Firm Profile > VJT & Partners > Budapest, Hungary

VJT & Partners

Hungary > Employment Tier 1

VJT & Partners fields an experienced team, which is led by Zoltán Csernus, who provides a 'practical and down-to-earth approach to the problem' and can handle each case 'thoroughly and very efficiently'. The practice advises on all aspects of contentious and non-contentious employment matters. It is noted for its strengths in the employment aspects of M&A and outsourcing transactions, and also represents employers and employees in contract negotiations and litigation (often arising from dismissals). János Tamás Varga is the other leading partner.

Practice head(s):

Zoltán Csernus

Other key lawyers:


‘The partner responsible for HR matters is very highly skilled and experienced. Based on his advice we had to realize the complexity of our HR problem particularly from cross border taxation point of view.’

‘Zoltan Csernus delivers excellent quality and is always ready to assist.’

‘Zoltan Csernus, very pleasant and nice attorney to work with!’

‘The team members have a wide range of theoretical and practical knowledge. Not only do they know the rules, but they can also apply them. They are also familiar with European practice. They express their legal position in an understandable, concise manner, supported by examples.’

‘VJT & Partners – Employment is a team of experienced practitioners who have been providing assistance in the field of labour law for many years. Their great advantage is a practical and down-to-earth approach to the problems of their clients. Individual cases are processed thoroughly and at the same time very efficiently, which significantly affects the decision-making and accuracy of actions taken by the clients of the law firm.’

‘The lawyers which I worked, are trustworthy, communicative, substantive and professional in each case. They are distinguished by an individual approach to the client and professional legal assistance to the full extent.’

Key clients

NN Insurance (formerly ING Insurance)

Hungary > Commercial, corporate and M&A Tier 2

VJT & Partners, which has 'the right person for all M&A deal segments', recently secured new M&A mandates from clients in the automotive, energy, technology and professional services industries. The corporate practice, which is jointly led by managing partner János Tamás Varga and András Lovretity, benefits from synergies with other areas; Andrea Belényi is knowledgeable about competition issues, while Tamás Virág is experienced in IP and IT sector deals. Zoltán Csernus has extensive company law experience.

Practice head(s):

János Tamás Varga; András Lovretity


‘In addition to the qualities of the individuals working in the practice, they have the right person for all M&A deal segments. Also, it is very good working with them in the human sense. They generally understand business and they do translate legal into business. I do not come across legal advisory service at such high level elsewhere. ’

‘Acting as a family.’

‘Whenever I have a legal problem within 1 hour the very latest one of the relevant partners is always contacting and assisting me.’

‘They fully understand our operations and our business goals. I am not forced to bring decision in every small issue, which makes my own work easy. They provide the same quality service in all legal matters not only M&A and corporate. I do not remember receiving this kind of advisory service from other firms. ’

‘VJT is an ideal partner of mid-sized multinational companies in Hungary. The team specialized for corporate affairs including employment, commercial contracts, regulatory, real estate plus data protection, highlighting only those areas in which we have ever cooperated.’

Key clients

Prohumán Group

Profólió Group

ANDGO Partners

Wine & More

Human Investors


NN Insurance

4Life Direct

Hungary > Data privacy and data protection Tier 2

Praised for its expertise across the whole spectrum of data protection, the team at VJT & Partners 'matches its high professional expertise with a client focused approach'. The team advises on complex audit projects, representing clients before the Hungarian Data Protection Authority, and is involved in the latest software developments, including advising Simplexxy on its development of Data Hawk, an automated solution for SMEs for GDPR  data compliance. János Tamás Varga, Endre Várady and Andrea Belényi are the key partners in the 'impressive team'. 

Practice head(s):

János Tamás Varga; Endre Várady

Other key lawyers:


‘We are always able to sit down in a timely manner to talk about our data protection and GDPR process.’

‘VJT & Partners are in my view the “go to” law firm for data protection advice. I have referred clients to them over many years and their advice is timely and practical.’

‘Availability, quality of product and delivery. ’

‘Endre Varady and Andrea Belenyi. They are exceptional lawyers. They are always available to help. They give good comments and draft great responses to the HU Data Protection Authority.’

‘Impressive team. Both quality and knowledge are outstanding. ’

‘VJT & Partners is a go-to firm in data protection matters. VJT team has outstanding knowledge combined with client care and commercial mindedness. The team is capable of making operational even the most difficult GDPR issues.’

‘The team members have a wide range of theoretical and practical knowledge. Not only do they know the rules, but they can also apply them. They are also familiar with European practice. They express their legal position in an understandable, concise manner, supported by examples.’

‘In depth knowledge about data protection laws as well as value for money’

VJT team is unique as it perfectly matches its high professional expertise with a client focused approach. Key strengths:  Excellent communication: Masters of GDPR: Highly knowledgeable and up to date both in Hungarian and international data protection issues.’

Key clients



NN Insurance



Hungary > TMT Tier 2

VJT & Partners' team stands out for its strong reputation working with leading tech companies on a range of TMT matters, including advice on advertising and ISP liability. Technology M&A is a growth area and the practice advises venture capitalists on investments in tech start-ups and established companies. Practice head János Tamás Varga and data protection expert Endre Várady are the key individuals; the duo focus on acting on corporate transactions, cloud computing-based deals and outsourcing deals for information technology outsourcing services providers.

Practice head(s):

János Tamás Varga; Endre Várady


‘In addition to the qualities of the individuals working in the practice, they are traditionally very strong in TMT and they have the right person for all deal segments of TMT related transactions too. Also, it is very good working with them in the human sense. They generally understand tech business and translate legal into business. I do not come across legal advisory services at such high level elsewhere. ’

‘Absolutely impressive and first-class team. Both quality of service and knowledge are outstanding.’

‘In a word, first-class team. VJT & Partners always delivers values to our tech business projects which is essential for our growth. I would single out four top traits which makes VJT & Partners stand above the rest: inspiring leadership, advisory mindset, commitment to high-quality work and client-driven approach. ’

‘The team members have a wide range of theoretical and practical knowledge. Not only do they know the rules, but they can also apply them. They are also familiar with European practice. They express their legal position in an understandable, concise manner, supported by examples.

‘In-depth knowledge about TMT sectors as well as telecommunication laws in Hungary. Their service has real value for money.’

‘Endre Varady has done outstanding performance in our clients’ telecommunication regulation matters in Hungary. He is responsive, provides value for money, and has in-depth knowledge about telecommunication laws in Hungary.’

‘VJT team always provides an outstanding client experience. They have an outstanding client focused approach, it is truly easy to work with them. They are masters in grasping the most complex technology related matters.’

‘Each VJT team member has strong expertise with a business savvy and client-focused approach. Yet, their diverse set of experience, perspective, and background makes their team extremely valuable.’

Key clients


NN Insurance (formerly ING Insurance)

Andgo Partners


4Life Direct



Hungary > Competition Tier 3

VJT & Partners undertakes a mix of transactional and contentious competition work, and its practice has seen an increase in mandates relating to competition compliance and dawn raid due diligence. Andrea Belényi heads up the practice, which demonstrates 'a high level of professional knowledge'. The firm generates work from clients in the technology, professional services and insurance sectors, among others.

Practice head(s):

Andrea Belényi


‘Andrea is very patient, very detail-oriented and overall thorough, always on time, always there to help.’

‘What makes them better: immediate reaction in case of any issue, high level of professional knowledge.’

My contact is Andrea Belényi who has an open personality and proactive approach to the issues – even to small topics, besides her wide legal knowledge.’

Key clients



4Life Direct


Hungary > Dispute resolution Tier 3

VJT & Partners has a strong track record in administrative proceedings and commercial disputes before the Data Protection Authority, the Hungarian Competition Office and the Consumer Protection Authority. Employment law disputes, real estate, insurance and tax are among the mainstays of the practice. Zoltán Csernus is 'superb, knowledgeable and highly competent in dispute resolution and employment law'.

Practice head(s):

Zoltán Csernus


‘I have dealt primarily with Zoltan Csernus at VJT. He is superb, knowledgeable, and highly competent in the fields of both dispute resolution and employment law’

‘The team members have a wide range of theoretical and practical knowledge. Not only do they know the rules, but they can also apply them. They are also familiar with European practice. They express their legal position in an understandable, concise manner, supported by examples.’

‘The team members are flexible, accessible. They focus on the needs of the client.’

Key clients

NN Insurance (formerly ING Insurance)

ERSTE Vienna Insurance Group

4Life Direct

Department Name Email Telephone
Mergers and acquisitions
Dispute resolution
Commercial contracts
Data protection
Intellectual property
Private equity
Restructuring and insolvency
Photo Name Position Profile
Dr Andrea Belényi photo Dr Andrea Belényi Andrea Belényi is leading the firm’s competition law practice. Andrea’s whole professional…
Dr Emőke Buzogány photo Dr Emőke Buzogány Emőke is a member of the firm’s Corporate/M&A team. She gained significant…
Dr Zoltán Csernus photo Dr Zoltán Csernus Zoltán is an attorney-at-law at VJT & Partners. He is a committed…
Dr Krisztina Lakner  photo Dr Krisztina Lakner Krisztina has more than 10 years of experience in employment law. During…
Dr András Lovretity photo Dr András Lovretity András Lovretity is the partner heading the firm’s Corporate/M&A practice. András has…
Dr Hoa Tünde Nguyen  photo Dr Hoa Tünde Nguyen Hoa Nguyen is a counsel working in the firm’s Commercial, Corporate and…
Dr Endre Várady photo Dr Endre Várady Endre Várady is leading VJT & Partners’ data protection practice. Endre has…
Dr János Tamás Varga photo Dr János Tamás Varga János Tamás Varga is the founder and managing partner of VJT &…
Dr Eszter Vezse  photo Dr Eszter Vezse Eszter has been working with VJT & Partners since the beginning of…
Dr Tamás Virág  photo Dr Tamás Virág Tamás has advised domestic and international clients across a wide range of…
Number of lawyers : 11
Contact : János Tamás Varga (managing partner)


It would be incorrect to say that it was solely the GDPR that led to modern-day Hungarian data protection. Hungary has had close to a 30-year long data protection practice which has been long enough to develop an established approach to data protection supported by numerous decisions and guidelines…

Contributed by VJT & Partners


It would be incorrect to say that it was solely the GDPR that led to modern-day Hungarian data protection. Hungary has had close to a 30-year long data protection practice which has been long enough to develop an established approach to data protection supported by numerous decisions and guidelines.

As regards approach, the Hungarian Data Protection Authority (DPA) has been always considered as one of the strictest privacy watchdogs in the EU due to its strict interpretation of data protection laws. It is especially strict in interpreting basic data protection principles and having a very granular approach on data processing purposes resulting in a much heavier documentation requirement (e.g. a much longer privacy policy) than other EU countries.

This can pose problems as many foreign companies simply expect to localise their Hungarian data processing operations and automatically ensure a consistent approach across different jurisdictions (e.g. one uniform local privacy policy across jurisdictions). In short, meeting Hungarian data processing rules is a challenging task as, despite the uniform GDPR rules, the DPA still interprets the GDPR in its own way by adding its ’local flavours’ which makes the Hungarian data protection environment unique.

Moreover, the Hungarian Data Protection Act itself also adds some specific requirements including extending the GDPR to manual data processing even where personal data is not a part of the filing system and, in some instances, even to the processing of a deceased person’s personal data.

Last but not least, as part of the GDPR implementation package, Hungary amended 86 sectoral acts in numerous sectors (including the employment, CCTV, finance, healthcare and marketing sectors) making room for plenty of GDPR derogations.

Overall, despite the GDPR’s intention to introduce uniformity, many Hungarian peculiarities still do not allow a cross-border uniform approach in Hungary.

In our guide, we provide a basic survival kit by focusing on the specialities of the Hungarian data protection practice that businesses must address when commencing any data processing activity in Hungary. First, we will provide an overview of the most important local Hungarian data protection flavours irrespective of the type of data processing. Secondly, we will present the Hungarian specialities in the context of employment and business data processing. Finally, we consider it important to touch upon the outlook of the Hungarian data protection practice.


In this part, we present a general overview of the most important issues that regularly present a challenge in Hungarian data protection practice.

Data localisation

The GDPR applies not just to structured electronic data, but also to unstructured data (e.g. data in e-mails, PDFs and spreadsheets). Moreover, the Hungarian Data Protection Act extends the GDPR’s reach to include manual data processing even where personal data is not part of the filing system (e.g. business cards).  The bottom line is that businesses must identify all their data processing activities.

Purpose specification

It is not enough to locate the data processing activities; they must be also specified. For each data processing purpose, the data processing circumstances (e.g. the legal grounds, the scope of data, the duration of data processing, the persons authorised to processing, etc) may be determined only if the data processing purpose is correctly identified. The DPA requires the purpose to be as specific as possible so that the purpose can be interpreted only in one way (e.g. “sending a newsletter” is satisfactory as it could be not interpreted differently; however, “marketing” is unsatisfactory as it could be interpreted in numerous ways).


The DPA considers that privacy policies must be written in a way that every layman could understand. At the same time, the DPA expects a controller to have a detailed privacy policy so that a data subject can gain a comprehensive understanding of the data processing circumstances for each data processing purpose. This means that the data controller must first identify the data processing purpose based on a purpose specification requirement and then all other data processing circumstances must be provided for each data processing purpose (e.g. in a table where each specified purpose is connected with the relevant data processing circumstances). This could result in long privacy policies, longer than businesses are used to.

Data minimisation

The DPA takes data minimisation requirements very strictly. Only data that is strictly necessary for the reason to process data may be processed. For example, the DPA has fined marketing companies for collecting unnecessary online marketing data, i.e. collecting e-mail addresses is permitted but collecting one’s phone number and date of birth data is not. If the scope of data is not set by law for the given data, the data controller decides for itself on the scope of the collected data but the data controller must strictly follow the logic of the data minimisation requirement. If the scope of collected data is set by law for the given purpose, the data controller may collect only that data.

Storage limitation

The DPA also keeps an eye on storage limitation requirements. In several rulings, the DPA has fined a company due to a breach of storage limitation rules (e.g. storing CCTV files for an unjustifiable time). If a specific law has set a retention period for the given purpose, those retention periods apply. If a specific law sets the data processing circumstances for the given purpose (e.g. the scope of the data that may be collected or the authorised persons who may collect the data) but without the retention period(s), the necessity of processing must be reviewed and documented every 3 years. In other cases, the controller decides the duration of the processing on its own but must strictly follow the storage limitation requirement.

Legal grounds

Obviously, the GDPR intended to make the application of legal grounds more flexible by providing room to apply various legal grounds to process data. However, the DPA applies quite a restrictive interpretation of those legal grounds. The following are the most important:

  • Consent – The DPA is very consistent in requiring ’voluntary’ consent. Thus, a data subject must have the opportunity to give its consent separately for each data processing purpose. This means that the data controller must work out the proper check-box mechanism (e.g. if there are 5 various marketing purposes, 5 checkboxes must be provided).
  • Legitimate interest – In business, it has become common to refer to legitimate interest as providing legal grounds to process data. Still, in the Hungarian data protection practice, the controller may rely on legitimate interest only if a proper balance test is carried out and documented. The balance test must demonstrate why the controller’s interest overrides the privacy interest of the data subject. The test must answer some basic questions, e.g.:
  1. What is the interest of the parties?
  2. Is there any alternative to data processing or a less privacy-invasive solution? and
  3. What guarantees are taken to protect the data subject’s rights?

For each data processing purpose, a separate balance test must be conducted; this could result in a significant additional administrative burden.

  • Fulfilment of contract – The Hungarian DPA accepts this very narrowly, i.e. where the data processing is necessary to fulfil the contract. For example, if the data subject breaches the contract, and the data controller assigns its claim to a debt collector agency, the debt collector agency may not rely on the fulfilment of the contract rationale as it is outside the scope of the original contract (concluded between the controller and the data subject).
  • Legal obligation – The Hungarian Data Protection Act provides that a legal obligation as legal grounds may only be accepted if Hungarian law specifies the data processing circumstances (e.g. the scope of data, the purpose of the processing or the duration of the processing). If the law does not provide the circumstances of the processing and makes too much room for the controller to determine such circumstances, the controller must instead rely on legitimate interest and carry out and document a balance test.

Data security requirements

In general, there are no special Hungarian flavours. But it is worth investing in data security measures as there is a shift from traditional GDPR to cyber-security and data breach issues; further, the Hungarian DPA has imposed its highest fine (approx. EUR 300,000) in this area. For certain organisations (e.g. critical service providers in the financial, energy or health sectors), the Information Security Act also applies (apart from the GDPR) which imposes additional security requirements (e.g. logging, data localisation or reporting security breaches).

Data breach management

The Hungarian DPA sets a very low threshold for data breach notifications. In general, controllers must file a notification to the DPA each time there is a reasonable certainty that a breach has occurred and the breach may have had an adverse effect on data subjects. Although it could be argued that the GDPR is more nuanced in this regard, the DPA has a strict approach and anything beyond the “not occurred” category is practically reportable.


Hungarian employment data processing also has specialities in all cases from recruitment and selection through establishing and maintaining employment relationships to employee monitoring.

The Hungarian GDPR implementation has also brought important changes in the workplace environment by presenting new rules that present hardships for employers in practice (e.g. not allowing copies to be made of employee documents).

In this part, we present the key Hungarian data protection challenges in the employment context:


Candidates must get a company’s privacy policy together with the job description. Anonymous offers are not accepted. If a recruiter company is engaged, the candidate must give consent to the transfer of the CV to the employer. As a general rule, candidates’ background checks are not allowed. The exceptions to this are the need to request clear criminal records and check social media under certain conditions. Personality tests are not permitted.

Employment relationships

In the employment context, the basic data protection principles apply even under some stricter settings:

  • Legal grounds – Businesses must be careful that, in principal, consent is not an acceptable legal ground for employment data processing as consent cannot be voluntary due to the subordinate nature of the employment. The main legal grounds to process data remain legitimate interest and legal obligation. In some instances, the performance of a contract can also be used.
  • Data minimisation – This principle is very strongly reflected under employment relationships. The employer may require only data that is necessary to establish, complete or terminate the employment relationship, or that is important in relation to exercising employment claims. Moreover, during the onboarding process, employers may only ask the employee to show their documents (e.g. ID, driving licence, address card, tax card and qualification documents) and the employer may not make electronic or hard copies.
  • Confidentiality – Only the relevant authorised people within the employer’s organisation may have access to employee data. For company groups, the parent company and the affiliates are qualified as separate entities; thus, to disclose data within the group, lawful legal grounds must be provided.
  • Storage limitation – In principle, employee data may not be processed after the end of the employment relationship. But the employer may keep any records that may be important in an employment dispute for a further 3 years (i.e. for the limitation period set for employment-related claims) based on its legitimate interest. The employer may also retain any documents relevant to pension entitlement up to 5 years after the employee has reached pension age.

Strict conditions for employment monitoring

Even before the GDPR implementation package, it was clear that an employer may monitor an employee’s work (e.g. monitoring e-mail, laptop or internet use) only if the employer provides prior notice of this activity. But, the GDPR implementation package made it clear that such notice must be made in writing and it must cover why the employer’s measures are necessary and proportionate in comparison to limiting the employee’s personal rights.

The key takeaways are the following:

  • The employer may not store the employee’s private files;
  • The employer must provide the possibility to the employee to be present before the inspection. The employer must always act in light of the proportionality and gradual approach (e.g. if websites are blocked, website monitoring may not be needed); and
  • The employee must be properly notified before each respective monitoring.


The business data processing environment also remains a challenging field as the DPA strictly interprets this area as well. The DPA requires data controllers in this field to strictly follow the basic data protection principles (see the MOST IMPORTANT LOCAL DATA PROTECTION SPECIALITIES)

The Hungarian GDPR implementation package aimed at harmonising the sectoral data protection legislation with the GPDR has not brought particular easement either.

In this part, we present the key Hungarian data protection challenges in the business context:


In the e-commerce world, businesses tend to rely on the performance of a contract as providing the legal grounds to process data in a broad way as it makes their data processing operations practical.

However, this is not a sustainable solution in Hungary as the E-Commerce Act states that, for any data processing operation that does not strictly stem from the provision of the service (e.g. improving performance or marketing research) the service provider must specify any sub-data processing operations in advance.

In practice, this means that, prior to introducing a new e-commerce business, the service providers must examine whether the ‘provision of the service’ can be broken down into further sub-purposes and then examine the compliance of each sub-purpose against basic data protection requirements.

The data minimisation principle has a special dimension in Hungarian e-commerce. Apart from assessing which data is strictly necessary for a given purpose, service providers must pay attention to the requirement that the data collected for purposes other than ‘the provision of a service’ may not be linked with the user’s identification data.

Electronic marketing

To prevent client or lead dropouts, businesses regularly try to avoid consent in promoting their business, especially by using legitimate interest as the legal ground for data processing, because they consider that the GDPR is more flexible on legitimate interest. However, the Hungarian electronic marketing sector has been largely unaffected in this regard, as Hungarian law did not remove the consent requirement. In principle, electronic marketing (via email, fax or SMS) is allowed only if the user’s prior, explicit and unambiguous consent has been obtained.

The DPA recognises electronic marketing communication without consent only for offering similar products/services to existing customers. In such case, obtaining consent can be avoided if the business carries out and documents a legitimate interest test in which it explains why its business interest overrides the user’s interest and the user has the right to opt out from future marketing communication at any time.

Internet use & social media

Website operators remain liable for any third-party cookies used on their website. Thus, they should only use cookies that they are fully aware of. Only functional cookies (that are strictly necessary for the website’s operation) do not require explicit consent but, even in this case, a legitimate interest test must be carried out and documented. For non-functional cookies (e.g. marketing cookies), the cookies may be placed on the user’s device only based on prior and explicit consent (e.g. a cookie wall appears where the user can read the full cookie information and individually choose the cookies they want to be placed on their device)

A website operator who uses embedded social media modules (e.g. tracking pixels) is qualified as a data controller. Thus, the DPA expects such operators to examine how the social media modules involve transferring personal data to social media and to reflect this adequately in the privacy policy. It is also crucial to ensure a free consent mechanism for social media modules. If the user can access a website content only by clicking ’accept all cookies’, the consent will be not valid.

Retail sector

To comply with the GDPR, retail stores must remove pages containing customer comments/complaints from the public consumer complaint registry (so the general public can no longer view them). The retail stores must provide the serial numbers to the removed pages and only keep them in their internal records for inspection purposes.


As presented, the Hungarian data protection practice has many local flavours.

The key issue remains whether the DPA will keep its own practice or rely more on the interpretation of the European Data Protection Board (EDPB) that has the role of making guidelines uniform across the EU.

There are some signs that the DPA is trying to avoid conflict with EDPB/WP29 international guidelines and thus, it has started to focus more on areas that dictate more uniform logic (e.g. data subject rights) instead of the privacy policy area which, for a long time, was an enforcement priority and was the main source of headaches for businesses in Hungary.

Still, the Hungarian DPA will continue to use its old practice in all issues that are not explicitly regulated by the EDPB guidelines. Currently, there are still many such unregulated areas.

The GDPR implementation of more than 80 sectoral laws also deserves special attention. It provides many additional special sectoral data protection rules and raises questions about where the GDPR alignment with the local laws has not been fully reached.

Overall, the Hungarian data protection environment must be treated carefully and it is worth investing efforts in complying with the local Hungarian flavours.