AI in Hungary: Legal Considerations for Businesses

Artificial Intelligence (AI) is rapidly transforming the business landscape in Hungary and across Europe. From customer service automation to predictive analytics, AI offers significant opportunities — but also introduces complex legal challenges that companies must address proactively.

 

Key Regulations Affecting Hungarian Businesses 

1. EU AI Act Implementation

Hungary is set to enforce the EU AI Act, which introduces a risk-based framework categorizing AI systems into:

• Unacceptable Risk: Prohibited AI practices, such as systems that manipulate human behaviour or exploit vulnerabilities.
• High Risk: AI applications in critical sectors like healthcare, education, and employment that require stringent compliance measures.
• Limited or Minimal Risk: Lower-risk AI systems with fewer regulatory obligations.

 

From February 2, 2025, businesses must ensure AI literacy among their staff, assessing current knowledge levels and implementing tailored training programs. Additionally, transparency in AI usage, especially in consumer-facing services, is mandated.

2. Cybersecurity Act (Effective January 2025)

The new Cybersecurity Act consolidates Hungary's cybersecurity legislation, aligning with the EU's NIS2 Directive. It imposes obligations on organizations to classify information systems, conduct risk assessments, and implement security measures. Non-compliance may result in significant fines, potentially up to 2% of a company's global annual turnover.

3. Data Protection and Privacy

Under the General Data Protection Regulation (GDPR) and Hungary's Act CXII of 2011, businesses must ensure transparency in AI systems, especially regarding data sources and processing methods. The National Authority for Data Protection and Freedom of Information (NAIH) enforces these regulations, emphasizing the need for informed consent and accountability in data handling.

 

Legal Areas in Focus

1. Data Protection & GDPR

Any AI system processing personal data must comply with the General Data Protection Regulation (GDPR). This includes strict rules on profiling, automated decision-making, and data subject rights — all of which can carry significant financial and reputational risks if mishandled.

2. Contracting and Liability

At present, Hungary lacks dedicated AI liability laws. This creates uncertainty around who is accountable when AI causes harm or makes an error. Businesses should ensure contracts with AI vendors clearly define liability, responsibilities, and compliance measures.

3. IP and Innovation

As companies develop proprietary AI solutions, issues around intellectual property (IP) become critical. Protecting algorithms, data models, and outputs — while respecting third-party rights — should be a key part of any AI deployment strategy.

4. Ethical and Reputational Risk

Legal compliance alone is no longer enough. Increasingly, businesses are expected to ensure their AI systems operate fairly and without bias. Ethical use of AI can enhance brand reputation and build trust with clients, regulators, and the public.

 

Businesses should stay informed about evolving AI regulations — both at the EU level and locally. Conducting legal risk assessments, updating compliance policies, and reviewing AI-related contracts are essential steps for mitigating exposure.

New Europrivacy Certificate

In May, during the international Privacy Symposium, the Europrivacy certification was awarded to the French Centre d’accès sécurisé aux données (CASD), which also provides data hosting services. The evaluation focused on the methodology of accessing various data, including personal data, for statistical and research purposes in a secure environment. We congratulate CASD, TamCert, which carried out the certification, and our colleague Dr. Zoltán Temesi, who led the audit team.

GDPR policy review

The Act on the Right of Informational Self-Determination and on Freedom of Information stipulates that data processing based on the law must be reviewed every three years from the start of the Act in order to determine whether it is necessary for the achievement of the purpose of data processing (purpose limitation).
This regular review applies to data processing that is mandatory for the data controller, such as the processing of employee data.
The circumstances and results of the review must be documented in all cases. The documentation must be kept for 10 years and must be made available at the request of the data protection authority.

Due to the above, a regular review of data processing activities and related documentation is mandatory every three years. As data processing activities are subject to rapid change, the related documentation and the data processing register must be continuously updated. This need for updating applies to all data processing, i.e. not only to activities based on a legal requirement, so it is worth regularly reviewing all data processing activities, legal bases, purposes, retention periods, etc. (Although the three years must be counted from the start of data processing, if the data controller has been processing the given personal data for e.g. seven years, then it must already have the documentation of at least two completed reviews.)