The Hungarian Data Protection Act (Section 4/A (2)) generally prohibits sub-contracting / delegation by a data processor of processing services to other processors, which prohibition also applies within the context of international data transfers. Considering that this prohibition of the Data Protection Act is clearly in conflict with the Commission Decision 2010/87/EU on the new controller-processor model clauses which expressly authorize sub-processing on the part of processors, the Hungarian Data Protection Commissioner confirmed in its very recently released yearly report that the primacy of EU law over national law indeed requires the acceptance of the new controller-processor clauses in Hungary and the prohibition on sub-processing as laid down in the Hungarian Data Protection Act shall not apply to those cases where the parties – once international data transfer is effected – abide by the new Model Clauses of the European Commission.
In practice, this means that the data controller does not need to enter into a direct data processing agreement with the third country sub-processor once the parties (controller and third country processor) introduce the new Model Clauses in connection with international data transfer.