top of page

HUNGARY - Data Protection and GDPR Review

The history of data protection in Hungary is rooted in both national legislation and European Union directives and regulations. Here is a concise overview of the key milestones and developments:

Early Regulations (Before 1995): The Hungarian Constitution, even prior to formal data protection laws, recognized the right to privacy. During the early 1990s, Hungary took steps to address privacy issues in line with European directives.

Act LXIII of 1992: This act, commonly known as the Data Protection Act of 1992, marked the beginning of formal data protection regulation in Hungary. It established principles regarding the collection and processing of personal data and created the Parliamentary Commissioner for Data Protection and Freedom of Information.

EU Data Protection Directive (1995): The European Union Directive 95/46/EC aimed to harmonize data protection laws across member states. Hungary, which was in the process of joining the EU at that time, aligned its data protection regulations with the directive.

Hungary Joins the EU (2004): Upon joining the EU in 2004, Hungary continued to align its data protection laws with European standards, resulting in further legislative developments.

Act CXII of 2011: This act, known as the Informational Self-determination and Freedom of Information Act, replaced the 1992 Data Protection Act. It reflected the growing awareness of data privacy issues and created the National Authority for Data Protection and Freedom of Information (NAIH), responsible for overseeing data protection within Hungary.

General Data Protection Regulation (GDPR) - 2018: The GDPR came into effect on May 25, 2018, throughout the EU, including Hungary. It represents a major overhaul of data protection laws, focusing on individual rights, transparency, and stringent obligations for data controllers and processors. The GDPR superseded national laws, although member states, including Hungary, may enact specific provisions to modify or complement the GDPR in certain areas.

Recent Developments: Hungary continues to develop its data protection landscape in alignment with the GDPR and other EU regulations. The NAIH actively oversees compliance and provides guidance on interpretation and application of the regulation within the country.

Hungary's data protection history has evolved in alignment with European norms and values. The convergence of national and European data protection laws has shaped a framework that emphasizes individual rights, organizational accountability, and regulatory oversight. It has undergone significant transformation from early constitutional protections to contemporary regulations that reflect the complex challenges of the digital age.

Introduction to GDPR in Hungary

As an EU member state, Hungary complies with the GDPR, which was enforced on May 25, 2018. This regulation harmonizes data protection laws across the EU, offering enhanced protection for individuals and imposing specific obligations on data controllers and processors.

Key Principles of GDPR

  1. Lawfulness, Fairness, Transparency: Data processing must be lawful, fair, and transparent.

  2. Purpose Limitation: Data must be collected for specified and legitimate purposes.

  3. Data Minimization: Only necessary data must be collected.

  4. Accuracy: Data must be accurate and updated.

  5. Storage Limitation: Data must not be stored longer than necessary.

  6. Integrity and Confidentiality: Data must be protected against unauthorized access.

Rights of Data Subjects

  1. Right to Information: Individuals must be informed about data collection and processing.

  2. Right to Access: Individuals can request access to their data.

  3. Right to Rectification: Individuals can request the correction of inaccurate data.

  4. Right to Erasure: Individuals can request deletion of data.

  5. Right to Restriction of Processing: Individuals can request the limitation of data processing.

  6. Right to Data Portability: Individuals can request the transfer of data to another controller.

  7. Right to Object: Individuals can object to data processing.

Obligations of Data Controllers and Processors in Hungary

  1. Compliance with Principles: Adherence to GDPR principles.

  2. Notification of Data Breaches: Report within 72 hours to the National Authority for Data Protection and Freedom of Information (NAIH).

  3. Appointment of Data Protection Officer (DPO): If required.

  4. Maintain Records: Keep detailed records of data processing activities.

National Authority for Data Protection and Freedom of Information (NAIH)

NAIH is responsible for enforcing data protection laws in Hungary. It offers guidance, handles complaints, and can impose sanctions for non-compliance.


Fines can go up to €20 million or 4% of the annual global turnover, depending on the violation's severity.

Specific Provisions in Hungary

Hungary's Act CXII of 2011 includes specific national provisions related to GDPR, which might concern areas like data processing for journalistic, academic, artistic, or literary purposes, and the processing of employee data.


Data protection in Hungary is governed by the GDPR, along with specific national laws. Companies operating in Hungary must comply with these regulations, keeping in mind any unique local provisions. Regular consultation with legal experts familiar with Hungarian data protection law is often advised.


  1. National Authority for Data Protection and Freedom of Information (NAIH): Website

  2. EU GDPR Portal: Website

  3. Official Journal of the European Union: GDPR Text Link

Please note that this guide is provided for informational purposes only and should not be considered legal advice. Consult with a legal professional who specializes in Hungarian data protection law for tailored guidance.


bottom of page