Data & Privacy · Hungary
Data protection & privacy laws in Hungary (2026)
Hungary shaded by its data & privacy status
Hungary applies the GDPR as the primary data protection law, supplemented by Act CXII of 2011 (Infotv), which was overhauled on 26 July 2018 to introduce national procedural rules, derogations, and coverage of areas outside GDPR scope (law enforcement, national security, national defence). The NAIH is the fully independent supervisory authority with the complete set of investigative, corrective, and sanctioning powers under GDPR Article 58. NAIH enforcement activity rose sharply in 2025, with investigation procedures up 37% and inspection proceedings up 52% year-on-year.
Key points
GDPR (EU) 2016/679 applies directly and takes precedence over national law in case of conflict. Act CXII of 2011 (Infotv), amended by the Act adopted at the extraordinary parliamentary session of 17 July 2018, provides supplementing procedural and substantive rules, including the authority procedure for data-subject complaints, in areas where the GDPR permits national specification.
NAIH (naih.hu) is Hungary's independent data protection and freedom-of-information authority. It holds the full range of GDPR Article 58 powers: issuing warnings/reprimands, ordering compliance with data-subject rights, imposing temporary or permanent processing bans, suspending international transfers, withdrawing certifications, and imposing administrative fines — all without requiring a court order. Its 2026 budget is approximately EUR 6.4 million (HUF 2.4 billion) under Act LXIX of 2025.
Infotv extends Hungarian data protection rules to processing for law enforcement, national security, and national defence purposes — areas explicitly excluded from GDPR scope. These provisions implement Directive (EU) 2016/680 for law enforcement and contain specific national rules for intelligence and defence processing.
The Hungarian Labour Code contains express lex specialis rules on employee monitoring, which take precedence over Infotv in the employment context. Employers may monitor employees within the limits set by the Labour Code; NAIH guidance and the GDPR's proportionality principle still apply to the handling of data obtained through monitoring.
NAIH enforcement rose sharply in 2025 (investigations +37%, inspections +52% year-on-year). Notable 2024 EDPB-reported decisions include a finding against a foundation for breach of Article 26(1) GDPR (joint-controller obligations), with NAIH ordering future compliance. NAIH publishes all decisions on naih.hu and participates in EDPB cross-border cooperation.
As an EU member state, Hungary is subject to the full stack of EU digital regulation enforced alongside GDPR: DSA (Digital Services Act), EU AI Act (phased from 2024–2026), NIS2 Directive, and PSD2/PSD3. NAIH is designated as the competent authority for AI Act obligations that intersect with data protection, and coordinates with the relevant sectoral regulators for DSA and NIS2.
Hungary - other topics
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →