The General Data Protection Regulation (GDPR) and Hungarian data protection legislation (Act CXII of 2011 on Informational Self-Determination) impose strict obligations on e-commerce operators handling personal data. The NAIH (Nemzeti Adatvédelmi és Információszabadság Hatóság – National Authority for Data Protection and Freedom of Information) oversees compliance in Hungary and has become increasingly active in enforcement actions, particularly targeting online retailers and webshops that fail to meet their data protection obligations.
Cookie management and consent
Prior explicit consent is required before placing non-essential cookies, including analytics trackers, marketing pixels, and remarketing tags. The cookie consent banner must offer clear options to accept, reject, or customize cookie preferences by category (necessary, analytics, marketing, preferences). Google Analytics, Facebook Pixel, and other tracking tools may only be activated after the user grants consent. Cookie consent must be documented and stored as proof of compliance, and users must be able to withdraw their consent at any time through an accessible mechanism. The cookie policy must detail each cookie's name, purpose, expiration period, and the identity of the provider setting the cookie.
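As an added illustration (not part of this page and not Zunapro's code), a small JavaScript consent manager that loads a tag only once its category has been granted, stores a timestamped consent record tied to the policy version as proof, and handles withdrawal; the tag names, URLs, storage key and policy version are constructed placeholders, and storage and script injection are passed in so the logic runs with or without a browser.

```javascript
// Added example, not the page's or Zunapro's code: a consent-gated tag loader.
// Categories follow the page: necessary, analytics, marketing, preferences.
const CATEGORIES = ["necessary", "analytics", "marketing", "preferences"];
const POLICY_VERSION = "2024-01"; // constructed placeholder; change it when the cookie policy changes

// Constructed tag registry: each non-essential tag names the category it requires.
const TAGS = [
  { id: "analytics-tag", category: "analytics", src: "https://example.invalid/analytics.js" },
  { id: "marketing-pixel", category: "marketing", src: "https://example.invalid/pixel.js" },
];

// storage: anything with getItem/setItem/removeItem (e.g. window.localStorage).
// loadScript(tag): injects the tag's script; called only after consent for its category.
function createConsentManager({ storage, loadScript, now = () => new Date() }) {
  const loaded = new Set();
  const read = () => {
    const raw = storage.getItem("cookie_consent");
    if (!raw) return null;
    const record = JSON.parse(raw);
    // Consent given under an older policy version no longer counts: the banner must be shown again.
    return record.policyVersion === POLICY_VERSION ? record : null;
  };
  // Persist the decision as proof of consent: which categories, when, under which policy version.
  const save = (choices) => {
    const record = {
      policyVersion: POLICY_VERSION,
      timestamp: now().toISOString(),
      choices: Object.fromEntries(CATEGORIES.map((c) => [c, c === "necessary" || Boolean(choices[c])])),
    };
    storage.setItem("cookie_consent", JSON.stringify(record));
    // Only now may tags fire, and only those whose category was granted; never twice.
    for (const tag of TAGS) {
      if (record.choices[tag.category] && !loaded.has(tag.id)) { loadScript(tag); loaded.add(tag.id); }
    }
    return record;
  };
  return {
    needsBanner: () => read() === null,            // show the banner until a valid record exists
    acceptAll: () => save(Object.fromEntries(CATEGORIES.map((c) => [c, true]))),
    rejectAll: () => save({}),                     // only "necessary" remains true
    customize: save,                               // per-category choices from the banner
    current: read,
    loadedTags: () => [...loaded].sort(),
    // Withdrawal removes the stored consent; scripts already running need a page reload to stop.
    withdraw: () => { storage.removeItem("cookie_consent"); return read() === null; },
  };
}
```

In a browser, pass `window.localStorage` as `storage` and a `loadScript` that appends a `<script src>` element; the stored record is what you would produce when asked to demonstrate that a given tag fired only after consent.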
Privacy policy requirements
Every webshop must publish a comprehensive, transparent privacy policy in clear, plain Hungarian. The policy must cover: what personal data is collected (name, address, email, phone number, payment details, IP address), the purposes of processing (contract fulfillment, marketing, analytics, fraud prevention), the legal basis for each processing activity (contract performance, consent, legitimate interest), recipients of data (courier services like GLS and FoxPost, payment providers like SimplePay and Barion, accounting software, marketing platforms), data retention periods for each category, and a full description of data subject rights. The privacy policy must be accessible from every page of the webshop, typically via a footer link.
Data subject rights and record-keeping
Customers have the right to access their personal data, request rectification of inaccurate data, request erasure (right to be forgotten), data portability in a machine-readable format, object to processing based on legitimate interest, and request restriction of processing. Requests must be responded to within 30 days, extendable by an additional 60 days in complex cases with proper notification. A Data Protection Officer (DPO) must be appointed if the controller's core activities involve regular and systematic monitoring of data subjects on a large scale. Every e-commerce operator must maintain a Record of Processing Activities (ROPA) documenting all processing purposes, legal bases, data categories, recipients, and international transfers.
Penalties and practical compliance
The NAIH can impose fines of up to €20 million or 4% of annual global turnover for serious violations. In practice, Hungarian fines typically range from HUF 100,000 to several million HUF, but the NAIH is trending toward stricter enforcement. The most common violations include inadequate cookie consent mechanisms, incomplete or missing privacy policies, sending marketing emails without proper consent, and failing to respond to data subject access requests within the legal timeframe. Zunapro ensures complete GDPR compliance for your e-commerce platform, including cookie banner configuration, privacy policy drafting, NAIH compliance documentation, and ongoing monitoring of regulatory changes.