VJT & Partners > Budapest, Hungary > Firm Profile

VJT & Partners

Hungary > Employment Tier 1

VJT & Partners has a strong track record acting for high-profile domestic and international clients on sensitive and complex employment matters, both in an advisory and contentious context. Highly regarded Zoltán Csernus and János Tamás Varga are both recognised for their breadth and depth of expertise. Krisztina Lakner left the firm.

Practice head(s):

János Tamás Varga; Zoltán Csernus


‘VJT has considerable substantive expertise in Hungarian employment law and in related fields. VJT can argue an employment law case effectively at any level-from direct party-to-party negotiations, to the lower court, appeals court, and finally to the Supreme Court. Just as important, VJT has exhibited a capability to be creative and adaptive.’

‘Zoltan Csernus – Zoltan is a tenacious, disciplined, and highly informed attorney with regard to employment law.

‘Janos Tamas Varga – Tamas is head and founder of VJT. He has a superior capacity for understanding all relevant aspects of a case and he is very knowledgeable on a diverse range of Hungarian law practices.’

‘I love working with the employment law team, especially Zoltán Csernus. He is a great lawyer and knows what he is doing.’

‘I have a long history of cooperation with VJT, and they have always delivered on-time, within budget and with great, creative ideas, even in matters requiring a high degree of specialisation. They are great problem solvers!’

‘Zoltán Csernus is my sole cooperating partner with VJT, so all the above opinions are actually addressed at him. I believe that he is an outstanding, experienced and creative lawyer.’

Hungary > Commercial, corporate and M&A Tier 2

VJT & Partners’ practice, which is jointly led by János Tamás Varga and András Lovretity, has a strong position in the Hungarian M&A market. It has a growing corporate client base and is regularly involved in multijurisdictional deals and restructurings. Varga acts for international private equity and venture capital firms on their investments into and divestments from Hungarian companies. Lovretity has 'a very pragmatic approach and is excellent in managing foreign advisers in cross-border deals'. Counsels Zoltán Csernus and Emőke Buzogány are also central figures in the highly regarded group.

Practice head(s):

János Tamás Varga; András Lovretity

Other key lawyers:

Zoltán Csernus; Emőke Buzogány


‘Good set of experienced, senior professionals who have past experience with international law firms, but one can have access to their direct involvement in this company. No frills, but efficient, client-oriented, dedicated work.’

‘The law firm is an ideal partner for medium-sized, multinational companies that expect fast and efficient service. They are experts in Hungarian company law but also have an international legal perspective and a network of contacts.’

‘János is an excellent project manager, is exceptional in supporting business strategic decisions and also preserved his legal knowledge. András is the leader in most of the transactions, has a very pragmatic approach and is excellent in managing foreign advisers in cross-border deals. He is very easy to work with. Emőke is excellent in corporate housekeeping and in handling smaller deals.’

‘János Tamás Varga – a lawyer who is ready to spend the time to understand before starting an iteration of legal drafting. Efficient and very diligent person, taking responsibility for the work. András Lovretity – very experienced in M&A transactions, committed to be clear. Zoltan Csenus – very experienced in employment law, fair but tough who can deliver his advice even in the court room.’

‘Zoltán Csernus – Zoltán is precise and quick beyond measure when it comes to creating corporate governance structures and implementing the corporate changes. Emőke Buzogány – She is efficient and easy to work with.’

Key clients

Profólió Group


Hungary > Data privacy and data protection Tier 2

The team at VJT & Partners is noted for its ‘outstanding knowledge, combined with client care and commercial mindedness.’ The ‘first-class team‘ includes managing partner and ‘seasoned expertJános Tamás Varga. Also of note are Endre Várady and Andrea Belényi, both of whom have ‘extensive experience of supporting businesses in the e-commerce and fashion sectors’. The group advises on the full-range of data protection and privacy issues, such as sector-specific concerns, complex GDPR audit projects and matters before the Hungarian Data Protection Authority.

Practice head(s):

János Tamás Varga; Endre Várady

Other key lawyers:


‘VJT & Partners is a go-to firm in data protection matters. VJT team has outstanding knowledge combined with client care and commercial mindedness. The team is capable to make operational even the most difficult GDPR issues. ‘

‘VJT has standout privacy practitioners: – János Tamás Varga (Managing Partner): Very strategic and forward-thinking privacy expert. – Endre Várady (Partner): Very notable expert in Hungarian and EU data protection laws. He offers practical and business-oriented solutions for whatever privacy issue the client is facing. – Andrea Belényi (Partner): Very responsive with client focused and problem-solving approach.’

‘Janos Tamas Varga is a seasoned expert and very reliable and responsive to client needs.’

‘Partner Andrea Belényi and Endre Várady are communicative, committed with extensive experience in supporting business in the e-commerce and fashion sectors.’

‘Endre Varady knows the regulators’ perspective well and has a deep expertise in data protection and IT law, online product related legal issues. Andrea Belenyi is very reliable with delivering work products and is also responsive to client needs.’

‘The team at VJT & Partners consists of exceptionally skilled legal professionals. They work effectively as a team and contribute with their wide knowledge of local law complexities to support the whole CEE team.’

‘Absolutely first-class team. Both quality and knowledge are outstanding.’

‘VJT team is unique as they perfectly match their high professional expertise with client focused approach.’

Key clients

NN Insurance





Work highlights

  • Advised Google on RTBF cases.
  • Advised CCC on marketing and other privacy matters.

Hungary > TMT Tier 2

VJT & Partners has a strong track record in the Hungarian TMT market. It is well-known for its longstanding relationship with Google CEE, for whom it advises on various IP, telecoms and media issues, such as the implementation of AVMS or DSM Directive in the context of YouTube, block-listing and geolocation issues. It also assists with issues concerning copyright law, advertising regulations and data protection. The firm is also a strong choice for TMT related asset acquisitions and investments. János Tamás Varga advises IT outsourcing services providers on their biggest Hungarian projects in the financial services, telecoms, energy and utility sectors. Endre Várady is noted for his expertise in digital media, advertisement, e-commerce and data protection. Andrea Belényi is active in regulatory mandates.

Practice head(s):

János Tamás Varga; Endre Várady

Other key lawyers:


‘The practice has traditionally been very strong in TMT and they have the right people to handle all segments of TMT related transactions too. They understand the complex tech business and translate legal aspects into workable and accurate solutions.’

‘Absolutely first-class team. Both quality of service and knowledge are outstanding. They understand the nuances of modern technologies making them capable to provide tailor-made advice. We fully trust them, not only as lawyers but as advisers to our businesses.’

‘The team at VJT & Partners consists of exceptionally skilled legal professionals. They work effectively as a team and contribute with their wide knowledge of local law complexities to support the whole CEE team.’

‘János Tamás Varga and Endre Várady. János is an excellent project manager, is exceptional in supporting business strategic decisions and also preserved his legal knowledge. His technology acumen is outstanding. Endre is a partner whose experience in and understand of the technology sector is a great add-on in technology-related transactions. He provides very considered and focused advice.’

‘Endre Varady knows the regulators’ perspective well and has deep expertise in data protection and IT law, online product-related legal issues. Andrea Belenyi is very reliable with delivering work products and is also responsive to client needs.’

‘Andrea Belényi (Partner) –She is extremely competent in various compliance issues with excellent problem-solving skills. She is reliable, accurate and super friendly. We feel very comfortable around her even in high-pressure situations.’

‘János Tamás Varga (Managing Partner): Extremely professional, very commercial, and always down-to-earth and fast-moving. Andrea Belényi (Partner): Very professional, extremely friendly, superb in communication with excellent problem-solving skills and the unique ability to get to the commercial point as well. Endre Várady (Partner): He is the team’s TMT star. He is very committed with excellent problem-solving skills and pragmatic approach.’

Key clients



NN Insurance (formerly ING Insurance)




Work highlights

  • Advised Google on digital products.
  • Advised Simplexxy on implementing law-tech solutions.

Hungary > Competition Tier 3

Owing to its ‘familiarity with the practice and procedures of the competition regulator’, VJT & Partners is often instructed to represent clients in merger control proceedings, cartel investigations and unfair commercial practice investigations. On the non-contentious side, the Andrea Belényi–led team is also experienced in drafting agreements restricting competition and commercial contracts with non-compete clauses in line with the Hungarian and European competition regulation and requirements.

Practice head(s):

Andrea Belényi


‘The team functions well as a team, which is rare amongst legal offices. They are passing tasks between them according to their knowledge, but I as a client do not suffer from that as the answer is coming in timely manner.’

‘I work closely with Andrea and Eszter, both has very good personalities and and utmost respect towards me, even though my legal knowledge is very little, I always understand their explanation.’

‘The VJT team is familiar with the practice and procedures of the competition regulator.’

‘Andrea Belenyi has experience also as an official at the competition regulator, Andrea advises us about practicalities and supports our regulatory readiness.’

‘Deep knowledge of legal environment. Good personal contacts within their team.’

‘Focusing on providing solutions, instead of highlighting barriers and challenges. Openness towards industry specifics.’

Key clients



4Life Direct

Work highlights

  • Successfully represented Prohumán in proceeding before the Hungarian Competition Authority, which was started by a dawn raid and against the Association of Hungarian HR Consulting Agencies. The scale of the proceedings was huge, there were more than 20 defendants in the case.

Hungary > Dispute resolution Tier 3

Displaying ‘excellence from top to bottom’, VJT & Partners‘ lawyers are ‘tough but flexible litigators’ in corporate disputes, particularly in cases involving shareholders, coupled with an impressive background in commercial, competition, administrative, insurance and employment disputes. ‘Hands-on and strategic’ counsel Zoltán Csernus and ‘excellent corporate dispute lawyer’ András Lovretity are key contacts.

Practice head(s):

András Lovretity; Zoltán Csernus


‘Litigation lawyers have a high level of theoretical and practical knowledge for conducting litigation. They are proactive and come up with ideas for successful litigation.’

‘Excellence from top to bottom. They are tough but flexible litigators, very knowledgeable, and very organized on the procedural front. I am positive that we could not be successful in litigations without their innovative legal thinking.’

‘The following litigators stand out: András Lovretity – András is an excellent corporate dispute lawyer.  Zoltán Csernus – Very tough litigator, hands-on and strategic. He has a good sense of humour and he is very helpful.’

Key clients

NN Insurance

UNION Vienna Insurance Group

Mergers and acquisitions
Dispute resolution
Commercial contracts
Data protection
Intellectual property
Private equity
Restructuring and insolvency
Andrea Belényi photoDr Andrea BelényiAndrea Belényi is leading the firm’s competition law practice. Andrea’s whole professional…
Zoltán Csernus photoDr Zoltán CsernusZoltán is an attorney-at-law at VJT & Partners. He is a committed…
András Lovretity photoDr András LovretityAndrás Lovretity is the partner heading the firm’s Corporate/M&A practice. András has…
Hoa Tünde Nguyen photoDr Hoa Tünde NguyenHoa Nguyen is a counsel working in the firm’s Commercial, Corporate and…
Endre Várady photoDr Endre VáradyEndre Várady is leading VJT & Partners’ data protection practice. Endre has…
János Tamás Varga photoDr János Tamás VargaJános Tamás Varga is the founder and managing partner of VJT &…
Eszter Vezse photoDr Eszter VezseEszter has been working with VJT & Partners since the beginning of…
Number of lawyers : 11
Contact : János Tamás Varga (managing partner)


It would be incorrect to say that it was solely the GDPR that led to modern-day Hungarian data protection. Hungary has had close to a 30-year long data protection practice which has been long enough to develop an established approach to data protection supported by numerous decisions and guidelines…

Contributed by VJT & Partners


It would be incorrect to say that it was solely the GDPR that led to modern-day Hungarian data protection. Hungary has had close to a 30-year long data protection practice which has been long enough to develop an established approach to data protection supported by numerous decisions and guidelines.

As regards approach, the Hungarian Data Protection Authority (DPA) has been always considered as one of the strictest privacy watchdogs in the EU due to its strict interpretation of data protection laws. It is especially strict in interpreting basic data protection principles and having a very granular approach on data processing purposes resulting in a much heavier documentation requirement (e.g. a much longer privacy policy) than other EU countries.

This can pose problems as many foreign companies simply expect to localise their Hungarian data processing operations and automatically ensure a consistent approach across different jurisdictions (e.g. one uniform local privacy policy across jurisdictions). In short, meeting Hungarian data processing rules is a challenging task as, despite the uniform GDPR rules, the DPA still interprets the GDPR in its own way by adding its ’local flavours’ which makes the Hungarian data protection environment unique.

Moreover, the Hungarian Data Protection Act itself also adds some specific requirements including extending the GDPR to manual data processing even where personal data is not a part of the filing system and, in some instances, even to the processing of a deceased person’s personal data.

Last but not least, as part of the GDPR implementation package, Hungary amended 86 sectoral acts in numerous sectors (including the employment, CCTV, finance, healthcare and marketing sectors) making room for plenty of GDPR derogations.

Overall, despite the GDPR’s intention to introduce uniformity, many Hungarian peculiarities still do not allow a cross-border uniform approach in Hungary.

In our guide, we provide a basic survival kit by focusing on the specialities of the Hungarian data protection practice that businesses must address when commencing any data processing activity in Hungary. First, we will provide an overview of the most important local Hungarian data protection flavours irrespective of the type of data processing. Secondly, we will present the Hungarian specialities in the context of employment and business data processing. Finally, we consider it important to touch upon the outlook of the Hungarian data protection practice.


In this part, we present a general overview of the most important issues that regularly present a challenge in Hungarian data protection practice.

Data localisation

The GDPR applies not just to structured electronic data, but also to unstructured data (e.g. data in e-mails, PDFs and spreadsheets). Moreover, the Hungarian Data Protection Act extends the GDPR’s reach to include manual data processing even where personal data is not part of the filing system (e.g. business cards).  The bottom line is that businesses must identify all their data processing activities.

Purpose specification

It is not enough to locate the data processing activities; they must be also specified. For each data processing purpose, the data processing circumstances (e.g. the legal grounds, the scope of data, the duration of data processing, the persons authorised to processing, etc) may be determined only if the data processing purpose is correctly identified. The DPA requires the purpose to be as specific as possible so that the purpose can be interpreted only in one way (e.g. “sending a newsletter” is satisfactory as it could be not interpreted differently; however, “marketing” is unsatisfactory as it could be interpreted in numerous ways).


The DPA considers that privacy policies must be written in a way that every layman could understand. At the same time, the DPA expects a controller to have a detailed privacy policy so that a data subject can gain a comprehensive understanding of the data processing circumstances for each data processing purpose. This means that the data controller must first identify the data processing purpose based on a purpose specification requirement and then all other data processing circumstances must be provided for each data processing purpose (e.g. in a table where each specified purpose is connected with the relevant data processing circumstances). This could result in long privacy policies, longer than businesses are used to.

Data minimisation

The DPA takes data minimisation requirements very strictly. Only data that is strictly necessary for the reason to process data may be processed. For example, the DPA has fined marketing companies for collecting unnecessary online marketing data, i.e. collecting e-mail addresses is permitted but collecting one’s phone number and date of birth data is not. If the scope of data is not set by law for the given data, the data controller decides for itself on the scope of the collected data but the data controller must strictly follow the logic of the data minimisation requirement. If the scope of collected data is set by law for the given purpose, the data controller may collect only that data.

Storage limitation

The DPA also keeps an eye on storage limitation requirements. In several rulings, the DPA has fined a company due to a breach of storage limitation rules (e.g. storing CCTV files for an unjustifiable time). If a specific law has set a retention period for the given purpose, those retention periods apply. If a specific law sets the data processing circumstances for the given purpose (e.g. the scope of the data that may be collected or the authorised persons who may collect the data) but without the retention period(s), the necessity of processing must be reviewed and documented every 3 years. In other cases, the controller decides the duration of the processing on its own but must strictly follow the storage limitation requirement.

Legal grounds

Obviously, the GDPR intended to make the application of legal grounds more flexible by providing room to apply various legal grounds to process data. However, the DPA applies quite a restrictive interpretation of those legal grounds. The following are the most important:

  • Consent – The DPA is very consistent in requiring ’voluntary’ consent. Thus, a data subject must have the opportunity to give its consent separately for each data processing purpose. This means that the data controller must work out the proper check-box mechanism (e.g. if there are 5 various marketing purposes, 5 checkboxes must be provided).
  • Legitimate interest – In business, it has become common to refer to legitimate interest as providing legal grounds to process data. Still, in the Hungarian data protection practice, the controller may rely on legitimate interest only if a proper balance test is carried out and documented. The balance test must demonstrate why the controller’s interest overrides the privacy interest of the data subject. The test must answer some basic questions, e.g.:
  1. What is the interest of the parties?
  2. Is there any alternative to data processing or a less privacy-invasive solution? and
  3. What guarantees are taken to protect the data subject’s rights?

For each data processing purpose, a separate balance test must be conducted; this could result in a significant additional administrative burden.

  • Fulfilment of contract – The Hungarian DPA accepts this very narrowly, i.e. where the data processing is necessary to fulfil the contract. For example, if the data subject breaches the contract, and the data controller assigns its claim to a debt collector agency, the debt collector agency may not rely on the fulfilment of the contract rationale as it is outside the scope of the original contract (concluded between the controller and the data subject).
  • Legal obligation – The Hungarian Data Protection Act provides that a legal obligation as legal grounds may only be accepted if Hungarian law specifies the data processing circumstances (e.g. the scope of data, the purpose of the processing or the duration of the processing). If the law does not provide the circumstances of the processing and makes too much room for the controller to determine such circumstances, the controller must instead rely on legitimate interest and carry out and document a balance test.

Data security requirements

In general, there are no special Hungarian flavours. But it is worth investing in data security measures as there is a shift from traditional GDPR to cyber-security and data breach issues; further, the Hungarian DPA has imposed its highest fine (approx. EUR 300,000) in this area. For certain organisations (e.g. critical service providers in the financial, energy or health sectors), the Information Security Act also applies (apart from the GDPR) which imposes additional security requirements (e.g. logging, data localisation or reporting security breaches).

Data breach management

The Hungarian DPA sets a very low threshold for data breach notifications. In general, controllers must file a notification to the DPA each time there is a reasonable certainty that a breach has occurred and the breach may have had an adverse effect on data subjects. Although it could be argued that the GDPR is more nuanced in this regard, the DPA has a strict approach and anything beyond the “not occurred” category is practically reportable.


Hungarian employment data processing also has specialities in all cases from recruitment and selection through establishing and maintaining employment relationships to employee monitoring.

The Hungarian GDPR implementation has also brought important changes in the workplace environment by presenting new rules that present hardships for employers in practice (e.g. not allowing copies to be made of employee documents).

In this part, we present the key Hungarian data protection challenges in the employment context:


Candidates must get a company’s privacy policy together with the job description. Anonymous offers are not accepted. If a recruiter company is engaged, the candidate must give consent to the transfer of the CV to the employer. As a general rule, candidates’ background checks are not allowed. The exceptions to this are the need to request clear criminal records and check social media under certain conditions. Personality tests are not permitted.

Employment relationships

In the employment context, the basic data protection principles apply even under some stricter settings:

  • Legal grounds – Businesses must be careful that, in principal, consent is not an acceptable legal ground for employment data processing as consent cannot be voluntary due to the subordinate nature of the employment. The main legal grounds to process data remain legitimate interest and legal obligation. In some instances, the performance of a contract can also be used.
  • Data minimisation – This principle is very strongly reflected under employment relationships. The employer may require only data that is necessary to establish, complete or terminate the employment relationship, or that is important in relation to exercising employment claims. Moreover, during the onboarding process, employers may only ask the employee to show their documents (e.g. ID, driving licence, address card, tax card and qualification documents) and the employer may not make electronic or hard copies.
  • Confidentiality – Only the relevant authorised people within the employer’s organisation may have access to employee data. For company groups, the parent company and the affiliates are qualified as separate entities; thus, to disclose data within the group, lawful legal grounds must be provided.
  • Storage limitation – In principle, employee data may not be processed after the end of the employment relationship. But the employer may keep any records that may be important in an employment dispute for a further 3 years (i.e. for the limitation period set for employment-related claims) based on its legitimate interest. The employer may also retain any documents relevant to pension entitlement up to 5 years after the employee has reached pension age.

Strict conditions for employment monitoring

Even before the GDPR implementation package, it was clear that an employer may monitor an employee’s work (e.g. monitoring e-mail, laptop or internet use) only if the employer provides prior notice of this activity. But, the GDPR implementation package made it clear that such notice must be made in writing and it must cover why the employer’s measures are necessary and proportionate in comparison to limiting the employee’s personal rights.

The key takeaways are the following:

  • The employer may not store the employee’s private files;
  • The employer must provide the possibility to the employee to be present before the inspection. The employer must always act in light of the proportionality and gradual approach (e.g. if websites are blocked, website monitoring may not be needed); and
  • The employee must be properly notified before each respective monitoring.


The business data processing environment also remains a challenging field as the DPA strictly interprets this area as well. The DPA requires data controllers in this field to strictly follow the basic data protection principles (see the MOST IMPORTANT LOCAL DATA PROTECTION SPECIALITIES)

The Hungarian GDPR implementation package aimed at harmonising the sectoral data protection legislation with the GPDR has not brought particular easement either.

In this part, we present the key Hungarian data protection challenges in the business context:


In the e-commerce world, businesses tend to rely on the performance of a contract as providing the legal grounds to process data in a broad way as it makes their data processing operations practical.

However, this is not a sustainable solution in Hungary as the E-Commerce Act states that, for any data processing operation that does not strictly stem from the provision of the service (e.g. improving performance or marketing research) the service provider must specify any sub-data processing operations in advance.

In practice, this means that, prior to introducing a new e-commerce business, the service providers must examine whether the ‘provision of the service’ can be broken down into further sub-purposes and then examine the compliance of each sub-purpose against basic data protection requirements.

The data minimisation principle has a special dimension in Hungarian e-commerce. Apart from assessing which data is strictly necessary for a given purpose, service providers must pay attention to the requirement that the data collected for purposes other than ‘the provision of a service’ may not be linked with the user’s identification data.

Electronic marketing

To prevent client or lead dropouts, businesses regularly try to avoid consent in promoting their business, especially by using legitimate interest as the legal ground for data processing, because they consider that the GDPR is more flexible on legitimate interest. However, the Hungarian electronic marketing sector has been largely unaffected in this regard, as Hungarian law did not remove the consent requirement. In principle, electronic marketing (via email, fax or SMS) is allowed only if the user’s prior, explicit and unambiguous consent has been obtained.

The DPA recognises electronic marketing communication without consent only for offering similar products/services to existing customers. In such case, obtaining consent can be avoided if the business carries out and documents a legitimate interest test in which it explains why its business interest overrides the user’s interest and the user has the right to opt out from future marketing communication at any time.

Internet use & social media

Website operators remain liable for any third-party cookies used on their website. Thus, they should only use cookies that they are fully aware of. Only functional cookies (that are strictly necessary for the website’s operation) do not require explicit consent but, even in this case, a legitimate interest test must be carried out and documented. For non-functional cookies (e.g. marketing cookies), the cookies may be placed on the user’s device only based on prior and explicit consent (e.g. a cookie wall appears where the user can read the full cookie information and individually choose the cookies they want to be placed on their device)

A website operator who uses embedded social media modules (e.g. tracking pixels) is qualified as a data controller. Thus, the DPA expects such operators to examine how the social media modules involve transferring personal data to social media and to reflect this adequately in the privacy policy. It is also crucial to ensure a free consent mechanism for social media modules. If the user can access a website content only by clicking ’accept all cookies’, the consent will be not valid.

Retail sector

To comply with the GDPR, retail stores must remove pages containing customer comments/complaints from the public consumer complaint registry (so the general public can no longer view them). The retail stores must provide the serial numbers to the removed pages and only keep them in their internal records for inspection purposes.


As presented, the Hungarian data protection practice has many local flavours.

The key issue remains whether the DPA will keep its own practice or rely more on the interpretation of the European Data Protection Board (EDPB) that has the role of making guidelines uniform across the EU.

There are some signs that the DPA is trying to avoid conflict with EDPB/WP29 international guidelines and thus, it has started to focus more on areas that dictate more uniform logic (e.g. data subject rights) instead of the privacy policy area which, for a long time, was an enforcement priority and was the main source of headaches for businesses in Hungary.

Still, the Hungarian DPA will continue to use its old practice in all issues that are not explicitly regulated by the EDPB guidelines. Currently, there are still many such unregulated areas.

The GDPR implementation of more than 80 sectoral laws also deserves special attention. It provides many additional special sectoral data protection rules and raises questions about where the GDPR alignment with the local laws has not been fully reached.

Overall, the Hungarian data protection environment must be treated carefully and it is worth investing efforts in complying with the local Hungarian flavours.