Last reviewed: 2026-05-05 · Reviewer: M.K., CIPP/E

Hungary — analytics & cookie compliance reference

What you can run on a Hungary-targeted website without a NAIH fine — GA4, cookies, vendor stack, and the rules behind them. Single national DPA · active on AI/biometric processing · Hungarian-language privacy notices required.

// SCOPE

Web analytics, cookies, tag managers, CMPs, ad pixels, and session-replay tools as deployed on websites and apps targeting Hungary. Sectoral rules (healthcare, banking, employment) are touched only where they intersect with the analytics layer.

Applicable laws

The legal framework that governs personal data processing here.

National add-ons

Country-specific statutes layered on the EU baseline.

Infotörvény
2011. évi CXII. törvény az információs önrendelkezési jogról és az információszabadságról
National implementation of GDPR opening clauses + freedom-of-information regime + national-security and law-enforcement processing + NAIH governance and fining powers. Applies in parallel with GDPR — controllers must satisfy both.
  • § 2 Scope — extends GDPR rules to processing outside EU law (national security, law enforcement) where Union law does not apply
  • § 25 DPO designation — mirrors GDPR Art 37 with no lower headcount threshold
  • § 38 NAIH powers — investigation, audit, administrative fines up to 20M HUF or the GDPR ceilings, whichever is higher
  • § 60 Administrative procedure — NAIH official inquiry process (hatósági eljárás) and binding decisions
Act CXII of 2011 on Informational Self-Determination and Freedom of Information, latest substantive amendment 2018 (Act XXXVIII of 2018) aligning with GDPR + 2023 amendments on AI/biometric data oversight.
Eht. § 155
2003. évi C. törvény az elektronikus hírközlésről
Cookies + terminal-equipment storage/access + electronic communications confidentiality. § 155(4) requires prior, informed consent for any non-strictly-necessary storage or access on a user's terminal equipment.
  • § 155(4) Storage/read access on terminal equipment requires prior, informed consent — analytics, marketing, A/B testing all require opt-in
  • § 155(5) Strictly-necessary exception — narrowly construed; user-explicit-request communications + technical session continuity only
  • § 156 Traffic and location data — separate consent regime for value-added services
Act C of 2003 on Electronic Communications, § 155 transposes ePrivacy Directive Art 5(3) on cookies and terminal-equipment access.
Reklámtörvény
2008. évi XLVIII. törvény a gazdasági reklámtevékenység alapvető feltételeiről és egyes korlátairól
Direct marketing — email/SMS/automated-call opt-in regime. § 6 requires prior, express, documented consent (effectively double-opt-in standard per Hungarian Competition Authority and NAIH joint guidance). GDPR legitimate interest does not cure a Reklámtv. breach.
  • § 6(1) Direct marketing communications — prior express consent required, must be specific, voluntary, and informed
  • § 6(2) Consent record-keeping — controller must be able to prove consent at any time; double-opt-in is the de facto standard
  • § 6(5) Opt-out at every contact — every marketing message must offer free, simple unsubscribe
Act XLVIII of 2008 on the Basic Conditions and Certain Limitations of Commercial Advertising Activity

Regulators

Supervisory authorities that interpret and enforce privacy law here.

NAIH · Nemzeti Adatvédelmi és Információszabadság Hatóság
Single national DPA — supervises all GDPR + Infotörvény processing in Hungary (no state/regional sub-authorities). Also competent authority for freedom-of-information requests and AI-systems oversight under coordination with Hungarian AI Coalition.

Coordination body

EDPB participation · European Data Protection Board — NAIH represents Hungary
NAIH participates in EDPB consistency mechanism and One-Stop-Shop lead/concerned-DPA roles. No domestic federal-state coordination body — single national authority.
  • 2022-02-10 · Google Analytics — NAIH alignment with Austrian DSB / French CNIL post-Schrems II — GA Universal flagged as problematic; GA4 acceptable post-DPF subject to consent + TIA documentation.
  • 2024-03 · Biometric attendance systems — NAIH issued multiple decisions against employer biometric attendance systems (fingerprint, facial recognition) — disproportionate under Art 9 + Hungarian Labour Code.
  • 2024-11 · AI systems and Clearview-style scraping — NAIH active on AI/biometric processing — fines and warnings for facial-recognition databases assembled from public-web scraping; aligned with Italian Garante and Greek DPA on Clearview-related cases.

Notable enforcement

NAIH is moderately active by EU standards — not as headline-grabbing as Italian Garante or Spanish AEPD, but consistent on its enforcement priorities: AI/biometric processing, employer monitoring, and unencrypted personal-data exposures. Fines tend to fall in the 1M–100M HUF range (≈€2.5K–€250K) with occasional higher penalties. The 2024–2025 enforcement wave on biometric attendance systems and Clearview-style facial-recognition databases marks NAIH's active stance on AI-era data protection. Controllers should prioritize Hungarian-language privacy notices and documented consent records — both are recurring deficiency findings.

  1. 2021-04 · €700k · Bank (anonymized) · NAIH · Art 6, 22 · stood
     Use of AI-driven voice-emotion analysis on customer-service calls without lawful basis or transparency — ~250M HUF fine. Landmark NAIH AI-systems case.

  2. 2020-02 · €280k · Digi Kft. · NAIH · Art 5, 32 · stood
     Major Hungarian ISP — unencrypted customer database exposed via test server; ~100M HUF fine for security failures and excessive retention. NAIH's largest pre-2024 fine.

  3. 2023-06 · €150k · Fintech (anonymized) · NAIH · Art 32, 33 · stood
     Insufficient breach notification + access-control failures at a Hungarian fintech; ~55M HUF.

  4. 2025-02 · €90k · Retail chain (CCTV) · NAIH · Art 5, 6, 13 · stood
     Excessive CCTV retention + missing Hungarian-language signage — ~35M HUF; Hungarian-language transparency cited as a recurring deficiency.

GA4 status

GA4 is usable in Hungary with prior, explicit, granular consent under Eht. § 155 + GDPR Art 6/7. After EU-US DPF (10 Jul 2023), transfers to Google's US servers are lawful in principle while Google LLC remains DPF-certified. NAIH posture is moderate — aligned with EDPB Schrems II coordinated action but not a leading enforcer on this dimension. Hungarian-language privacy notice required.

DPA: NAIH · Stance: Moderate — aligned with EDPB. Post-DPF acceptable; expects consent + Hungarian-language disclosure + TIA documentation for non-DPF transfers. No proactive cookie-banner sweeps as of 2026.

Cross-border transfers + Schrems II

NAIH posture on transfers is moderate — it followed the EDPB Schrems II coordinated action in 2022 but did not lead. Post-DPF (10 Jul 2023) NAIH accepts adequacy for DPF-certified US importers. For non-DPF transfers, NAIH expects EU 2021/914 SCCs + a documented Transfer Impact Assessment, but enforcement is reactive rather than proactive on this dimension.

EU 2021/914 SCCs are the standard fallback when DPF certification is absent. NAIH has not published a Hungarian-specific TIA template — controllers rely on EDPB Recommendations 01/2020 and joint EU DPA guidance.

Employee data

Key thresholds

  • Child consent age — 16 years
  • Article 27 representative — Required
  • Marketing consent — Double opt-in

Vendor signals

Red / yellow / green markers are an editorial reading of public regulator guidance and published enforcement actions, applied to vendor behavior we can observe or that the vendor documents. They are not legal conclusions, not endorsements, and not advice about your specific processing. Configuration changes the picture — a "yellow" vendor in one configuration may be defensible in another.

Analytics tools · 4 · 0 green · 3 yellow · 1 red
Vendor · Status · Rationale
 YELLOW Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation.
 YELLOW EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain.
 YELLOW EU cloud helps but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green.
 RED Auto-capture grabs every click and form value — broad PII risk under GDPR Art 5(1)(c) data minimization.
Consent management platforms · 5 · 5 green · 0 yellow · 0 red
Vendor · Status · Rationale
 GREEN Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent — verify your manual scripts also gate.
 GREEN Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan.
 GREEN Open-source, self-hosted. No managed updates — site owner maintains vendor list.
 GREEN GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch — verify per-region defaults.
 GREEN German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites.
Ad pixels · 3 · 0 green · 0 yellow · 3 red
Vendor · Status · Rationale
 RED Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set.
 RED Schrems II concerns persist; advanced matching hashes PII but does not fix EU→US transfer problem.
 RED PRC-parent ownership flagged by Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required.
Server-side · 3 · 2 green · 1 yellow · 0 red
Vendor · Status · Rationale
 GREEN EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic.
 GREEN EU server containers handle the routing — but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings.
 YELLOW "EU server" ≠ EU data — clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party-routing.
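The recurring caveat in the tables above (a CMP auto-blocks its own scripts but "verify your manual scripts also gate", and server-side tagging "does NOT auto-fix consent") comes down to one browser-side pattern: default every non-strictly-necessary category to denied under Eht. § 155(4) and hold tags in a queue until the user grants that category. The following is an added illustration, not code from this page or from any CMP vendor; `TagGate`, the category names and the tag names are hypothetical, and the consent-mode objects only mirror the key names Google documents for Consent Mode v2.

```javascript
// Added example: consent-gated tag loading for a Hungary-targeted site (not the page's code).
// Eht. § 155(4) makes every non-strictly-necessary storage/read on the terminal opt-in, so every
// category except "necessary" defaults to denied and tags wait in a queue until granted.
// TagGate, the category names and the tag names are hypothetical, not any CMP's or Google's API.
const CATEGORIES = ["necessary", "analytics", "marketing"];

// Consent Mode v2 defaults to send before any Google tag loads: only security storage granted.
function consentModeDefaults() {
  return { ad_storage: "denied", ad_user_data: "denied", ad_personalization: "denied",
           analytics_storage: "denied", functionality_storage: "denied", security_storage: "granted" };
}

class TagGate {
  constructor(loader) {
    this.loader = loader;   // injected for testability; a real site appends a <script> element here
    this.consent = { necessary: true, analytics: false, marketing: false };
    this.queue = [];        // tags waiting for their category to be granted
    this.loaded = [];       // tags actually fired, in order
  }
  register(tag) {           // tag = { name, category }; strictly-necessary tags fire immediately
    if (!CATEGORIES.includes(tag.category)) throw new Error(`unknown category: ${tag.category}`);
    if (this.consent[tag.category]) this.fire(tag); else this.queue.push(tag);
  }
  update(choices) {         // granular CMP choices, e.g. { analytics: true }; "necessary" is fixed
    for (const [cat, ok] of Object.entries(choices)) {
      if (cat !== "necessary" && CATEGORIES.includes(cat)) this.consent[cat] = Boolean(ok);
    }
    this.queue = this.queue.filter((tag) => {      // fire what is now granted, keep the rest waiting
      if (!this.consent[tag.category]) return true;
      this.fire(tag); return false;
    });
    return this.consentModeUpdate();
  }
  consentModeUpdate() {     // payload shape for gtag('consent', 'update', ...)
    const g = (v) => (v ? "granted" : "denied");
    return { analytics_storage: g(this.consent.analytics), ad_storage: g(this.consent.marketing),
             ad_user_data: g(this.consent.marketing), ad_personalization: g(this.consent.marketing) };
  }
  fire(tag) { this.loader(tag); this.loaded.push(tag); }
}

// Constructed demo: three tags registered at page load, then the user grants analytics only.
function demo() {
  const gate = new TagGate(() => {});
  [{ name: "session", category: "necessary" }, { name: "ga4", category: "analytics" },
   { name: "meta-pixel", category: "marketing" }].forEach((t) => gate.register(t));
  const before = gate.loaded.map((t) => t.name);            // only "session" fired pre-consent
  const mode = gate.update({ analytics: true });
  return { before, after: gate.loaded.map((t) => t.name), queued: gate.queue.map((t) => t.name), mode };
}
```

The audit you would run against a live page is the `before` list: anything other than a strictly-necessary tag appearing there, including a server-side container's own browser ping, is a pre-consent load regardless of which CMP is installed.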


Common questions

Is Google Analytics legal in Hungary in 2026?
Yes, conditionally. GA4 is usable in Hungary with prior, explicit, granular consent under Eht. § 155 (cookies) + GDPR Art 6/7 (subsequent processing). After EU-US DPF (10 Jul 2023), transfers to Google's US servers are lawful in principle while Google LLC remains DPF-certified. NAIH posture is moderate — aligned with EDPB but not a leading enforcer on analytics specifically. Hungarian-language privacy notice required.
Which DPA is competent in Hungary?
NAIH (Nemzeti Adatvédelmi és Információszabadság Hatóság) is the single national DPA — there are no state or regional sub-authorities. NAIH supervises all GDPR + Infotörvény processing in Hungary, handles freedom-of-information requests, and represents Hungary in the EDPB. Cross-border processors with multiple EU establishments use the GDPR One-Stop-Shop lead-DPA mechanism, with NAIH as concerned authority for Hungarian data subjects.
What is NAIH most active on?
AI systems and biometric processing. NAIH issued multiple 2024 decisions against employer biometric attendance systems (fingerprint, facial recognition) and against Clearview-style facial-recognition databases assembled from public-web scraping. NAIH also enforces on unencrypted personal-data exposures, fintech security, and missing Hungarian-language transparency disclosures. Recent decisions are published at naih.hu/hatarozatok.
What's the difference between Infotörvény and GDPR?
GDPR is the EU regulation; Infotörvény (Act CXII of 2011) is Hungary's national law that fills GDPR opening clauses, governs national-security/law-enforcement processing outside EU law, and establishes NAIH's powers. The 2018 amendment (Act XXXVIII of 2018) aligned Infotörvény with GDPR. Key Infotörvény-only rules: § 38 (NAIH fining authority — up to 20M HUF or GDPR ceilings), § 60 (NAIH administrative procedure / hatósági eljárás).
What is the child consent age in Hungary?
16 years. Hungary kept the GDPR Art 8 default of 16 (unlike Spain/Denmark/Sweden/UK at 13 or Austria at 14). Below 16, parental authorization is required for information-society services offered to a child. This affects analytics on services targeting minors — age-gating and parental-consent flows must be in place.
What language must my privacy notice be in?
Hungarian. NAIH consistently treats Hungarian-language privacy notices as required for Hungary-targeted sites — English-only or auto-translated notices are recurring deficiency findings (see 2025 retail-chain CCTV decision). The targeting test mirrors GDPR Art 3(2): Hungarian-language website, .hu domain, HUF/EUR pricing, Hungarian-language marketing. If you target Hungarian users, your notice must be in Hungarian.
Can I use biometric attendance systems for employees?
Generally no. NAIH has consistently struck down fingerprint and facial-recognition timekeeping as disproportionate under GDPR Art 9 + Munka Törvénykönyve § 11/A — even with employee consent, since consent is treated as non-voluntary in employment contexts. Less-intrusive alternatives (PIN, card, mobile app) are expected. The 2024 enforcement wave produced multiple fines against Hungarian employers.
Do I need an Article 27 representative for Hungary?
Yes if you are a non-EU controller offering goods/services to or monitoring behavior of people in Hungary (or any EEA state), unless the small-business exception in Art 27(2) applies. NAIH does not maintain a public register of representatives, but has cited non-designation in cross-border investigations. The representative must be established in an EU member state where some of the data subjects are.
Is double-opt-in required for email marketing in Hungary?
Yes, effectively. Reklámtörvény (Act XLVIII of 2008) § 6 requires prior, express, documented consent for direct marketing — and joint NAIH/Hungarian Competition Authority guidance treats double-opt-in (confirmation email after sign-up) as the de facto evidentiary standard for proving consent. GDPR legitimate interest does not cure a Reklámtv. breach. Single-opt-in with no confirmation has been challenged in NAIH proceedings.
Does Schrems II still affect transfers post-DPF?
Yes for non-DPF transfers. The DPF restored adequacy for DPF-certified US importers (upheld by the EU General Court in Sep 2025, T-553/23). For non-DPF US recipients, Schrems II logic still applies — a Transfer Impact Assessment plus supplementary measures are required. NAIH expects EU 2021/914 SCCs + a documented TIA for non-DPF transfers, but enforcement on this dimension is reactive — not a leading priority.

// EDITORIAL · NOT LEGAL ADVICE This page summarises Hungary's privacy framework as of 2026-05-05. Rules vary by sector, establishment, and DPA position. For binding interpretation, consult counsel admitted here.