Pursuant to a specific provision in the Info Act (Sec. 75/A), NAIH will primarily warn a data controller or processor on the first infringement of the GDPR or local data protection laws. This rule only provides orientation to the NAIH, which may, in the case of a first breach, also use other measures that are necessary and fitting for the circumstances of the case. In the case of continuous breaches, the NAIH may impose fines even on private persons, individual entrepreneurs or SMEs.

Offences related to personal data

Any person who is in violation of the statutory provisions governing the protection and processing of personal data, and is engaged in the unauthorised and inappropriate processing of personal data or fails to take measures to ensure the security of data, is guilty of a misdemeanour punishable by imprisonment not exceeding one year.

The person is also guilty if – in violation of data protection law – he or she fails to notify the data subject as required and thereby causes significant injury to the interests of another person or persons. (Hungarian Criminal Code (Act C of 2012) Section 219 on Misuse of Personal Data.)