Republic through the Prime Minister.
mandate. The term of office of the Chairperson of the Authority shall be the day following the notification of the resignation, failing which the
shall terminate on the date of notification of the resignation. A declaration of acceptance is not required for the waiver to be valid.
(3) If the President of the Authority does not terminate his or her conflict of interest pursuant to Section 41 within thirty days of his or her appointment, or
in the exercise of his or her duties, the President of the Republic shall decide on the motion of the Prime Minister.
on the issue of finding a conflict of interest.
(4) - (5)
(6) The President of the Republic shall establish the absence of the necessary conditions for the appointment of the Chairman of the Authority on the motion of the Prime Minister.
The President of the Republic, on the motion of the Prime Minister, shall establish a violation of the rules of declaration of assets if the Authority
in the declaration of assets of the President, he deliberately discloses material data or facts.
(6a) The Prime Minister shall submit a motion made pursuant to paragraphs 3 and 6 to the President of the Republic and the President of the Authority at the same time.
send.
(6b) The Chairperson of the Authority may institute administrative proceedings to establish that the motion is unfounded. The time limit for bringing an action
in the event of failure to do so, no certificate shall be required. The court shall act in accordance with the rules of civil service litigation in order to:
a lawsuit shall be brought against the Prime Minister and the court of the place of employment shall have exclusive jurisdiction over the lawsuit. The court a
he shall also communicate the application and the final decision on the merits of the case to the President of the Republic.
(6c) If, on the basis of an action brought by the President of the Authority under paragraph 6b, the court or tribunal finds in a final judgment that:
the motion of the Prime Minister made pursuant to paragraphs 3 and 6 is unfounded, the President of the Republic shall terminate the term of office of the President of the Authority
does not establish its termination.
(6d) The President of the Republic on a motion made by the Prime Minister pursuant to paragraphs 3 and 6
(a) if the President of the Authority does not bring an administrative action, within 15 days of the expiry of the time limit for bringing an action,
(b) if the President of the Authority institutes administrative proceedings, within fifteen days of receipt of a final decision on the merits of the case.
decide.
(7) In the event of termination of the mandate pursuant to points (a) and (b) of paragraph 1, the President of the Authority shall
three times the amount of the special salary.
(8) A countersignature is not required for a decision of the President of the Republic referred to his or her competence by subsections (3) and (6) and section 40.
45 / A. § The President of the Authority may attend and address meetings of the committees of the National Assembly.
28. Deputy Chairperson of the Authority
§ 46. (1) The work of the Chairman of the Authority shall be assisted by a deputy appointed by him for an indefinite period. Above the Vice - President of the Authority
president exercises employer rights.
(2) The Deputy Chairperson shall comply with the conditions laid down in Section 40 (1) and (2) for the appointment of the Chairperson of the Authority.
five years of professional experience in auditing procedures relating to data protection or freedom of information
must have.
(3) The provisions of Section 41 shall apply mutatis mutandis to the conflict of interest of the Deputy Chairman.
(4) In the event of the President being prevented from attending or if the office of President is not filled, the Vice-President shall exercise the powers and duties of the President.
perform its duties.
§ 47. The provisions of § 42 on the obligation of the vice-president to make a declaration of assets and on the procedure related to his declaration of assets
duly governed by the fact that the President of the Authority shall act in place of the Prime Minister in the procedure relating to his declaration of assets,
and the President of the Republic need not be informed of the result of the inspection.
§ 48. (1) The Deputy Chairman shall comply with the provisions of Act CXXV of 2018 on Government Administration. The Salary Table set out in Annex 1, point I of the Act
is entitled to a salary corresponding to the upper limit of the salary of the Deputy Secretary of State.
(1a) In addition to the salary provided for in paragraph 1, the Vice-President shall be entitled to the allowance of Deputy Secretary of State.
(2) The Vice-President shall be entitled to forty working days of leave per calendar year.
(3) The Vice-President shall be employed in the public service in order to be entitled to social security benefits.
is considered insured.
(4) The term of office of the Deputy Chairman shall be considered as the time spent in a public service legal relationship with an administrative body.
§ 49. (1) The term of office of the Deputy Chairman of the Authority shall be terminated
(a) by resignation;
(b) by his death;
(c) establishing the absence of the conditions necessary for his appointment;
(d) by establishing a conflict of interest;
(e) by dismissal;
(f) by deprivation of office.
(2) The Deputy Chairperson of the Authority may resign at any time by a written statement addressed to the Chairperson of the Authority. The Authority
on the day following the notification of the resignation, failing which the resignation shall be
ceases on the day of. A declaration of acceptance is not required for the waiver to be valid.
(3) If the Vice-Chairperson of the Authority does not terminate his or her conflict of interest pursuant to Section 41 within thirty days of his or her appointment
conflict of interest arises in the exercise of his office, the President of the Authority shall
on the issue of
(4) The Chairperson of the Authority shall dismiss the Vice-Chairperson of the Authority if, for reasons not attributable to him or her, the
in addition, he is unable to perform the duties arising from his mandate.
(5) The Chairperson of the Authority may dismiss the Vice-Chairperson of the Authority, at the same time as the Vice-Chairperson of the Authority.
a civil servant position and, even in the absence of the conditions specified in Section 51 (1), an investigative mandate
offer.
(6) The Chairperson of the Authority shall remove the Vice-Chairperson of the Authority from office if, for reasons attributable to him or her, the Vice-Chairperson of the Authority:
fails to perform his / her duties arising from his / her duties or intentionally materially disclose data or facts in his / her declaration of assets
misrepresents.
(7) The Chairperson of the Authority shall establish the absence of the conditions necessary for the appointment of the Deputy Chairperson of the Authority.
(8) In the event of termination of office pursuant to points (a) and (e) of paragraph 1, the Vice-Chairperson of the Authority shall be
is entitled to a special salary equal to three times his salary.
29. Staff of the Authority
§ 50 The rights of employers over the civil servants and employees of the Authority shall be exercised by the President of the Authority.
§ 51. (1) The Chairman of the Authority may appoint an examiner for up to twenty percent of the basic staff of the Authority at the highest level of the Authority.
civil servants and employees with at least five years' public service or employment with the Authority
exists.
(2) The term of office of an investigator shall be for an indefinite period of time, which may be revoked at any time by the Chairperson of the Authority, without giving any reason.
(3) The amount of the examiner's salary and additional leave, as well as other remuneration to the head of the independent organizational unit
shall be determined on the basis of the relevant

CHAPTER VI.
PROCEDURES OF THE AUTHORITY

30. Examination by the Authority
51 / A. § (1) If the initiation of official proceedings is not mandatory pursuant to this Act, the Authority may initiate an investigation ex officio.
(2) The person concerned may initiate an investigation with the Authority in the case specified in Section 22 a). The notification states
the data subject shall indicate the data used to substantiate that the rights specified in Section 14 have been exercised by the data controller;
attempted to validate.
§ 52. (1) Anyone may initiate an investigation with the Authority on the grounds that the processing of personal data or the
Infringement of the right to access data of public interest or public data in the public interest
occurred or is in imminent danger.
(1a) Examination by the Authority is a requirement in the case of a notification based on one of the grounds specified in Section 31 (1)
unsuccessful expiry of the time limit or the expiry of the time limit for payment of the reimbursement
may be initiated within one year of
(2) An investigation by the Authority shall not constitute an administrative procedure.
(3) No one shall be adversely affected by a notification to the Authority. The identity of the notifier may be disclosed by the Authority only if so
in its absence, the investigation would not be possible. If the notifier so requests, the Authority shall not disclose his identity even if, failing that, the
test cannot be performed. The Authority shall inform the notifier of this consequence.
(4) The examination of the Authority shall be free of charge, the costs of the examination shall be advanced and borne by the Authority.
§ 53. (1) The Authority is obliged to examine the merits of the application, with the exceptions set out in subsections (2) and (3).
(2) The Authority may reject the notification without substantive examination if:
(a) the infringement identified in the notification is minor, or
(b) the notification is anonymous.
(3) The Authority shall reject the notification without substantive examination if:
(a) the case is pending before a court or has previously been the subject of a final court decision,
b) notwithstanding the information pursuant to Section 52 (3), the notifier continues to request that his identity not be disclosed,
c) the notification is manifestly unfounded,
d) the re-submitted application does not contain a substantially new fact or data,
e) the notification has been submitted after the deadline specified in Section 52 (1a),
(f) the notification does not meet the conditions specified in 51 / A. § (2),
(g) carry out official controls or proceedings in respect of the notification; or
(h) the subject of the notification does not fall within its remit and, on the basis of the information available, does not fall within the scope of the notification
the identity of the competent body cannot be established.
(4) Where the notification has been made by the Commissioner for Fundamental Rights, the Authority may refuse the notification without a substantive examination only if:
if court proceedings are pending in the case or a final court decision has previously been rendered in the case.
(5) The Authority shall terminate the investigation if:
a) (3) - on the basis of paragraph (4) of the application was rejected without substantive examination it would place the reason for refusal, however, the test
came to the attention of the Authority after the
(b) the circumstances justifying the continuation of the investigation no longer exist.
(6) The Authority shall reject the substantive examination of the notification, the termination of the examination and the rejection or termination.
notify the notifier of the reasons.
(7) The Authority shall, in addition to notifying the notifier,
referred to the competent body for the purposes of this Regulation if, on the basis of the information available, the competent body
the identity of the organ can be established. If, on the basis of a notification of a matter outside the Authority's competence, the Authority finds that:
there is a need to initiate legal proceedings in the case, it shall notify the notifier thereof.
(8) If the participant has participated in the investigation, the Authority shall also notify the data controller or data processor examined.
§ 54. (1) The Authority during the investigation
a) get acquainted with all the data in the management of the examined data controller that can be related to the examined case, a copy of it
all such documents, including those stored on an electronic medium, and a copy thereof
you can ask
(b) learn about the data processing that may be related to the case under investigation, enter the room where the data processing takes place,
access the tools used to perform data management operations,
c) request written and oral information from the data controller under investigation or from any employee of the data controller,
(d) written information from any organization or person that may be involved in the case under investigation, or
request a copy of the data or records that may be linked, including those stored on an electronic medium, and
(e) request the head of the supervisory body of the controlling authority to carry out an investigation.
(2) The request of the Authority pursuant to paragraph 1 shall be made by the controller under investigation or by any other body or entity involved in the procedural act.
person shall comply within a time limit set by the Authority. The time limit set by the Authority shall be set in accordance with paragraph 1 (d) and (e).
shall not be less than fifteen days in the case of
(3) The person referred to in paragraph 1 (c) and (d) may be refused information if:
(a) the person concerned by the application on which the Authority is based is or has been a relative under the Civil Code;
spouse;
b) during the information, he or she or a relative or former spouse according to the Civil Code has committed a criminal offense
accuse him of committing an offense in that regard.
§ 55. (1) The Authority shall, within two months from the initiation of the investigation ex officio or from the day following the receipt of the notification,
within
(a) establishes that in connection with the exercise of the rights set out in the General Data Protection Regulation and this Act
an infringement has occurred or is imminent, and
aa) take the measure specified in Section 56 and Section 57, respectively,
(ab) close the investigation and initiate official data protection proceedings pursuant to Section 60, or
ac) closes the investigation and initiates official secrecy proceedings pursuant to Section 62;
(b) establish that there has been no or imminent threat of an infringement and close the investigation.
1a. The time limit laid down in paragraph 1 shall not include:
(a) the time between the request for communication of the information necessary to clarify the facts and its completion,
(b) the time required for the translation of the document relating to the investigation; and
(c) the duration of a circumstance, disruption or other unavoidable event preventing the operation of the Authority for at least one full day.
(2) The Authority shall notify the notifier and, if involved in the investigation, the controller or processor subject to the investigation of the results of the investigation, the reason for the termination of the investigation, possible measures and the initiation of official proceedings.
(3) If the Authority complies with Article 51/A. Examination carried out pursuant to § notification (2) pursuant to paragraph (1) b) on the basis of
at the same time as the notification provided for in paragraph 2, inform the notifier of his right to a judicial remedy and the possibility of exercising that right.
Section 56 (1) If the Authority establishes the existence of an infringement or an imminent threat thereof in connection with the processing of personal data, or with the exercise of the rights of access to data of public interest or public data of public interest, it calls on the data controller to remedy the breach or to eliminate the imminent threat thereof.
2. The controller shall, if it agrees, without delay take the necessary measures indicated in the notice referred to in paragraph 1 and shall inform the Authority in writing, within thirty days from the date of receipt of the request, of the measures taken or, in the event of disagreement, of its position.
3. In the case of a data processing authority with a supervisory body, the Authority, if the request under paragraph 1 has not produced a result, may at the same time inform the data controller of the recommendation to the supervisory body of the data controller. The Authority may make a direct recommendation to the supervisory body of the controller, even in the absence of a request under paragraph 1, if, in its view, the remedying of the breach or the elimination of the imminent threat of an infringement can be done more effectively in this way.
4. The supervisory body shall inform the Authority in writing, within thirty days of receipt, of its position on the substance of the recommendation and the action taken on the recommendation.
§ 57. If the Authority, on the basis of its investigation, establishes that the infringement or its imminent threat is due to an unnecessary, unclear or inadequate provision of a law or a public regulatory instrument, or to the lack or incompleteness of the legal regulation of the issues related to data management, it may, in order to avoid the infringement or its imminent threat in the future, make a recommendation to the body empowered to legislate or to issue a regulatory instrument on public bodies, or to the draftsman of the legislation. In the recommendation, the Authority may propose the amendment, repeal or creation of a legal instrument or a regulatory instrument for public bodies. The requested body shall notify the Authority of its position and of its action on the recommendation within sixty days.
§ 58. (1) If, on the basis of a summons or recommendation pursuant to § 56, the infringement has not been remedied or the imminent danger of the infringement has not been terminated, the Authority shall, within thirty days of the expiry of the information period provided for in Section 56 (2) or, if a recommendation has been made, in Section 56 (4), take the necessary further action.
2. In the case referred to in paragraph 1, the Authority
a) initiates or may initiate data protection official proceedings in accordance with the provisions of Section 60,
b) initiates or may initiate a secret supervision authority proceeding in accordance with the provisions of Section 62,
c) may institute legal proceedings in accordance with Section 64, or
d) may prepare a report in accordance with the provisions of Section 59.
(3) The Authority shall notify the notifier of the outcome of the measures pursuant to Section 56 and Section 57 and of the taking of further measures pursuant to subsection (2).
31. Report of the Authority
§ 59. (1) The Authority may prepare a report on the investigation carried out on the basis of the notification if the matter is subject to official proceedings or
no court proceedings have been instituted.
2. The report shall contain the findings of the investigation, the findings and conclusions drawn therefrom.
3. The Authority's report shall be made public. A report containing classified information shall be classified by the President of the Authority, or the classification mark shall be repeated. A report containing classified information or a secret protected by law shall be disclosed so that the classified information or other secrets protected by law are not disclosed.
(4) The report of the Authority's investigation into the activities of the bodies authorized to continue to collect confidential information or to use disguised devices may not contain information from which its conduct in the case is secret information gathering or the use of covert devices.
(5) The report of the Authority may not be challenged before a court or other authority.
32. Data protection authority procedure
§ 60. (1) In order to exercise the right to the protection of personal data, the Authority shall, at the request of the data subject, initiate data protection authority proceedings and may initiate ex officio data protection authority proceedings.
2. The request to initiate the data protection authority procedure may be submitted in the cases specified in Article 77 (1) of the General Data Protection Regulation and in Section 22 (b).
(3) The Authority shall initiate ex officio data protection authority proceedings if:
(a) establishes, on the basis of its investigation, that there has been an infringement or a direct breach of the processing of personal data
on the basis of a summons or recommendation pursuant to Section 56 to remedy the infringement or to
has not been terminated within the time limit set by the Authority,
(b) on the basis of its investigation, finds that a personal data breach has occurred or is directly related to it
there is a risk and a fine may be imposed under the provisions of the General Data Protection Regulation.
(4) If the data protection authority procedure has been preceded by an investigation by the Authority based on a notification, the Authority shall notify the notifier of the initiation or termination of the data protection authority procedure.
(5) In the case specified in subsection (2), the application shall include, in addition to what is specified in the Act on General Administrative Procedure,
(a) an indication of the alleged infringement,
(b) a description of the specific conduct or situation which led to the alleged infringement,
(c) the data available to the applicant to identify the controller or processor committing the alleged infringement,
(d) the facts and evidence supporting the allegations of an alleged infringement; and
(e) a firm request for a decision to remedy the alleged infringement.
(6) In proceedings before the data protection authority, the applicant shall be entitled to legal aid; the Authority shall advance the costs of the procedure the advance payment of which would be borne by the applicant.
60/A. § (1) In administrative data protection proceedings, the administrative deadline is one hundred and fifty days.
(2) The Authority shall establish a data protection authority procedure in accordance with the General Data Protection Regulation
a) cooperation process and as defined in paragraph (5) - Article 60 (3)
b) 63-66. the coherence mechanism set out in Article
the Authority shall carry out the procedural steps required in the cooperation procedure and in the coherence mechanism during the period of suspension.
3. If the Authority finds that it lacks jurisdiction at any stage of the procedure on the application, it shall reject the application or terminate the procedure.
4. If it is beyond doubt that the supervisory authority of another EEA State has jurisdiction in the matter, the Authority shall send the request to the supervisory authority having jurisdiction. In this case, the order rejecting the application or terminating the procedure shall also include the name of that supervisory authority.
5. If the application has been submitted to the supervisory authority having jurisdiction as set out in paragraph 4, the Authority shall, at the request of the data subject, provide the data subject with information on the means of enforcement before the supervisory authority having jurisdiction.
6. If the Authority has not terminated the data protection authority proceedings within ninety days of the request or
shall notify the applicant of the procedural steps taken up to the date of notification.
§ 61. (1) In its decision made in the data protection official procedure, the Authority
a) in connection with the data processing operations specified in Section 2 (2) and (4), may apply the legal consequences specified in the General Data Protection Regulation,
b) in connection with the data processing operations specified in Section 2 (3)
(ba) establish the unlawful processing of personal data,
bb) order the correction of inaccurate personal data,
bc) order the blocking, erasure or destruction of unlawfully processed personal data,
bd) prohibit the unlawful processing of personal data,
(be) prohibit the transfer or transfer of personal data abroad,
(bf) order the data subject to be informed if it has been unlawfully refused by the controller; and
(bg) impose a fine,
(c) may apply the legal consequences set out in Article 41 (5) of the General Data Protection Regulation against an organization carrying out an audit activity as defined in Article 41 (1) of the General Data Protection Regulation.
2. The Authority may order the disclosure of its decision, by publishing the identification data of the controller or processor, if
(a) the decision affects a wide range of persons,
(b) it was made in the context of the activities of a public body, or
(c) the seriousness of the infringement justifies disclosure.
3. The application of a warning and bail in proceedings before the Authority shall be precluded if, in accordance with the rules governing its discretion, the Authority:
the need to impose a fine.
(4) The amount of the fine may range from one hundred thousand to twenty million forints
a) of paragraph (1) b) point bg) subsection, and
(b) if the budgetary authority liable to pay a fine imposed in a decision taken in a data protection
Article 83 of the General Data Protection Regulation
in the case of a fine imposed pursuant to
5. In deciding whether to impose a fine pursuant to paragraph 1 ( b) (bg) or
account of all the circumstances of the case, in particular the number of persons involved in the infringement
the gravity of the infringement, the imputability of the conduct and whether the infringer has been
personal data breach.
(6) Until the expiry of the time limit for bringing an action against the decision or, in the event of the initiation of an administrative action, until the final decision of the court, the data affected by the disputed data processing may not be deleted or destroyed.
(7) The execution of the decision of the Authority with regard to an obligation included in the decision to perform a specific act, or to specific conduct, tolerance or cessation, shall be carried out by the Authority.
(8) There is no place for the reduction of the payment obligation established in the decision of the Authority (hereinafter: reduction) at the request of the debtor. The debtor may request the authorization of a deferral or of performance in installments of the obligation to pay as well as the obligation specified in paragraph 7 (hereinafter together: performance discount). In the application, the debtor shall certify that a reason beyond its control would make it impossible to meet the deadline or would impose a disproportionate burden on it.
9. If the debtor submits the application pursuant to paragraph 8 after the enforcement of the decision of the Authority has been ordered, the Authority may grant a performance discount only if the performance of the obligation on time was made impossible by a cause beyond the control of the debtor.
(10) In examining an application for reduction or for a performance benefit submitted in respect of the payment obligation established in the decision of the Authority, the State Tax and Customs Authority shall issue a decision in accordance with Section 110 of Act CLIII of 2017 on the implementation procedures to be carried out by the tax authority.
33. Confidentiality Authority Procedure
Section 62 (1) If, on the basis of an investigation by the Authority or otherwise, it is probable that the classification of national classified information is unlawful, the Authority may initiate confidentiality proceedings.
1a. If the court initiates a secret supervisory authority proceeding of the Authority as specified in Section 31 (6a), the Authority shall initiate confidentiality proceedings.
(1b) The Authority's confidentiality supervision procedure does not affect the tasks of the National Security Supervision specified in the Act on the Protection of Classified Data.
(2)
2a. Classified information shall be used in proceedings under the secrecy procedure and in actions brought against a decision taken in these proceedings in accordance with the security requirements set out in the Classified Data Protection Act and this Act.
3. Proceedings under official secrecy may be initiated only of their own motion, nor shall they be deemed to have been initiated upon request if the secrecy procedure was preceded by a notification investigation by the Authority, or the secrecy procedure was initiated on the basis of the provisions of Section 31 (6a). However, if the confidentiality is an official procedure of the Authority
the notifier shall be notified of the initiation and termination of the confidentiality procedure.
(4) In the confidentiality supervision procedure, the client is the qualifier.
(5) During the clarification of the facts in the secret supervision authority proceedings, the witness, the expert and the holder of the object of examination may be heard even if it has not been exempted from the obligation of confidentiality with regard to the national classified information examined.
(6) In administrative proceedings under the supervision of secrecy, the administrative period shall be ninety days.

§ 63. (1) In its decision made in a secrecy official procedure, the Authority
(a) in the event of a breach of the legislation on the classification of national classified information, shall call on the classifier to change the classification level or validity period of the national classified information in accordance with the legislation or to terminate the classification, or
(b) establish that the classifier has acted in accordance with national legislation on the classification of classified information.
2. The qualifier may challenge the decision of the Authority under paragraph 1 (a) within sixty days of its notification. The filing of an application has suspensory effect on the entry into force of the decision. If the qualifier is sixty from the date of notification of the decision
national classified information within sixty-one days of the notification of the decision shall be terminated in accordance with the provisions of the decision, or its rating level or period of validity shall be changed in accordance with the provisions of the decision.
(2a)
(3) In the proceedings specified in subsection (2), the court shall hold a closed hearing.
(4)
5. The decision of the court or the Authority shall not affect the obligation of the rating agency to revise the national classified information under the Data Protection Act.
(6) Only a judge whose national security control pursuant to the Act on National Security Services has been carried out may act in a lawsuit.
7. In the proceedings provided for in paragraph 2, persons other than the judge, the plaintiff and the defendant shall
if they have a personal security clearance corresponding to the classification level of the data.
34. An action may be brought by the Authority
§ 64. (1) If the data controller does not comply with the request contained in § 56 (1), the Authority may, due to an infringement related to data in the public interest and public data in the public interest, within 30 days of the expiry of the deadline for information pursuant to Section 56 (2), request the court to oblige the controller to act on the request of the Authority.
(2) Paragraph (5) of Section 31 shall apply to the determination of the competence and jurisdiction of the court.
(3) The data controller shall prove that the data processing complies with the provisions of law.
(4) A party who does not otherwise have legal capacity to sue may also be a party to a lawsuit.
(5) The court may, upon request, order the publication of its judgment by publishing the identification data of the data controller, if the interests of data protection or freedom of information and the rights of a larger number of data subjects protected by this Act require it.
34/A. The data authorization procedure
64/A. § (1) The Authority conducts a data processing authorization procedure in the case of applications under the General Data Protection Regulation for
(a) approving draft, supplementing or amending codes of conduct provided for in Article 40,
(b) the authorization of the inspection activity provided for in Article 41,
(c) approval of the certification criteria set out in Article 42 (5),
(d) the authorization of contractual provisions as defined in Article 46 (3) (a),
(e) the authorization of the provisions set out in Article 46 (3) (b),
(f) the approval of binding corporate rules as set out in Article 47.
(2) In addition to the provisions of the General Administrative Procedure Act, subsection (1)
(a) the request referred to in point ( a) includes a draft code of conduct or a supplement or amendment thereto,
(b) the request referred to in point (b) of Article 41 (2) of the General Data Protection Regulation and the
data to demonstrate the fulfillment of the conditions set out in the permit requirements published by the
(c) the application referred to in point (c) shall include a general description of the certification mechanism and draft certification criteria,
(d) the request referred to in point (d) shall include the draft contractual provisions,
(e) the application referred to in point (e) shall include draft provisions,
(f) the application referred to in point (f) shall include a document certifying the binding nature of the binding corporate rules data and draft binding corporate rules.
64/B. § An administrative service fee of the amount specified in a ministerial decree is required to be paid for the data processing authorization procedure.
64/C. § (1) The administrative deadline in the data management authorization procedure is
a) in the case of applications specified in Section 64/A (1) a)-c) and f), one hundred and eighty days,
b) in the case of applications specified in Section 64/A (1) d) and e), ninety days.
(2) The Authority shall establish a data processing authorization procedure in accordance with the General Data Protection Regulation
a) cooperation process and as defined in paragraph (5) - Article 60 (3)
b) 63-66. shall be suspended for the duration of the application of the uniformity mechanism provided for in Article
also carry out the necessary procedural acts in the cooperation procedure and the coherence mechanism during the period of suspension.
(3) In the data processing authorization procedure, in the case of applications specified in Section 64/A (1) a)-c) and f), the Authority may invite the applicant to make a statement regarding the amendment or supplementation, as appropriate in order to obtain approval or authorization, of the application and the drafts to which it relates.
(4) There is no place for a summary procedure in the data processing authorization procedure.
64/D. § In its decision in the data processing authorization procedure, the Authority
(a) under the General Data Protection Regulation
(aa) approve the draft, supplement or amend the codes of conduct provided for in Article 40;
(ab) authorize the inspection activity provided for in Article 41,
(ac) approve the certification criteria set out in Article 42 (5),
(ad) authorize the application of the contractual provisions set out in Article 46 (3) ( a) ,
(ae) authorize the application of the provisions set out in Article 46 (3) ( b) ,
(af) approve the binding corporate rules provided for in Article 47, or
(b) reject the application.
35. International cooperation
§ 65. (1) The Authority shall cooperate with the authorities of third countries and international organizations, in particular in accordance with Article 50 of the General Data Protection Regulation and Article 40 of Directive 2016/680/EU, in the manner provided for therein.
2. In the framework of the cooperation provided for in paragraph 1, the Authority shall provide legal assistance to a third country authority or internationally
organization and, with the exception of Article 67, from a third country authority or an
an application for legal aid, if the administrative legal aid agreement between the third country or international organization and Hungary is different
an international treaty, law or act of the European Union allows it.
§ 66. The Authority shall refuse to comply with a request for assistance from an authority of a third country or an international organization and inform the authority of the third country or the international organization of the reasons for the refusal if the execution of the request for assistance
a) does not fall within its tasks and competences,
b) would harm Hungary's national security interests or public security,
(c) would infringe the fundamental rights of the person concerned, or
(d) would be contrary to law.
§ 67. (1) The Authority shall cooperate with the supervisory authorities of an EEA State in a manner specified in a binding act of the European Union, in particular within the framework of the reciprocal assistance defined in Article 61 of the General Data Protection Regulation and Article 50 of Directive 2016/680/EU, as provided for therein.
2. As provided for in Article 62 of the General Data Protection Regulation, in conjunction with the supervisory authority of an EEA State
operations
(a) a civil servant of the Authority's staff designated by the President of the Authority to contribute to the joint operation;
or an employee in the territory of another EEA State, the tasks and powers delegated by the supervisory authority of the other EEA State,
(b) a person acting under the authority and competence of a supervisory authority of another EEA State and designated by that supervisory authority Hungary
to the extent specified in writing by the Chairperson of the Authority
contributes to the exercise of
(3) The procedure of the person specified in subsection (2) b) shall be governed by Hungarian law.
§ 68. If the authority of a third country or other EEA State or an international organization
not directly related to the procedure - obtaining data, documents or carrying out another procedural act in order to fulfill a request
necessary, the Authority shall carry out official controls for that purpose. In such a case, the verification of the transmission of the evidence obtained to the Authority
concludes with an order on
36. Certification
§ 69. (1) The certification specified in Article 42 of the General Data Protection Regulation shall be issued by the Authority to the data controller or the data processor on the basis of an agreement concluded with the data controller or the data processor.
2. The Authority shall publish the conditions for concluding an agreement to carry out certification, the consideration to be provided for certification, the certification process and the certification criteria.
3. The conditions for concluding an agreement on the conduct of certification, the consideration to be provided for certification proportionate to the extent of the activity to be performed. Remuneration for carrying out the certification process is the revenue of the Authority.
4. Where the Authority issues a certificate of certification or a European data protection stamp, it shall publish
(a) the name of the controller authorized to use it; and
(b) the data processing operations covered by the certificate or the European Data Protection Seal.
37. Initiation of criminal, infringement and disciplinary proceedings
§ 70. (1) If the Authority detects a suspicion of a criminal offense during its proceedings, it shall initiate criminal proceedings before the body competent to initiate them. If, in the course of its proceedings, the Authority detects a suspected irregularity or disciplinary offense, it shall initiate proceedings before the body authorized to conduct infringement or disciplinary proceedings.
(2) The position of the body specified in subsection (1) regarding the initiation of proceedings is a different provision of law
within 30 days of the outcome of the procedure, and within 30 days of its conclusion
Authority.
38. Other rules, data management and confidentiality of the Authority's procedures

70/A. § (1) At the request of the data controller or the data processor, there is no place for conducting an official inspection.
(2) The controller or processor must prove that the processing meets the requirements for the processing of personal data specified in a law or a binding act of the European Union, in particular, in the case of data processing falling within the scope of Section 2 (3), the essential requirements laid down in Section 4 (1)-(4a).
70/B. § (1) In order to facilitate the information of data subjects and data controllers, the Authority shall publish
a) in accordance with the decisions published pursuant to Section 61 (2)
aa) the identification data of the data controller or the data processor,
(ab) an indication of the infringement,
(ac) an indication of the legal sanction applied,
b) in accordance with the decisions referred to in Section 64/D a)
(ba) the identity of the applicant,
(bb) an indication of the subject matter of the Authority's decision;
(bc) if the decision of the Authority is valid for a specified period, an indication of the temporal effect of the decision,
(c) a Data Protection Officer notified to the Authority
(ca) his name,
cb) postal and electronic mail address,
(cc) the name of the controller or processor represented by.
2. The data referred to in paragraph 1 shall be in the public interest.
(3) The Authority
a) of paragraph (1) a) the information specified in the Decision
(aa) until the date of expiry, or
(ab) ten years after its publication,
(b) the information specified in paragraph 1 ( b) until the date of expiry of the decision,
(c) publish the data specified in paragraph 1 ( c) until the change is notified.
70/C. § The Authority makes the data ordered to be published or made public by the Authority in accordance with a binding legal act of the European Union and this Act available on the Authority's own website, in digital form, to anyone, without identification, without restriction, in a form that can be printed and copied in detail without data loss and distortion, free of charge for insight, download, print, copy and network data transmission.
§ 71. (1) In the course of the proceedings of the Authority, to the extent and for the time necessary for the conduct thereof, it may process all personal data
and information which is covered by legal professional secrecy and professional secrecy relating to the proceedings,
or the handling of which is necessary for the efficient conduct of the proceedings.
1a. If the controller complies with Articles 13 to 18 of the General Data Protection Regulation, and Article 21 and Article 14 respectively
lawfully restricted by law or by a binding act of the European Union
the Authority in the context of its procedures
(a) secures the rights of the data subject in such a way and at such a time that he:
(b) the notification obligations imposed on the Authority by this Act in such a way and in such a way that
fulfills on time
that the interests which may justify a legitimate restriction of the data subject's rights are not adversely affected.
1b. At the request of the Authority, the clerk of the local authority shall verify, for the activities carried out in the area of competence by the Authority, the actual circumstances of the data processing indicated in the request, in particular the scope of the personal data processed, the operations carried out with the personal data and the means of those operations, as well as the technical and organizational measures applied by the controller.
(2) The Authority may use in another proceeding a document, data or other means of proof that it has lawfully obtained in the course of its proceedings.
2a. In the case of a document prepared for the purpose of defense, the provisions of subsections (1) and (2) shall apply with the derogations specified in the Law on the Activity of Lawyers.
2b. Following the closure of an investigation or the finalization of a decision terminating an official procedure, the Authority shall block the personal data processed during the procedure and protected data. The blocked data shall be kept until the file of the case that is the subject of the proceedings is discarded or archived and, except for use in accordance with paragraph 2, may be processed solely for the purpose of the enforcement of the decision which has become final, the review of the decision which has become final, or the review of a decision relating to it, and may be made available only for the purpose of processing or accessing such data, in the manner prescribed by law, to a competent court, other body or person.
(3) In the course of the procedures specified in this Act, the Authority may get to know the data specified in Section 23 (1) a)-f) and i), (2), (3) c)-f), (4) c)-g), and (5) d) of Act CXI of 2011 on the Commissioner for Fundamental Rights (hereinafter: Ajbtv.) as defined in Section 23 (7) of the Ajbtv.
(3a) Notwithstanding paragraph 3, the Authority may become acquainted with the data specified in Section 23 (3) e), (4) f) and (5) d) of the Ajbtv. if it is required in one of the following procedures initiated in connection with the protection of the personal data of the cooperating person:
(a) in an investigation procedure,
(b) in an official data protection procedure; or
(c) in official secrecy proceedings.
(3b) Notwithstanding paragraph (3), the Authority may become acquainted with the data specified in Section 23 (3) f) and (4) g) of the Ajbtv. on the specific means used to continue the collection of secret information or the use of covert means, and the data enabling the identification of persons using such methods, if it is required in one of the following procedures started in relation to the protection of their personal data:
(a) in an investigation procedure,
(b) in an official data protection procedure; or
(c) in official secrecy proceedings.
(3c) Where a document which the Authority intends to examine also contains information which is accessible to the Authority only in accordance with paragraph (3), access to the document shall be made possible by making unrecognizable the data that the Authority may not access.
(4) During the procedure related to the data management concerning classified data, the Deputy Chairman of the Authority, a civil servant in a managerial position and an examiner, if he has an appropriate level of personal security
even without a user license as defined in the Classified Data Protection Act.
(5) The Chairperson and the Vice-Chairperson of the Authority and any other person in a public service or public-sector employment relationship with the Authority are obliged, during the existence of that relationship and after its termination, except for the provision of data to another organization required by law, to keep confidential the personal data, classified data, secrets protected by law and secrets connected with the exercise of a profession which have come to their knowledge in connection with the activities of the Authority and the performance of their duties, as well as any data, facts or circumstances which the Authority is not required by law to make available to the public.
(6) The confidentiality obligation of the persons listed in paragraph (5) includes that they may not, without authorization, disclose, use or reveal to another person any data, fact or circumstance of which they become aware in connection with the performance of their duties.
VI / A. CHAPTER
CONTROL OF JUDICIAL DATA PROCESSING OPERATIONS

71 / A. § (1) In litigation and non-litigation proceedings for the adoption of a court decision (hereinafter: main proceedings), the right of the person concerned to the protection of personal data in connection with data processing operations carried out by courts shall be verified by means of a data protection objection (hereinafter: objection).
(2) In accordance with the rules of procedure applicable to the main proceedings,
(a) if the rules of criminal or infringement proceedings apply to the main proceedings, Section 143 (3) and Section 144 (3) and (8) a) of Act XC of 2017 on the Code of Criminal Procedure,
(b) if the rules of administrative procedure are applicable to the main case, Section 157 (3) and Section 158 (3) and (6) of Act CXXX of 2016 on Civil Procedure, Section 36 (2) of Act I of 2017 on Administrative Procedure,
(c) in cases not covered by points a) and b), Section 157 (3) and Section 158 (3) and (6) of Act CXXX of 2016 on the Code of Civil Procedure or, if Act III of 1952 on the Code of Civil Procedure (hereinafter: Pp. 1952) is applicable in the main proceedings, Section 114/A (4) and Section 114/B (3) and (6) of Pp. 1952
shall apply with the derogations provided for in this Chapter.
(3) An objection addressed to the court having jurisdiction to hear the objection may be lodged in writing with the court seised of the main proceedings.
(4) The objection shall be submitted by the party, the accused and the other party to the proceedings, in particular the victim, the private party, the witness and the expert, and by the right holder who has a probable legal interest at the same time as the objection is filed.

71 / B. § (1) On the basis of the objection, the court shall examine whether the acting judge, presiding judge or judicial officer acted in accordance with legal and EU law provisions on the protection of personal data.
(2) An objection may be raised by the person concerned on the grounds that:
(a) an infringement has occurred in connection with the processing of his or her personal data, or there is an imminent danger of one, or
(b) during the enforcement of the data subject's rights specified in the General Data Protection Regulation or in Section 14, the data controller acted unlawfully.
(3) In the objection referred to in paragraph (2) b), the person concerned shall provide information to substantiate that he or she attempted to enforce the data subject's rights with the controller.
(4) The court seised of the main proceedings shall, if it considers the objection well founded, take within eight days the measures necessary to mitigate the consequences of the infringement and to eliminate the risk of an infringement, and shall at the same time inform the objector of the action taken and of the fact that if, despite the action taken, he or she maintains the objection, he or she may submit a statement to that effect in writing within eight days of receipt of the notification.
(5) If the court seised of the main proceedings has not taken the measure provided for in paragraph 4 or the
the court hearing the case in the main proceedings has eight days in which to
together with its statement of objections, to the court seised of the objection.
(6) An objection raised in the course of proceedings shall be considered on the merits even if the litigation or non-litigation proceedings have in the meantime been completed.
71 / C. § (1) The court adjudicating the objection, by a reasoned decision,
(a) rejects the objection in the cases pursuant to Section 53 (2), Section 53 (3) a)-d) and (4),
(b) rejects the objection if the objection would have been rejected under point (a), but the reason for the rejection arose after the initiation of the substantive investigation.
(2) The court hearing the objection shall, if it has not rejected the objection or has not rejected it in accordance with paragraph (1),
by reasoned decision within two months of the date on which the
(a) establish the unlawful processing of personal data or that an infringement has occurred in connection with the exercise of the rights of the data subject specified in the General Data Protection Regulation or in this Act,
(b) establish the existence or imminent danger of the matters referred to in point (a) and
(ba) order the cessation of an unlawful data processing operation, the elimination of an imminent threat of unlawful data processing, or the restoration of the lawfulness of data processing,
(bb) order the taking of data management measures for the enforcement of the rights of the data subject provided for in the General Data Protection Regulation or in this Act, or
(c) declare that there has been no infringement or that there is no imminent threat thereof and reject the objection.
(3) The court seised of the main proceedings and the court hearing the objection may, in the objection proceedings, request the opinion of the Authority in order to ensure uniform application of these provisions.
(4) The following shall not count towards the time limit open to the court for resolving the objection:
(a) the time from a request to provide information necessary to clarify the facts, or from a request to the Authority in accordance with paragraph (3), until its completion,
(b) the time required for the translation of the document relating to the proceedings; and
(c) the day on which a circumstance, impediment or other unavoidable event disrupted the operation of the court for at least four hours.
(5) In matters not regulated in this Chapter, the provisions of Section 52 (3) and (4), Section 53 (1) and (7), and Section 54 (1) a)-d), (2) and (3) shall apply to the procedure of the court adjudicating the objection.

VII. CHAPTER
FINAL PROVISIONS
Section 72 (1) The Government shall be empowered to issue a decree to
(a) lay down detailed rules for the electronic publication of data of public interest,
(b) determine the amount of compensation to be paid for the fulfillment of the request for data in the public interest and the amount referred to in Section 29 (4),
(c) establish a specific publication list,
(d) determine the data content of the unified public data retrieval system and the central register, as well as the rules for data integration,
(e) determine the scope of the data to be published by the national security services, seeking the opinion of the Authority.
(2) Authorization is given to
(a) the Minister in charge to establish, by regulation, a special list for bodies under his authority or supervision,
(b) the Minister responsible for e-Government to lay down in a regulation the publication patterns necessary for the publication of data on publication lists,
(c)
(3) The Minister responsible for justice shall be empowered, in consultation with the Authority, to
in agreement with the Minister, the amount of the administrative service fee to be paid for the
lay down detailed rules for the collection, management, registration and reimbursement of fees.
§ 73. (1) This Act - with the exceptions specified in subsections (2) and (3) - shall enter into force on the day following its promulgation.
(2) Sections 1-37, Section 38 (1)-(3), Section 38 (4) a)-f), Section 38 (5), Sections 39, 41-68, 70-72, 75-77 and 79-88, and Annex 1 shall enter into force on 1 January 2012.
(3) Section 38 (4) ( g) and (h) and Section 69 shall enter into force on 1 January 2013.
73 / A. § Act CXII of 2011 on the right to information self-determination and freedom of information. amending the law
XCI of 2013 § 26 (2) and § 30 (7) on the right to information self-determination and
CXII of 2011 on freedom of information. Act XCI of 2013 on the amendment of Act pending at the time of entry into force of this Act
procedures.
§ 74. The Prime Minister shall propose the first President of the Authority to the President of the Republic by 15 November 2011. The first Chairperson of the Authority shall be appointed by the President of the Republic with effect from 1 January 2012.
§ 75. (1) On the basis of a petition received by the Data Protection Commissioner before 1 January 2012, the Authority shall act in accordance with the provisions of this Act.
(2) Data processed before 1 January 2012 in the area of responsibility of the Data Protection Commissioner shall be managed by the Authority as of 1 January 2012.
(3) With regard to data processing commenced before 25 May 2018, the review specified in Section 5 (5) shall be completed by 25 May 2021.
(4) Act CXII of 2011 on the right to information self-determination and freedom of information. European Union Data Protection Act
XXXVIII of 2018 on the amendment related to the reform of the Act (a
investigation and data protection authority proceedings initiated by the Authority prior to the entry into force of
VI. Chapter on Mod. in accordance with the provisions in force on the day before its entry into force.
(5) The data processed in the data protection register prior to the entry into force of the Mod. shall be blocked by the Authority and shall be used only in proceedings instituted in respect of data processing operations carried out before the entry into force of the Mod.
(6) If the controller is likely to be in breach of Article 25 / F. § (1) of the Act
2016/680 (EU) used for data processing operations carried out by or on behalf of a data controller
disproportionate for automated data management systems as defined in Article 63 (2) of this Directive
would involve difficulty or cost, 25 / F. § (1) until 31 December 2022.
75 / A. § The Authority shall exercise the powers provided for in Article 83 (2) to (6) of the General Data Protection Regulation in accordance with the principle of proportionality; in particular, in the case of a first-time breach of the rules laid down in law or in a binding legal act of the European Union on the processing of personal data, it shall act to remedy the breach in accordance with Article 58 of the General Data Protection Regulation, in particular by alerting the controller or processor.
§ 76. Chapter V of this Act is considered to be crucial under Article VI (4) of the Basic Law.

Section 77 This Act serves compliance with
(a)
(b) Directive 2003/4/EC of the European Parliament and of the Council of 28 January 2003 on public access to environmental information and repealing Directive 90/313/EEC,
(c) Directive 2003/98/EC of the European Parliament and of the Council of 17 November 2003 on the re-use of public sector information,
(d) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA,
(e) Directive 2013/37/EU of the European Parliament and of the Council of 26 June 2013 amending Directive 2003/98/EC on the re-use of public sector information.
77 / A. § A III-V. and VI / A. Chapter and Sections 3, 4, 6, 11, 12, 13, 16, 17, 21, 23-24 of Section 3. § 4 (5), § 5 (3) - (5), (7) and
(8), Section 13 (2), Section 23, Section 25, Section 25 / G. § (3), (4) and (6), the 25 / H. § (2), the 25 / M. § (2), a
25 / N. §, 51 / A. § (1), Articles 52-54. §, § 55 (1) and (2), §§ 56-60. §, a 60 / A. § (1) - (3) and (6), § 61 (1)
a) and c) , § 61 (2) and (3), (4) ( b) and (6) - (10), 62-71. §, § 72, § 75 (1) - (5) and 1.
Annex I on the protection of individuals with regard to the processing of personal data and on the free movement of such data
of the European Parliament and of the Council of 27 April 2016 repealing Directive 95/46 / EC
(General Data Protection Regulation).
Section 78 (1) - (2)
(3) In Section 9 (7) of Legislative Decree 17 of 1982 on birth registers, marriage proceedings and naming, the
"Originating" is replaced by "originating found".
4. The European Police Office, the protection of persons and property and private investigation, firearms and
Act XXIV of 2011 amending the laws related to pyrotechnics for the purpose of legal harmonization Section 25 (3) of the Act is as follows
enters into force with:
„(3) The SZVMt. Section 38 (1) ( g) is replaced by the following provision:
(A chamber)
"(G) in compliance with the data protection rules of the Law on the Right to Self-Determination of Information and Freedom of Information,
a register of members of a natural person, a register of enterprises is kept by the membership of the chamber or the obligation to register
and provide statistics on them in a non-personally identifiable manner; "
5. The European Police Office, the protection of persons and property and the private investigation, firearms and
Act XXIV of 2011 amending the laws related to pyrotechnics for the purpose of legal harmonization Section 41 (3) ( b) of the Act a
shall enter into force with the following text:
(Repeals)
„B) the SZVMt. Section 27 (4), the words “, gas and alarm weapons”, Section 40 (2), the words “which, at the request of a member
renewable every two years ”and in Section 54 (1) and (2), the words“ for a period of time. ”
(6) The European Police Office, the protection of persons and property and private investigation, firearms and
Act XXIV of 2011 amending the laws related to pyrotechnics for the purpose of legal harmonization Section 42 ( j) of the Act is as follows
enters into force with:
(The SZVMt.)
" J) In Section 26 (1) ( e), the words" security technology "shall be replaced by the words" electronic security ".
§ (2) ( d), the words “electronic security technology” shall be replaced by the words “electronic
Act LXIII of 1992 on the protection of personal data and the disclosure of data of public interest. (hereinafter: the Act) ”
"Law on the right to information self-determination and freedom of information", § 32 (5)
"Security" is replaced by "electronic security", § 74 (7) is replaced by "security
"Security" is replaced by "electronic security", "
(7) The European Police Office, the protection of persons and property, and private investigation, firearms and
Act XXIV of 2011 amending the laws related to pyrotechnics for the purpose of legal harmonization Section 42 ( l) of the Act is as follows
enters into force with:
(The SZVMt.)
"(L) in Section 30 (1) and (4), Section 32 (1), the words" the Avtv. " replaced by “on the right to information self-determination and
the Act on Freedom of Information ”, in Section 63 (4), the words“ Act No. 218/1999 Coll. (XII. 28.) Korm.
unauthorized protection of persons and property or private investigators in accordance with Article 13 of
protection of persons and property ", in Section 39 (3) the words" upon presentation of his
"In the application for membership of the Chamber", "
(8) Act CXXXIII of 2005 on the rules for the protection of persons and property and the rules of private investigation. Act of the European
Police Office, Personal and Property Protection, Private Investigation, Firearms and Pyrotechnics
Act XXIV of 2011 amending the laws related to § 34 (1) c) established by § 23 of the Act
shall enter into force with the following text:
(Private investigator to perform the contract)
"(C) video and audio recordings in the framework of the contract defining his obligations, the right to information self-determination and the
in compliance with the rules on data protection and privacy rights of the Freedom of Information Act, and
may use it; "
(9) Act LXXVII of 2011 on World Heritage. Section 15 (3) of the Act does not enter into force.
Section 79 (1) - (4)
(5)
(6) - (11)
Section 80 (1) The following point n) is added to Section 51 (2) of Act CXII of 1996 on Credit Institutions and Financial Undertakings:
[There is no obligation of bank secrecy under paragraph 1 (b)]
"(n) the National Data Protection and Freedom of Information Authority acting within its remit"
(as opposed to a written request from these bodies to the financial institution.)
(2) The following point r) is added to Section 157 (1) of Act LX of 2003 on Insurers and Insurance Activities:
(There is no obligation to maintain insurance secrecy)
"(r) the National Data Protection and Freedom of Information Authority acting within its remit"
[on the other hand, if the body or person referred to in points (a) to (j), (n) and (s) makes a written request
the name of the insurance contract, the type of data requested, the purpose of the request for information and the legal basis,
The body or person indicated in point 1 shall indicate only the type of data requested, the purpose of the request and the legal basis. The purpose and
the indication of a legal provision granting access to the data shall also constitute proof of the legal basis.]
(3) The following point m) is added to Section 8 (2) of Act LVII of 2004 on the Status of Members of the European Parliament in Hungary:
(Furthermore, a Member of the European Parliament may not be)
"(m) the Chairperson and Vice-Chairperson of the National Authority for Data Protection and Freedom of Information."
(4) The following point k) is added to Section 118 (3) of Act CXXXVIII of 2007 on Investment Firms and Commodity Exchange Service Providers and the Rules on the Activities They May Carry Out:
[No obligation of confidentiality set out in paragraph 1 applies]
"(k) the National Data Protection and Freedom of Information Authority acting within its remit"
(as opposed to a written request from these bodies to the investment firm or the commodity exchange service provider.)
(5) The following point q) and the following final text are added to Section 88 (1) of Act CLIX of 2007 on reinsurance:
(There is no obligation to maintain insurance secrecy under this Act)
"(q) the National Data Protection and Freedom of Information Authority acting within its remit
against."
(6) The following point h) is added to Section 13 (3) of Act CLV of 2009 on the protection of classified information:
(To perform state or public duties)
"(h) the Chairperson of the National Authority for Data Protection and Freedom of Information"
[without national security clearance, personal security clearance and privacy statement and user license
are entitled to the classified information belonging to their tasks and competences - as defined in Section 18 (2) a) and b) exercise their right of disposal.]
Section 81 (1) Act I of 1988 on Road Transport 21 / H. § “the Minister for the professional supervision of the registration body, the
Data Protection Supervisor or their delegate "is replaced by" professional supervisor of the
the Minister and the person authorized by him and the President of the National Authority for Data Protection and Freedom of Information,
Vice-President and Civil Servant ’.
(2) Act XXIII of 1992 on the Status of Civil Servants. (hereinafter: the Act) in Section 1 (2) of the Act “Constitutional Court
Office ”is replaced by“ Office of the Constitutional Court, National Data Protection and Freedom of Information Authority ”.
(3) In Section 44 (1) of the Act, the words “at the Economic Competition Office” shall be replaced by the words “at the Economic Competition Office, the National Competition Authority”.
Data Protection and Freedom of Information Authority ”.
(4) In Section 63 (1) ( i) of the Act, the words “the Data Protection Commissioner” shall be replaced by the words “the National Data Protection and
Freedom of Information Authority ”.
(5) Act XLVI of 1993 on Statistics. In Section 7 (3) of the Act, the text “the Data Protection Commissioner” is replaced by the words “the National
Chairman of the Data Protection and Freedom of Information Authority ”, in Section 19 (3), the words“ the Data Protection Commissioner ”shall be replaced by the words“ the Data Protection Commissioner ”.
National Data Protection and Freedom of Information Authority ”.
(6) In Section 5 (1) of Act CXIX of 1995 on the management of name and address data for the purpose of research and direct business acquisition, the words “in the Avtv.” are replaced by the words “in the Act on the right to information self-determination and freedom of information”, in Section 19 the words “the Avtv.” are replaced by the words “the Act on the right to information self-determination and freedom of information”, and in Section 19 the words “the Data Protection Commissioner” are replaced by the words “the National Data Protection and Freedom of Information Authority”.
(7) Act LXIX of 1999 on Infringements. Act 27 / F. § “the professional supervisor of the infringement registration body
Minister, the Data Protection Commissioner and the person authorized by them "is replaced by" the
the Minister responsible for professional supervision and the person authorized by him, as well as the National Data Protection and Freedom of Information
President, Vice-President and Civil Servant of the Authority ”.
(8) The rules for combating organized crime and certain related phenomena and related measures
Act LXXV of 1999 on Amendments to the Act Act 4 / G. § (2) ( b) , “the data protection commissioner is the data protection procedure
"National Data Protection and Freedom of Information Authority" is replaced by "National Data Protection and Freedom of Information Authority".
(9) Act LXXXIV of 1999 on the road traffic register. In Section 32 (4) and (7) of the Act, the “Data Protection Commissioner”
the words “the National Data Protection and Freedom of Information Authority”, in Section 32 (8) the words “The Data Protection
Commissioner "is replaced by" National Data Protection and Freedom of Information Authority ".
(10) Act CXXX of 2003 on Criminal Cooperation with the Member States of the European Union. Act 75 / O. § “on data protection
Commissioner "is replaced by" National Data Protection and Freedom of Information Authority ".
(11) Act CXL of 2004 on the general rules of administrative authority procedure and service. Section 164 (5) and Section 174 of the Act
In paragraph 3 ( a), the words "the Data Protection Commissioner" are replaced by "the National Data Protection and Freedom of Information Authority".
text enters.
(12) Section 85 (3) of Act I of 2007 on the Entry and Residence of Persons with the Right of Free Movement and Residence
In paragraph 1, the words "the Data Protection Commissioner" are replaced by the words "the National Data Protection and Freedom of Information Authority".
(13) CI of 2007 on ensuring the availability of data necessary for the preparation of decisions. In Section 6 of the Act, “the
Data Protection Commissioner in the procedure provided for in the Act on the Protection of Personal Data and the Disclosure of Data of Public Interest "
is replaced by "the National Data Protection and Freedom of Information Authority".
(14) CV of 2007 on cooperation and exchange of information under the Schengen Implementing Convention. Section 18 (6) of the Act
and Section 20 (2), the words “the Data Protection Commissioner” shall be replaced by the words “the National Data Protection and
Freedom of Information Authority ”, in Section 20 (1), the words“ on the protection of personal data and data of public interest
the text of the Data Protection Commissioner ”is replaced by“ the National Data Protection and
Freedom of Information Authority ”.
(15) Criminal records system against Hungarian citizens by the courts of the Member States of the European Union
XLVII of 2009 on the registration of convictions and the registration of criminal and law enforcement biometric data. Section 88 (2) of the Act
“the Act on the Protection of Personal Data and the Disclosure of Data of Public Interest, as well as personal data
the Data Protection Commissioner acting in his / her capacity to monitor compliance with the legal provision
replaced by “acting in its capacity to monitor compliance with legal provisions on the processing of personal data
National Data Protection and Freedom of Information Authority ”text, 91 / A. § (2), the words “with the Data Protection Commissioner”
replaced by "with the National Data Protection and Freedom of Information Authority", 91 / A. § (3), the words “The Data Protection Commissioner”
is replaced by "The National Data Protection and Freedom of Information Authority".
(16) The transfer of Passenger Name Record (PNR) data between air carriers between the European Union and the United States of America
processing and transfer to the United States Department of Homeland Security
XCVII of 1995 on the promulgation of Act CIV of 2009 amending Act in Section 7 (8) of Act no
"And - Act LXIII of 1992 on the protection of personal data and the disclosure of data of public interest. provided by law
"Data Protection Commissioner" is replaced by "and on the right to information self-determination and freedom of information
the National Data Protection and Freedom of Information Authority ”.
(17) CLV of 2009 on the protection of classified information. In Section 6 (8) of the Act, the text “the Data Protection Commissioner” is replaced by the words “a
National Data Protection and Freedom of Information Authority ”, Section 20 (2) ( r), the words“ with the Data Protection Commissioner ”
replaced by "with the National Data Protection and Freedom of Information Authority".
(18) Act CXXII of 2010 on the National Tax and Customs Administration. In Section 76 (1) ( j) of the Act, the “Data Protection Commissioner and the
"Chairman, Vice-Chairman and Vice-Chairman of the National Data Protection and Freedom of
civil servant ’.
(19) The Convention on the Law Enforcement Center for South-Eastern Europe, done at Bucharest on 9 December 2009, and
Protocol on the Privileges and Immunities of the European Police Center, done at Bucharest on 24 November 2010
LVI of 2011 on the promulgation of Section 7 (5) of the Act “Supervision - the protection of personal data and data of public interest
Act LXIII of 1992 on the publicity of in the competence provided by law - the text “Data Protection Commissioner” is replaced by “supervision of
National Data Protection and Freedom of Information Authority ”.
§ 82
Section 83 (1) - (29)
(30)
Section 84 (1) - (2)
(3)
(4)
Section 85 (1)
(2)
86-87. §
Section 88 (1) - (5)
(6)
§ 89

Annex 1 to Act CXII of 2011
GENERAL DISCLOSURE LIST

I. Organizational, personnel data

1. Data: Official name, registered office, postal address of the body performing the public function, telephone and fax numbers, e-mail address, website, customer service contact details
   Update: Immediately after the changes
   Preservation: The previous state must be deleted

2. Data: The organizational structure of the body performing the public task, organizational units, tasks of each organizational unit
   Update: Immediately after the changes
   Preservation: The previous state must be deleted

3. Data: Names, positions and contact details (telephone and fax numbers, email address) of the heads of the body performing the public task and of the individual organizational units
   Update: Immediately after the changes
   Preservation: The previous state must be deleted

4. Data: Name and contact details (telephone and fax numbers, e-mail address) of the competent customer relationship manager within the organization, and customer reception order
   Update: Immediately after the changes
   Preservation: The previous state must be deleted

5. Data: In the case of a body, the number and composition of the body, the names of its members, position, contact information
   Update: Immediately after the changes
   Preservation: The previous state must be deleted

6. Data: Other public bodies acting under the direction, supervision or control of the public body or subordinate to it, and their particulars specified in point 1
   Update: Immediately after the changes
   Preservation: The previous status is kept in the archive for 1 year

7. Data: Name, registered office and contact details (postal address, telephone and fax numbers, electronic mailing address) of the economic operator majority owned or controlled by the public body, its scope of activity, the name of its representative, the extent of the share of the body performing the public task
   Update: Immediately after the changes
   Preservation: The previous status is kept in the archive for 1 year

8. Data: Names of public foundations established by the body performing the public function, registered office, contact address (postal address, telephone and fax numbers, e-mail address), articles of association, members of its governing body
   Update: Immediately after the changes
   Preservation: The previous status is kept in the archive for 1 year

9. Data: Name of the budgetary body set up by the public service body, its seat, an indication of the law establishing the budgetary body and the decision establishing it, the charter of the budgetary body, its head, the availability of its website, its operating license
   Update: Immediately after the changes
   Preservation: The previous status is kept in the archive for 1 year

10. Data: The names, editorial offices and pages of the boards set up by the public service body, the name and address of the publisher and the name of the editor-in-chief
   Update: Immediately after the changes
   Preservation: The previous status is kept in the archive for 1 year

11. Data: The data specified in point 1 of the superior or supervisory body of the body performing the public task, of the body with the right to hear appeals against its decisions or, failing that, of the body exercising legality control over the body performing the public task
   Update: Immediately after the changes
   Preservation: The previous status is kept in the archive for 1 year

II. Activity and operation data
Data
1.

The task, competence and core activity of the body performing the public task
determining the basic legislation of the body, public law
organizational tools as well as organizational and operational

Preservation

Update
Immediately after the changes

The previous status is archived for 1 year
holding

policy or rules of procedure, the data protection and data security policy
current and complete text
*

2. In the case of bodies with national jurisdiction and of the capital and county government offices, information in Hungarian and English on the task and activities of the body performing the public task
Update: Immediately after the changes
Preservation: The previous state must be deleted

3. Voluntary responsibilities of the local government
Update: Quarterly
Preservation: The previous status is kept in the archive for 1 year

4. In state administration, municipal and other official matters: the competent body for each type of case and type of procedure; in the case of a transfer of powers, the name and area of competence of the body actually acting; the documents and procedural fees (administrative service fees) necessary for the administration; basic procedural rules; the method of submitting the document instituting the proceedings (place, time); time of client reception; deadline of administration (settlement, time limit for appeal); case management guidelines; case information and downloadable forms used for administration; access to electronically available programs; appointment booking; a list of legislation related to the case types; information on the client's rights and on the obligations incumbent on the client
Update: Immediately after the changes
Preservation: The previous state must be deleted

5. The name and content of the public services provided by the public body or financed from its budget, the order of using the public services, the amount of the fee to be paid for the public service, and the discounts granted therefrom
Update: Immediately after the changes
Preservation: The previous status is kept in the archive for 1 year
6. Descriptive data of the databases and records maintained by the public service body (name, format, purpose of data management, legal basis, duration, scope of stakeholders, source of data, and, in case of data collection by questionnaire, the questionnaire to be completed); identification data of the data protection records to be registered in accordance with this Act; the types of data collected and processed by the body performing the public task in the course of its core business, the mode of access, and the cost of making a copy
Update: Immediately after the changes
Preservation: The previous status is kept in the archive for 1 year
7. The title and subject of the public publications of the body performing the public task, the method of access, and whether the publication is free or the extent of the reimbursement
Update: Quarterly
Preservation: The previous status is kept in the archive for 1 year

8. The order of preparation of the decisions of the collegial body, the method of citizen participation (opinion), the rules of procedure, the place and time of the meetings of the collegial body, as well as their publicity, decisions, minutes and summaries of the meeting; details of the voting of the collegial body, unless restricted by law
Update: Immediately after the changes
Preservation: The previous status is kept in the archive for 1 year
9. Draft legislation to be published under the Act and related documents; submissions to a public meeting of the local government representative body, from the date of submission
Update: Unless otherwise provided by law, immediately after the date of submission
Preservation: The previous status is kept in the archive for 1 year

10. Notices and announcements published by the body performing the public task
Update: Continuously
Preservation: Kept in the archive for at least 1 year

11. Professional description of the tenders announced by the body performing the public task, their results and justification
Update: Continuously
Preservation: The previous status is kept in the archive for 1 year

12. Public findings of inspections and audits related to the core business of the public service body
Update: Immediately after becoming acquainted with the report on the investigation
Preservation: The previous status is kept in the archive for 1 year

13. The order of managing requests for access to data of public interest, the name of the competent organizational unit, its contact details, and the name of the person dealing with information rights
Update: Quarterly
Preservation: The previous state must be deleted

14. Results of the statistical data collection, based on legislation, on the activities of the body performing a public function, and their change over time
Update: Quarterly
Preservation: The previous status is kept in the archive for 1 year

15. Data on the given body from the mandatory statistical data provision on data of public interest
Update: Quarterly
Preservation: The previous status is kept in the archive for 1 year

16. List of contracts for the exploitation of data of public interest in which the public authority is one of the contracting parties
Update: Quarterly
Preservation: The previous status is kept in the archive for 1 year

17. General contract conditions for the use and utilization of data of public interest held by a public body
Update: Immediately after the changes
Preservation: The previous status is kept in the archive for 1 year

18. Specific and individual disclosure list for the public service body
Update: Immediately after the changes
Preservation: The previous state must be deleted

19. List of cultural public data managed by a body performing a public task and available for recycling under the Public Data Recycling Act, in the available formats; and information on the types of reusable public data managed by a body performing a public function under the Public Data Recycling Act, indicating the available formats
Update: Within 15 days of the changes
Preservation: The previous status is kept in the archive for 1 year

20. Electronically editable version of the general terms and conditions of the contract for the recycling of public data and cultural public data according to line 19
Update: Within 15 days of the changes
Preservation: The previous state must be deleted

21. The fees payable for the provision, for recycling, of public data and cultural public data according to line 19, together with the factors on which the fee is based
Update: Within 15 days of the changes
Preservation: The previous state must be deleted

22. Information on remedies under the Public Data Recycling Act
Update: Within 15 days of the changes
Preservation: The previous state must be deleted

23. Designation of the parties to the agreements, concluded by the body performing the public task, that grant an exclusive right under the Public Data Recycling Act, the duration and subject matter of the exclusivity, and an indication of other essential elements of the agreement
Update: Within 15 days of the changes
Preservation: The previous state must be deleted

24. Text of the agreements, concluded by the body performing the public task, granting the exclusive right to digitize cultural public data under the Public Data Recycling Act
Update: Within 15 days of the changes
Preservation: The previous state must be deleted

25. The legislation, public regulatory instrument, public service contract or other binding document (or its …) under the Act on the Recycling of Public Data which requires the body performing the public task to cover from its own revenue a significant part of the costs of collecting, producing, processing and distributing public data that can be made available for the purpose of recycling
Update: Within 15 days of the changes
Preservation: The previous state must be deleted

III. Management data

1. Annual budget of the public body, its accounts according to the Accounting Act or its annual budget report
Update: Immediately after the changes
Preservation: For 10 years after publication

2. Aggregated data on the number of staff employed by the public service body and on personal benefits; in total, the salaries, wages, regular allowances and reimbursement of expenses of managers and senior executives; and, in total, the nature and extent of benefits provided to other employees
Update: Quarterly
Preservation: For a period specified in separate legislation, but kept in the archive for at least 1 year
3. For budgetary subsidies provided by a public body under the Act on public finances: data on the names of the beneficiaries, the purpose and amount of the aid, and the location of the support program, unless the budget support is revoked or waived by the beneficiary prior to publication
Update: Until the sixtieth day after the decision is made
Preservation: For 5 years after publication
4. For contracts amounting to five million forints or more that relate to the use of general government funds or the management of public assets and concern the procurement of goods, construction investment, ordering of services, sale of property, use of property, transfer of property or of a right of pecuniary value, or the award of a concession: the name (type) and subject of the contract, the names of the parties to the contract, the value of the contract, its duration in the case of a fixed-term contract, and changes in these data, with the exception of defense and security procurement data and classified data, and of procurements pursuant to Section 9 (1) (b) of Act CXLIII of 2015 on Public Procurement and data on contracts resulting from them. The value of the contract shall be understood as the consideration stipulated for the subject of the contract, calculated without general turnover tax; in the case of a free transaction, the higher of the market or book value of the property shall be taken into account. In the case of recurring contracts concluded for a period of more than one year, the calculation of the value shall be based on the consideration calculated for one year. The value of contracts with the same subject matter concluded with the same contracting party within one budget year must be added together
Update: Until the sixtieth day after the decision is made
Preservation: For 5 years after publication
5. Public data as defined in the Concession Act (calls for proposals, details of applicants, reminders prepared on the evaluation, tender results)
Update: Quarterly
Preservation: For a period specified in separate legislation, but kept in the archive for at least 1 year
6. Payments made by a body performing a public task for purposes other than performing its basic tasks (in particular to support an association, for the professional and employee interest representation bodies of its employees, to support an organization assisting the educational, cultural, social and sports activities of its employees and those in its care, and for payments related to the tasks performed by foundations), payments exceeding HUF
Update: Quarterly
Preservation: For a period specified in separate legislation, but kept in the archive for at least 1 year
7. Description of the developments implemented with the support of the European Union, and the contracts relating to them
Update: Quarterly
Preservation: Kept in the archive for at least 1 year

8. Procurement information (annual plan, summary of the assessment of tenders and of the contracts concluded)
Update: Quarterly
Preservation: Kept in the archive for at least 1 year


