Skip to content
World Watch/Hungary/Data & Privacy

Data & Privacy · Hungary

Data protection & GDPR compliance in Hungary (2026)

Comprehensive lawGDPR (Regulation (EU) 2016/679) directly applicable; Act CXII of 2011 on the Right of Informational Self-Determination and the Freedom of Information (Infotv), as substantially amended in July 2018 to align with GDPR; supervisory authority: Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH, National Authority for Data Protection and Freedom of Information)Country index 96 · A+

Hungary shaded by its data & privacy status

Data protection in Hungary: comprehensive law, under GDPR (Regulation (EU) 2016/679) directly applicable; Act CXII of 2011 on the Right of Informational Self-Determination and the Freedom of Information (Infotv), as substantially amended in July 2018 to align with GDPR; supervisory authority: Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH, National Authority for Data Protection and Freedom of Information).

Hungary applies the GDPR as the primary data protection law, supplemented by Act CXII of 2011 (Infotv), which was overhauled on 26 July 2018 to introduce national procedural rules, derogations, and coverage of areas outside GDPR scope (law enforcement, national security, national defence). The NAIH is the fully independent supervisory authority with the complete set of investigative, corrective, and sanctioning powers under GDPR Article 58. NAIH enforcement activity rose sharply in 2025, with investigation procedures up 37% and inspection proceedings up 52% year-on-year.

GDPR & data protection in Hungary

In Hungary, data protection is governed by the EU General Data Protection Regulation (GDPR), which applies directly and is enforced by the National Authority for Data Protection and Freedom of Information (NAIH).

Framework
the GDPR (Regulation (EU) 2016/679) plus the national data-protection act
Supervisory authority
the National Authority for Data Protection and Freedom of Information (NAIH)
Applies to
any organisation processing the personal data of people in Hungary, wherever the organisation is based
Maximum fine
€20 million or 4% of global annual turnover, whichever is higher
Breach notification
within 72 hours of becoming aware, to the supervisory authority
DPO
required for large-scale monitoring or large-scale special-category processing

The GDPR is bloc-wide; Hungary supplements it with a national data-protection act and its own supervisory authority.

GDPR in Hungary: FAQ

Does the GDPR apply in Hungary?

Yes. As an EU/EEA member, Hungary applies the GDPR (Regulation (EU) 2016/679) directly, enforced by the National Authority for Data Protection and Freedom of Information (NAIH).

Who enforces data protection law in Hungary?

The National Authority for Data Protection and Freedom of Information (NAIH).

What are the GDPR fines in Hungary?

Up to €20 million or 4% of global annual turnover, whichever is higher.

Do you need a Data Protection Officer in Hungary?

A DPO is required where you carry out large-scale monitoring or process special-category data at scale.

How quickly must a data breach be reported in Hungary?

Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware.

Key points

Primary legal basis

GDPR (EU) 2016/679 applies directly and takes precedence over national law in case of conflict. Act CXII of 2011 (Infotv), amended by the Act adopted at the extraordinary parliamentary session of 17 July 2018, provides supplementing procedural and substantive rules, including the authority procedure for data-subject complaints, in areas where the GDPR permits national specification.

Supervisory authority, NAIH

NAIH (naih.hu) is Hungary's independent data protection and freedom-of-information authority. It holds the full range of GDPR Article 58 powers: issuing warnings/reprimands, ordering compliance with data-subject rights, imposing temporary or permanent processing bans, suspending international transfers, withdrawing certifications, and imposing administrative fines, all without requiring a court order. Its 2026 budget is approximately EUR 6.4 million (HUF 2.4 billion) under Act LXIX of 2025.

Scope beyond GDPR

Infotv extends Hungarian data protection rules to processing for law enforcement, national security, and national defence purposes, areas explicitly excluded from GDPR scope. These provisions implement Directive (EU) 2016/680 for law enforcement and contain specific national rules for intelligence and defence processing.

Employment & employee monitoring

The Hungarian Labour Code contains express lex specialis rules on employee monitoring, which take precedence over Infotv in the employment context. Employers may monitor employees within the limits set by the Labour Code; NAIH guidance and the GDPR's proportionality principle still apply to the handling of data obtained through monitoring.

Enforcement activity & recent decisions

NAIH enforcement rose sharply in 2025 (investigations +37%, inspections +52% year-on-year). Notable 2024 EDPB-reported decisions include a finding against a foundation for breach of Article 26(1) GDPR (joint-controller obligations), with NAIH ordering future compliance. NAIH publishes all decisions on naih.hu and participates in EDPB cross-border cooperation.

EU digital-legislation overlay

As an EU member state, Hungary is subject to the full stack of EU digital regulation enforced alongside GDPR: DSA (Digital Services Act), EU AI Act (phased from 2024-2026), NIS2 Directive, and PSD2/PSD3. NAIH is designated as the competent authority for AI Act obligations that intersect with data protection, and coordinates with the relevant sectoral regulators for DSA and NIS2.

Hungary - other topics

Data & Privacy in other countries

Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →