TL;DR
Hungary applies EU GDPR directly as of 25 May 2018. The national Infotv supplements GDPR with Hungarian-specific rules including a 16-year minimum age for consent. NAIH is the Hungarian supervisory authority — it has issued fines against banks, telecoms, and employers for GDPR violations. Every business processing personal data of Hungarian residents must comply, regardless of where the business is established.
GDPR in Hungary — Key Rules
GDPR (EU Regulation 2016/679) applies directly in Hungary as in all EU member states. Act CXII of 2011 (Infotv), substantially revised by Act XIII of 2018, supplements GDPR with national specifications and grants NAIH its investigative powers.
| Requirement | Rule | Legal basis |
|---|---|---|
| Maximum GDPR fine (serious breach) | €20M or 4% of global annual turnover | GDPR Art. 83(5) |
| Maximum GDPR fine (lesser breach) | €10M or 2% of global annual turnover | GDPR Art. 83(4) |
| Minimum age for consent (online services) | 16 years (stricter than some EU states) | Infotv § 5(1)(a) |
| Breach notification to NAIH | Within 72 hours of discovery | GDPR Art. 33 |
| Breach notification to individuals | "Without undue delay" if high risk | GDPR Art. 34 |
| DPO mandatory for | Public authorities; large-scale monitoring; special category data processors | GDPR Art. 37 |
| ROPA (Record of Processing Activities) | Required for controllers >250 employees OR high-risk processing | GDPR Art. 30 |
| Data subject rights response deadline | 30 days (extendable to 90 days for complex requests) | GDPR Art. 12 |
NAIH — Hungary's Data Protection Authority
NAIH (Nemzeti Adatvédelmi és Információszabadság Hatóság — National Authority for Data Protection and Freedom of Information) is Hungary's independent supervisory authority under GDPR Article 51. It investigates complaints, audits organisations, issues guidance, and levies fines.
⚡ Notable NAIH GDPR Enforcement Actions
| Organisation type | Violation | Fine (approx.) | Year |
|---|---|---|---|
| Major Hungarian bank | Unlawful credit scoring using excessive data | €1,100,000 | 2022 |
| National telecoms provider | Data breach — customer personal data exposed | €750,000 | 2021 |
| Debt collection company | Unlawful retention of debtor data post-limitation | €500,000 | 2023 |
| HR/recruitment firm | Excessive employee monitoring (keylogging) | €320,000 | 2022 |
| Healthcare provider | Failure to implement adequate security measures | €280,000 | 2023 |
NAIH's enforcement has increased significantly since 2021. Fines imposed on Hungarian SMEs for minor breaches typically range from €5,000 to €100,000. Cross-border cases (where Hungary is the lead supervisory authority) can result in larger coordinated EU-wide fines.
GDPR Compliance Checklist for Hungary
- ✅ Privacy policy — in plain Hungarian for Hungarian-resident data subjects (Art. 13–14)
- ✅ Cookie consent — compliant banner required; pre-ticked boxes invalid (NAIH guideline 2023)
- ✅ Lawful basis documented for each processing activity — consent, contract, legal obligation, legitimate interest, vital interest, or public task
- ✅ ROPA (Adatkezelési Nyilvántartás) — mandatory record of all processing activities
- ✅ Processor agreements (adatfeldolgozói megállapodás) with all third-party processors (Art. 28)
- ✅ Data subject rights procedure — process for handling access, erasure, and rectification requests within 30 days
- ✅ Breach response plan — 72-hour NAIH notification protocol in place
- ✅ International transfer safeguards — Standard Contractual Clauses (SCCs) for data sent outside EEA
Frequently Asked Questions
- What is NAIH and how does it enforce GDPR in Hungary?
- NAIH (Nemzeti Adatvédelmi és Információszabadság Hatóság) is Hungary's independent data protection authority under GDPR Article 51. It investigates complaints from individuals, conducts audits, issues guidance, and levies administrative fines up to €20 million or 4% of global annual turnover. NAIH has increased enforcement significantly since 2021, with notable fines against financial institutions, telecoms, and employers for employee monitoring violations.
- Does my Hungarian company need a Data Protection Officer (DPO)?
- Under GDPR Article 37, a DPO is mandatory if you: (1) process personal data as a public authority or body; (2) carry out large-scale systematic monitoring of individuals (e.g., CCTV, employee monitoring, behavioural advertising); or (3) process special category data (health, biometric, criminal records) on a large scale. Most Hungarian SMEs do not need a formal DPO but should document their processing and have a privacy contact point. An external DPO service from a specialist firm costs HUF 300,000–1,000,000 per year.
- My UK company processes data of Hungarian customers — do I need to comply with Hungarian rules?
- Yes. GDPR applies to any organisation offering goods or services to EU residents, regardless of where the organisation is established (GDPR Art. 3(2)). As a UK company post-Brexit, your processing is otherwise subject to the UK GDPR (retained in UK law) rather than the EU GDPR. However, when you process data of Hungarian residents (EU data subjects), the EU GDPR applies to that processing. You may need an EU representative under Art. 27 if you have no EU establishment. NAIH could investigate and fine you for violations affecting Hungarian residents.
- Can I use employee email monitoring in Hungary?
- Employee monitoring is heavily regulated under Infotv § 25 and GDPR Art. 6(1)(f). Requirements: (1) a written monitoring policy communicated to all employees before monitoring begins; (2) a documented proportionality assessment showing monitoring is necessary and limited to what is needed; (3) monitoring only of employer-provided devices and business email accounts; (4) prohibition on accessing personal email even on work devices. NAIH has fined employers for keylogging and excessive monitoring — even when employees consented, since consent given in an employment context is rarely considered freely given.