Gruppe 29: Opinion 6/99 concerning the level of personal data protection in Hungary.

The Working Party[1] was informed of the preparation by the European Commission of a draft decision based on Article 25(6) of Directive 95/46/EC, noting that, by virtue of its national legislation, Hungary ensures an adequate level of protection within the meaning of Article 25(2) of the aforesaid directive.

With a view to delivering an opinion to the European Commission, assisted by the Committee created by Article 31 of Directive 95/46/EC, the Working Party, carried out an analysis of data protection provisions applicable in Hungary[2] .

1. The legislative situation as regards protection of personal data is governed by Act LXIII promulgated on 17 November 1992, which entered into force on 1 May 1993 and was subsequently amended[3]. The scope of this law is broader than the protection of personal data, since the Act also lays down the procedure applicable to public access to administrative documents. The Ombudsman, whose powers are established by the Act and who was appointed by Parliament on 30 June 1995, is responsible for monitoring the application of these two regulations.

- Hungary's international commitments resulting from the ratification, on 8 October 1997, of the Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data (Convention N° 108),

- the protection of privacy at constitutional level, in particular with regard to the processing of personal data[4],

-the existence of sectoral laws containing provisions on the protection of personal data in fields as diverse as the secret services, statistics, commercial canvassing, scientific research and, more recently, the health sector.

2. In the Working Party's opinion, the Hungarian law on data protection ensures an adequate level of protection.

In its working paper adopted on 24 July 1998 on transfers of personal data to third countries[5], the Working Party explained the requirements of the directive and listed the specific elements which should be taken into account for evaluation of an adequate level of protection.

In the light of a table of equivalence between the requirements of the directive and provisions of the Hungarian[6] law, it transpires that the Hungarian law applying to automatic and manual data processing[7] lays down all the principles listed in the working paper referred to above, relating to the protection of individuals and the mechanisms designed to ensure effective application of the basic principles.[8]

In conclusion, the Working Party recommends the Commission and the Committee established by Article 31 of Directive 95/46/EC to note that Hungary ensures an adequate level of protection within the meaning of Article 25(6) of this directive.

[1] Set up by Article 29 of Directive 95/46/EC of the European Parliament and Council of 24 October 1995 on the Protection of Individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23 November 1995, p. 31. Available at the following site: ^{http://www.europa.eu.int/comm/dg15/en/media/dataprot/index.htm.}

[2]With a view to obtaining more precise information on certain matters, an exchange of correspondence took place between the Chairman of the Working Party and the Hungarian ombudsman (letters of 22 March and 19 April 1999 and replies of 25 March and 23 April 1999 respectively).

[3 ]See the recent Act LXXII of 22 June 1999 which introduces the concept of "subcontractor" into Hungarian legislation.

[4 ]the English translation, drawn up by the Hungarian authorities, of Article 59 of the constitution reads as follows: "(1) In the Republic of Hungary everyone is entitled to the protection of his or her reputation and to privacy of the home, of personal effects, particulars, papers, records and data, and to the privacy of personal affairs and secrets. (2) For the acceptance of the law on the protection of the security of personal data and records, the votes of two thirds of the MPs present are necessary. "

[6 ]Document 5002/99, available from the European Commission, Directorate-General XV departments "Internal market and financial services", Unit E1 "Free movement of information, data protection", Rue de la Loi 200, B - 1049 Brussels.

[7 ]It was clarified that the definition of processing includes the gathering of the data ("adatok felvétele" in Hungarian).

: - trade-union membership, although not included in the list of sensitive data established by Article 2(1) of the law, is regarded in practice as sensitive data owing to the political opinions that it reveals;

- the Ombudsman has powers to take action before the courts or before the competent authorities when it observes a criminal infringement or disciplinary fault;

- in accordance with Articles 4 and 16 of the law, exemptions from persons' rights can result only from a legislative act. In this respect, legal texts were provided concerning the police force (Act XXXIV of 1994), and the services responsible for national security and taxation;

- where personal data are gathered from an existing file, the persons concerned can be informed thereof, in accordance with Article 6 (2), second sentence of the Act, by a publication in the Official Journal of the Hungarian Republic.


	5070/EN/99/final WP 24 Working Party on the protection of individuals with regard to the processing of personal data. Opinion 6/99 Concerning The level of personal data protection in Hungary. Adopted on 7 September 1999 Opinion 6/99 on the level of personal data protection in Hungary The Working Party[1] was informed of the preparation by the European Commission of a draft decision based on Article 25(6) of Directive 95/46/EC, noting that, by virtue of its national legislation, Hungary ensures an adequate level of protection within the meaning of Article 25(2) of the aforesaid directive. With a view to delivering an opinion to the European Commission, assisted by the Committee created by Article 31 of Directive 95/46/EC, the Working Party, carried out an analysis of data protection provisions applicable in Hungary[2] . 1. The legislative situation as regards protection of personal data is governed by Act LXIII promulgated on 17 November 1992, which entered into force on 1 May 1993 and was subsequently amended[3]. The scope of this law is broader than the protection of personal data, since the Act also lays down the procedure applicable to public access to administrative documents. The Ombudsman, whose powers are established by the Act and who was appointed by Parliament on 30 June 1995, is responsible for monitoring the application of these two regulations. As regards the protection of personal data, the following should also be noted: - Hungary's international commitments resulting from the ratification, on 8 October 1997, of the Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data (Convention N° 108), - the protection of privacy at constitutional level, in particular with regard to the processing of personal data[4], -the existence of sectoral laws containing provisions on the protection of personal data in fields as diverse as the secret services, statistics, commercial canvassing, scientific research and, more recently, the health sector. 2. In the Working Party's opinion, the Hungarian law on data protection ensures an adequate level of protection. In its working paper adopted on 24 July 1998 on transfers of personal data to third countries[5], the Working Party explained the requirements of the directive and listed the specific elements which should be taken into account for evaluation of an adequate level of protection. In the light of a table of equivalence between the requirements of the directive and provisions of the Hungarian[6] law, it transpires that the Hungarian law applying to automatic and manual data processing[7] lays down all the principles listed in the working paper referred to above, relating to the protection of individuals and the mechanisms designed to ensure effective application of the basic principles.[8] In conclusion, the Working Party recommends the Commission and the Committee established by Article 31 of Directive 95/46/EC to note that Hungary ensures an adequate level of protection within the meaning of Article 25(6) of this directive. Done at Brussels, 7 September 1999 By the Working Party Chairman Peter HUSTINX [1] Set up by Article 29 of Directive 95/46/EC of the European Parliament and Council of 24 October 1995 on the Protection of Individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23 November 1995, p. 31. Available at the following site: ^{http://www.europa.eu.int/comm/dg15/en/media/dataprot/index.htm.} [2]With a view to obtaining more precise information on certain matters, an exchange of correspondence took place between the Chairman of the Working Party and the Hungarian ombudsman (letters of 22 March and 19 April 1999 and replies of 25 March and 23 April 1999 respectively). [3 ]See the recent Act LXXII of 22 June 1999 which introduces the concept of "subcontractor" into Hungarian legislation. [4 ]the English translation, drawn up by the Hungarian authorities, of Article 59 of the constitution reads as follows: "(1) In the Republic of Hungary everyone is entitled to the protection of his or her reputation and to privacy of the home, of personal effects, particulars, papers, records and data, and to the privacy of personal affairs and secrets. (2) For the acceptance of the law on the protection of the security of personal data and records, the votes of two thirds of the MPs present are necessary. " [5 ]Available at the site indicated in footnote 1. [6 ]Document 5002/99, available from the European Commission, Directorate-General XV departments "Internal market and financial services", Unit E1 "Free movement of information, data protection", Rue de la Loi 200, B - 1049 Brussels. [7 ]It was clarified that the definition of processing includes the gathering of the data ("adatok felvétele" in Hungarian). [8 ]From the information provided by the Ombudsman it transpires, in particular, that: : - trade-union membership, although not included in the list of sensitive data established by Article 2(1) of the law, is regarded in practice as sensitive data owing to the political opinions that it reveals; - the Ombudsman has powers to take action before the courts or before the competent authorities when it observes a criminal infringement or disciplinary fault; - in accordance with Articles 4 and 16 of the law, exemptions from persons' rights can result only from a legislative act. In this respect, legal texts were provided concerning the police force (Act XXXIV of 1994), and the services responsible for national security and taxation; - where personal data are gathered from an existing file, the persons concerned can be informed thereof, in accordance with Article 6 (2), second sentence of the Act, by a publication in the Official Journal of the Hungarian Republic.