2000/519/EC: Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided in Hungary (notified under document number C(2000) 2305) (Text with EEA relevance.)
95/46/EC • 32000D0519
Legal Acts - Directives
- 3 Inbound citations:
- •
- 0 Cited paragraphs:
- •
- 29 Outbound citations:
Avis juridique important
2000/519/EC: Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided in Hungary (notified under document number C(2000) 2305) (Text with EEA relevance.) Official Journal L 215 , 25/08/2000 P. 0004 - 0006
Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided in Hungary (notified under document number C(2000) 2305) (Text with EEA relevance) (2000/519/EC) THE COMMISSION OF THE EUROPEAN COMMUNITIES, Having regard to the Treaty establishing the European Community, Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(1), and in particular Article 25(6) thereof, Whereas: (1) Pursuant to Directive 95/46/EC Member States are required to provide that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of protection and if the Member State's laws implementing other provisions of the Directive are complied with prior to the transfer. (2) The Commission may find that a third country ensures an adequate level of protection. In that case personal data may be transferred from the Member States without additional guarantees being necessary. (3) Pursuant to Directive 95/46/EC the level of data protection should be assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations and in respect of given conditions. The Working Party on Protection of Individuals with regard to the Processing of Personal Data established under that Directive has issued guidance on the making of such assessments(2). (4) Given the different approaches to data protection in third countries, the adequacy assessment should be carried out, and any decision based on Article 25(6) of Directive 95/46/EC should be enforced in a way that does not arbitrarily or unjustifiably discriminate against or between third countries where like conditions prevail nor constitute a disguised barrier to trade, regard being had to the Community's present international commitments. (5) As regards Hungary, the legal standards on the protection of personal data have binding legal effect. (6) The protection of privacy, particularly with regard to the processing of personal data, is provided for by Article 59 of the Hungarian Constitution. The legal provisions are laid down by Law LXIII of 17 November 1992, which entered into force on 1 May 1993. Various sectoral laws have also incorporated provisions on the protection of personal data in various areas such as statistics, market research, scientific research and health. (7) With effect from 1 February 1998, Hungary ratified the Council of Europe Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention No 108)(3), which aims to reinforce the protection of personal data and to ensure free circulation between the Contracting Parties, subject to any exceptions which these parties may provide for. Without being directly applicable, the Convention lays down the international commitments concerning not only the basic principles of protection which each Contracting Party must implement in its internal law but also the mechanisms of cooperation between the Contracting Parties. In particular, the competent Hungarian authorities must provide the authorities of the other Contracting Parties which so request with any information on the law and administrative practice regarding data protection, and with information on any specific instance of automatic processing of data. They must also assist any person residing abroad in exercising his right to be informed about the existence of processing operations on data concerning him, the right to access his data or to ask for them to be corrected or deleted, and the right of judicial remedy. (8) The legal standards applicable in Hungary cover all the basic principles necessary for an adequate level of protection for natural persons, even if exceptions and limitations are also provided for in order to safeguard important public interests. The application of these standards is guaranteed by judicial remedy and by independent supervision carried out by the Commissioner appointed by the Parliament pursuant to Law LXIII of 1992. Furthermore, the compensation of persons who have suffered prejudice as a result of unlawful processing is guaranteed by law. (9) In the interests of transparency and in order to safeguard the ability of the competent authorities in the Member States to ensure the protection of individuals as regards the processing of their personal data, it is necessary to specify in this Decision the exceptional circumstances in which the suspension of specific data flows may be justified, notwithstanding the finding of adequate protection. (10) The Working Party on Protection of Individuals with regard to the Processing of Personal Data established under Article 29 of Directive 95/46/EC has delivered opinions on the level of protection provided by Hungarian law which have been taken into account in the preparation of the current Decision(4). (11) The measures provided for in this Decision are in accordance with the opinion of the Committee established under Article 31 of Directive 95/46/EC, HAS ADOPTED THIS DECISION: Article 1 For the purposes of Article 25(2) of Directive 95/46/EC, for all the activities falling within the scope of that Directive, Hungary is considered as providing an adequate level of protection of personal data transferred from the Community. Article 2 This Decision concerns only the adequacy of protection provided in Hungary with a view to meeting the requirements of Article 25(1) of Directive 95/46/EC and does not affect other conditions or restrictions implementing other provisions of the Directive that pertain to the processing of personal data within the Member States. Article 3 1. Without prejudice to their powers to take action to ensure compliance with national provisions adopted pursuant to provisions other than Article 25 of Directive 95/46/EC, the competent authorities in Member States may exercise their existing powers to suspend data flows to a recipient in Hungary in order to protect individuals with regard to the processing of their personal data in cases where: (a) a competent Hungarian authority has determined that the recipient is in breach of the applicable standards of protection; or (b) there is a substantial likelihood that the standards of protection are being infringed; there are reasonable grounds for believing that the competent Hungarian authority is not taking or will not take appropriate and timely steps to settle the case at issue; the continuing transfer would create an imminent risk of grave harm to data subjects and the competent authorities in the Member States have made reasonable efforts in the circumstances to provide the party responsible fo processing established in Hungary with notice and opportunity to respond. The suspension shall cease as soon as the standards of protection are assured and the competent authority concerned in the Community is notified thereof. 2. Member States shall inform the Commission without delay when measures are adopted on the basis of paragraph 1. 3. The Member States and the Commission shall also inform each other of cases where the action of bodies responsible for ensuring compliance with the standards of protection in Hungary fails to secure such compliance. 4. If the information collected under paragraphs 1, 2 and 3 provides evidence that any body responsible for ensuring compliance with the standards of protection in Hungary is not effectively fulfilling its role, the Commission shall inform the competent Hungarian authority and, if necessary, present draft measures in accordance with the procedure under Article 31 of Directive 95/46/EC with a view to repealing or suspending this Decision or limiting its scope. Article 4 1. This Decision may be amended at any time in the light of experience with its functioning or of changes in Hungarian legislation. The Commission shall evaluate the functioning of this Decision on the basis of available information, three years after its notification to the Member States and report any pertinent findings to the Committee established under Article 31 of Directive 95/46/EC, including any evidence that could affect the finding in Article 1 of this Decision that protection in Hungary is adequate within the meaning of Article 25 of this Directive and any evidence that this Decision is being implemented in a discriminatory way. 2. The Commission shall, if necessary, present draft measures in accordance with the procedure established by Article 31 of Directive 95/46/EC. Article 5 Member States shall take all the measures necessary to comply with this Decision at the latest at the end of a period of 90 days from the date of its notification to the Member States. Article 6 This Decision is addressed to the Member States. Done at Brussels, 26 July 2000. For the Commission Frederik Bolkestein Member of the Commission (1) OJ L 281, 23.11.1995, p. 31. (2) Opinion 12/98, adopted by the Working Party on 24 July 1998: "Transfers of personal data to third countries. Applying Articles 25 and 26 of the EU Data Protection Directive" (DG MARKT D/5025/98), available on the Europa website hosted by the Commission: http://europe.eu.int/comm/internal_market/en/media/dataprot/wpdocs/index.htm (3) Available on website: http://conventions.coe.int/treaty/EN/cadreintro.htm (4) Opinion 6/99 adopted by the Working Party on 7 September 1999 (DG MARKT 5070/99), available on the Europa website cited in footnote 2.
Commission Decision
of 26 July 2000
pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided in Hungary
(notified under document number C(2000) 2305)
(Text with EEA relevance)
(2000/519/EC)
THE COMMISSION OF THE EUROPEAN COMMUNITIES,
Having regard to the Treaty establishing the European Community,
Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(1), and in particular Article 25(6) thereof,
Whereas:
(1) Pursuant to Directive 95/46/EC Member States are required to provide that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of protection and if the Member State's laws implementing other provisions of the Directive are complied with prior to the transfer.
(2) The Commission may find that a third country ensures an adequate level of protection. In that case personal data may be transferred from the Member States without additional guarantees being necessary.
(3) Pursuant to Directive 95/46/EC the level of data protection should be assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations and in respect of given conditions. The Working Party on Protection of Individuals with regard to the Processing of Personal Data established under that Directive has issued guidance on the making of such assessments(2).
(4) Given the different approaches to data protection in third countries, the adequacy assessment should be carried out, and any decision based on Article 25(6) of Directive 95/46/EC should be enforced in a way that does not arbitrarily or unjustifiably discriminate against or between third countries where like conditions prevail nor constitute a disguised barrier to trade, regard being had to the Community's present international commitments.
(5) As regards Hungary, the legal standards on the protection of personal data have binding legal effect.
(6) The protection of privacy, particularly with regard to the processing of personal data, is provided for by Article 59 of the Hungarian Constitution. The legal provisions are laid down by Law LXIII of 17 November 1992, which entered into force on 1 May 1993. Various sectoral laws have also incorporated provisions on the protection of personal data in various areas such as statistics, market research, scientific research and health.
(7) With effect from 1 February 1998, Hungary ratified the Council of Europe Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention No 108)(3), which aims to reinforce the protection of personal data and to ensure free circulation between the Contracting Parties, subject to any exceptions which these parties may provide for. Without being directly applicable, the Convention lays down the international commitments concerning not only the basic principles of protection which each Contracting Party must implement in its internal law but also the mechanisms of cooperation between the Contracting Parties. In particular, the competent Hungarian authorities must provide the authorities of the other Contracting Parties which so request with any information on the law and administrative practice regarding data protection, and with information on any specific instance of automatic processing of data. They must also assist any person residing abroad in exercising his right to be informed about the existence of processing operations on data concerning him, the right to access his data or to ask for them to be corrected or deleted, and the right of judicial remedy.
(8) The legal standards applicable in Hungary cover all the basic principles necessary for an adequate level of protection for natural persons, even if exceptions and limitations are also provided for in order to safeguard important public interests. The application of these standards is guaranteed by judicial remedy and by independent supervision carried out by the Commissioner appointed by the Parliament pursuant to Law LXIII of 1992. Furthermore, the compensation of persons who have suffered prejudice as a result of unlawful processing is guaranteed by law.
(9) In the interests of transparency and in order to safeguard the ability of the competent authorities in the Member States to ensure the protection of individuals as regards the processing of their personal data, it is necessary to specify in this Decision the exceptional circumstances in which the suspension of specific data flows may be justified, notwithstanding the finding of adequate protection.
(10) The Working Party on Protection of Individuals with regard to the Processing of Personal Data established under Article 29 of Directive 95/46/EC has delivered opinions on the level of protection provided by Hungarian law which have been taken into account in the preparation of the current Decision(4).
(11) The measures provided for in this Decision are in accordance with the opinion of the Committee established under Article 31 of Directive 95/46/EC,
HAS ADOPTED THIS DECISION:
Article 1
For the purposes of Article 25(2) of Directive 95/46/EC, for all the activities falling within the scope of that Directive, Hungary is considered as providing an adequate level of protection of personal data transferred from the Community.
Article 2
This Decision concerns only the adequacy of protection provided in Hungary with a view to meeting the requirements of Article 25(1) of Directive 95/46/EC and does not affect other conditions or restrictions implementing other provisions of the Directive that pertain to the processing of personal data within the Member States.
Article 3
1. Without prejudice to their powers to take action to ensure compliance with national provisions adopted pursuant to provisions other than Article 25 of Directive 95/46/EC, the competent authorities in Member States may exercise their existing powers to suspend data flows to a recipient in Hungary in order to protect individuals with regard to the processing of their personal data in cases where:
(a) a competent Hungarian authority has determined that the recipient is in breach of the applicable standards of protection; or
(b) there is a substantial likelihood that the standards of protection are being infringed; there are reasonable grounds for believing that the competent Hungarian authority is not taking or will not take appropriate and timely steps to settle the case at issue; the continuing transfer would create an imminent risk of grave harm to data subjects and the competent authorities in the Member States have made reasonable efforts in the circumstances to provide the party responsible fo processing established in Hungary with notice and opportunity to respond.
The suspension shall cease as soon as the standards of protection are assured and the competent authority concerned in the Community is notified thereof.
2. Member States shall inform the Commission without delay when measures are adopted on the basis of paragraph 1.
3. The Member States and the Commission shall also inform each other of cases where the action of bodies responsible for ensuring compliance with the standards of protection in Hungary fails to secure such compliance.
4. If the information collected under paragraphs 1, 2 and 3 provides evidence that any body responsible for ensuring compliance with the standards of protection in Hungary is not effectively fulfilling its role, the Commission shall inform the competent Hungarian authority and, if necessary, present draft measures in accordance with the procedure under Article 31 of Directive 95/46/EC with a view to repealing or suspending this Decision or limiting its scope.
Article 4
1. This Decision may be amended at any time in the light of experience with its functioning or of changes in Hungarian legislation.
The Commission shall evaluate the functioning of this Decision on the basis of available information, three years after its notification to the Member States and report any pertinent findings to the Committee established under Article 31 of Directive 95/46/EC, including any evidence that could affect the finding in Article 1 of this Decision that protection in Hungary is adequate within the meaning of Article 25 of this Directive and any evidence that this Decision is being implemented in a discriminatory way.
2. The Commission shall, if necessary, present draft measures in accordance with the procedure established by Article 31 of Directive 95/46/EC.
Article 5
Member States shall take all the measures necessary to comply with this Decision at the latest at the end of a period of 90 days from the date of its notification to the Member States.
Article 6
This Decision is addressed to the Member States.
Done at Brussels, 26 July 2000.
For the Commission
Frederik Bolkestein
Member of the Commission
(1) OJ L 281, 23.11.1995, p. 31.
(2) Opinion 12/98, adopted by the Working Party on 24 July 1998: "Transfers of personal data to third countries. Applying Articles 25 and 26 of the EU Data Protection Directive" (DG MARKT D/5025/98), available on the Europa website hosted by the Commission: http://europe.eu.int/comm/internal_market/en/media/dataprot/wpdocs/index.htm
(3) Available on website: http://conventions.coe.int/treaty/EN/cadreintro.htm
(4) Opinion 6/99 adopted by the Working Party on 7 September 1999 (DG MARKT 5070/99), available on the Europa website cited in footnote 2.