GDPR and Privacy in Hungary: Obligations for KFTs in 2026

Does GDPR Apply to Hungarian KFTs?

Yes, fully and directly. Hungary is a member state of the European Union, and the General Data Protection Regulation (GDPR — EU Reg. 2016/679) applies to all companies that process personal data of individuals in the EU, regardless of their registered office. A Hungarian KFT that collects data from customers, employees, or suppliers is therefore subject to all GDPR obligations, just like an Italian SRL.

The competent Hungarian supervisory authority for data protection is the NAIH (Nemzeti Adatvédelmi és Információszabadság Hatóság), equivalent to the Italian Data Protection Authority.

Main GDPR Obligations for a KFT

  • Lawful basis for processing: every processing operation involving personal data must rest on a valid lawful basis (consent, contract, legal obligation, legitimate interest, etc.)
  • Privacy Notice: obligation to provide data subjects with clear information on how their data is processed
  • Record of Processing Activities (ROPA): KFTs with more than 250 employees or those carrying out high-risk processing must keep a record of processing activities
  • Data subject rights: guarantee the right to access, rectification, erasure, portability, and objection to processing
  • Data breach notification: obligation to notify the NAIH within 72 hours of discovering a personal data breach
  • Data Protection Impact Assessment (DPIA): mandatory for high-risk processing (profiling, sensitive data, systematic surveillance)

DPO Appointment: When is it Mandatory?

The appointment of a Data Protection Officer (DPO) is mandatory for KFTs that:

  • Are a public authority or public body
  • Carry out systematic and large-scale monitoring of individuals (e.g., tracking platforms, apps with geolocation)
  • Process special categories of data on a large scale (health data, biometric data, data relating to criminal convictions)

For most small and medium-sized KFTs (e-commerce, consulting, B2B SaaS), the appointment of a DPO is not mandatory but may be appropriate as an accountability measure.

Data Transfer Between Hungarian KFT and Italian SRL

When a Hungarian KFT and an Italian SRL exchange personal data (e.g., data of common customers, employee data), this is an intra-EU transfer. Since both countries are in the EU, the transfer is permitted without any additional safeguards beyond the standard GDPR requirements. However, it is necessary to:

  • Define the roles of controller and processor between the two companies
  • Enter into a Data Processing Agreement (DPA) if one company processes data on behalf of the other
  • Ensure that both companies comply with GDPR principles when processing shared data

GDPR for E-commerce and SaaS with Hungarian KFT

For KFTs that manage e-commerce or SaaS, the most relevant GDPR obligations are:

  • Cookie policy and consent: compliant cookie banner, with granular consent for profiling and marketing cookies
  • Privacy policy on the website: complete and updated information, accessible from all pages
  • User data management: procedures to respond to requests for access, erasure, and portability
  • Third-party providers (sub-processors): DPA contracts with all providers who process data on behalf of the KFT (e.g., Shopify, Stripe, Mailchimp, Google Analytics)
  • Extra-EU data transfer: if cloud services with servers outside the EU are used, verify adequate safeguards (Standard Contractual Clauses)

GDPR Penalties: What a KFT Risks

Penalties for GDPR violations are the same throughout the EU:

Type of violation                                                      | Maximum penalty
Minor violations (information, record of processing)                   | €10 million or 2% of global annual turnover
Serious violations (lawful basis, data subject rights, unlawful transfers) | €20 million or 4% of global annual turnover

The Hungarian NAIH has demonstrated that it applies concrete penalties even to SMEs. In 2024-2025, it imposed significant penalties on Hungarian companies for failure to manage data breaches and non-compliant cookie policies.

GDPR Checklist for KFT: Where to Start

  • ✅ Map all personal data processing carried out by the KFT
  • ✅ Identify the lawful basis for each processing
  • ✅ Draft or update the website's privacy policy
  • ✅ Implement a compliant cookie consent management system
  • ✅ Enter into DPAs with all sub-processor providers
  • ✅ Establish procedures to respond to data subject requests
  • ✅ Define a data breach response plan
  • ✅ Assess whether a DPIA is necessary for high-risk processing
  • ✅ Train staff on GDPR procedures

Conclusion

GDPR is a real and concrete obligation for all Hungarian KFTs that process personal data. Compliance is not only a legal requirement but also an element of trust with customers and business partners. Properly structuring privacy management from the establishment of the KFT is much more efficient than having to remedy it later.

The Start Ungheria team supports KFTs in GDPR compliance, from mapping processing activities to drafting necessary documentation. Contact us for a free consultation.
