In accordance with the provisions of the Constitution of the Republic of Hungary, the National Assembly hereby enacts the following act on the fundamental rules governing the protection of personal data and the implementation of the right of access to data of public interest.

(1) The purpose of this Act is to guarantee the right of everyone to exercise control over his or her personal data and to have access to data of public interest, except as otherwise provided by law under this Act.

(2) Derogation from the provisions of this Act shall be allowed when such derogation is specifically provided for by this Act.

(3) Exceptions under this Act shall be made only for specific types of data and data controller together.

For the purposes of this Act:

1. "personal data" means any data relating to a specified natural person (hereinafter called data subject) and any conclusion drawn from such data with respect to him or her. As long as data subject can be identified by the data it preserves this personal characteristic;

2. "special categories of data" means any personal data relating to

a) racial origin, nationality, national or ethnic origin, political opinion or party affiliation, religious or other belief,

b) health, pathological addiction, sexual life and criminal conviction;

3. "data of public interest" means any information under processing by an authority performing state or local self-government functions or other public duties, except for personal data;

4. a) "data processing" means the collection, recording and storage, process, use (including transfer and disclosure) and deletion of personal data, regardless of the procedure employed. It also includes alteration of data and prevention of their further use,

b) " technical data processing" means any operation and technical activity performed upon personal data, irrespective of the method and means employed, as well as of the place of operation;

5. "transfer" means access by specified third person to data;

6. "disclosure" means access by anyone to data;

7. a) "data controller" means any natural or legal person, as well as any organization without legal personality, who determines the purpose of the processing of personal data, who makes the decisions upon data processing and implements them, who may entrust a data processor to perform the implementation. In case of compulsory data processing the purpose and means, as well as the data controller is determined by the law or decree of local self-government which ordered the processing in question,

b) " data processor" means any natural or legal person, as well as any organization without legal personality, who processes personal data on behalf of the data controller;

8. "deletion" includes any step taken for data being unidentified, with no possibility of their retaining;

9. "laws" is the act, and the decree of local self-government in para (1) of Art.1, para (1) of Art.6, para (1) of Art. 12, Art. 24, Art. 25 and para (2) of Art. 28.

(1) Personal data shall not be processed unless as

a) consented to by data subject;

b) ordered by law or - under special provisions of law - by decree of local self-government.

(2) Special categories of data shall not be processed unless as

a) consented to in writing by data subject;

b) ordered by law re to data defined in subpara 2.a) of Art. 2, in respect of international agreements or enforcement of basic rights guaranteed by the Constitution, as well as of the interest of national security, criminal investigation or prevention of crimes;

c) in all other cases ordered by law.

(3) Disclosure of specifically determined categories of personal data may be ordered by law in favour of public interest. In all other cases, disclosure of such data shall be subject to the consent or re to special categories of data to the written consent of data subject. In case of doubt the lack of such consent shall be presumed.

(4) No special consent is required with regard to personal data let known by data subject in the course of public appearance or turned over by him or her with the purpose of disclosure.

(5) Consent to processing of relevant data shall be presumed in proceedings commenced at the request of data subject, who shall be advised of such presumption.

Unless otherwise provided by law, the right of individuals to protection of personal data and privacy shall not be impaired by other interests involved in data processing, including the disclosure of data of public interest. (Art. 19)

(1) Rights and obligations of data processor concerning the processing of personal data is determined by the data controller according to the provisions of this Act and of other laws on data processing. Data controller is responsible for the legality of the instructions concerning the operations performed upon personal data.

(2) Data processor is responsible for the processing, alteration, deletion, transfer and disclosure of personal data within his competence and under the instruction of data controller. Fulfilling his functions data processor shall not entrust other processors.

(1) Personal data shall be processed only for a specified purpose, in exercise of a right or in compliance with an obligation. In the course of the entire processing this purpose shall be complied.

(2) No personal data shall be processed other than those indispensably required for satisfying the purpose of processing and only in a way compatible with that purpose. Data shall not be used excessively and longer than is required for that purpose.

(3) Data processing based on compulsory supply of information shall be ordered in favour of public interest.

(1) Before collecting any data the data subject shall be advised whether it is voluntary or compulsory. In case of compulsory supply the source of law ordering data processing shall also be named.

(2) Data subject shall be informed of the purpose of processing, as well as of the controllers and processors. The communication on data processing can also be accomplished by law providing for the collection of data from an existing file by way of transfer and file connection.

(1) Personal data undergoing processing shall be:

a) obtained and processed fairly and lawfully,

b) accurate, complete and where necessary kept up to date,

c) preserved in a form which permits identification of data subject for no longer than it is required for the purpose for which these data are stored.

(2) Unlimited, general and uniform personal identification code shall not be used.

(1) Data shall not be transferred and files shall not be connected unless consented to by data subject or provided for by law. The conditions for data processing shall meet in each case with regard to each personal data.

(2) Connection of files processed by the same controller, as well as those of state organization and self-governments shall likewise be governed as in para (1).

Personal data shall not be transferred from the country to data controller abroad, whatever the data medium or the mode of transmission is, except when consented to by data subject or permitted by law, provided that the same principles of data protection shall be obeyed by the foreign controller in respect of each data.

(1) Data controller and within its competence the data processor shall ensure data security and shall take all technical and organizational measures and develop rules of procedure, required to the enforcement of this Act and other regulations concerning data protection and secrecy.

(2) Data - specially those personal data which were classified as state or official secrets - shall be protected in particular against unauthorized access, alteration, disclosure or deletion and damage or destruction.

(1) Data subject may

a) request for communication on the processing of his or her personal data (Arts 12 and 13);

b) request for rectification of his or her personal data, or deletion thereof (Arts 14 to 16) except those processed according to provisions of law.

(2) Anyone may inspect the Data Protection Register (para (1) of Art. 28), make notes and request for extracts thereof. A fee shall be paid for the extracts.

(1) Data controller shall inform the data subject, at his or her request, of the processing of his or her personal data performed either by the data controller or by a data processor, the purpose of the processing, its legal basis and duration, the name and address and activity in connection with the data processing of a data processor, as well as of who received or will receive data and for what purpose. The length of records on transfer and, in the same measure, the duration of obligation to give information, may be restricted by laws on data processing. This limitation shall not be less than five years with regard to personal data and less than twenty years with regard to special categories of data.

(2) Data controller shall furnish information in writing, in an intelligible form, within 30 days from the submission of a request.

(3) Information referred to in para (2) is free, except for those repeatedly requested on the same area at the same controller within a year.

(1) Data controller shall not deny information to data subject except provided so by law in accordance with Art.16.

(2) Data controller shall state the reason for denial of the information requested.

(3) The controller shall annually report on applications denied to the Data Protection Ombudsman.

(1) Data controller shall correct inaccurate data.

(2) Personal data shall be deleted if

a) the processing is unlawful;

b) requested so by data subject in accordance with para (1) b) of Art. 11;

c) the purpose of processing has ceased.

(3) Personal data, which shall be presented for repository storage under law on protection of archivalia, are not subject to deletion.

Data subject and any other person to whom data were transferred for processing shall be informed of any rectification and deletion. Such information may be dispensed with, in view of the purpose of processing, if the legitimate interest of data subject is not infringed thereby.

Individual rights of data subject (Arts 11 to 15) may be restricted by law in the interest of the external and internal security of the State, in the areas of national defence, national security, crime prevention or criminal investigation, as well as in the monetary interest of the State and of the local self-government, or protecting the rights of data subject or of others.

(1) In case of infringement of his or her rights data subject may institute court proceedings against the controller.

(2) Data controller shall prove that the processing have complied with provisions of law.

(3) The court in the place of the controller's business shall have jurisdiction over the case. A person otherwise incapable of suing or being sued may also be a party to the lawsuit.

(4) If the application is granted, the court shall order the controller to provide the information requested, or to correct or delete the data involved, or oblige the Data Protection Ombudsman to enable inspection of the Data Protection Register.

(5) Court may order to record its decision to the Data Protection Register if necessary in respect of the interest of data protection principles and of significance number of persons whose rights protected by this Act.

(1) Data controller shall pay compensation for any damage caused to data subject with processing of his or her data or by violation of the technical requirements of data protection. Data controller is liable for any damage caused by a data processor. Data controller shall be discharged from liability upon proving that the damage was caused inevitable by reasons beyond control of data processing.

(2) No compensation shall be paid for that part of damage caused by the injured person's intentional or seriously negligent conduct.

(1) The person or body performing state or local self-government functions or other public duties (hereinafter referred to as authority) shall, within its sphere of competence, including its management, promote accurate and prompt information for the general public.

(2) The authority shall regularly publish or otherwise enable access to most important data relating to its activity in particular to the authority, competence and structure of it, as well as the categories of data possessed by it and the law governing its activity. The name and official position of a person acting on behalf of the authority is, as public data, accessible to anyone, unless otherwise provided by law.

(3) The authority shall grant access for anyone to the data of public interest processed by it, except for those data which are classified as state or official secret by authorities entitled to do so under provisions of law, furthermore provided that right to access of certain data of public interest is not specifically restricted by law in the interest of

a) national defence,

b) national security

c) criminal investigation and prevention of crimes,

d) monetary and currency policy of the State,

e) international relations and relations to international organizations,

f) judicial procedure.

(4) Access to data of public interest may not be restricted to protect those data of a person acting on behalf of the authority which are conjunctive to his or her duty

(5) Unless otherwise provided by law working documents and other data prepared for the authority's own use, or for the purpose of decision making are not public within 30 years of their creation. Upon request the head of the authority may permit access to these documents or data.

(1) An application for access to data of public interest shall be granted in an intelligible form by the authority, as soon as possible after being notified, but at the latest within 15 days. The applicant, bearing the charges, may ask for a copy of the document or a part of it containing the data, regardless of the way of its storage.

(2) The applicant shall be notified in writing, within 8 days, of the rejection of his application and of the reasons therefor.

(3) The head of the authority may charge expenses, to the actual extent thereof, for the communication of data of public interest. The applicant upon request shall be informed about the amount of expenses in advance.

(4) The authority shall annually report on applications denied and the reasons therefor to the Data Protection Ombudsman.

(1) The applicant may apply to the court if his or her application for data of public interest is refused.

(2) The authority shall prove that the refusal was reasonable and complied with law.

(3) Legal proceedings may be taken within 30 days from the notification of refusal, against the authority which denied the information requested.

(4) A person otherwise incapable of suing or being sued may also be a party to the case.

(5) Lawsuit against an authority with nation-wide competence shall be decided by the county (capital city) court. Cases within the competence of local courts shall be decided by the local court in the seat of the county court or by the Central District Court of Pest in Budapest. The jurisdiction of the court shall be determined by the seat (place of business) of the authority refusing to communicate data.

(6) The court shall conduct the proceeding with special dispatch.

(7) If the application is granted, the court shall order the authority to communicate the requested data of public interest.

The provisions of this Chapter shall not apply to communication of data from authentic records as regulated by separate provisions of law.

(1) In order to protect the constitutional rights to protection of personal data and to disclosure of data of public interest, the National Assembly shall elect a parliamentary commissioner for data protection (called Data Protection Ombudsman) from among Hungarian citizens with university degree, with clean record, with excellent academic knowledge or with at least 10 years of professional practice, who are of experience in conducting and supervising proceedings involving data protection or in related sciences and are well respected.

(2) Subject to the exceptions made by this Act, the Data Protection Ombudsman shall governed by the provisions of the Act on Parliamentary Commissioner for Citizen's Rights.

The Data Protection Ombudsman shall

a) observe the implementation of this Act and other laws on data processing;

b) examine complaints lodged with him;

c) ensure the maintenance of Data Protection Register.

(1) The Data Protection Ombudsman shall monitor the conditions for protection of personal data and for disclosure of data of public interest, present proposal for adoption or modification of legislation concerning data processing and disclosure of data of public interest, and give opinion on such draft legislation. The Ombudsman may initiate a decrease or an increase in categories of data classified as state or official secrets.

(2) The Data Protection Ombudsman observing an unlawful processing of data, shall require the controller to discontinue the processing. The controller shall take the necessary measures without delay and inform the Data Protection Ombudsman in writing within 30 days thereof.

(3) The Data Protection Ombudsman shall announce to the general public the existence of data processing unlawfully undertaken, the identity of data controller, and the categories of data processed, if the data controller does not stop unlawful processing.

(1) In exercising his functions the Data Protection Ombudsman may request the controller to furnish him information on any matter, and may inspect any documents and records likely to bear on personal data or data of public interest.

(2) The Data Protection Ombudsman may enter any premises where data are processed.

(3) State and official secrets shall not prevent the Data Protection Ombudsman from exercising his rights stated in this Article, but the provisions on secrecy shall bind him as well. In cases affecting state or official secrets the Data Protection Ombudsman shall exercise his rights in person or by way of those members of his staff, who passed national security control on the Ombudsman’s initiative.

(4) The Data Protection Ombudsman shall call the authority who classified the data for alteration or deletion thereof, if he considers the classification unreasonable. The authority may apply to the Capital City Court against the warning within 30 days of the notification thereof. The Court shall conduct the proceeding in camera and with special dispatch.

(1) Anyone may apply to the Data Protection Ombudsman in case of violation of his or her rights, or of a direct danger thereof, concerning the process of his or her personal data or his or her access to data of public interest, except when the particular case is in the course of judicial procedure.

(2) No one shall suffer any prejudice on grounds of his or her application to Data Protection Ombudsman. The applicant shall have the same protection as the persons submitting petitions of public interest.

(1) Prior to commencement of activity, the data controller shall notify the Data Protection Ombudsman, for registration, of

a) the purpose of the data processing;

b) the type of processed data and the legal basis therefor;

c) the range of data subjects;

d) the source of data;

c) the type of transferred data, the recipients of such data, and the legal basis of transfer;

f) the deadlines for deletion of certain types of data;

g) the name and address of data controller and of data processor, the actual place of data processing (including technical processing), as well as any activity of data processor related to the processing of personal data.

(2) Notice of data processing that is ordered by law shall be made by the competent minister, head of national agency, or mayor, chief mayor, or the president of the county assembly, within 15 days of the entry into force of the relevant legislation.

(3) The national security agencies shall notify the purpose of, and the legal basis for, their data processing.

(1) At initial registration, the data controller shall receive a registry number. The registry number shall be indicated at every transfer and disclosure of data, as well as their communication to the data subject.

(2) Any change in data specified in para (1) of Art. 28 shall be reported to the Data Protection Ombudsman within 8 days and the register shall be modified accordingly.

Registration is not required with regard to data processing that

a) covers the data of persons maintaining employment, membership, student or business relations with the data controller;

b) is governed by internal rules of churches, religious denominations or religious communities;

c) covers personal data relating to the sickness or health of persons receiving medical care, for purposes of medical treatment or preservation of health or claiming social insurance benefits;

d) covers data for the purpose of granting financial and other social benefits to a person;

e) covers personal data relative to conduct of administrative, prosecutorial and judicial proceedings;

f) covers personal data for the purpose of official statistics, provided that the possibility to identify an individual with such data can be conclusively eliminated in a manner specified by separate provisions of law;

g) covers data processed by companies and agencies under the Press Law for their unique informative activity;

h) serves the purposes of scientific research if relevant data are unpublished;

i) was transferred from the controller to archives;

j) serves the sole purpose of a natural person.

(1) Data collected and stored for purposes of scientific research shall not be used for other purposes.

(2) Personal data, as soon as it is possible with regard to the research, shall be unidentified. Data suitable to identify a specified or specifiable natural person shall be stored separately. These data shall not be connected with others except it is required so for the purpose of research.

(3) An organ or a person performing scientific research shall publish personal data if

a) consented by the data subject or

b) required to display the result of research relative to historic events.

+ Article 31 was annulled by Act No LXXV of 1994

Para (1) of Art. 83 of Act No IV of 1959 on the Civil Code shall be superseded by the following provision:

"(1) The use and processing of data by computer or otherwise shall not infringe individual rights."

(1) This Act - with the exception of paras(2) and (3) - shall enter into force on the 1st day of the 6th month following the date of its promulgation. *

(2) Chapter III (Arts 19 to 22) of this Act shall enter into force on the 15th day following the date of promulgation.**

(3) Chapter IV (Arts 23 to 31) of this Act shall enter into force concurrently with the entry into force of the Act on Parliamentary Commissioner for Citizen's Rights.***

(1) Regulations by law referred to in this Act shall - except for para (3) of Art. 3, Art. 4, para (1) of Art. 13 - be prepared by 31 December 1992.

(2) Legal guidelines for data processing shall cease to be applicable after the promulgation of this Act.

Data processing at the date of entry into force of this Act shall be reported at the Data Protection Register by data controller within 3 months of the election of the Data Protection Ombudsman.****

Minister of Finance is entitled to determine the fee referred to in para (2) of Art. 11 and the rules governing thereof.

* date of promulgation: 17 November 1992, entry into force: 1 May 1993

** entry into force: 2 December 1992

*** Act No LIX of 1993, entry into force: 22 June 1993

**** Data Protection Ombudsman was elected on 30 June 1995

(This Act was modified by Acts No LXV and No LXVI of 1995, Act No LXXII of 1999)