Hungarian Data Protection Snapshot 2026 — Quick Read
Hungarian e-commerce operates under GDPR (Regulation EU 2016/679) + the Info Act of 2011 (Act CXII of 2011 on Informational Self-Determination and Freedom of Information, abbreviated Infotv.), enforced by NAIH (Nemzeti Adatvédelmi és Információszabadság Hatóság). Every webshop needs: (1) a compliant cookie consent banner with a Reject All button equal in prominence to Accept All, (2) a privacy policy in Hungarian (Adatkezelési Tájékoztató) covering GDPR Art. 13–14, (3) procedures to honor the eight data subject rights within one month, (4) a 72-hour breach notification process aligned to NAIH's online form, and (5) SCC + TIA for any data transfer outside the EU/EEA. NAIH fines can reach €20 million or 4% of global annual turnover.
The 2026 Hungarian Data Protection Landscape at a Glance
No European country layers its data protection rules in quite the way Hungary does. The cards below summarise the six compliance pillars covered in this guide — keep them in mind as you read each deep-dive section.
GDPR — Regulation (EU) 2016/679
Directly applicable since 25 May 2018 · 99 Articles · binds every Hungarian data controller and processor
NAIH — The Hungarian Data Protection Authority
Founded 2012 (replaced the Parliamentary Commissioner) · Headquarters: Falk Miksa utca, Budapest
Info Act 2011 (Infotv.) — Act CXII of 2011
Hungarian implementation + freedom of information · last major amendment Act XXXVIII of 2018
Cookie & ePrivacy — Act C of 2003 (Eht.)
Transposes EU ePrivacy Directive 2002/58/EC · prior consent required for non-essential cookies
Privacy Policy — Adatkezelési Tájékoztató
Mandatory under GDPR Art. 13–14 + Info Act 2011 · Hungarian language for HU customers
DPO — Data Protection Officer (GDPR Art. 37)
Required for public authorities + large-scale monitoring or special-category data processing
Ready to make your Hungarian webshop GDPR & NAIH ready?
Connect your store to Zunapro and get the Hungarian compliance pack — CMP cookie banner, privacy policy generator, DSAR workflow, breach notification template and SCC registry — pre-configured.
1. GDPR + Hungarian Info Act 2011 — The Two-Layer Foundation
GDPR — The Pan-EU Layer
The General Data Protection Regulation (Regulation (EU) 2016/679) became directly applicable on 25 May 2018 and replaced the patchwork of national laws created by the 1995 Data Protection Directive. Because GDPR is a regulation rather than a directive, it has direct effect in Hungary without any need for transposition — every Hungarian e-commerce business is bound by its 99 Articles and 173 recitals.
For webshops the most operationally significant Articles are: Article 5 (principles — lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, accountability), Article 6 (legal bases — consent, contract, legal obligation, vital interests, public task, legitimate interests), Articles 13–14 (information to be provided to data subjects), Articles 15–22 (data subject rights), Article 28 (data processor contracts), Article 30 (records of processing activities), Article 32 (security), Articles 33–34 (breach notification), Article 35 (DPIA) and Articles 44–49 (international transfers).
The Info Act 2011 — The Hungarian Layer
Act CXII of 2011 on Informational Self-Determination and Freedom of Information — known by its abbreviation Infotv. or simply "the Info Act" — is Hungary's foundational data protection statute. It predates GDPR by seven years but was extensively amended in 2018 by Act XXXVIII of 2018 to harmonise with GDPR while preserving the Hungarian specifics that GDPR explicitly leaves to member states.
The Info Act's role in 2026 can be summarised as: (a) it codifies the structure, powers and procedures of NAIH — GDPR Chapter 6 requires every member state to designate an independent supervisory authority but leaves the details to national law, (b) it regulates public-sector data and freedom of information requests that fall outside GDPR's scope, (c) it provides national-security and law-enforcement exemptions permitted by GDPR, and (d) it imposes Hungarian-language documentation and notification requirements where GDPR is language-neutral.
How the Two Interact
In practice, Hungarian e-commerce operators should read GDPR first for the substantive obligations and the Info Act second for procedural specifics — how to lodge a complaint with NAIH, how NAIH conducts investigations, what fines and decisions look like, and how Hungarian courts review NAIH decisions on appeal. The Info Act also fills GDPR's gaps on processing for journalistic, academic, artistic and literary purposes (Article 85 GDPR), employment-context processing (Article 88 GDPR) and the age of digital consent (Hungary set this at 16 years under Article 8 GDPR).
📜 Read the full Info Act 2011 reference
Section-by-section commentary on Act CXII of 2011, the 2018 amendments, and how each provision interacts with GDPR for Hungarian e-commerce operators.
2. NAIH — The Hungarian Data Protection Authority
From Parliamentary Commissioner to Independent Authority
NAIH (Nemzeti Adatvédelmi és Információszabadság Hatóság — National Authority for Data Protection and Freedom of Information) was established on 1 January 2012 by the Info Act 2011, replacing the former Parliamentary Commissioner for Data Protection and Freedom of Information (Adatvédelmi Biztos). The change moved Hungarian data protection oversight from a single-officeholder ombudsman model to a fully institutional authority with its own staff, budget and decision-making powers.
NAIH is headquartered in Budapest on Falk Miksa utca and is led by a President appointed by the President of the Republic for a nine-year term, on the proposal of the Prime Minister. The current President (Dr. Attila Péterfalvi has held the office since the authority's founding in 2012 and was reappointed for further terms) heads a staff of roughly 130 lawyers, IT specialists and administrative personnel.
NAIH's Powers Under GDPR + Info Act
NAIH exercises every supervisory power listed in GDPR Article 58, including:
- Investigative powers — order any controller / processor to provide information, conduct on-site inspections, obtain access to all premises, data processing equipment and means
- Corrective powers — issue warnings, reprimands, orders to comply with data subject requests, orders to bring processing into compliance, temporary or definitive limitation including a ban on processing, orders to rectify or erase data, and impose administrative fines
- Authorisation and advisory powers — issue opinions on draft legislation, accredit certification bodies, approve binding corporate rules (BCRs) and codes of conduct
On top of GDPR powers, the Info Act gives NAIH the right to initiate proceedings ex officio (without a complaint), to request court orders to suspend processing, and to refer suspected criminal offences (e.g. unauthorised access to special-category data under Section 219 of the Hungarian Criminal Code, Act C of 2012) to the prosecution service.
Filing a Complaint with NAIH
Any data subject — whether Hungarian resident or visitor — can file a complaint with NAIH if they believe their personal data has been unlawfully processed. The complaint procedure is free of charge, available in Hungarian and (limited) English on naih.hu, and NAIH typically issues a first-instance decision within two months of receiving a complete complaint. NAIH publishes anonymised decisions in its quarterly bulletins and on its website, making it one of the more transparent DPAs in the EU.
Practical NAIH tip: NAIH treats how you respond to a data subject's initial request as a major factor in fine calibration. Sellers who answered late, evasively or not at all face significantly heavier fines than those who responded promptly and fully — even if the underlying issue was identical. Set up the Zunapro DSAR workflow →
3. Cookie Consent Banner — Mandatory and Strictly Regulated
The Legal Basis — ePrivacy + GDPR
Cookie consent in Hungary rests on two pillars: Article 5(3) of the EU ePrivacy Directive (2002/58/EC) as transposed into Act C of 2003 on Electronic Communications (Eht.), and Article 6(1)(a) GDPR defining what valid consent looks like. The combined rule is simple to state and easy to violate: before storing or accessing any cookie or similar tracker on a user's terminal device, the controller must obtain freely given, specific, informed and unambiguous prior consent. Strictly necessary cookies (session, cart, security, basic load balancing) are exempt; everything else — analytics, advertising, social plug-ins, A/B testing, heatmaps — needs consent.
What a Compliant Banner Looks Like in 2026
NAIH has issued numerous enforcement decisions clarifying its expectations. The 2026 minimum-viable Hungarian banner has the following features:
- Layer 1 (banner) — appears before any non-essential cookie fires, lists categories (Necessary, Functional, Analytics, Marketing) and gives three options of equal visual prominence: Accept All, Reject All, Customize
- Layer 2 (preferences modal) — granular per-category toggles, individually rejectable; lists every third-party provider, its purpose, retention and a link to its own privacy policy
- Layer 3 (cookie policy page) — full table of every cookie, lifetime, type, purpose, party, and a link to the broader privacy policy
- Withdrawal of consent — must be "as easy to withdraw as to give" (GDPR Recital 42); a persistent floating button or a footer link is the typical pattern
- No dark patterns — pre-ticked boxes, colour contrast tricks, scrolling-as-consent and cookie walls are explicitly unlawful per NAIH and EDPB Guidelines 03/2022
The Reject-All Visual Parity Rule
The single most-litigated point in 2025–2026 NAIH cookie enforcement is whether the Reject All button is genuinely as prominent as Accept All. "Equal prominence" means the same colour intensity, the same size, the same position weight and the same number of clicks. A common pre-2024 dark pattern — a bright blue "Accept All" button beside a thin grey text link "More options" — is now treated as a per-se violation in Hungary, and Zunapro's CMP enforces visual parity automatically.
4. Privacy Policy (Adatkezelési Tájékoztató) — A Mandatory Document
GDPR Articles 13 & 14 — The Information Duties
A privacy policy is not optional in Hungary. GDPR Article 13 obliges the controller to inform a data subject at the moment of data collection of: the identity and contact details of the controller (and the DPO, if any), the purposes and legal basis of the processing, the recipients or categories of recipients, any intent to transfer to a third country and the safeguards used, the retention period, the data subject's rights including the right to lodge a complaint with NAIH, whether providing the data is contractual or statutory and the consequences of refusing, and the existence of automated decision-making including profiling.
Article 14 covers the parallel duties for data collected from sources other than the data subject — typically marketplace order feeds, loyalty program transfers and B2B partner lists — adding a duty to inform the data subject within one month or at first communication, whichever comes first.
The Hungarian-Specific Add-Ons
The Info Act requires the privacy policy to be provided in a format and language accessible to the data subject — for Hungarian consumers that means Hungarian. Many Hungarian e-commerce operators publish a Hungarian-primary policy with an English secondary version for cross-border customers. Best practice is also to include:
- The NAIH registration number if you operate any data processing requiring formal NAIH registration (mostly legacy / public sector)
- An explicit reference to the Info Act 2011 alongside GDPR Articles in the legal-basis section
- The full postal address and contact email of the controller — NAIH expects easy contactability
- The retention period in concrete years — vague phrases like "as long as necessary" have been criticised in NAIH decisions
Layered Notice — A Practical Pattern
EDPB Guidelines 5/2020 endorse "layered notice" — a short, plain-language summary linking to the full detailed policy. For Hungarian webshops the typical layered pattern is: (1) a one-paragraph plain-Hungarian summary at the checkout form, (2) the full Adatkezelési Tájékoztató linked from the footer of every page, and (3) topic-specific notices for newsletter signup, account registration and cookie consent. Zunapro generates all three layers from a single privacy policy template, automatically synchronised across the Hungarian webshop, mobile app and marketplace storefronts.
📝 Generate your Hungarian privacy policy
Zunapro's Adatkezelési Tájékoztató generator pre-fills the GDPR Art. 13–14 + Info Act 2011 boilerplate; you customise the controller details, retention periods and processors in under 15 minutes.
5. Data Protection Officer (DPO) — When You Must Appoint One
The Three GDPR Article 37 Triggers
Hungarian e-commerce operators do not automatically need a Data Protection Officer. GDPR Article 37(1) sets three cumulative triggers, any one of which is sufficient:
- Public authority or body — applies to ministries, municipalities, state-owned companies; not relevant to private e-commerce
- Core activities consist of regular and systematic large-scale monitoring of data subjects — applies to behavioural advertising networks, location-tracking apps, large loyalty programmes that profile shoppers across channels, ad-tech intermediaries
- Core activities consist of large-scale processing of special-category data (Art. 9) or criminal-conviction data (Art. 10) — applies to online pharmacies, fertility / dietary specialists, health-tech, certain political or religious affinity retailers
Pure transactional e-commerce — selling physical products to consumers, processing their delivery and billing data — generally does not meet these thresholds. A 5,000-order/month homeware shop need not appoint a DPO; a 50,000-member subscription pharmacy almost certainly must.
What "Large Scale" and "Core Activity" Mean
EDPB Guidelines (formerly WP29 Opinion 03/2017) suggest assessing: (a) the number of data subjects concerned, (b) the volume of data, (c) the duration and permanence of the processing, and (d) its geographic extent. "Core activities" means activities essential to achieving the controller's objectives — payroll processing is rarely a "core activity"; profiling shoppers to personalise ads is.
Voluntary DPO Appointment
Hungarian retailers that fall below the GDPR Article 37 threshold can — and many do — appoint a DPO voluntarily. The advantages are substantial: a single accountable contact for NAIH, a clear internal escalation point for data subject requests and breaches, and a credibility signal for B2B partners. Zunapro can assign your in-house counsel or an outsourced DPO partner to your Hungarian tenant; their contact details auto-populate the privacy policy and NAIH notification fields.
Notifying NAIH of the DPO
Where a DPO is appointed (mandatorily or voluntarily), GDPR Article 37(7) requires the controller to publish the DPO's contact details and to communicate them to NAIH. NAIH provides an online DPO notification form. The DPO must enjoy operational independence, cannot be dismissed or penalised for performing DPO tasks, and reports directly to the highest management level.
6. Data Subject Rights — The Eight GDPR Entitlements
The Eight Rights at a Glance
GDPR Chapter 3 confers eight rights on every individual. Hungarian webshops must build operational processes to satisfy each of them within one calendar month of receiving a verified request (extendable by two months for complex requests, with reasoned notice to the data subject).
The DSAR Workflow — Verifying Identity
A Data Subject Access Request (DSAR) can arrive by email, web form, postal letter or even social media DM. Before responding, the controller must reasonably verify the identity of the requestor — GDPR Article 12(6) — without collecting more data than necessary. For a registered customer the verification is usually a logged-in account confirmation plus an email loop; for a non-customer it might involve a national ID hash or an existing-order reference. Over-verification is itself a violation: NAIH has fined controllers for demanding a colour photocopy of a passport just to verify a webshop subscriber.
The Response — Format, Channel, Cost
The response must be in writing, in a "concise, transparent, intelligible and easily accessible form, using clear and plain language" (GDPR Article 12(1)) — Hungarian for Hungarian data subjects unless they explicitly requested another language. The response is free of charge; charging an "administrative fee" is permitted only for manifestly unfounded or excessive requests, and only at NAIH-supervised rates. For portability requests under Article 20, the format must be structured, commonly used and machine-readable — CSV or JSON, not a flat PDF.
🛂 Automate your DSAR workflow
Zunapro's DSAR module routes incoming requests to a verified queue, applies the 30-day SLA timer, generates the structured CSV/JSON export for portability, and stores the response with audit trail for NAIH inspections.
7. Personal Data Breach Notification — The 72-Hour Rule
When a Breach Exists
GDPR Article 4(12) defines a personal data breach broadly: "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data". This includes everything from a ransomware attack that locks order data, to a misconfigured cloud bucket exposing customer addresses, to an employee emailing a customer list to a personal Gmail, to a courier losing a printed delivery manifest.
Notification to NAIH (Article 33)
Where the breach is likely to result in a risk to the rights and freedoms of natural persons, the controller must notify NAIH without undue delay and, where feasible, not later than 72 hours after becoming aware of it. NAIH provides an online breach notification form on naih.hu in Hungarian; the form requires:
- Nature of the breach including, where possible, categories and approximate number of data subjects and data records concerned
- Contact point — typically the DPO or a senior data protection contact
- Likely consequences for the data subjects
- Measures taken or proposed to address the breach and mitigate adverse effects
If the full information is not available within 72 hours, the notification can be provided in phases — but the initial notification must be made on time, and supplementary information provided as it becomes known.
Notification to Data Subjects (Article 34)
Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must additionally notify the affected data subjects directly, in clear and plain Hungarian language, describing the nature of the breach, the likely consequences, and the measures taken. The notification to data subjects is not required if the controller has implemented appropriate technical and organisational protection measures (e.g. encryption rendering the data unintelligible), or has taken subsequent measures ensuring the high risk no longer materialises, or it would involve disproportionate effort (in which case a public communication is acceptable).
Record-Keeping (Article 33(5))
Regardless of whether a breach is notified to NAIH or the data subjects, the controller must document every breach — facts, effects, remedial action — in an internal breach register. NAIH routinely inspects this register during audits, and the absence of a register is a per-se violation.
Breach drill recommendation: Run a tabletop simulation at least twice a year. The 72-hour clock starts from "awareness", which has been interpreted strictly by NAIH — typically from the moment the IT team identifies an incident as personal-data-related, not from the moment the legal team gets involved. Configure your breach-response workflow →
8. Cross-Border Transfers — SCCs After Schrems II
The Chapter V Framework
GDPR Chapter V (Articles 44–49) governs transfers of personal data outside the European Economic Area (EEA — EU + Iceland, Liechtenstein, Norway). The basic rule is straightforward: any transfer to a "third country" is prohibited unless one of the specific safeguards applies. Hungarian e-commerce operators routinely make Chapter V transfers — to US-hosted analytics, to UK-based fulfillment partners, to Turkish or Indian customer support providers.
The Safeguard Toolkit
The available mechanisms, in descending order of practical use for e-commerce:
- Adequacy decisions (Art. 45) — the European Commission has declared the legal frameworks of the UK, Switzerland, Japan, South Korea, Canada (commercial), New Zealand, Argentina, Israel, the Faroe Islands, Guernsey, Jersey, the Isle of Man, Uruguay and Andorra as providing adequate protection. Transfers to these countries are treated as intra-EU.
- Standard Contractual Clauses (Art. 46(2)(c)) — the European Commission's 2021 modular SCCs are the workhorse of e-commerce cross-border compliance. Modules 1–4 cover controller-to-controller, controller-to-processor, processor-to-processor and processor-to-controller transfers.
- EU-US Data Privacy Framework — for transfers to US recipients certified under the Framework (published list on the US Department of Commerce site), transfers are treated as adequate; for non-certified recipients, SCCs + Transfer Impact Assessment remain mandatory.
- Binding Corporate Rules (Art. 47) — used by multinational groups for intra-group transfers; require NAIH (or another EU DPA's) approval.
- Derogations (Art. 49) — explicit consent, contractual necessity, important public interest. These are interpreted narrowly and cannot be used for regular, large-scale transfers.
The Schrems II Overlay
The CJEU's Schrems II judgment (C-311/18, 16 July 2020) invalidated the old EU-US Privacy Shield and imposed an additional obligation on controllers: a Transfer Impact Assessment (TIA) evaluating whether the law of the recipient country provides "essentially equivalent" protection to GDPR — particularly with respect to government surveillance access. Where the assessment finds shortcomings (typical for US transfers absent the Data Privacy Framework certification), the controller must implement supplementary measures — encryption with EU-held keys, pseudonymisation, or split-data architectures — to remediate.
Documenting the Transfer
Every cross-border transfer must be recorded in the Article 30 register of processing activities, with: the country of destination, the legal mechanism (adequacy, SCC, BCR, derogation), the date of the SCC signature, the modular configuration used, and the TIA outcome. Zunapro maintains a cross-border transfer registry automatically populated from the integrated services your tenant uses — every payment provider, every CRM connector, every marketplace bridge logs its transfer chain.
9. NAIH Fines — How Much, How Often, How to Avoid
The GDPR Article 83 Fine Tiers
GDPR caps administrative fines at two levels:
- Tier 1 — €10 million or 2% of total worldwide annual turnover, whichever is higher, for breaches of obligations relating to records of processing, security, breach notification, DPIA and DPO designation (Articles 8, 11, 25–39, 42, 43)
- Tier 2 — €20 million or 4% of total worldwide annual turnover, whichever is higher, for breaches of the basic principles (Article 5), the lawfulness of processing (Article 6), conditions for consent (Article 7), special categories (Articles 9–10), data subject rights (Articles 12–22) and international transfers (Articles 44–49)
Crucially, GDPR fines are capped against global, not local, turnover — a Hungarian subsidiary of a multinational can face a fine calibrated against the group's worldwide revenue.
The 11 Article 83(2) Calibration Factors
NAIH must consider each fine against eleven factors: the nature, gravity and duration of the infringement; the number of data subjects affected; the level of damage suffered; the intentional or negligent character; mitigation actions; degree of responsibility (technical and organisational measures); previous infringements; degree of cooperation with NAIH; the categories of data concerned; how the infringement became known (self-reporting matters); adherence to approved codes of conduct or certification; and any other aggravating or mitigating factor.
NAIH's Enforcement Track Record
Selected published Hungarian fines (illustrative, not exhaustive):
- DPD Hungary — HUF 250M (~€650K, 2022) for unlawful voice-analytics processing on customer service calls — a leading EU precedent on AI/voice profiling
- Hungarian political party — HUF 11M (2019) for unlawful direct-marketing emails to non-members
- Telecoms operator — HUF 100M+ (2020) for inadequate access controls leading to a breach
- Multiple SME webshops — HUF 1–10M each for missing or unlawful cookie banners, missing privacy policies, late breach notifications
- Bank — HUF 250M (2021) for unlawful profiling of customers without a lawful basis
Practical Fine-Avoidance Stack
The published reasoning of NAIH decisions points to a recurring "mitigation discount" pattern. Controllers that exhibit the following typically receive fines 30–70% below the tariff:
- Working DPIA for any high-risk processing (loyalty profiling, behavioural ads, biometric checkouts)
- Documented Article 30 records of processing activities, kept current
- Working DSAR workflow that has actually been used and meets the 30-day SLA
- Encrypted personal data at rest and in transit, with key management evidence
- Annual staff training records, refreshed on hire and after any incident
- Working breach register and at least one documented breach drill per year
- Proof of self-reporting within 72 hours when a real breach occurred
- Cookie banner with Reject All visually equal to Accept All
10. The 2026 Hungarian E-Commerce GDPR Checklist
A 25-Point Implementation Roadmap
The checklist below distils the prior nine sections into a practical, prioritised roadmap. Most Hungarian SMEs can complete it in three to six weeks of part-time effort, or one focused fortnight with Zunapro's compliance pack auto-configured.
Foundation (Weeks 1–2)
- Map every personal-data flow — input, storage, processor, output, retention
- Compile your Article 30 Records of Processing Activities (ROPA)
- Identify the legal basis under Article 6 for each processing activity
- Identify any special-category data (Article 9) and confirm the additional legal basis
- Decide whether a DPO is mandatory or voluntary; appoint and notify NAIH if so
- Set up an internal data protection mailbox (e.g. [email protected])
Documentation (Weeks 2–3)
- Publish the Hungarian Adatkezelési Tájékoztató (GDPR Articles 13–14 + Info Act references)
- Publish a separate cookie policy with every cookie listed
- Publish terms & conditions (Általános Szerződési Feltételek — ÁSZF) aligned with Hungarian Civil Code
- Sign data processing agreements (DPAs) under Article 28 with every processor — hosting, email, analytics, CRM, payment, courier, marketplace bridges
- Sign SCC modules with every non-EEA processor and complete a Transfer Impact Assessment for each
- Document a retention schedule per data category (8 years for invoices, marketing consent + 5 years for proof, cookies per declared expiry)
Cookie Consent Layer (Week 3)
- Deploy a CMP cookie banner with Accept All / Reject All / Customize visually equal
- Block all non-essential cookies until consent is given
- Provide a persistent "Cookie preferences" link in the footer for withdrawal of consent
- Log every consent event with timestamp, banner version, choice — for audit by NAIH
Operational Workflows (Weeks 4–5)
- Build a DSAR workflow with identity verification and 30-day SLA timer
- Build a breach response playbook aligned to the NAIH online form, 72-hour timer
- Set up a breach register for every incident, notifiable or not
- Configure marketing consent capture with double opt-in for newsletter signup
- Configure granular consent per processing purpose at checkout — no bundled consent
Verification (Week 6)
- Run a tabletop breach drill with IT, legal, customer service and DPO
- Conduct an internal audit of the cookie banner using browser dev tools
- File a test DSAR from a friendly customer and validate the 30-day workflow end-to-end
- Schedule the next annual GDPR refresher training for all staff handling personal data
Centralize Hungarian GDPR + NAIH compliance in one panel
Privacy policy generator + cookie consent banner + DSAR workflow + breach register + SCC registry + retention rules — pre-configured for the Hungarian Info Act 2011 and NAIH's published expectations. 15-minute setup, automatic NAIH-form alignment.
Activate Hungarian Compliance Pack →Legal References — Quick Index
The full statutory and decisional basis of this guide, for reference by counsel and DPOs:
| Source | Reference | Relevance |
|---|---|---|
| GDPR | Regulation (EU) 2016/679 of 27 April 2016 | Direct EU regulation — full text |
| Info Act 2011 | Act CXII of 2011 (Infotv.) — last amended Act XXXVIII of 2018 | Hungarian implementing law + NAIH structure |
| ePrivacy | Directive 2002/58/EC — Hungarian transposition: Act C of 2003 (Eht.) | Cookie consent + electronic communications |
| Marketing | Act XLVIII of 2008 on Commercial Advertising (Grtv.) | Hungarian opt-in rules for marketing |
| Accounting | Act C of 2000 on Accounting, Section 169 | 8-year invoice retention |
| Civil Code | Act V of 2013 (Polgári Törvénykönyv) | General limitation + civil liability |
| Criminal Code | Act C of 2012, Section 219 | Unlawful processing of personal data — criminal offence |
| Schrems II | CJEU Case C-311/18 (16 July 2020) | SCC + Transfer Impact Assessment doctrine |
| SCCs 2021 | Commission Decision (EU) 2021/914 | Standard Contractual Clauses modular set |
| EDPB Guidelines | Guidelines 03/2022 on dark patterns; 5/2020 on consent; many more | Authoritative interpretation across EU DPAs |
Reading the table: GDPR is the operational foundation; the Info Act layers in Hungarian procedure and NAIH structure; the ePrivacy and Marketing acts govern the consent flows for cookies and email; the Accounting and Civil Codes set retention floors; the Criminal Code is the last-resort backstop for egregious breaches. Zunapro's compliance module references every line of this table behind the scenes.
Hungarian GDPR & NAIH FAQ 2026
Is GDPR applicable to Hungarian e-commerce stores in 2026?
Yes — without exception. GDPR (Regulation (EU) 2016/679) applies directly to every Hungarian e-commerce business that processes personal data, which in practice means every webshop, every marketplace seller and every B2B sales platform. Hungary's Act CXII of 2011 (the Info Act, Infotv.) implements GDPR domestically and adds specific rules for public-sector data, national security and freedom of information.
NAIH (Nemzeti Adatvédelmi és Információszabadság Hatóság) is the supervisory authority enforcing both, with the power to issue binding decisions and administrative fines up to €20M or 4% of global turnover.
What is NAIH and what powers does it have?
NAIH — Nemzeti Adatvédelmi és Információszabadság Hatóság (National Authority for Data Protection and Freedom of Information) — is the Hungarian Data Protection Authority established under the Info Act on 1 January 2012. It replaced the former Parliamentary Commissioner for Data Protection and Freedom of Information.
NAIH investigates complaints, conducts on-site audits, issues binding decisions, orders data processing to be suspended or terminated, and can impose GDPR-level administrative fines up to €20M or 4% of global annual turnover. Its decisions are published on naih.hu.
Are cookie consent banners mandatory in Hungary in 2026?
Yes. Under the EU ePrivacy Directive (2002/58/EC), transposed via Act C of 2003 on Electronic Communications, and GDPR Article 6, every Hungarian website must obtain prior, freely given, specific, informed and unambiguous consent before storing or accessing non-essential cookies on a user's device.
NAIH has issued multiple enforcement decisions clarifying that pre-ticked boxes, cookie walls, "continue browsing = consent" patterns and visually-subdued Reject buttons are unlawful. The Reject All button must be as prominent as Accept All.
Do I need a privacy policy on my Hungarian webshop?
Yes — it is mandatory under GDPR Articles 13 and 14 plus the Info Act 2011. Your privacy policy (Adatkezelési Tájékoztató) must identify the data controller, list every processing purpose and legal basis, name all data processors and third-country recipients, state retention periods, and inform data subjects of their rights and the right to lodge a complaint with NAIH.
The Hungarian-language version is required for Hungarian customers; an English secondary version alongside is best practice for cross-border sales.
When do I need to appoint a Data Protection Officer (DPO)?
GDPR Article 37 requires a DPO when (a) the controller is a public authority, (b) core activities consist of regular and systematic large-scale monitoring of data subjects, or (c) core activities involve large-scale processing of special-category data (health, biometric, criminal). Most pure e-commerce SMEs do not need a formal DPO.
However, Hungarian retailers operating large loyalty programs, behavioral profiling, or selling sensitive products (pharmacy, health, political affinity) should appoint one and notify NAIH of the contact details. Voluntary appointment is common as a credibility signal.
What data subject rights must my Hungarian webshop honor?
GDPR Chapter 3 grants eight data subject rights: information (Art. 13–14), access (Art. 15), rectification (Art. 16), erasure / right to be forgotten (Art. 17), restriction (Art. 18), data portability (Art. 20), objection (Art. 21) and rights related to automated decision-making and profiling (Art. 22).
Hungarian webshops must respond to verified requests within one calendar month (extendable by two months for complex cases with reasoned notice). NAIH receives hundreds of complaints per year about ignored or late responses.
What is the 72-hour breach notification rule?
GDPR Article 33 requires data controllers to notify the competent supervisory authority — in Hungary, NAIH — of personal data breaches without undue delay and, where feasible, within 72 hours of becoming aware of the breach. NAIH provides an online breach notification form on naih.hu.
If the breach is likely to result in high risk to data subjects, GDPR Article 34 also requires direct notification of affected individuals in clear, plain Hungarian language. A breach register documenting every incident (notifiable or not) is mandatory under Article 33(5).
Can I transfer personal data outside the EU?
Only under GDPR Chapter 5 conditions. The most common mechanism for Hungarian e-commerce is the European Commission's Standard Contractual Clauses (SCCs) — the 2021 modular set — supplemented by a Transfer Impact Assessment (TIA) after the Schrems II ruling (C-311/18).
Adequacy decisions cover the UK, Switzerland, Japan, South Korea, Canada (commercial), Israel and others. Transfers to the US can use the EU-US Data Privacy Framework certified recipients, but Hungarian operators should scrutinise US transfers carefully and document supplementary measures (encryption with EU-held keys, pseudonymisation) where US-government access risk remains.
How high can NAIH fines actually go?
GDPR Article 83 caps administrative fines at €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher, for the most serious violations (consent, special categories, data subject rights, international transfers). A lower tier caps fines at €10M or 2% for documentation, security and breach-notification violations.
NAIH has issued multi-hundred-million HUF fines against telecoms, banks, retailers and political parties since 2018. Even SMEs routinely receive HUF 1–10M fines for missing privacy policies, broken cookie banners or unanswered data subject requests.
What is the Hungarian Info Act 2011 (Infotv.) and how does it relate to GDPR?
Act CXII of 2011 on Informational Self-Determination and Freedom of Information — the Info Act, Infotv. — is Hungary's foundational data protection law. It predates GDPR by seven years and was extensively amended in 2018 by Act XXXVIII of 2018 to harmonise with GDPR while preserving Hungarian-specific provisions on public data, freedom of information and NAIH's structure.
GDPR applies directly to substantive data protection; the Info Act fills the gaps GDPR leaves to member states and codifies NAIH's investigative, corrective and procedural powers. Reading both together is essential for any Hungarian compliance program.
Do I need separate consent for marketing emails?
Yes. Under Act XLVIII of 2008 on Commercial Advertising (Grtv.) and GDPR Article 6(1)(a), Hungarian e-commerce can send marketing emails only to recipients who have given prior, separately documented opt-in consent.
The B2C "soft opt-in" exception from the ePrivacy Directive is narrowly construed in Hungary: it covers existing customers, the same controller, similar products, and only if a clear unsubscribe link is present in every message. Pre-ticked checkboxes at checkout are explicitly unlawful. Double opt-in (confirmation email after signup) is best practice and almost universally enforced by NAIH in decisions.
How long can I keep customer data after a sale?
GDPR Article 5(1)(e) requires storage limitation — data may be kept only as long as necessary for the original purpose. Hungarian accounting law (Act C of 2000 on Accounting, Section 169) requires invoice-related data to be retained for 8 years. Marketing consent data should be kept only while consent is valid, plus the limitation period for proof (typically 5 years under the Hungarian Civil Code, Act V of 2013).
Cookies covered by ePrivacy should respect their declared expiry. Zunapro automatically applies retention rules per data category — invoices kept 8 years, marketing data purged on consent withdrawal + 5-year proof buffer, anonymous analytics retained per declared cookie lifetime.
What language must my privacy policy and cookie banner be in?
Hungarian — at least for customers in Hungary. GDPR requires information to be provided in "clear and plain language" accessible to the data subject (Article 12(1)). For Hungarian-resident consumers this means a Hungarian-language Adatkezelési Tájékoztató and Hungarian cookie banner copy.
Best practice for cross-border webshops is a Hungarian primary version with English (and any other relevant CEE languages) as alternate selectable versions. NAIH has cited English-only privacy policies as a violation in multiple enforcement decisions involving Hungarian consumer data.
Does Zunapro help with GDPR & NAIH compliance for Hungarian webshops?
Yes. Zunapro ships with a Hungarian-specific compliance pack: a configurable cookie consent banner (CMP) with Reject All visually equal to Accept All, a privacy policy generator pre-filled with Info Act 2011 references, a Data Subject Access Request (DSAR) workflow, a 72-hour breach notification template aligned to the NAIH form, an SCC-backed third-country transfer registry, and automated retention rules tied to Hungarian accounting (8-year) and marketing (consent + 5-year) periods.
Setup typically takes 15 minutes per tenant. The compliance pack is bundled with Zunapro's Hungarian marketplace and webshop integrations — see the full Hungarian Hub →.
Make your Hungarian webshop NAIH-audit-ready in 15 minutes
Cookie banner · Privacy policy · DSAR workflow · Breach register · SCC registry · Retention rules — all pre-configured for GDPR + Info Act 2011 + ePrivacy. No legal-tech expertise required, NAIH-form-aligned templates included.
🇭🇺 Activate Compliance Now →Need help with this?
Related service: E-Commerce