Art. 7
1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
|
Art. 7
1. The controller shall bear the burden of proof for the data subject's consent to the processing of their personal data for specified purposes.
2. If the data subject's consent is to be given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented distinguishable in its appearance from this other matter.
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.
|
Art. 7
1. Where Article 6(1)(a) applies the controller shall be able to demonstrate that unambiguous consent was given by the data subject.
1a. Where Article 9(2)(a) applies, the controller shall be able to demonstrate that explicit consent was given by the data subject.
2. If the data subject's consent is to be given in the context of a written declaration which also concerns other matters, the request for consent must be presented in a manner which is clearly distinguishable (...) from the other matters, in an intelligible and easily accessible form, using clear and plain language.
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof.
4. (...)
|
Art. 7
Member States shall provide that personal data may be processed only if:
(a) the data subject has unambiguously given his consent; or
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
(d) processing is necessary in order to protect the vital interests of the data subject; or
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).
|
No (special) provision under Hungarian law.
|
Definitions
§ 3 Data Protection Act
[...]
(7) ‘the data subject’s consent’ means any freely and expressly given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed without limitation or with regard to specific operations;
(8) ‘the data subject’s objection’ shall mean an indication of his wishes by which the data subject objects to the processing of his personal data and requests that the processing of data relating to him be terminated and/or the processed data be deleted;
[...]
Requirement of preliminary information of data subjects
§ 20 Data Protection Act
(1) Before processing operations are carried out the data subject shall be informed whether his consent is required or processing is mandatory.
(2) Before processing operations are carried out the data subject shall be clearly and elaborately informed of all aspects concerning the processing of his personal data, such as the purpose for which his data is required and the legal basis, the person entitled to control the data and to carry out the processing, the duration of the proposed processing operation, if the data subject’s personal data is processed in accordance with Subsection (5) of Section 6, and the persons to whom his data may be disclosed. Information shall also be provided on the data subject’s rights and remedies.
(3) In the case of mandatory processing such information may be supplied by way of publishing reference to the legislation containing the information referred to in Subsection (2).
(4) If the provision of information to the data subject proves impossible or would involve disproportionate efforts, the obligation of information may be satisfied by the public disclosure of the following:
a) an indication of the fact that data is being collected;
b) the data subjects targeted;
c) the purpose of data collection;
d) the duration of the proposed processing operation;
e) the potential data controllers with the right of access;
f) the right of data subjects and remedies available relating to data processing; and
g) where the processing operation has to be registered, the number assigned in the data protection register, with the exception of Subsection (2) of Section 68.
The data subject’s right to object to the processing of his personal data
§ 21 Data Protection Act
(1) The data subject shall have the right to object to the processing of data relating to him:
a) if processing or disclosure is carried out solely for the purpose of discharging the controller’s legal obligation or for enforcing the rights and legitimate interests of the controller, the recipient or a third party, unless processing is mandatory;
b) if personal data is used or disclosed for the purposes of direct marketing, public opinion polling or scientific research; and
c) in all other cases prescribed by law.
(2) In the event of objection, the controller shall investigate the cause of objection within the shortest possible time inside a fifteen-day time period, adopt a decision as to merits and shall notify the data subject in writing of its decision.
(3) If, according to the findings of the controller, the data subject’s objection is justified, the controller shall terminate all processing operations (including data collection and transmission), block the data involved and notify all recipients to whom any of these data had previously been transferred concerning the objection and the ensuing measures, upon which these recipients shall also take measures regarding the enforcement of the objection.
(4) If the data subject disagrees with the decision taken by the controller under Subsection (2), or if the controller fails to meet the deadline specified in Subsection (2), the data subject shall have the right under Section 22 to bring action in the court of law within thirty days of the date of delivery of the decision or from the last day of the time limit.
(5) If data that are necessary to assert the data recipient’s rights are withheld owing to the data subject’s objection, the data recipient shall have the right under Section 22 to file charges against the controller within fifteen days from the date the decision is delivered under Subsection (2) in order to obtain the data. The controller may give third-party notice to the data subject.
(6) If the data controller fails to send notice as specified in Subsection (3), the data recipient shall have the right to request information from the controller concerning the circumstances of non-disclosure, upon which the controller shall make available the information requested within eight days of receipt of the data recipient’s request. Where information had been requested, the data recipient may bring action against the controller within fifteen days from the date of receipt of the information, or from the deadline prescribed therefor. The controller may give third-party notice to the data subject.
(7) The controller shall not delete the data of the data subject if processing has been prescribed by law. However, data may not be disclosed to the data recipient if the controller agrees with the objection or if the court has found the objection justified.
|
Law No. 677/2001 on the protection of individuals with regard to the processing of personal data and the free movement of such data, as amended and completed
Article 5:
(1) Any personal data processing, except for the processing which refer to the categories mentioned in Article 7 paragraph (1) and Articles 8 and 10, may be carried out only if the data subject has given his/her express and unequivocal consent for that processing.
(2) The data subject’s consent is not required in the following situations:
a) when the processing is required in order to carry out a contract or pre-contract to which the data subject is party of, or in order to take some measures, at his request, before signing that contract or the pre-contract;
b) when the processing is required in order to protect the data subject’s life, physical integrity or health or that of a threatened third party;
c) when the processing is required in order to fulfill a legal obligation of the data controller;
d) when the processing is required in order to accomplish some measures of public interest or regarding the exercise of public official authority prerogatives of the data controller or of the third party to which the date are disclosed;
e) when the processing is necessary in order to accomplish a legitimate interest of the data controller or of the third party to which the date are disclosed, on the condition that this interest does not prejudice the interests, or the fundamental rights and freedoms of the data subject;
f) when the processing concerns data which is obtained from publicly accessible documents, according to the law;
g) when the processing is performed exclusively for statistical purposes, historical or scientific research and the data remain anonymous throughout the entire processing;
(3) The provisions of paragraph (2) do not infringe the legal texts that govern the obligations of public authorities to respect and protect intimate, family and private life.
|