Data Subjects’ Rights Under GDPR Suspended in Hungary Due to COVID-19 Pandemic

In Hungary, the government has taken the decision to suspend the rights of data subjects under the European Union’s General Data Protection Regulation (GDPR).

This suspension will remain in place until the COVID-19 state of emergency is brought to an end. In addition, the government has eased the legal requirement for public agencies to notify individuals when they are gathering their personal data, and has lengthened the time that public bodies have to process freedom of information requests.

This move by the Hungarian government has drawn some criticism, and the decision has raised concern across the EU privacy protection community and the European Commission. Speaking to reporters on publication of the European Data Protection Board’s 2019 annual report on Monday 18 May, Chair Andrea Jelinek noted her worry in relation to the recent move by the Hungarian government.

She said: “I am personally very worried at the suspension of several articles of the GDPR by the Hungarian government.” She went on to say that this suspension of GDPR during the COVID-19 crisis is “not recommended” by the EDPB.

It was also revealed that the EDPB is aiming to release official guidelines on the application of Article 23 of the GDPR due to the COVID-19 state of emergency that has been declared in the majority of European Union member states. Prior to making this statement, the EDPB had been in receipt of a joint letter from the Civil Liberties Union for Europe, Access Now, and the Hungarian Civil Liberties Union in relation to the move made by the Hungarian government. The letter said: “The decision by the Hungarian government to limit the application of data subjects’ rights is disproportionate, unjustified, and potentially harmful to the public’s response to fight the virus.”

When GDPR was formulated – prior to being passed and becoming enforceable on May 25 2018 – it was envisaged that it would create data subjects’ rights to access, rectify, object, restrict, and have their personal information erased. However, the Hungarian government was able to take this course of action thanks to Article 23 of the GDPR, which states that member states are permitted to restrict those rights if it is necessary for the protection of public security.

Additionally, the European Data Protection Board (“EDPB”) indicated that it intends to publish guidelines on the application of Article 23 of the GDPR in light of the state of emergency in many member states of the European Union.

The full text of the decree made by the Hungarian government is available here (in Hungarian).