The Head of the Hungarian Data Protection Agency (DPA), the Data Protection and Information Commissioner currently functions as an ombudsman and notably, it had no particular administrative powers at the time of the adoption of the Hungarian Data Protection Act in 1992. This situation changed with the EU access of Hungary, when the Commissioner has been empowered to release binding decision on the blocking, deletion or destruction of unlawfully processed data, prohibit the unlawful processing of data, and suspend the transfer of data to foreign countries. The decision of the DPA cannot be remedied in an administrative way and a court action may be initiated for its judicial review before the Metropolitan Court. Although the Commissioner exercised administrative powers in connection with the release of its blocking / deletion order, remarkably, the procedure of the DPA had no formal boundaries at all which did not guarantee the rights of the clients and did no secure the enforcement powers of the DPA either.
Following the Commissioner’s proposal submitted to the Hungarian Parliament, the Act CXXVI of 2010 on the Metropolitan and County Government Offices amended with the effect of 1 January 2011 the Hungarian Data Protection Act and laid down that the Commissioner’s infringement actions shall be governed by the provisions of the Act on the General Rules of Administrative Procedure once a binding order shall be released on the prohibition of processing / transfer or on the blocking, deletion or destruction of unlawfully processed data. (Section 24/A (6) of the Act). In practical terms, if the DPA believes that processing of personal data is unlawful,
-
the DPA may release an opinion / recommendation and ask the data controller or processor to cease and desist from unlawful data processing; in this case, the data controller has 30 days to comply with the Commissioners’ request and inform the DPA in writing on the steps taken to remedy the situation.
- If the data controller does not comply with the Commissioner’s request, the provisions of the Act on the General Rules of Administrative Procedure apply and the Commissioner shall introduce an administrative action against the data controller and order in a decision the blocking, deletion or destruction of unlawfully processed data, prohibit the unlawful processing or technical processing of data, and suspend the transfer of data to foreign countries.
- The controller or data processor may initiate within 30 days the judicial review of the Commissioner’s order, however, until the final resolution of the case data cannot be deleted or destroyed and data processing shall be suspended and the data be blocked.
- If the data controller or data processor did not initiate court action within 30 days, he/she did not suspend data processing during the judicial review of the DPA’s decision, or if the court rules in favour of the DPA, the DPA may introduce the enforcement of its decision pursuant to the provisions of the Act on the General Rules of Administrative Procedure. If non-compliance with the DPA’s order is culpable, the Commissioner may impose procedural fines up to HUF 500,000.- (Ca EUR 1,800.-) in case of natural persons and up to HUF 1,000,000.- (Ca. EUR 3,600.-) in case of legal entities which fine may be imposed repeatedly in case of persistent non-compliance.
The above amendment of the Hungarian Data Protection Act clearly strengthened the DPA’s position in connection with the enforcement of decisions, since the Commissioner may introduce an infringement action against the data controller or data processor once non-compliance with its binding decision could be established. The DPA is therefore one step closer to the status of an administrative authority which may impose fines for the breach of data protection laws.