The Act No CXII of 2011 on Informational Self-Determination and Freedom of Information introduced excessively burdensome data protection registration requirements for data controllers. Under the new rules, notification of data processing to the DPA is a must, unless notification has been expressly exempted by the Data Protection Act (such as data processing relating to persons having an employment, membership, child care, student, student contract, student dormitory relationship with the controller). If notification is compulsory, data processing may be commenced by the controller after the registration has taken place. The Agency must register data processing within 8 days after submission of the DPA notification. However, in case of the notification of processing activities relating to customer data by financial institutions (banks, insurance companies), community service providers or relating to users of electronic communication service providers, the DPA has a deadline of 40 days to issue its decision on registration. The registration procedure is governed by the General Rules of Administrative Procedure.
On 19 January 2012 the new Hungarian DPA has released a communication on the processing of pending DPA notifications. This states that prior to 23 December 2011 there were around 3000 pending registration filings still not processed by the Commissioner’s Office and until today additional 2000 filings have been submitted to the Hungarian Agency on Data Protection and Freedom of Information. Due to this current heavy backlog of the Registration Department, the DPA asked for the patience of the registrants and announced that data controllers should preferably rely on Section 68 of the new Data Protection Act which states that data processing could be commenced in conformity with the DPA filing if the Agency does not respond within 8 days to the notification of the data controller. However, this rule does not apply to DPA filings relating to the processing of customer data by financial institutions (banks, insurance companies), community service providers as well as to the processing of user data by electronic communication service providers. Thus, these persons cannot commence data processing (such as direct marketing campaigns) until the decision on registration is released by the DPA.
The new Data Protection Act lays down that the Agency shall charge a fee for data protection registrations as determined in a separate decree of the Minister of Justice. However, considering that the respective decree still has not been adopted by the Minister, the DPA announced that only filings submitted after the entry into force of this decree shall be subject to the payment of a notification fee.