Hungary Data Privacy Laws: GDPR, NAIH Enforcement & Compliance Guide (2026)

Hungary enforces data privacy through the GDPR and Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (the Info Act), supplemented by Article VI of the Fundamental Law of Hungary. The National Authority for Data Protection and Freedom of Information (NAIH) supervises compliance and can impose fines up to EUR 20 million for serious violations.
Hungary enforces EU data privacy law through a framework rooted in constitutional principle: informational self-determination, a right the Hungarian Constitutional Court recognised in 1991, more than a decade before the GDPR existed. The NAIH supervisory authority applies this heritage to modern enforcement, covering everything from AI-powered emotion analysis to CCTV signage and university scholarship forms.
Information last verified on 2026-05-19. This article has not yet been reviewed by a licensed lawyer.
Quick Answer: What Governs Data Privacy in Hungary?
Hungary's data protection framework rests on three layers. First, the GDPR (Regulation (EU) 2016/679) applies directly as EU law with no transposition required; where GDPR and national rules conflict, GDPR prevails. Second, Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (the Info Act, or "Infotv" in Hungarian) supplements the GDPR with national procedural rules, freedom-of-information obligations, and sector-specific adjustments. Third, the Fundamental Law of Hungary (the constitution, effective 1 January 2012) guarantees the right to personal data protection in Article VI, giving the entire framework constitutional status. The NAIH enforces all three layers and holds all enforcement powers the GDPR assigns to national supervisory authorities, including administrative fines, corrective orders, and processing bans.
Jurisdiction scope: This article addresses Hungary's national data-protection framework under the GDPR, the Info Act, and NAIH enforcement. It does not address Hungary's recording-consent rules; for those, see Hungary recording laws. For the broader EU framework underlying Hungary's obligations, see EU data privacy laws.
Constitutional Foundation: Article VI and Informational Self-Determination
Hungary's data-protection consciousness predates the GDPR by decades. In Decision 15/1991 (IV. 13.) AB, the Hungarian Constitutional Court held that the right to informational self-determination is a fundamental right derived from the constitutional guarantee of human dignity. The decision established that individuals have the right to control when, how, and to whom their personal data is disclosed. This doctrine shaped Hungarian data-protection legislation from 1992 onward and continues to inform how the NAIH and Hungarian courts interpret GDPR provisions today.
The Fundamental Law of Hungary, adopted in 2012, codified this heritage. Article VI(3) states: "Everyone shall have the right to the protection of personal data and to access and disseminate data of public interest." The provision grants both data-protection rights and a distinct freedom-of-information right in the same constitutional text, which explains why the NAIH holds a dual mandate covering both areas.
This constitutional grounding has practical consequences. Hungarian courts and the NAIH treat data-protection violations as constitutional infringements, not merely regulatory non-compliance. Proportionality analysis, a core constitutional law technique, appears explicitly in NAIH enforcement decisions even where the GDPR does not require it.
The Info Act (Act CXII of 2011): Hungary's National Data Protection Statute
The Info Act is Hungary's primary national data-protection statute. Parliament originally enacted it in 2011 and has amended it multiple times, most significantly in 2018 and 2019, to align with the GDPR and abolish the former data-protection registry system.
The Info Act is notably broad in scope. It applies to all data processing operations conducted in Hungary, whether by public or private entities, and explicitly covers law enforcement, national security, and defence. This is wider than many EU member states' national implementing acts, which exempt certain security-sector processing from the standard framework.
The Act's supplementary function under the GDPR covers several areas:
- Procedural rules for NAIH investigations, including timelines and procedural rights of controllers.
- Freedom-of-information obligations, including the right of access to data of public interest and the NAIH's role in enforcing transparency against public bodies.
- Employee data processing, where the Act and NAIH guidance set stricter standards than the GDPR baseline.
- Age of digital consent, fixed at 16 years in line with the GDPR's default (Article 8(1)).
- DPO notification, requiring DPOs to be registered with the NAIH regardless of whether appointment is mandatory or voluntary.
The full text of the Info Act is published in English on the NAIH's website at naih.hu/files/Privacy_Act-CXII-of-2011_EN_201310.pdf. Readers should note that the English version lags amendments; the authoritative Hungarian text is published on the National Legal Database at njt.hu.

The NAIH: Powers, Structure, and Independence
The National Authority for Data Protection and Freedom of Information (NAIH) is Hungary's supervisory authority under Article 51 of the GDPR. It operates independently from the government and is headed by a President appointed by the President of Hungary for a nine-year, non-renewable term. This is a deliberately long mandate intended to insulate the NAIH from political cycles.
The NAIH holds the complete enforcement toolkit assigned to supervisory authorities under GDPR Articles 57 to 63:
- Conducting investigations and audits, including own-initiative investigations without a complaint.
- Issuing warnings, reprimands, and binding orders to controllers and processors.
- Ordering controllers to fulfil data-subject requests (access, erasure, rectification).
- Imposing temporary or permanent processing bans.
- Imposing administrative fines.
- Suspending data flows to third countries.
- Referring matters to national courts.
Beyond GDPR enforcement, the NAIH also enforces freedom-of-information rights under the Info Act, giving it a dual mandate shared by very few EU data-protection authorities. This means the NAIH simultaneously defends personal privacy and compels public-sector transparency, a tension it must navigate in every decision touching public officials' data.
Independence Caveats: National Security and Rule-of-Law Context
The NAIH's independence is formally guaranteed by its statute and the GDPR, but observers have noted structural limits. In national security matters, the NAIH has limited power to conduct external, independent scrutiny of intelligence-service data processing. The European Parliament's inquiry into the Pegasus spyware scandal in 2022 found that Hungary's oversight mechanisms for surveillance operations were inadequate and recommended restoring safeguards and complying with European Court of Human Rights judgments.
More broadly, the European Commission's rule-of-law reports and the European Parliament have documented concerns about judicial independence and Hungary's compliance with EU Court of Justice judgments. The Commission's December 2024 assessment concluded that Hungary had not sufficiently addressed breaches of rule-of-law principles, maintaining measures to protect the EU budget. For foreign organisations subject to NAIH enforcement, this context is relevant background: the NAIH operates within an institutional environment that the EU's own oversight bodies consider partly compromised, even though the authority itself has maintained active enforcement activity in commercial and public-sector data processing.
Legal Bases for Processing: What Justifies Data Collection?
Hungary does not add legal bases beyond GDPR Article 6. The six standard grounds apply: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Each requires a separate analysis; Hungary does not rank them by preference.
Consent Under Hungarian Practice
For consent to be valid under GDPR Article 7 and Hungarian practice, it must be freely given, specific, informed, and indicated by an unambiguous affirmative action. Pre-ticked boxes are not acceptable. Bundling consent to data processing with acceptance of general terms and conditions violates the "freely given" requirement unless the processing is genuinely necessary for the contract.
The NAIH has repeatedly found that two categories of consent are structurally defective in the Hungarian context:
Employee consent. The NAIH has declared that employee consent cannot be freely given due to the inherent power imbalance in the employment relationship. An employee who feels economic pressure to agree to workplace monitoring cannot validly consent. This position has been enforced in multiple decisions. Employers must identify alternative legal bases, typically legitimate interests under GDPR Article 6(1)(f) subject to a balancing test, or contractual necessity under Article 6(1)(b).
Cookie consent on websites. The NAIH has taken enforcement action against website operators using dark-pattern cookie banners that make refusal difficult or unclear.
Sensitive Data (Special Category Data)
GDPR Article 9 governs special-category data in Hungary: health data, biometric data, genetic data, racial or ethnic origin, political opinions, religious beliefs, trade-union membership, and data on sex life or sexual orientation. Processing requires both a GDPR Article 6 legal basis and a specific Article 9(2) ground. The NAIH has taken a strict approach to biometric data in the workplace, requiring that less intrusive alternatives be used wherever possible.
Data Subject Rights in Hungary
All eight GDPR data-subject rights apply in Hungary without restriction beyond the derogations the GDPR itself permits. The NAIH enforces these rights actively.
| Right | GDPR Provision | Key NAIH Position |
|---|---|---|
| Access (copy of data) | Art. 15 | Controllers must provide copies in full; denying access without a specific statutory ground is a sanctionable violation |
| Rectification | Art. 16 | Must be completed without undue delay |
| Erasure ("right to be forgotten") | Art. 17 | NAIH's 2025 CEF focus; banking sector specifically monitored |
| Restriction | Art. 18 | Applies pending dispute about accuracy or legal basis |
| Data portability | Art. 20 | Applies to automated processing based on consent or contract |
| Object to processing | Art. 21 | Covers legitimate-interests processing and direct marketing |
| No solely automated decisions | Art. 22 | AI systems with significant individual impact require human review |
| Withdraw consent | Art. 7(3) | Must be as easy as giving consent |
In 2024, a healthcare provider was fined HUF 10 million by the NAIH specifically for denying a data-subject access request and failing to provide adequate information, demonstrating that access-right violations carry meaningful penalties.
For 2025, the NAIH participated in the EDPB's Coordinated Enforcement Framework (CEF) action on the right to erasure under GDPR Article 17. The EDPB's February 2026 report on that exercise identified systemic weaknesses across EU member states: most controllers lack automated deletion procedures, do not address backup-data erasure, and sometimes substitute weak anonymisation for actual deletion. Hungarian banking-sector controllers were among those monitored through joint EDPB questionnaires.
For 2026, the EDPB has launched a new CEF action on transparency and information obligations under GDPR Articles 13 and 14. The NAIH is expected to participate, meaning Hungarian controllers should audit whether their privacy notices satisfy the specificity requirements of Articles 13 and 14, including precise retention periods and the identity of all recipients.
Data Breach Notification Requirements
Standard GDPR breach-notification rules apply in Hungary. Controllers must notify the NAIH within 72 hours of becoming aware of a personal data breach that poses a risk to individuals' rights and freedoms. Notification is submitted through the NAIH's Personal Data Breach Reporting System on its website, and must be submitted in Hungarian.
If the breach poses a high risk to individuals, the controller must also notify affected data subjects directly, in clear and plain language, describing: the nature of the breach, the contact details of the DPO or other contact point, the likely consequences of the breach, and the measures taken or proposed to address the breach.
In September 2025, the NAIH published specific guidance on breach management and website security. The guidance emphasised that controllers must maintain documented internal breach-response procedures and that technical security measures, including encryption of data in transit and at rest, must satisfy GDPR Article 32. The NAIH noted that website security obligations include patching known vulnerabilities, securing session management, and deploying appropriate access controls.
The 2024 Cybersecurity Act (Act LXIX of 2024) adds a parallel incident-reporting obligation for essential and important entities. The Act confirms that cybersecurity incident reports do not substitute for GDPR breach notifications: both obligations must be fulfilled independently.
DPO Requirements in Hungary
Under GDPR Article 37, a Data Protection Officer is mandatory for:
- Public authorities and bodies (except courts acting in their judicial capacity).
- Controllers or processors whose core activities require large-scale, regular, and systematic monitoring of individuals.
- Controllers or processors whose core activities involve large-scale processing of special-category data or criminal-conviction data.
Hungary applies these thresholds without modification. The NAIH adds one procedural requirement: DPO contact details must be registered with the NAIH online, regardless of whether the appointment is mandatory or voluntary. This registration is enforced; failure to register is treated as a compliance failure separate from the substantive DPO appointment obligation.
The DPO must be accessible to data subjects, report to the highest level of management, and must not receive instructions regarding the performance of DPO tasks. The NAIH has issued guidance that DPOs must have sufficient resources, time, and access to data-processing activities to carry out their functions effectively. A DPO shared across a group of companies is permitted provided the DPO is accessible from each entity.

Employee Monitoring: Hungary's Strict Approach
Employee data processing is one of the areas where the NAIH has developed the most distinctive national jurisprudence, going significantly beyond what the GDPR alone requires.
The Consent Prohibition
The NAIH's foundational position is that employee consent cannot serve as the legal basis for workplace data processing. The authority's reasoning mirrors the EDPB's Guidelines 05/2020 on consent: the power imbalance between employer and employee means that consent given in the employment context is structurally not free. Organisations that have historically relied on employee consent forms, for example for workplace monitoring policies or background-check authorisations, must transition to alternative legal bases.
The most commonly available alternatives are:
- Legitimate interests (GDPR Art. 6(1)(f)): requires a three-part balancing test (purpose test, necessity test, balancing test) and typically requires that a Legitimate Interests Assessment be documented before processing begins.
- Contractual necessity (GDPR Art. 6(1)(b)): available where processing is genuinely necessary to perform the employment contract, not merely convenient.
- Legal obligation (GDPR Art. 6(1)(c)): available where a specific Hungarian or EU law requires the employer to collect the data.
CCTV Surveillance in the Workplace
CCTV cameras in the workplace are subject to strict conditions under NAIH guidance. Cameras must serve a documented legitimate security purpose. Cameras cannot be used for general performance monitoring of employees. Employees must be informed before surveillance begins, including the purpose, the areas covered, the retention period, and who has access to footage.
Warning signs must be placed at entrances to monitored areas. In a 2024 enforcement case, the NAIH fined a bank approximately EUR 145,000 for deficiencies in CCTV warning signs in branch-office lobbies. The NAIH held that a simple pictogram is insufficient: signs must contain detailed information about the processing, including a reference to where the full privacy notice can be found.
Email and Internet Monitoring
The NAIH requires employers to adopt clear, written workplace data-processing policies before implementing any monitoring of company email or internet use. Employees must be informed about what is monitored, how it is conducted, who has access, and for how long data is retained. The NAIH has pursued multiple enforcement actions against employers who accessed employee email accounts without these policies in place, finding that the absence of a transparent policy constitutes a violation independent of whether the underlying access was legitimate.
GPS Tracking and Biometric Data
GPS tracking of company vehicles is permitted only when it serves a genuine business purpose (fleet management, security, or route verification) and employees are informed. Tracking must cease outside working hours unless a specific operational justification exists. Biometric data in the workplace, such as fingerprint access systems, requires a specific legal basis and must be strictly necessary; the NAIH expects organisations to consider less-intrusive alternatives first.
Cross-Border Data Transfers
Hungary follows the standard GDPR framework for transfers of personal data outside the European Economic Area (EEA).
Transfers to third countries require one of the following:
- Adequacy decision under GDPR Article 45: the European Commission has recognised a country as providing an essentially equivalent level of protection. Current adequacy decisions cover countries including Japan, the UK (decision extended to 2031 per EDPB opinion, October 2025), South Korea, New Zealand, Canada (commercial sector), Israel, and others. A Commission draft adequacy decision for Brazil was published in September 2025.
- Appropriate safeguards under GDPR Article 46: Standard Contractual Clauses (SCCs) adopted by the Commission (updated SCCs issued in 2021); Binding Corporate Rules; codes of conduct; certification mechanisms. Where SCCs are used, a Transfer Impact Assessment (TIA) is required to evaluate the legal framework of the recipient country.
- Derogations under GDPR Article 49: explicit consent, contract performance, public interest, legal claims, vital interests, or compelling legitimate interests. Derogations are reserved for occasional, non-repetitive transfers.
The NAIH has authority to authorise ad-hoc contractual clauses under Article 46(3)(a) and must be notified of certain Article 49(1) derogation-based transfers. As a member of the EDPB, the NAIH participates in developing common transfer guidance.
Since January 2025, Act LXIX of 2024 on Cybersecurity introduces data-localisation requirements for administrative bodies, state-owned enterprises, and entities designated as essential or important under the cybersecurity framework. These entities must keep defined categories of operational data on infrastructure located within Hungary.
Penalties and NAIH Enforcement
The NAIH can impose administrative fines under the GDPR's two-tier structure:
- Tier 1 (up to EUR 10 million or 2% of worldwide annual turnover, whichever is higher): violations of controller/processor obligations, DPO obligations, and certification body obligations.
- Tier 2 (up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher): violations of the basic principles of processing, data-subject rights, consent conditions, and international transfer rules.
In fixing the amount, the NAIH considers the nature, gravity, and duration of the violation; whether the violation was intentional or negligent; measures taken to mitigate damage; prior violations; and the controller's cooperation.
NAIH Enforcement Statistics
In 2024, the NAIH issued 38 enforcement decisions involving fines, totalling HUF 335 million across all cases. Individual fines ranged from HUF 8 million to HUF 50 million. The total volume of fines increased compared to prior years even though no single 2024 case approached the 2022 Budapest Bank record.
Notable Enforcement Decisions
Budapest Bank AI Fine (2022): The NAIH imposed its record fine of HUF 250 million (approximately EUR 653,000) against Budapest Bank for deploying AI technology to analyse customer emotions and moods during telephone calls. The bank used the system without providing adequate privacy notices, obtaining consent, or conducting a legitimate-interests assessment. The NAIH found that the bank lacked any valid legal basis and that the AI processing was inherently opaque to customers. This case became a reference enforcement action cited by other EU data-protection authorities considering AI-processing cases.
Aldi Age Verification (2024): The NAIH fined Aldi HUF 80 million for non-transparent age verification practices in the context of alcohol sales, ordering corrective measures to standardise procedures and improve transparency disclosures.
Bank CCTV Signage (2024): A bank was fined approximately EUR 145,000 for inadequate CCTV warning signs in branch lobbies. The NAIH specified that warning signs at monitored entrances must contain detailed processing information; a pictogram alone is insufficient.
Healthcare Access Denial (2024): A healthcare provider was fined HUF 10 million for denying a data-subject access request and failing to provide required information.
Public-Sector Transparency (2024): The NAIH imposed its maximum fine for transparency violations, HUF 50 million, against a budgetary institution that failed to publish required financial data.
University Scholarship Data Minimisation (2026): The NAIH fined a private university EUR 5,000 for collecting medical documentation from students applying for accommodation scholarships without enforcing data-minimisation obligations. The NAIH held that allowing students to self-redact sensitive data before submission was insufficient: the controller bore the obligation to ensure that unnecessary data was not processed at all, regardless of whether data subjects had the opportunity to limit what they submitted.
AI Banking Sector Investigation (2024): The NAIH conducted a targeted investigation into AI-based data processing in the Hungarian banking sector, focusing on the transparency of algorithmic decision-making and customer data handling, driven by the adoption of the EU AI Act.

EU AI Act Interaction: Act LXXV of 2025
The EU AI Act (Regulation (EU) 2024/1689), which entered into force on 2 August 2024, is directly applicable in Hungary as EU law. Hungary enacted Act LXXV of 2025 on the Domestic Implementation of the European Union Regulation on Artificial Intelligence to establish the national institutional and enforcement framework. Most provisions of Act LXXV took effect on 1 December 2025.
Hungary's AI Governance Structure
Act LXXV designates:
- The National Accreditation Authority (NAH) as Hungary's notifying authority under EU AI Act Article 28, responsible for assessing and designating conformity assessment bodies for high-risk AI systems.
- A ministerial AI Market Surveillance Authority as the general market oversight body for AI systems in Hungary, responsible for investigating compliance with the EU AI Act, conducting inspections, imposing administrative fines, and operating Hungary's AI Regulatory Sandbox.
- A Hungarian Artificial Intelligence Council as an advisory body.
The Act instructs cooperation between these new AI bodies and sectoral regulators, including the NAIH, to manage overlapping competences.
NAIH's Role in AI Governance
The NAIH remains a central cooperative body wherever AI systems process personal data, which covers the vast majority of practical AI deployments. The NAIH has issued guidance requiring Data Protection Impact Assessments for any AI system that processes personal data, a more expansive requirement than the GDPR baseline (which requires DPIAs only for high-risk processing under Article 35). The NAIH's position is that general-purpose AI models processing personal data of Hungarian citizens require a DPIA even when not individually classified as high-risk under the EU AI Act.
Where processing by an AI system falls within the EU AI Act's prohibited-use categories, the AI Market Surveillance Authority leads enforcement. Where the AI system is permitted but processes personal data in violation of the GDPR, the NAIH leads. In cases of overlap, Act LXXV requires the two bodies to coordinate.
AI Risk Categories in Hungary
| Risk Category | Examples | Requirement |
|---|---|---|
| Unacceptable risk | Social scoring systems, real-time biometric identification in public spaces, manipulation of vulnerable persons | Prohibited |
| High risk | AI in employment decisions, credit scoring, critical infrastructure, education assessment, border control | Conformity assessment, registration, human oversight |
| Limited risk | Chatbots, emotion-recognition systems, deepfakes | Transparency obligations |
| Minimal risk | Spam filters, AI-assisted video games | No specific obligations |
The Budapest Bank case (2022), though predating the EU AI Act, remains the most cited Hungarian example of AI-processing enforcement. An emotion-recognition system deployed without transparency fell squarely into what the EU AI Act now classifies as a limited-risk system requiring disclosure, and what the NAIH treated at the time as lacking any valid GDPR legal basis.
Data Localisation: The 2024 Cybersecurity Act
Act LXIX of 2024 on Hungary's Cybersecurity (effective 1 January 2025) transposes the EU's NIS2 Directive and introduces data-localisation requirements that affect a significant portion of Hungarian organisations.
Entities subject to localisation obligations include administrative bodies, state-owned enterprises, and entities designated as essential or important under the Act. These organisations must retain defined categories of operational data on infrastructure physically located within Hungary.
The Act also requires organisations to classify their systems and data into three security categories: "basic," "significant," or "high." Classifications must be reviewed every two years or after regulatory changes or significant incidents. Entities reporting cybersecurity incidents under the Act retain separate GDPR breach-notification obligations; Act LXIX confirms that the two reporting channels are independent.
Practical Compliance Guide for Businesses
Organisations operating in Hungary or processing the personal data of Hungarian residents should address the following areas:
Legal basis audit. Review whether any employee-data processing currently relies on consent. If so, identify and implement alternative legal bases before the next NAIH inquiry cycle. Document Legitimate Interests Assessments for processing that relies on Article 6(1)(f).
Workplace monitoring policies. Ensure written policies exist for every form of monitoring in place: CCTV, email monitoring, GPS tracking, and biometric access systems. Policies must precede monitoring, not follow it. CCTV warning signs must contain detailed information, not just pictograms.
AI system DPIA. For every AI system deployed that processes personal data, conduct and document a DPIA before or immediately after deployment. The NAIH requires this regardless of whether the system is classified as high-risk under the EU AI Act.
Data-minimisation controls. The 2026 university case makes clear that allowing data subjects to self-redact is not sufficient. Controllers must build processing workflows that structurally prevent unnecessary data from entering the system.
Right-to-erasure procedures. Following the EDPB's 2025 CEF action, the NAIH will increase scrutiny of erasure practices in the banking sector and beyond. Audit whether deletion procedures cover backup systems, third-party processors, and archived data. Weak anonymisation is not a substitute for deletion.
DPO registration. If your organisation has appointed a DPO, whether mandatory or voluntary, register the DPO's contact details with the NAIH through its online portal.
Cross-border transfer documentation. Where transfers outside the EEA rely on SCCs, complete and retain Transfer Impact Assessments. Where transfers use Article 49 derogations, notify the NAIH as required.
Cybersecurity classification. Organisations that qualify as essential or important entities under Act LXIX of 2024 must complete their security-class classifications and review them on the prescribed two-year cycle.
2026 CEF preparation. The EDPB's 2026 CEF action focuses on transparency obligations (GDPR Arts. 13 and 14). Review all privacy notices for completeness: precise retention periods, specific processing purposes, and identified recipients are the most commonly deficient elements.
Watch out: Hungary's NAIH treats the data-minimisation obligation as a controller-side duty that cannot be delegated to data subjects. Providing a form that allows self-redaction satisfies neither Article 5(1)(c) (data minimisation) nor Article 25 (privacy by design and default). Controllers must design collection processes that structurally limit intake to what is necessary.
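One way to implement the controller-side minimisation described above is an intake filter that only accepts an explicit allowlist of fields and document categories and drops everything else before anything is stored, so the applicant's own redaction is never the control the controller relies on. The following is an added example written for this guide; it is not code from the university in the 2026 case or from the NAIH. The data model (ALLOWED_FIELDS, ALLOWED_DOCUMENT_TYPES), the function names and the sample submission are constructed assumptions for an accommodation-scholarship workflow.

```python
"""Allowlist-based intake filter: data minimisation enforced by the controller.

Added illustration, not from the article or the NAIH. Field names, document
categories and the sample submission are constructed for this example.
"""
from dataclasses import dataclass, field

# Hypothetical data model: only these fields are necessary for the purpose
# (assessing eligibility for an accommodation scholarship). Anything not
# listed here is dropped server-side, whatever the applicant submitted.
ALLOWED_FIELDS = {
    "applicant_id": str,
    "programme": str,
    "distance_km": int,
    "household_income_band": str,
}

# Document categories the workflow needs. Medical documentation is not among
# them, so the server refuses such uploads instead of storing them.
ALLOWED_DOCUMENT_TYPES = {"enrolment_certificate", "address_proof"}


@dataclass
class IntakeResult:
    stored: dict                                 # what would be persisted
    dropped_fields: list = field(default_factory=list)      # names only
    refused_documents: list = field(default_factory=list)   # categories only
    errors: list = field(default_factory=list)  # type mismatches, missing fields


def minimise_submission(submission: dict) -> IntakeResult:
    """Keep only allowlisted fields of the expected type; drop the rest.

    The audit lists record names and categories of what was refused, never
    the refused content, so the filter itself does not become a new copy
    of the unnecessary data.
    """
    result = IntakeResult(stored={})

    for name, value in submission.items():
        if name == "documents":
            continue  # handled separately below
        expected = ALLOWED_FIELDS.get(name)
        if expected is None:
            result.dropped_fields.append(name)
        elif not isinstance(value, expected):
            result.errors.append(f"{name}: expected {expected.__name__}")
        else:
            result.stored[name] = value

    for name in ALLOWED_FIELDS:
        if name not in result.stored:
            result.errors.append(f"{name}: missing")

    kept_docs = []
    for doc in submission.get("documents", []):
        doc_type = doc.get("type")
        if doc_type in ALLOWED_DOCUMENT_TYPES:
            kept_docs.append(doc)
        else:
            result.refused_documents.append(doc_type or "unknown")
    result.stored["documents"] = kept_docs
    return result


def is_acceptable(result: IntakeResult) -> bool:
    """A submission proceeds only when every required field is present and typed."""
    return not result.errors


# Constructed sample: the applicant included a field the workflow does not
# use and a medical report the purpose does not require.
SAMPLE_SUBMISSION = {
    "applicant_id": "APP-0001",
    "programme": "BSc Computer Science",
    "distance_km": 180,
    "household_income_band": "B",
    "mothers_maiden_name": "not needed by this workflow",
    "documents": [
        {"type": "enrolment_certificate", "filename": "enrol.pdf"},
        {"type": "medical_report", "filename": "diagnosis.pdf"},
    ],
}

if __name__ == "__main__":
    outcome = minimise_submission(SAMPLE_SUBMISSION)
    print("stored:", outcome.stored)
    print("dropped fields:", outcome.dropped_fields)
    print("refused documents:", outcome.refused_documents)
    print("acceptable:", is_acceptable(outcome))
```

The design point is that the allowlist lives on the controller's side of the boundary: a form that merely lets the applicant leave a field blank or black out a line still lets whatever they submit reach the system, whereas this filter guarantees that an unlisted field or document category is never written to storage, which is the Article 5(1)(c) and Article 25 posture the NAIH expects.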
Disclaimer: This article provides general legal information about Hungary's data privacy framework and is not legal advice. The GDPR and Hungarian national implementing legislation are subject to ongoing amendment and enforcement development. Laws cited reflect their in-force versions as of May 2026. Organisations and individuals should consult a lawyer qualified and licensed in Hungary for advice on their specific situation.
Frequently Asked Questions
What is Hungary's primary national data protection law?
Hungary's main national data-protection statute is Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (the Info Act). It supplements the GDPR with national procedural rules, freedom-of-information obligations, and sector-specific adjustments. The GDPR takes precedence where conflicts arise. The Info Act is notable for applying to all data processing in Hungary regardless of sector, including law enforcement and national security.
Who enforces data protection law in Hungary?
The National Authority for Data Protection and Freedom of Information (NAIH) is Hungary's supervisory authority under GDPR Article 51. It holds the full GDPR enforcement toolkit: investigations, audits, binding corrective orders, processing bans, and administrative fines up to EUR 20 million or 4% of worldwide annual turnover. The NAIH also enforces freedom-of-information obligations under the Info Act, giving it a dual mandate unusual among EU data-protection authorities.
Can Hungarian employers use employee consent as the legal basis for workplace monitoring?
No. The NAIH has declared that employee consent cannot be freely given due to the inherent power imbalance in employment relationships. Employers must identify alternative legal bases: legitimate interests under GDPR Article 6(1)(f) (with a documented balancing test), contractual necessity under Article 6(1)(b), or a legal obligation under Article 6(1)(c). This applies to all forms of workplace data processing, including CCTV surveillance, email monitoring, GPS tracking, and biometric access systems.
What was Hungary's largest GDPR fine?
The NAIH's record fine was HUF 250 million (approximately EUR 653,000) imposed on Budapest Bank in 2022 for using AI to analyse customer emotions during telephone calls. The bank deployed the system without a valid legal basis, adequate transparency, or consent mechanisms. The case became a reference enforcement action cited by other EU data-protection authorities considering AI-processing cases.
What are the breach notification timelines in Hungary?
Under GDPR Article 33, controllers must notify the NAIH without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; a notification made after 72 hours must state the reasons for the delay. Notification is filed through the NAIH's online Personal Data Breach Reporting System, in Hungarian. If the breach is likely to result in a high risk, affected individuals must also be notified directly under Article 34. Every breach, whether or not it is reported, must be documented in the controller's internal breach register under Article 33(5). Act LXIX of 2024 on Cybersecurity adds a separate incident-reporting obligation for essential and important entities; the GDPR notification and the cybersecurity notification go to different recipients and must each be fulfilled independently, as filing one does not discharge the other.
When must a Data Protection Officer be appointed in Hungary?
A DPO is mandatory for public authorities and bodies (except courts acting in their judicial capacity), and for controllers or processors whose core activities involve large-scale, regular, and systematic monitoring of individuals, or large-scale processing of special-category data or criminal-conviction data. The DPO's contact details must be published and communicated to the supervisory authority under GDPR Article 37(7); Hungary implements this as an online registration with the NAIH, which applies whether the appointment is mandatory or voluntary.
How does Hungary's EU AI Act implementation affect GDPR compliance?
Hungary enacted Act LXXV of 2025 to implement the EU AI Act domestically, with most provisions effective 1 December 2025. The NAIH remains the competent authority for data-protection aspects of AI deployments. The NAIH requires Data Protection Impact Assessments for any AI system that processes personal data, regardless of the EU AI Act risk classification. Controllers deploying AI in automated decision-making, emotion recognition, or customer profiling must ensure both EU AI Act compliance and a valid GDPR legal basis.
What are Hungary's rules on international data transfers?
Hungary follows the standard GDPR framework. Transfers outside the EEA require an adequacy decision, appropriate safeguards (most commonly Standard Contractual Clauses accompanied by a Transfer Impact Assessment), or an Article 49 derogation. A transfer relying on the compelling-legitimate-interests derogation in the final subparagraph of Article 49(1) must be reported to the NAIH, and the data subjects must be informed of it. Additionally, Act LXIX of 2024 on Cybersecurity introduces data-localisation obligations requiring certain administrative bodies, state-owned enterprises, and essential or important entities to retain defined categories of operational data on infrastructure physically located in Hungary.
What is the constitutional basis for data protection in Hungary?
Article VI(3) of Hungary's Fundamental Law (the constitution, effective 2012) guarantees the right to personal data protection. This constitutional basis is reinforced by the Hungarian Constitutional Court's landmark Decision 15/1991, which recognised informational self-determination as a fundamental constitutional right more than a decade before the GDPR. Hungarian courts and the NAIH treat data-protection violations as constitutional infringements subject to proportionality analysis, not merely regulatory non-compliance.
What is Hungary's age of digital consent?
Hungary set the age of digital consent at 16, keeping the GDPR's default threshold under Article 8(1). Children under 16 require authorisation from the holder of parental responsibility before consent to an information-society service is valid. Services relying on that consent must, under Article 8(2), make reasonable efforts, taking available technology into account, to verify that the consent was given or authorised by the holder of parental responsibility.
Sources and References
- NAIH Official (naih.hu)
- Info Act English Text, NAIH (naih.hu)
- Fundamental Law of Hungary (legislationline.org)
- Act LXIX of 2024 on Cybersecurity (njt.hu)
- NAIH 2024 Cases Analysis (dmp.hu)
- DLA Piper: Budapest Bank AI Fine (privacymatters.dlapiper.com)
- Fox Rothschild: 2026 Data Minimisation (dataprivacy.foxrothschild.com)
- Act LXXV of 2025 AI Implementation (regulations.ai)
- CMS Hungary AI Guide (cms.law)
- EDPB CEF 2025 Right to Erasure Report (edpb.europa.eu)
- EDPB CEF 2026 Transparency (edpb.europa.eu)
- CMS GDPR Enforcement Tracker Hungary (cms.law)
- Chambers Hungary 2025 (practiceguides.chambers.com)
- White & Case: GDPR Implementation Hungary (whitecase.com)
- ICLG Hungary 2025-2026 (iclg.com)
- EC Rule of Law Report Hungary 2025 (commission.europa.eu)
- EC Hungary Rule of Law, December 2024 (ec.europa.eu)
- CMS LawNow: NAIH Breach Management 2025 (cms-lawnow.com)