VJT & Partners > Budapest, Hungary > Firm Profile

VJT & Partners

Hungary > Employment Tier 1

Composed of ‘experts with a deep knowledge in labour law‘, the employment team at VJT & Partners handles the gamut of contentious and non-contentious matters. The group’s strong contentious practice sees the team represent clients before the Constitutional Court and the Hungarian Supreme Court in matters ranging from terminations to internal investigations and whistleblowing cases. With a growing list of both Hungarian and multinational clients, the practice counts both employers and executive employees among its clientele. András Lovretity leads the team alongside Zoltán Csernus; the latter has over 18 years of experience in the employment sector and is praised for his ‘clear and high quality‘ advice. With over 23 years’ experience, János Tamás Varga counts major companies with operations across Hungary as regular clients.

Practice head(s):

András Lovretity; Zoltán Csernus

Other key lawyers:


‘Clear and concise.’

‘Outstandingly responsive and delivered exactly what the client needed.’

‘Top-notch responsiveness and work together as a team.’

‘Zoltán Csernus’ advice and work product were clear and high quality. He was also very responsive to my questions.’

‘Excellent knowledge and clear communication. Quick and accurate answers. Attention to every detail and aspect.’

‘Mainly we cooperate with Zoltán Csernus on labour law issues. His uniquely diverse knowledge ensures detailed solution options and his exceptional communication skills (clear, exact, polite with good sense of humor) support us to understand every detail. He has the strong ability to underline the most relevant facts and explain the possible effects of each step.’

‘The team is composed of experts with a deep knowledge in labour law and capability to focus on the needs of client and find an appropriate solution. The team and the firm are capable to provide also a full service in the area of corporate governance issues, including necessary representations before governmental bodies. The team is capable to respond to tasks very quickly and give full support also in international transactions.’

‘Excellent knowledge, experience, capability to find solutions and to hear the needs of clients.’

Hungary > Commercial, corporate and M&A Tier 2

VJT & Partners specialises in M&A, private equity and venture capital transactions. The commercial, corporate and M&A team handles domestic and cross-border transactions, from joint ventures to restructurings. ‘Charismatic and respected’ János Tamás Varga advises national and international private equity, venture capital and strategic investors across the technology, finance and HR services industries, and leads the team alongside ‘outstanding’ András Lovretity. Hoa Tünde Nguyen is adept at drafting transactional corporate documentation, while Eszter Vezse focuses on commercial matters.

Practice head(s):

János Tamás Varga; András Lovretity

Other key lawyers:


‘András Lovretity is an outstanding lawyer with very strong ability to solve issues by first understanding what the counterparty concern is and then offering alternative legal solutions and constructs that can address the requirements of both negotiating parties. Time management is another strong point and he has consistently delivered ahead of expectations.’

‘ András Lovretity, János Tamás Varga and Eszter Vezse are the well prepared, motivated and experienced legal experts we can always count on. The fast and efficient response, the flexibility and dynamism, the useable, practical output, the thorough and complete investigation of cases, and the straightforward communication makes their service really outstanding and unique.’

‘The team at VJT & Partners can best be described as a boutique expert team. They strive for maximum precision in their work, thoroughly examine and analyse questions and tasks from all angles to find the most perfect legal solution possible. They are readily available, and each team member has a high capacity to handle heavy workloads, delivering on their commitments even under tight deadlines.’

‘They are more than a legal advisor and I fully trust them – this makes them stand out. They have an exceptional understanding of our business. They have dedicated experts for all issues that may come up in M&A matters.’

‘I maintain that János Tamás Varga’s input and creativity in strategic decision-making is invaluable. He is a charismatic and respected lawyer with extraordinary project management skills. András Lovretity is business-minded, quick, efficient, pragmatic with a friendly attitude, which can also become useful in negotiations. Hoa Tünde Nguyen is very precise and very good in executing the deals.’

‘János Tamás Varga is an excellent project manager, is exceptional in supporting business strategic decisions and also preserved his legal knowledge. András is the leader in most of the transactions, has a very pragmatic approach and is excellent in managing foreign advisers in cross-border deals. He is very easy to work with.’

‘András Lovretity is a highly qualified and experienced lawyer on whose expertise we have relied on in both corporate and M&A cases for the past nine years – a great cooperation. Hoa Tünde Nguyen is a perfectionist, very much aware of the details. In the course of our corporate life, she stands out in punctuality and precise understanding for small details, too.’

‘VJT & Partners distinguish themselves through their exceptional expertise, diverse skill sets, client-centric approach, strong work ethic, collaborative spirit, and adaptability.’

Key clients




Hungary > Data privacy and data protection Tier 2

The expertise of the data privacy and protection team at VJT & Partners ranges from GDPR audits to representation before the Hungarian Data Protection Authority. Established data protection and privacy expert János Tamás Varga co-heads the team alongside Endre Várady, who is involved in the development of GDPR compliance software. Andrea Belényi has over a decade of experience in both regulatory and compliance matters, and heads the firm’s data protection officer training programme.

Practice head(s):

János Tamás Varga; Endre Várady

Other key lawyers:


‘It is always our pleasure to work with them. Very responsive, collaborative, client-oriented and knowledgeable team. They are very good in working out sophisticated and carefully considered IP strategies.’

‘János Tamás Varga is very commercial, pragmatic and easy to work with. He always sees the bigger picture and masters strategic thinking.’

‘Endre Várady has the perfect ability to grasp the commercial and legal aspects of IP-related agreements. He always offers us clear and tailor-made advice.’

‘The team is quick, responsive, and on point with their legal advice.’

‘The team is very knowledgeable, responsive and thorough in its analyses, and is pragmatic in its advice.’

‘Endre Várady is very proactive.

‘Superb team. They are in-depth specialists with client care and commercial mindedness. The team can make operational even the most difficult GDPR issues. Their automatised GDPR compliance solutions can make the legal work smoother and faster.’

‘VJT has standout privacy practitioners. János Tamás Varga is very strategic and forward-thinking. Endre Várady has unique know-how with always clear guidance and practical solutions. Andrea Belényi is very responsive, with client focus and a problem-solving approach.’

Key clients


4Life Direct


World Bank

Fém & Arts Cafe


Work highlights

  • Advising Google on right to be forgotten matters.
  • Advising World Bank on the Hungarian data protection legal environment.

Hungary > TMT Tier 2

Google is a standout client for the dedicated TMT practice at VJT & Partners, and the team advises a growing list of such key sector players on the full range of TMT matters, as well as related M&A, IP and commercial issues. János Tamás Varga and Endre Várady jointly leads the team; the former is noted for assisting ITO services providers with their Hungarian projects, while the latter provides data protection and digitalisation expertise. Andrea Belényi brings nearly 20 years’ experience in regulatory matters to the group. Eszter Vezse has a wealth of knowledge in emerging technologies. AI expert Attila Menyhárt joined the team from Oppenheim Ugyvedi Iroda in February 2023.

Practice head(s):

János Tamás Varga; Endre Várady


‘Unique expertise with all the legal issues related to online services, excellent understanding of how online platforms and services work, together with the related legal risks and issues to be resolved.’

‘Andrea Belényi is super responsive to client inquiries and has a deep understanding of the operational and economic perspective of the clients. Endre Várady has an excellent understanding of data protection and other TMT legal issues and has an outstanding capability to provide legal analysis of complex and novel legal issues.’

‘Superb team, it delivers value to our tech business projects. VJT & Partners stand above the rest with their inspiring leadership, advisory mindset, commitment to high-quality work and client-driven approach. With their innovative thinking, they can always find the right solutions from both M&A and technology perspective.’

‘János Tamás Varga has decades of experience in technology transactions. He is a tough, but flexible negotiator. He is very good in seeing the “big picture”. János fully understands the operation of tech products, which is not typical in the Hungarian legal market.’

‘Endre Várady is very practical and knowledgeable. He has a very good mindset for tech regulatory matters. Andrea Belényi is very friendly, practical and full of common sense.’

‘VJT & Partners provides outstanding services in more complex contractual areas. Their unique skills are accuracy and understanding of business logic.’

‘Excellent team. It is very good to work with them: clear communication and always flexible and responsive approach. With their tech-savvy team, they are able to deliver us tailor-made solutions for any digital transformation challenges that may come up.’

‘János Tamás Varga is a very experienced, pragmatic technology lawyer, with a unique ability to see the bigger picture of digitalisation. Endre Várady knows the digital law inside out. He always offers practical and business-oriented advice. Andrea Belényi has a strong client understanding and great process management ability.’

Key clients


World Bank

4Life Direct



Work highlights

  • Advising Google on the launch of Bard.
  • Advising Google on right-to-be-forgotten matters.

Hungary > Competition Tier 3

The competition team at VJT & Partners has seen a recent increase in consumer protection and compliance matters. The practice also continues to handle abuse of dominant position cases and merger control proceedings. Leveraging over 20 years’ experience, practice head Andrea Belényi leads all the firm’s competition matters and is adept at handling cases before the HCA. Kinga Kálmán advises on consumer protection matters, while Fanni Fehér is typically involved in unfair commercial matters. Eszter Vezse is another key name to note.

Practice head(s):

Andrea Belényi


‘Great teamwork and varied knowledge within the team.’

‘Andrea Belényi is kind and very straightforward.’

‘The team is a highly responsive and motivated group of people with great expertise.’

‘Andrea Belényi is a great competition specialist.’

‘Always open to cooperation and have good ideas regarding legal problems arising from the client’s activity.’

‘Knowledge of consumer and financial institution law.’

Key clients

Google Ireland Ltd.

Google Kft.

Hungary > Dispute resolution Tier 3

Insurance litigation is a key focus for the dispute resolution team at VJT & Partners; practice co-head Zoltán Csernus has extensive experience in disputes involving distressed companies and assets, and Andrea Belényi is also active in the insurance space. Csernus leads the team alongside András Lovretity, who represents clients in corporate disputes before both state courts and arbitral bodies. Eszter Vezse regularly handles employment disputes as part of the firm’s employment litigation practice.

Practice head(s):

András Lovretity; Zoltán Csernus

Other key lawyers:


‘A well-prepared team with practical and theoretical knowledge in various areas of law. In addition to high professional standards, they are also characterised by a good atmosphere. ’

‘In addition to high professionalism, team members are characterised by helpfulness and proactivity. They are result-oriented, looking for solutions.’

‘Good partners that are experienced.’

‘Zoltán Csernus is the best lawyer. Calm under pressure and gives good advice.’

Key clients

Vienna Insurance Group

NN Insurance (former ING Insurance)

Hungary > Intellectual property

VJT & Partners‘ growing IP practice covers both advisory and contentious IP work. Endre Várady leads the team.

Founded in 2010, VJT & Partners is an independent Hungarian law firm based in Budapest with expertise across multiple practice areas and ranked by leading international legal directories.

The firm serves Fortune 1000 companies, large multinational conglomerates as well as leading Hungarian companies. Besides providing domestic law advice in local and cross-border matters, the firm often acts as lead counsel in multi-jurisdictional matters in the Central Eastern European region organising one-stop shop legal service for clients.

While VJT & Partners is independent, it is connected worldwide through various referral and best friend foreign law firms that are excellent in their own jurisdictions.

Main areas of practice
Commercial, corporate and M&A : VJT & Partners’ commercial, corporate and M&A team specialises in advising on M&A, private equity and venture capital transactions and on complex corporate matters. Members of the team have over 25 years’ experience in leading both domestic and multi-jurisdictional deals and in advising on the creation of joint ventures, across a wide variety of industries. They have unique experience in corporate disputes, which includes representation at shareholders’ meetings and before courts. VJT & Partners’ M&A advisory receives strong cross-practice support from the firm’s competition law, employment law, data protection and IP law experts.
Head of the team: János Tamás Varga and András Lovretity
Email: vargajt@vjt-partners.com; lovretitya@vjt-partners.com

TMT / data protection: VJT & Partners is expert in advising on TMT cases and specialises in digital matters. The firm regularly advises on hot digital issues such as AI, IoT or Big Data and has substantial experience in reviewing digital products for Fortune 500 IT companies.

VJT & Partners has longstanding and in-depth expertise of data protection of key industry sectors going back to pre-GDPR. Their professional support includes resolving various privacy issues from niche challenges through complex GDPR audit projects to legal representation of clients before the Hungarian Data Protection Authority and courts. They won the Wolters Kluwer award “Best data protection team” in 2018 and 2019.
Head of the team: János Tamás Varga and Endre Várady
Email: vargajt@vjt-partners.com; varadye@vjt-partners.com

Employment: VJT & Partners’ employment practice specialises in contentious and non-contentious labour matters and has been advising local and multinational employers, as well as executive employees for over a decade. The team advises on employment litigations, which includes representation before the Supreme Court, TUPE matters, employment agreements and terminations, employer policies, internal investigations and disciplinary measures. VJT & Partners’ senior employment expert Zoltán Csernus is member of the Board of the European Employment Lawyers Association (EELA).
Head of the team: János Tamás Varga and Zoltán Csernus
Email: vargajt@vjt-partners.com; csernusz@vjt-partners.com

Competition / antitrust and regulatory matters: VJT & Partners is expert on both non-contentious and contentious competition matters. The firm’s competition expertise includes advice on agreements restricting competition, cases of abuse of dominant position, cartel matters, unfair commercial practices and consumer protection as well as advisory on and representation in merger control procedures. The head of VJT & Partners’ competition practice Andrea Belényi worked for over a decade at the Hungarian Competition Authority, where she held executive position for several years.

The team has vast experience in a broad scale of other regulated areas, such as insurance and health care/pharma, and other areas in general that require liaising with authorities. In addition to general legal advice, the team assists businesses in internal audits, in-house trainings, representation before regulators, litigations and whichever, which need level-headed legal evaluation.
Head of the team: Andrea Belényi
Email: belenyia@vjt-partners.com

Dispute resolution: VJT & Partners’ dispute resolution practice specialises in employment, insurance, commercial and corporate disputes both before state and arbitration court, as well as in procedures before the registry court initiated against corporate actions. The firm’s dispute resolution team includes civil law university professor and highly regarded arbitrator Attila Menyhárd.
Head of the team: András Lovretity and Zoltán Csernus
Email: lovretitya@vjt-partners.com; csernusz@vjt-partners.com

Intellectual property: VJT & Partners is an experienced adviser in various areas of IP law, including trademarks, software and copyright, and specialises in digital IP matters, advising Fortune 500 IT companies.
Head of the team: Endre Várady
Email: varadye@vjt-partners.com

Practice areas

  • Corporate and M&A
  • Employment
  • Digital
  • Dispute resolution
  • Commercial contracts
  • Competition
  • Data protection
  • Banking, insurance, investments
  • Immigration
  • Intellectual property
  • Private equity
  • Regulatory and compliance
  • Restructuring and insolvency
  • Aviation
Department Name Email Telephone
Digital; Corporate and M&A; Employment; Private Equity János Tamás Varga vargajt@vjt-partners.com +3615019900
Corporate and M&A; Commercial Contracts; Dispute Resolution; Private Equity; Restructuring & Insolvency; Aviation András Lovretity lovretitya@vjt-partners.com +3615019900
Competition; Banking, Insurance, Investments; Regulatory & Compliance Andrea Belényi belenyia@vjt-partners.com +3615019900
Immigration; Intellectual Property; Data Protection Endre Várady varadye@vjt-partners.com +3615019900
Employment; Dispute Resolution Zoltán Csernus csernusz@vjt-partners.com +3615019900
Photo Name Position Profile
Nándor Beck photo Dr Nándor Beck Nándor Beck is a counsel in the firm’s Corporate and M&A team,…
Andrea Belényi photo Dr Andrea Belényi Andrea Belényi is leading the firm’s Regulatory & Compliance practice. Having worked…
Zoltán Csernus photo Dr Zoltán Csernus Zoltán Csernus is a senior employment lawyer, expert in contentious and non-contentious…
András Lovretity photo Dr András Lovretity Corporate/M&A practice leader András Lovretity is expert in leading M&A, private equity…
Endre Várady photo Dr Endre Várady Endre has substantial international experience in data protection, digital transformation and other…
János Tamás Varga photo Dr János Tamás Varga János Tamás Varga is the founder and managing partner of VJT &…
Eszter Vezse photo Dr Eszter Vezse Counsel Eszter Vezse has been working with VJT & Partners since the…
Number of lawyers : 11
International Bar Association
European Employment Lawyers Association
Hungarian Venture Capital and Private Equity Association
Hungarian Lawyers Association
Budapest Bar


It would be incorrect to say that it was solely the GDPR that led to modern-day Hungarian data protection. Hungary has had close to a 30-year long data protection practice which has been long enough to develop an established approach to data protection supported by numerous decisions and guidelines…

Contributed by VJT & Partners


It would be incorrect to say that it was solely the GDPR that led to modern-day Hungarian data protection. Hungary has had close to a 30-year long data protection practice which has been long enough to develop an established approach to data protection supported by numerous decisions and guidelines.

As regards approach, the Hungarian Data Protection Authority (DPA) has been always considered as one of the strictest privacy watchdogs in the EU due to its strict interpretation of data protection laws. It is especially strict in interpreting basic data protection principles and having a very granular approach on data processing purposes resulting in a much heavier documentation requirement (e.g. a much longer privacy policy) than other EU countries.

This can pose problems as many foreign companies simply expect to localise their Hungarian data processing operations and automatically ensure a consistent approach across different jurisdictions (e.g. one uniform local privacy policy across jurisdictions). In short, meeting Hungarian data processing rules is a challenging task as, despite the uniform GDPR rules, the DPA still interprets the GDPR in its own way by adding its ’local flavours’ which makes the Hungarian data protection environment unique.

Moreover, the Hungarian Data Protection Act itself also adds some specific requirements including extending the GDPR to manual data processing even where personal data is not a part of the filing system and, in some instances, even to the processing of a deceased person’s personal data.

Last but not least, as part of the GDPR implementation package, Hungary amended 86 sectoral acts in numerous sectors (including the employment, CCTV, finance, healthcare and marketing sectors) making room for plenty of GDPR derogations.

Overall, despite the GDPR’s intention to introduce uniformity, many Hungarian peculiarities still do not allow a cross-border uniform approach in Hungary.

In our guide, we provide a basic survival kit by focusing on the specialities of the Hungarian data protection practice that businesses must address when commencing any data processing activity in Hungary. First, we will provide an overview of the most important local Hungarian data protection flavours irrespective of the type of data processing. Secondly, we will present the Hungarian specialities in the context of employment and business data processing. Finally, we consider it important to touch upon the outlook of the Hungarian data protection practice.


In this part, we present a general overview of the most important issues that regularly present a challenge in Hungarian data protection practice.

Data localisation

The GDPR applies not just to structured electronic data, but also to unstructured data (e.g. data in e-mails, PDFs and spreadsheets). Moreover, the Hungarian Data Protection Act extends the GDPR’s reach to include manual data processing even where personal data is not part of the filing system (e.g. business cards).  The bottom line is that businesses must identify all their data processing activities.

Purpose specification

It is not enough to locate the data processing activities; they must be also specified. For each data processing purpose, the data processing circumstances (e.g. the legal grounds, the scope of data, the duration of data processing, the persons authorised to processing, etc) may be determined only if the data processing purpose is correctly identified. The DPA requires the purpose to be as specific as possible so that the purpose can be interpreted only in one way (e.g. “sending a newsletter” is satisfactory as it could be not interpreted differently; however, “marketing” is unsatisfactory as it could be interpreted in numerous ways).


The DPA considers that privacy policies must be written in a way that every layman could understand. At the same time, the DPA expects a controller to have a detailed privacy policy so that a data subject can gain a comprehensive understanding of the data processing circumstances for each data processing purpose. This means that the data controller must first identify the data processing purpose based on a purpose specification requirement and then all other data processing circumstances must be provided for each data processing purpose (e.g. in a table where each specified purpose is connected with the relevant data processing circumstances). This could result in long privacy policies, longer than businesses are used to.

Data minimisation

The DPA takes data minimisation requirements very strictly. Only data that is strictly necessary for the reason to process data may be processed. For example, the DPA has fined marketing companies for collecting unnecessary online marketing data, i.e. collecting e-mail addresses is permitted but collecting one’s phone number and date of birth data is not. If the scope of data is not set by law for the given data, the data controller decides for itself on the scope of the collected data but the data controller must strictly follow the logic of the data minimisation requirement. If the scope of collected data is set by law for the given purpose, the data controller may collect only that data.

Storage limitation

The DPA also keeps an eye on storage limitation requirements. In several rulings, the DPA has fined a company due to a breach of storage limitation rules (e.g. storing CCTV files for an unjustifiable time). If a specific law has set a retention period for the given purpose, those retention periods apply. If a specific law sets the data processing circumstances for the given purpose (e.g. the scope of the data that may be collected or the authorised persons who may collect the data) but without the retention period(s), the necessity of processing must be reviewed and documented every 3 years. In other cases, the controller decides the duration of the processing on its own but must strictly follow the storage limitation requirement.

Legal grounds

Obviously, the GDPR intended to make the application of legal grounds more flexible by providing room to apply various legal grounds to process data. However, the DPA applies quite a restrictive interpretation of those legal grounds. The following are the most important:

  • Consent – The DPA is very consistent in requiring ’voluntary’ consent. Thus, a data subject must have the opportunity to give its consent separately for each data processing purpose. This means that the data controller must work out the proper check-box mechanism (e.g. if there are 5 various marketing purposes, 5 checkboxes must be provided).
  • Legitimate interest – In business, it has become common to refer to legitimate interest as providing legal grounds to process data. Still, in the Hungarian data protection practice, the controller may rely on legitimate interest only if a proper balance test is carried out and documented. The balance test must demonstrate why the controller’s interest overrides the privacy interest of the data subject. The test must answer some basic questions, e.g.:
  1. What is the interest of the parties?
  2. Is there any alternative to data processing or a less privacy-invasive solution? and
  3. What guarantees are taken to protect the data subject’s rights?

For each data processing purpose, a separate balance test must be conducted; this could result in a significant additional administrative burden.

  • Fulfilment of contract – The Hungarian DPA accepts this very narrowly, i.e. where the data processing is necessary to fulfil the contract. For example, if the data subject breaches the contract, and the data controller assigns its claim to a debt collector agency, the debt collector agency may not rely on the fulfilment of the contract rationale as it is outside the scope of the original contract (concluded between the controller and the data subject).
  • Legal obligation – The Hungarian Data Protection Act provides that a legal obligation as legal grounds may only be accepted if Hungarian law specifies the data processing circumstances (e.g. the scope of data, the purpose of the processing or the duration of the processing). If the law does not provide the circumstances of the processing and makes too much room for the controller to determine such circumstances, the controller must instead rely on legitimate interest and carry out and document a balance test.

Data security requirements

In general, there are no special Hungarian flavours. But it is worth investing in data security measures as there is a shift from traditional GDPR to cyber-security and data breach issues; further, the Hungarian DPA has imposed its highest fine (approx. EUR 300,000) in this area. For certain organisations (e.g. critical service providers in the financial, energy or health sectors), the Information Security Act also applies (apart from the GDPR) which imposes additional security requirements (e.g. logging, data localisation or reporting security breaches).

Data breach management

The Hungarian DPA sets a very low threshold for data breach notifications. In general, controllers must file a notification to the DPA each time there is a reasonable certainty that a breach has occurred and the breach may have had an adverse effect on data subjects. Although it could be argued that the GDPR is more nuanced in this regard, the DPA has a strict approach and anything beyond the “not occurred” category is practically reportable.


Hungarian employment data processing also has specialities in all cases from recruitment and selection through establishing and maintaining employment relationships to employee monitoring.

The Hungarian GDPR implementation has also brought important changes in the workplace environment by presenting new rules that present hardships for employers in practice (e.g. not allowing copies to be made of employee documents).

In this part, we present the key Hungarian data protection challenges in the employment context:


Candidates must get a company’s privacy policy together with the job description. Anonymous offers are not accepted. If a recruiter company is engaged, the candidate must give consent to the transfer of the CV to the employer. As a general rule, candidates’ background checks are not allowed. The exceptions to this are the need to request clear criminal records and check social media under certain conditions. Personality tests are not permitted.

Employment relationships

In the employment context, the basic data protection principles apply even under some stricter settings:

  • Legal grounds – Businesses must be careful that, in principal, consent is not an acceptable legal ground for employment data processing as consent cannot be voluntary due to the subordinate nature of the employment. The main legal grounds to process data remain legitimate interest and legal obligation. In some instances, the performance of a contract can also be used.
  • Data minimisation – This principle is very strongly reflected under employment relationships. The employer may require only data that is necessary to establish, complete or terminate the employment relationship, or that is important in relation to exercising employment claims. Moreover, during the onboarding process, employers may only ask the employee to show their documents (e.g. ID, driving licence, address card, tax card and qualification documents) and the employer may not make electronic or hard copies.
  • Confidentiality – Only the relevant authorised people within the employer’s organisation may have access to employee data. For company groups, the parent company and the affiliates are qualified as separate entities; thus, to disclose data within the group, lawful legal grounds must be provided.
  • Storage limitation – In principle, employee data may not be processed after the end of the employment relationship. But the employer may keep any records that may be important in an employment dispute for a further 3 years (i.e. for the limitation period set for employment-related claims) based on its legitimate interest. The employer may also retain any documents relevant to pension entitlement up to 5 years after the employee has reached pension age.

Strict conditions for employment monitoring

Even before the GDPR implementation package, it was clear that an employer may monitor an employee’s work (e.g. monitoring e-mail, laptop or internet use) only if the employer provides prior notice of this activity. But, the GDPR implementation package made it clear that such notice must be made in writing and it must cover why the employer’s measures are necessary and proportionate in comparison to limiting the employee’s personal rights.

The key takeaways are the following:

  • The employer may not store the employee’s private files;
  • The employer must provide the possibility to the employee to be present before the inspection. The employer must always act in light of the proportionality and gradual approach (e.g. if websites are blocked, website monitoring may not be needed); and
  • The employee must be properly notified before each respective monitoring.


The business data processing environment also remains a challenging field as the DPA strictly interprets this area as well. The DPA requires data controllers in this field to strictly follow the basic data protection principles (see the MOST IMPORTANT LOCAL DATA PROTECTION SPECIALITIES)

The Hungarian GDPR implementation package aimed at harmonising the sectoral data protection legislation with the GPDR has not brought particular easement either.

In this part, we present the key Hungarian data protection challenges in the business context:


In the e-commerce world, businesses tend to rely on the performance of a contract as providing the legal grounds to process data in a broad way as it makes their data processing operations practical.

However, this is not a sustainable solution in Hungary as the E-Commerce Act states that, for any data processing operation that does not strictly stem from the provision of the service (e.g. improving performance or marketing research) the service provider must specify any sub-data processing operations in advance.

In practice, this means that, prior to introducing a new e-commerce business, the service providers must examine whether the ‘provision of the service’ can be broken down into further sub-purposes and then examine the compliance of each sub-purpose against basic data protection requirements.

The data minimisation principle has a special dimension in Hungarian e-commerce. Apart from assessing which data is strictly necessary for a given purpose, service providers must pay attention to the requirement that the data collected for purposes other than ‘the provision of a service’ may not be linked with the user’s identification data.

Electronic marketing

To prevent client or lead dropouts, businesses regularly try to avoid consent in promoting their business, especially by using legitimate interest as the legal ground for data processing, because they consider that the GDPR is more flexible on legitimate interest. However, the Hungarian electronic marketing sector has been largely unaffected in this regard, as Hungarian law did not remove the consent requirement. In principle, electronic marketing (via email, fax or SMS) is allowed only if the user’s prior, explicit and unambiguous consent has been obtained.

The DPA recognises electronic marketing communication without consent only for offering similar products/services to existing customers. In such case, obtaining consent can be avoided if the business carries out and documents a legitimate interest test in which it explains why its business interest overrides the user’s interest and the user has the right to opt out from future marketing communication at any time.

Internet use & social media

Website operators remain liable for any third-party cookies used on their website. Thus, they should only use cookies that they are fully aware of. Only functional cookies (that are strictly necessary for the website’s operation) do not require explicit consent but, even in this case, a legitimate interest test must be carried out and documented. For non-functional cookies (e.g. marketing cookies), the cookies may be placed on the user’s device only based on prior and explicit consent (e.g. a cookie wall appears where the user can read the full cookie information and individually choose the cookies they want to be placed on their device)

A website operator who uses embedded social media modules (e.g. tracking pixels) is qualified as a data controller. Thus, the DPA expects such operators to examine how the social media modules involve transferring personal data to social media and to reflect this adequately in the privacy policy. It is also crucial to ensure a free consent mechanism for social media modules. If the user can access a website content only by clicking ’accept all cookies’, the consent will be not valid.

Retail sector

To comply with the GDPR, retail stores must remove pages containing customer comments/complaints from the public consumer complaint registry (so the general public can no longer view them). The retail stores must provide the serial numbers to the removed pages and only keep them in their internal records for inspection purposes.


As presented, the Hungarian data protection practice has many local flavours.

The key issue remains whether the DPA will keep its own practice or rely more on the interpretation of the European Data Protection Board (EDPB) that has the role of making guidelines uniform across the EU.

There are some signs that the DPA is trying to avoid conflict with EDPB/WP29 international guidelines and thus, it has started to focus more on areas that dictate more uniform logic (e.g. data subject rights) instead of the privacy policy area which, for a long time, was an enforcement priority and was the main source of headaches for businesses in Hungary.

Still, the Hungarian DPA will continue to use its old practice in all issues that are not explicitly regulated by the EDPB guidelines. Currently, there are still many such unregulated areas.

The GDPR implementation of more than 80 sectoral laws also deserves special attention. It provides many additional special sectoral data protection rules and raises questions about where the GDPR alignment with the local laws has not been fully reached.

Overall, the Hungarian data protection environment must be treated carefully and it is worth investing efforts in complying with the local Hungarian flavours.