Hungary's data protection authority has intensified its enforcement activity. Fines are rising, investigations are opening faster, and international businesses operating in Hungary are increasingly in scope. For companies that assumed passive regulatory conditions in this market, the shift demands immediate attention.
The Nemzeti Adatvédelmi és Információszabadság Hatóság (Hungarian National Authority for Data Protection and Freedom of Information. Known as the NAIH) has moved to stricter enforcement of data protection legislation in Hungary, issuing significant administrative penalties and audit-driven decisions with effect from the current regulatory cycle. Any business established in Hungary or directing services at Hungarian residents qualifies as a data controller subject to NAIH jurisdiction. Companies must review GDPR compliance posture and consent mechanism structures without delay.
This alert sets out what has changed, which business categories face the greatest exposure, and the concrete steps that international companies should take now.
What changed and when it took effect
The NAIH has adopted a more active enforcement posture across several areas of data protection legislation. This shift is visible in three ways.
First, the authority has increased its use of own-initiative investigations. Rather than waiting for complaints, the NAIH is now auditing sectors it considers high-risk. Financial services, healthcare, e-commerce, and technology platforms have been the primary targets. Cross-border data transfer arrangements – particularly those relying on standard contractual clauses – have attracted close scrutiny.
Second, the NAIH has tightened its position on consent mechanisms. A consent mechanism that bundled multiple processing purposes into a single click has been found non-compliant in a series of decisions issued in the past twelve months. The authority now expects granular, purpose-specific consent that meets the freely given, specific, informed, and unambiguous standard set out in data protection legislation.
Third, the authority has clarified accountability expectations for the data processor relationship. Where a data controller delegates processing operations to a third party. The NAIH has confirmed that the controller remains fully liable for the processor's GDPR compliance failures unless the controller can demonstrate adequate due diligence and contractual controls.
These positions reflect the current enforcement cycle and carry immediate practical consequences for businesses that have not audited their data processing arrangements recently. For companies managing AI-driven data workflows in Hungary, the intersection with technology regulation adds further complexity – see our analysis of AI and technology law in Hungary for a parallel assessment.
To receive an expert assessment of your GDPR compliance exposure in Hungary, contact us at info@ferrazwhitmore.com.
Who is affected and what the threshold criteria are
NAIH enforcement jurisdiction attaches to any entity that qualifies as a data controller or data processor under data protection legislation and that operates within Hungarian territory or processes the personal data of Hungarian residents.
The following categories face the highest immediate exposure:
- E-commerce and retail platforms collecting customer data in Hungary
- Financial services providers and fintech operators using automated profiling
- Healthcare organisations and medical technology companies processing sensitive personal data
- Technology companies relying on cross-border data transfer arrangements to non-EEA countries
- Employers processing employee data through HR systems hosted outside the EU
Threshold criteria for formal investigation include inadequate consent mechanism documentation, absence of a lawful basis for processing, incomplete records of processing activities, and deficient data processor contracts. The NAIH has also flagged data transfer gaps where standard contractual clauses have not been supplemented by transfer impact assessments.
Mid-size and smaller businesses are not exempt. The authority has explicitly stated that scale does not reduce the compliance obligation. International groups that handle Hungarian resident data through a parent entity outside the EU are particularly exposed if no local representative or EU-established data controller has been formally designated.
Full details on the scope of data protection obligations applicable to businesses in Hungary are set out in our data protection service page for Hungary.
Immediate actions for international companies
Companies with Hungarian operations or with processing activities directed at Hungarian residents should address the following items without delay.
Audit consent mechanisms. Review every active consent mechanism. Confirm that each consent request is purpose-specific, unbundled from other terms, and recorded with a timestamp and version reference. Consent obtained through pre-ticked boxes or silence is not valid under Hungarian data protection practice.
Review data processor contracts. Identify all third-party vendors acting as data processors. Confirm that each contract includes the mandatory clauses required by data protection legislation – scope, instructions, security obligations, sub-processor controls, and return or deletion of data on termination. Processors that cannot demonstrate their own GDPR compliance should be replaced or contractually constrained.
Map and document cross-border data transfers. For any data transfer to a country outside the European Economic Area, confirm the transfer mechanism in use. Where standard contractual clauses apply, ensure a transfer impact assessment has been completed and documented. The NAIH has treated the absence of transfer impact assessments as a standalone compliance failure.
Update records of processing activities. The NAIH has cited incomplete or outdated records of processing activities as a finding in a number of recent decisions. Each data controller and data processor in scope must maintain current records covering processing purposes, categories of data, retention periods, and security measures.
Designate a contact point. Where no data protection officer has been formally appointed and where one may be required under data protection legislation, address this gap immediately. International companies without an EU establishment should also confirm whether a local representative must be designated under applicable rules.
Engaging a lawyer in Hungary with cross-border data protection experience allows businesses to prioritise these actions in proportion to actual exposure and to respond effectively if the NAIH initiates contact. A law firm in Hungary with EU regulatory expertise can also assist with authority communications and, where necessary, represent the data controller in formal proceedings before the NAIH. For comparable regulatory developments in another EU market, see our alert on data protection enforcement in Portugal.
About Ferraz & Whitmore
Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions. Our data protection and technology law practice supports data controllers and data processors operating across EU and non-EU markets, including Hungary, in managing GDPR compliance, regulatory investigations, and cross-border data transfer structures. The firm combines Portuguese civil law expertise with English common law tradition, offering a dual-perspective approach that is particularly effective in cross-border enforcement and multi-jurisdictional compliance matters. Our IP and technology practitioners have advised on data protection matters before European supervisory authorities and have experience structuring consent mechanisms and data processor frameworks for international technology companies. To discuss your specific situation in Hungary or across the EU, contact us at info@ferrazwhitmore.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.