Certainly, the most important aspect of the modification, for the business sector, is the introduction of Binding Corporate Rules (“BCR”) into Hungarian law. Besides the introduction of BCR into Hungarian law, the Amendment also increases the penalty amount that can be imposed by the Authority up to HUF 20 million (approx. EUR 67,000), which will certainly increase the amount of the fines imposed by the Authority. Furthermore, the Amendment also sets out that all data controllers will be obliged to keep an internal register of data breach incidents, which was previously an obligation only for telecommunication service providers.
BCR are internal rules (such as a Code of Conduct) adopted by a multinational group of companies that carry out international transfers of personal data (within the same corporate group) to entities located in countries that do not provide an adequate level of protection. The BCR therefore act as a solution for multinational companies that export personal data from the European Economic Area to other group entities (located in third countries) that do not ensure an adequate level of protection.
Many multinational companies are already using BCR to make their day-to-day operations easier; the full list can be found here: http://ec.europa.eu/justice/data-protection/document/international-transfers/binding-corporate-rules/bcr_cooperation/index_en.htm.
Privacy professionals have welcomed the introduction of BCR into Hungarian law, as a lack of such regulation has, in the past, caused a significant competitive disadvantage for Hungary; however, the Amendment does suffer from certain deficiencies, such as:
The Amendment defines BCR as “binding organisational rules which are adhered by a data controller or group of data controllers carrying out activities in more countries but at least in one EEA country and approved by the Hungarian National Authority for Data Protection and Freedom of Information (Authority) and which is binding on the data controller or group of data controllers and provides protection for personal data in the case of transferring personal data to third countries by the unilateral undertaking of the data controller or the group of data controllers”. We consider this definition overcomplicated and uncertain (in respect of BCR under Hungarian law). For example: what is meant by “group of data controllers”, “carrying out activities” and “unilateral undertaking”? There is also no reference to the BCR being used within the same group of companies, and the BCR can only be applied by data controllers or groups of data controllers. This leaves no possibility for data processors to apply for the approval of BCR for their future operations, which can cause a problem for multinational companies that process and transfer personal data on behalf of their clients as data processors.
Perhaps a more realistic alternative would have been the use of the definition of the draft EU General Data Protection Regulation, according to which: “binding corporate rules means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State of the Union for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings.”
The Amendment is notably silent on the mandatory content of the BCR, which will be reviewed by the Authority before approving the BCR. The application for the approval must contain:
a) the registration number of the data controller, or detailed data in respect of the data processing of the data controller or group of controllers, such as the purpose of processing, the legal basis of processing, the data subjects involved, a description of the data pertaining to the data subjects, the source, the duration of processing, the categories of data transferred, the recipients and the grounds for transfer, etc.;
b) the draft BCR;
c) data for proving the binding nature of the BCR; and
d) if the BCR was approved by the authorities of any other EEA member states, the documents proving this approval.
The fee for the application is not yet known, and the application will be decided on (by the Authority) within 60 days. The Authority can then approve the BCR, suggest a modification, or reject the application for approval. Interestingly enough, the Amendment does not make any provision for what would happen if the Authority cannot make a decision within 60 days, which we would deem a rather probable scenario.
Finally, the Amendment does not provide further guidance in respect of the procedure for applying for authorisation of BCR. At present, it is uncertain whether the Authority will apply the criteria set out in the working papers of the Article 29 Working Party on BCR. This, of course, would be of great assistance for data controllers when applying for authorisation, but even more so for the Authority, which does not have extensive previous experience with BCR in Hungary.
One thing is certain, however: Hungary is not part of the mutual recognition procedure, which has already been agreed upon by 21 other EU countries. Under this procedure, once the lead authority considers that the BCR meet the requirements (as set out in the working papers), the other Data Protection Authorities, under mutual recognition, accept this opinion as a sufficient basis for granting their own national permit or authorisation for the BCR.
The above rules will come into force 3 months after the official promulgation of the Amendment.