Hungarian government overwrites the GDPR in its COVID-19 state-of-emergency decree

Hungary

In Decree No. 179/2020 issued on 4 May, the Hungarian government has restricted the protection and rights of data subjects concerning anti-pandemic measures as stipulated by the EU's General Data Protection Regulation (GDPR) and the Hungarian Act on Freedom of information and data protection (Info Act).

Furthermore, the decree restricts the right for claiming public information granted by the Hungarian Info Act related to COVID-19 measures.

The Hungarian government issued a state of emergency on 11 March for a 15-day period, which was extended for an indefinite period on 31 March. During the current state of emergency, the government has the authority to govern through the issuance of government decrees.

No law enforcement and data protection rights during the state of emergency

The government decree stipulates that data controllers’ measures under articles 15 to 22 of the GDPR as pertaining to personal data processed for the purpose of preventing, recognising and investigating the COVID-19 disease and stopping its spread are suspended until the termination of the state of emergency.

The 30-day GDPR deadline for answering COVID-19 - related data subject requests will start only on the first day after the termination of the state of emergency. This means that if a data subject submits a request for access to, erasure, rectification, and restriction of the processing of his personal data related to COVID-19, or lodges an objection against the processing of his personal data related to COVID-19, the data controller (i.e. hospitals, government bodies, emergency management offices) is not required to take any steps to erase, rectify the data or restrict the processing until the end of the COVID-19 state of emergency that is now in place for an indefinite period of time.

Furthermore, the new legislation does not define the exact categories of personal data and the type of data controllers that fall under the new law. As a result, any data controller taking part in the fight against COVID-19 or processing COVID-19 - related personal data can interpret the new legal provisions widely and broaden its restrictions as it applies to personal data as much as possible.

In addition, the decree contains other clauses restricting the rights of data subjects: data controllers falling under the new law now do not need to provide data subjects with personalised information as listed in articles 13 and 14 of the GDPR, such as the type of data processed, the purpose and legal basis of the data processing, and name of the data controller, notification of data transfers to third parties and to third countries, the guaranties of these data transfers, their retention periods, and all information about data protection rights and remedies for data subjects.

Instead, the data controller is required only to issue a privacy notice that contains the purpose and legal basis of the data processing and to publish this notice electronically so that it is available to the data subject. Consequently, a data subject's access rights are restricted since he cannot request personalised information on the processing of his personal data related to the COVID-19 situation during the state of emergency.

Furthermore, the decree restricts the rights of data subjects to lodge complaints with the data protection authority (DPA) and the right to an effective judicial remedy against the DPA and the data controller or processor by stipulating that the court and DPA are only entitled to start proceedings on the first day after the termination of the COVID-19 state of emergency even for complaints submitted now. It must be emphasised that it is currently not known how long the government will maintain the state of emergency.

Restrictions and delays regarding public-information requests

Until the termination of the COVID-19 state of emergency, requests for public information based on the Info Act must take into account the following differences:

  • Request for public information cannot be submitted personally or orally to any organisation with public-service functions.
  • The organisation with a public-service function must comply with an eligible request for public information within 45 days instead of 15 days, a deadline that can be prolonged for one time only by 45 days.

All provisions of the new government decree apply not only for future requests and procedures, but for requests and procedures that are currently on-going.

For more information on this decree and the provisions of the Hungarian state of emergency, contact your regular CMS advisor or local CMS experts: