CLVPartners

News

Uncertainty Surrounding U.S. Data Transfers: What to expect following the Trump v. Slaughter decision

The U.S. Supreme Court decision issued on 29 June 2026 (Trump v. Slaughter; hereinafter “Decision”) is likely to affect the legal assessment of international data transfers between the European Union and the United States and may mark a turning point in current practices in this area.

In its decision, the Supreme Court of the United States (“Supreme Court”), relying on the theory of a unified executive branch, concluded that all independent executive agencies operating in the United States are unconstitutional. The decision also directly affects the U.S. Federal Trade Commission (“FTC”).

This development is of particular significance from the perspective of European data protection law, as the current EU–US Data Privacy Framework (“Framework”), adopted by the European Commission’s (“Commission”) Implementing Decision No. 2023/1795, designates the FTC as the independent supervisory authority responsible for ensuring compliance with data protection rules.

In our newsletter, we provide an overview of the most important rules governing data transfer practices between the European Union and the United States, and we also review what changes companies need to prepare for as a result of the Decision.

The regulatory framework for data transfers to third countries under the GDPR and the legacy of the Schrems decisions

Under Regulation 2016/679 on the protection of personal data (“GDPR”), the transfer of personal data to a third country is, as a general rule, lawful only if that country ensures an adequate level of protection. A key consideration in assessing adequacy is whether the third country has an independent and effective data protection supervisory authority capable of effectively enforcing and ensuring compliance with data protection rules. In the absence of such an authority or if it functions inadequately, a system of safeguards comparable to that at the EU level cannot be ensured. For this reason, the Commission may adopt an adequacy decision regarding a third country only if the legal system of the country under review – including through such an independent supervisory authority – ensures an adequate level of protection for personal data.

In this context, it is also important to note that the legal framework governing data transfers from the European Union to the United States has long been fraught with uncertainty. In its decisions in the Schrems I and Schrems II cases, the Court of Justice of the European Union previously invalidated the Safe Harbor framework and, subsequently, the Privacy Shield framework governing data transfers between the EU and the U.S. The court justified its decision by stating that, due to the mass surveillance practices applied in the United States and the lack of effective legal remedies, data subjects are not guaranteed a level of protection in accordance with EU data protection rules.

Thereafter, the current Framework was introduced as a sort of “third-generation” data transfer adequacy decision, which designates the FTC as the independent supervisory authority with respect to the United States. However, as a result of the Decision, it has become unclear whether the conditions necessary for the FTC’s independence continue to be met.

Why is this relevant for EU data controllers?

In the past few decades, many EU companies have outsourced their data processing activities to U.S. cloud service providers. However, the GDPR clearly stipulates that companies may lawfully transfer personal data to a third country – including the United States – only if the transfer is based on appropriate safeguards and a legal basis.

One possible legal basis for data transfers is what are known as adequacy decisions. In the context of relations between the European Union and the United States, the Framework currently serves this function. In the absence of an adequacy decision, data transfers may only take place lawfully if the organization in question provides appropriate safeguards, such as the use of the Standard Contractual Clauses (“SCC”) adopted by the European Commission or the implementation of Binding Corporate Rules (“BCR”).

If it is concluded that the FTC no longer meets the independence requirements set forth in the Framework, it is likely that the Commission will review the Framework in the future and, if necessary, repeal it.

We emphasize that this development may not be limited to data transfers carried out under the Framework. Data controllers who use SCCs or BCRs may also be affected, as, in accordance with the principle of accountability under the GDPR, companies are required to assess, as part of a data transfer impact assessment, whether the laws of the third country ensure the necessary level of protection. If this assessment concludes that the U.S.’s legal system – particularly with regard to government access or remedy mechanisms – does not provide adequate safeguards, then the use of SCCs or BCRs alone is not sufficient to maintain the lawfulness of the data transfer, and therefore they cannot provide an adequate basis for data transfers to the United States.

Recommended steps

Based on the above, the current developments require increased caution from all data controllers involved in international data transfers to the United States. The decision does not require immediate direct action; rather, it calls for a review of internal processes and appropriate risk management:

a comprehensive review of internal procedures governing data transfers;

updating data transfer impact assessments;

assessing whether it is necessary to implement additional technical measures, including, for example, the use of encryption;

identifying alternative data processing solutions.

Summary

It can therefore be concluded that the adequacy of the Framework is not clear; however, the Framework itself remains in effect until the Commission repeals it or the Court of Justice of the European Union annuls it. Consequently, the Decision does not currently have a direct impact on EU data controllers. However, companies are advised to review their practices regarding data transfers to the United States and, if necessary, prepare to implement alternative solutions.

Photo source: pexels.com, Mark Stebnicki

Collective redundancies: a practical overview of the legal requirements

As we referred to in our previous article, if a certain number of employment relationships are terminated for reasons related to the employer’s operations, the special procedural rules governing collective redundancies must be applied. These provisions serve a dual purpose: on the one hand, to mitigate the adverse consequences for employees and make the process more predictable; on the other hand, to ensure that employment authorities are prepared to handle the increased number of job seekers.

In the second part of our series of articles on terminations based on reasons related to the employer’s operations, we examine the circumstances under which the rules governing collective redundancies apply, as well as the factors that must be considered when determining the number of employees affected.

Regulations governing collective redundancies and conditions for their implementation

The rules governing collective redundancies are set forth in Act I of 2012 on the Labour Code (“Labour Code”). The employer must apply these special procedural rules if the set of conditions specified in the Labour Code is met.

Accordingly, collective redundancy refers to a situation where an employer intends to terminate the employment of a number of employees specified by law, on a specific legal basis, within a thirty-day period. We will present these conditions below.

Legal basis to be taken into account:

Only those terminations of employment may be taken into account for the purposes of determining the applicability of the rules governing collective redundancies that are attributable to reasons related to the employer’s operations. Accordingly, terminations based on the employee’s conduct or ability, as well as terminations initiated by the employee, are not relevant in this context. It is important to note, however, that not only traditional employer-initiated terminations should be taken into account, but also any grounds for termination that are actually related to the employer’s operations. The following should therefore be considered as such:

termination by the employer based on its own operations;

termination by mutual agreement initiated by the employer;

termination of a fixed-term employment relationship by the employer without notice and justification;

as well as – until proven otherwise – a termination without notice communicated to the employee who qualifies as a pensioner or holds an executive position.

Duration:

With regard to collective redundancies, termination notices issued within the 30-day period or termination agreements concluded by mutual consent are relevant. It is important to emphasize that if an employer carries out successive terminations of employment in such a way that no more than 30 days elapse between them, the individual terminations may be linked, and measures taken over a longer period—in some cases spanning several months—must be counted together. As a result, the total number of terminations may reach the headcount threshold specified by law, thereby qualifying as a collective redundancy procedure.

It also follows from the above that the timing and scheduling of these measures are of paramount importance. Even if the notices of termination are formally communicated outside the same 30-day period, where they are substantively linked and connected from an economic and operational perspective, there is a risk that the competent authority or court, upon evaluating the proceedings – taking into account all the circumstances of the case – will deem this to be a circumvention of the relevant rules. In such circumstances, the question may arise whether the rules governing collective redundancies should nevertheless be applied (or should be reclassified).

Determining headcount:

Finally, the application of the rules governing collective redundancies depends on the number of employees the employer intends to terminate relative to its total workforce.

First and foremost, it should be noted that, according to the Labour Code, the number of employees must be determined based on the average statistical headcount over the six months preceding the decision on collective redundancies. For a precise calculation of this figure, the relevant methodological guidelines issued by the Hungarian Central Statistical Office (KSH) provide guidance.

The rules on collective redundancies must be applied mandatorily where the employer intends to terminate the employment of at least the following number of employees within a 30-day period:

in the case of an employment headcount between 21 and 99 employees, at least 10 employees;

in the case of an employment headcount between 100 and 299 employees, at least 10% of the employees;

in the case of an employment headcount of 300 or more employees, at least 30 employees.

An additional key consideration regarding the determination of headcount is that the Labour Code requires the combined headcount of branches operating within the same county or in the capital to be taken into account. This requirement to aggregate headcounts is intended to prevent employers from circumventing statutory thresholds by considering their branches within the same county as separate entities.

Fulfilment of conditions

Therefore, if all three of these conditions are met, the employer is required to comply with the specific notification, consultation, and other procedural obligations governing collective redundancies. We will address these obligations in the next section of our series of articles; however, we would like to note already at this point that, in the event of a violation of these rules, the courts may also rule that the terminations are unlawful.

Summary

We refer to collective redundancies when an employer intends to terminate the employment of a number of employees specified by law within a thirty-day period for reasons related to its operations. In such cases, the Labour Code prescribes specific notification and consultation obligations, and the terminations actually become effective as a result of a predetermined process lasting at least thirty days.

Photo source: pexels.com, Mike van Schoonderwalt

Hungary’s guest worker ban – What does the June 5 amendment mean for employers?

Introduction

The employment of foreign workers has become one of the most frequently raised economic and employment policy issues in Hungary’s election campaign. The Tisza Party has already indicated in its election programme that, if it comes to power, it would introduce a “guest worker ban” effective as of 1 June 2026, with the aim of limiting the influx of workers from third countries and providing greater protection for the Hungarian labour market.

As a result, the Government adopted Government Decree No. 92/2026 (VI. 5.) amending Government Decree No. 450/2024 (XII. 23.) on the employment of guest workers in Hungary (“Amendment”), which entered into force on 6 June 2026 and introduced significant changes to the regulation of guest worker employment in Hungary.

The measure is often referred to in the press as a “guest worker stop”, but the actual content of the Amendment is more nuanced than that. Below, we summarize exactly what changes the legislator has made, who is affected by the Amendment, and what options remain for employers.

Who qualifies as a guest worker, and who is affected by the current amendment?

First of all, it is important to clarify who qualifies as a guest worker and exactly whom the Amendment affects. Under the Act on the Entry and Residence of Third-Country Nationals (“Immigration Act”), the term “guest worker” is a collective term denoting a specific category of persons. Accordingly, a third-country national is classified as a guest worker if they hold a specific type of permit (permit for seasonal employment, permit for the purpose of employment, permit for the purpose of implementing an investment project, or permit for the purpose of guest working) for the purpose of long-term residence and employment in Hungary.

In other words, the guest worker residence permit is a specific type of permit designated in the Immigration Act. This permit was intended specifically for the employment of third-country workers of certain nationalities by specific employers (preferential employer or certified temporary work agency).

It therefore follows from the above that the terms “guest worker” and “guest worker permit” refer to two entirely different approaches and concepts, which have understandably caused a great deal of confusion in recent times. However, it is important to note at this point that the Amendment does not affect guest workers, but rather exclusively the category of guest worker residence permits, and does not generally eliminate the possibility of employing third-country workers in Hungary.

Guest worker ban – What does the Amendment entail?

The practical effect of the Amendment is that, as of 6 June 2026, it will no longer be possible to apply for a new guest worker residence permit.

However, the amendment did not permanently repeal the provisions governing guest worker residence permits. The government implemented the ban through a technical solution: it currently does not designate any third countries whose citizens would be eligible to apply for a guest worker residence permit in Hungary.

The Amendment, therefore, does not constitute a comprehensive ban on the employment of foreign workers, but rather eliminates the applicability of a specific type of permit. As a result, temporary work agencies and employers that have primarily employed third-country workers under this arrangement will face significant restrictions when bringing in new workers.

Transitional provisions

The legislator has introduced detailed transitional provisions to ensure that employees already working in Hungary and pending administrative procedures are not adversely affected overnight.

Employees who, on 5 June 2026, already hold a valid guest worker residence permit may continue to:

reside and work in Hungary in accordance with the terms of their existing permit; and

apply for the extension of their permit or, in certain cases, for its reissuance under the previously applicable rules.

Similarly, applications submitted on or before 5 June 2026, for which the relevant administrative fee has also been paid, will benefit from more favourable transitional treatment. Applications for the issuance or extension of a guest worker residence permit in such cases must continue to be assessed under the rules that were in force prior to the entry into force of the Amendment.

In practice, this means that the Amendment primarily affects new applicants, while the majority of existing permit holders and pending cases may continue to be administered under the previous regulatory framework.

Outlook and Alternative Options

While the Amendment introduces a significant change to the Hungarian labour market, it does not entirely eliminate the possibility of employing third-country nationals in Hungary.

First, it is important to note that the current changes do not affect other types of residence permits. Where an employer continues to have a need for foreign labour, it is advisable to assess on a case-by-case basis whether another legal basis may be available for the employee concerned, such as a residence permit for employment purposes, a Hungarian Card, or an EU Blue Card.

Particular attention should be paid to the fact that the legislation does not expressly exclude the use of temporary agency work arrangements. Accordingly, it may still be possible, at least in principle, to employ third-country nationals under a residence permit for employment purposes within a labour leasing structure. However, the official interpretation and enforcement practice of the authorities in this respect are not yet known. Therefore, a separate legal assessment is recommended before implementing such arrangements.

It should also be borne in mind that the legislator has indicated that further amendments may follow. As a result, the regulatory framework may continue to evolve in the coming months, requiring employers to monitor developments closely.

At present, the most important practical recommendation for employers is to carefully manage the status of their existing foreign workforce in Hungary, ensure that any necessary permit extensions are submitted in a timely manner, and explore the alternative immigration routes that may remain available.

Our firm continues to monitor developments closely and remains at our clients’ disposal to assist with any questions regarding the employment of foreign nationals in Hungary.

Photo source: pexels.com, Ammy Singh

The risk-based approach in practice: Prohibited AI systems in the EU

The European Union’s pioneering regulation, the Artificial Intelligence Regulation (“AI Act”), is not merely another administrative obligation for businesses, but the world’s first comprehensive legal framework that, in the context of the development and use of artificial intelligence, explicitly places the protection of fundamental rights and human dignity alongside – and, where appropriate, ahead of – technological progress. In a previous article in this series, we presented how, to this end, the AI Act applies the so-called risk-based approach; that is, rather than classifying the technology itself, it examines its specific use cases, categorizing AI systems into four different risk categories.

In the third part of our series, we use practical examples to illustrate the AI-based solutions that pose an unacceptable risk to fundamental rights and EU values and are therefore classified as prohibited AI systems under the AI Act.

General rules

First and foremost, it is important to note that the provisions regarding prohibited AI systems are among the rules that came into force on 2 February 2025. Accordingly, with a few exceptions, the placing on the market, putting into service, and use of prohibited AI systems are all prohibited within the EU.

Accordingly, the development and use of prohibited AI systems constitute a serious violation of the law, which may result in significant penalties. The fines imposed may amount to up to 7% of the company’s global annual turnover or 35 million euros.

List of prohibited AI systems

In the following, we present the prohibited areas specified in the AI Act, illustrated with practical examples:

Subliminal, deliberately manipulative, or deceptive techniques

The prohibition extends to the use of so-called subliminal stimuli, i.e., those that operate below the threshold of consciousness or circumvent it. The essence of these mechanisms is that they operate covertly, thereby bypassing the conscious processing and rational defence mechanisms of the person concerned. An example of such a technique is when an AI system inserts visual or textual elements that appear for an extremely brief moment during a video playback; these elements are formally perceptible but are visible for such a short time that they cannot be consciously perceived, yet they are still capable of influencing the user’s attitudes or behaviour.

Targeted manipulative techniques that seek to distort decision-making through the use of sensory or psychological methods also fall within the prohibited category. This category also includes systems that deliberately use background sounds or visual elements to induce emotional or mood changes, thereby influencing users’ decisions.

Similarly, deceptive techniques aimed at restricting an individual’s autonomy, free will, or freedom of choice in such a way that the person is unaware of the influence being exerted or is unable to adequately control its effects are also prohibited. An example of such a practice would be an AI-powered chatbot that uses a synthetic voice to impersonate another person, such as a family member or friend, thereby deceiving the user and enabling the deployer to obtain an undue advantage or cause harm.

AI systems exploiting vulnerabilities

AI systems that exploit the vulnerabilities of certain individuals or groups – such as those arising from age, disability, or social or economic situation – and are therefore particularly capable of enabling manipulative or exploitative practices are prohibited.

An example of such a system would be an AI system that targets elderly individuals with deceptive, personalized offers or fraudulent schemes, exploiting potential cognitive decline. The system aims to induce them to make decisions they would not otherwise make, and which are likely to result in significant financial harm.

Social scoring

The use of so-called social scoring systems is also prohibited, i.e. where an AI system evaluates the trustworthiness of individuals based on their social behavior or personal characteristics and assigns adverse consequences accordingly.

An example of this would be a private credit institution using an AI system to assess customers’ creditworthiness and determine eligibility for a mortgage loan based on personal characteristics that are not directly related to the purpose of assessing creditworthiness.

Individual risk assessment and prediction of criminal offenses

The AI Act prohibits AI systems that, based solely on profiling or the assessment of personality traits or individual characteristics, seek to assess or predict whether a natural person is likely to commit a criminal offence.

An example of this would be a public authority using a system that infers or predicts the risk of criminal behaviour – such as the commission of a terrorist act – based on characteristics such as age, nationality, address, type of vehicle, or marital status.

Establishment of facial recognition databases

The AI Act prohibits AI systems that create or expand facial recognition databases through the targeted but non-directed scraping of facial images from online sources or closed-circuit television (CCTV) footage.

Accordingly, it is prohibited, for example, for a company developing facial recognition software to use automated tools to collect facial images from social media platforms such as Facebook, YouTube, or other services. In such cases, the system searches for human faces among publicly available images on the internet and uses the collected material to build or expand a facial recognition database.

Emotion-recognition systems in the workplace and in schools

The AI Act prohibits AI systems from inferring the emotions of natural persons in workplace or educational contexts, except where such use is justified on medical or safety grounds.

For instance, an employer is not allowed to use technology that analyses facial expressions, body posture, or voice to infer employees’ emotional states, and to use such information for performance assessment or HR-related decisions.

AI systems used for biometric categorisation of individuals

The AI Act prohibits biometric categorisation systems that individually categorise natural persons based on their biometric data in order to infer or deduce their race or ethnic origin, political opinions, trade union membership, religious or philosophical beliefs, sex life, or sexual orientation.

For example, it is prohibited to deploy an AI system that categorises users of a social media platform based on biometric analysis of photographs uploaded to the platform, in order to infer their presumed political orientation and deliver targeted political messaging.

AI systems for real-time remote biometric identification in publicly accessible spaces for law enforcement purposes

As a general rule, the AI Act prohibits the use of real-time remote biometric identification systems in publicly accessible spaces for law enforcement purposes. These systems identify individuals remotely without their active participation by comparing their biometric data against a database. Real-time operation means that the comparison and identification occur either simultaneously with the capture of biometric data or with only minimal delay.

An example of such a system would be surveillance cameras installed in metro stations for security purposes, which are connected to systems capable of identifying suspects in real time based on a reference database.

The rationale for this prohibition lies primarily in the risk of technical inaccuracies, which may lead to false or distorted results and potentially discriminatory outcomes. In addition, such systems may significantly affect the privacy of the general population and create a perception of continuous surveillance.

However, the AI Act also provides for specific exceptions, for example in cases such as the search for missing persons, the identification of victims of kidnapping or human trafficking, or situations involving sexual exploitation, where the use of real-time biometric identification may be permitted under strictly limited conditions.

Summary

The risk-based approach of the AI Act establishes a clear and coherent framework for the regulation of artificial intelligence in the European Union. Its core principle is that the legislator does not assess the technology itself, but rather its specific use cases and societal impacts. As a result, AI systems that pose an unacceptable risk to fundamental rights and EU values are subject to a comprehensive prohibition.

Photo source: pexels.com, panumas nikhomkhai

Artificial Intelligence and Data Protection in Corporate Practice

The use of artificial intelligence (hereinafter also referred to as AI) is no longer merely a technological issue but is increasingly also a data protection and compliance challenge. Whether it is the analysis of customer data, automated customer service chatbots, tools used to provide and develop a company’s services and improve operational efficiency, or even tools used to enhance the efficiency of HR processes, AI systems provide a significant competitive advantage. Due to the processing of personal data, the rules of the General Data Protection Regulation (GDPR) remain applicable, while the European Union’s Regulation on Artificial Intelligence (AI Act) also introduces additional obligations. In this article, we provide an overview of the main data protection and AI Act-related considerations that should be taken into account in corporate AI use in order to ensure compliance.

The legal relevance of automation

In practice, one of the most important questions is what exact role the given AI system plays in the data processing workflow. The functioning of the applied technology and the way data is used fundamentally determine the legal classification of the AI system, as well as the data protection and compliance obligations of the company. From a data protection perspective, there is a significant distinction between automated data processing, profiling, and automated decision-making:

Automated data processing:

This is a technical process; data processing is considered automated where the collection, organisation, and retrieval of data take place without human intervention, by software (for example, a system automatically sorting incoming applications in alphabetical order, or categorising incoming customer requests or documents).

Profiling:

Under the GDPR, profiling means that the system does not merely organise data, but draws conclusions about, evaluates, or ranks data subjects. If the system, based on personal data, scores or filters individuals in any form according to certain personal characteristics – such as their financial situation, preferences, interests, reliability, or even abilities or suitability – this may qualify as profiling.

Automated decision-making:

This occurs where the process is not only technically automated, but the AI system itself makes the final decision without human intervention, and this decision produces legal effects concerning the individual or similarly significantly affects them. A typical example is when the software automatically rejects (excludes) an applicant from a process without human approval based on certain criteria.

In practice, these categories are often not separate processes. Even a simple technical automation can easily evolve into a process that raises issues of profiling or automated decision-making. Therefore, each AI-based process must be assessed individually based on data usage and the actual functioning of the system.

Data protection considerations

Where a company integrates AI technology into its internal processes or services provided to customers, the nature of the system’s operation must be assessed from a data protection perspective in order to classify the type of data processing. During this assessment, it must be determined whether profiling or automated processing takes place, and whether there are circumstances requiring a data protection impact assessment (DPIA).

According to the guidance of the National Authority for Data Protection and Freedom of Information (NAIH), the use of new technologies may in itself carry a high level of risk. However, a DPIA is particularly necessary where the processing involves the evaluation, scoring, or prediction of personal characteristics of natural persons; where automated decision-making results in exclusion or rejection without human intervention (e.g. during recruitment filtering); or where the technology is used for systematic, software-based monitoring of employee performance or productivity.

In addition, an appropriate legal basis for processing must be ensured, and in certain cases the consent of the data subject may be required. Furthermore, in line with the transparency principles of the GDPR and the AI Act, data subjects must be clearly and comprehensibly informed about the use of AI, its purpose, the basic logic of its operation, and their rights, including the right of access, erasure, objection, and the important right to request human review of decisions made by the system.

Based on our experience, the following are the most commonly used AI software programs applied by companies that involve the processing of personal data, which is why it is necessary to review the data processing documentation:

ChatGPT

Microsoft 365 Copilot

Google Gemini

Perplexity

Claude

Conclusion

The introduction of artificial intelligence is not merely an IT issue, but a complex legal and data protection compliance task. Since AI-based systems almost always involve the processing of personal data, it is advisable to address these issues already before the deployment of such systems, in light of GDPR requirements and regulatory expectations. Establishing transparent, secure, and legally compliant operation from the design phase onwards not only reduces legal risks, but also forms a fundamental basis for long-term business success and trust. If a company plans to implement or has already implemented an AI solution, it is necessary to review it from a data protection perspective and update the data protection documentation accordingly.

Photo source: pexels.com, Egor Komarov


The EDPS 2025 Annual Report: A New Era in Corporate Data Protection and Technological Compliance

Reading time: 6 minutes

The European Data Protection Supervisor (EDPS) has published its 2025 Annual Report (hereinafter: the “Report”), providing a detailed account of its activities to protect personal data in a rapidly changing digital world. The Report clearly signals that the European data protection and digital regulatory environment has entered a new phase: the focus is no longer merely on formal GDPR policies, but on the actual operational controls of AI systems, cloud services, and international data transfers. The investigations typically center on tools and processes that most organizations use on a daily basis: Microsoft 365, cloud infrastructure, generative AI solutions, mobile applications, and HR systems. In this article, we present the main findings of the Report and outline the key aspects and recommendations necessary for compliance.

AI Governance: A new dimension of compliance

One of the most important messages of the Report is that corporate control over artificial intelligence (AI governance) will shortly develop into a standalone, high-priority compliance area. Artificial intelligence is no longer an experimental technology; it has become an integral part of daily operations within EU institutions and an increasing number of organizations. In preparation, the EDPS has already taken the first major steps:

Established a dedicated AI unit: It has strengthened its newly created AI unit to prepare for supervisory duties under the EU Artificial Intelligence Act.

Mapped generative AI usage: It assessed the current AI ecosystem regarding prohibited practices and high-risk systems, and published a report highlighting the dominant areas of AI use and enforcement priorities.

Launched an AI regulatory sandbox program: Within the framework of a pilot project, it created a safe regulatory testing environment for developing and testing innovative AI systems under supervisory oversight.

Issued a new AI risk management guide for identifying and mitigating technical risks associated with the development and deployment of AI systems.

Regulatory focus is intensifying particularly in the following specific areas:

the corporate use of generative AI tools;

the compliance of off-the-shelf AI solutions;

the strict control of high-risk AI systems;

the legal relationship between AI and personal data;

the technical risk management of AI systems.

In a corporate environment, this means that the use of AI is no longer exclusively an IT or innovation issue, but a key legal, compliance, and data protection risk area. Therefore, organizations must prepare now to introduce, document, supervise, and use AI solutions in their daily operations in accordance with the requirements of the GDPR and the EU Artificial Intelligence Act.

Microsoft 365 and enterprise IT systems

In 2025, the EDPS further strengthened its oversight over large IT systems, including cloud services similar to Microsoft 365. The lesson from previous investigations is that compliance is not solely a contractual matter but requires an assessment covering the entire lifecycle of data processing.

The investigations focused on issues that are also critical for large enterprises:

international data transfers to third countries;

the transparency of complex sub-processing chains;

the control of access to data;

the existence of appropriate technical and organizational guarantees.

A key message of the Report is that a service agreement or a “GDPR-compliant” label alone is no longer sufficient. Supervisory practice increasingly examines actual operational controls, technical measures, and documented risk assessments. For this reason, it is definitely recommended to conduct a limited review of supplier contracts from a data protection perspective. In our view, it is sufficient to do this once and then incorporate a control into the process that ensures compliance in the event of changes, or that allows for periodic reviews and follow-up checks.

International data transfers

Data transfers to third countries remain a high-priority enforcement area. The EDPS emphasizes that appropriate contractual clauses are not sufficient on their own. In assessing compliance, an increasingly important role is played by the actual content of the Transfer Impact Assessment (TIA), the evaluation of the legal and practical environment of the third country, and the real-world operation of the applied technical and organizational measures. In modern cloud-based systems, according to data protection law, remote access also constitutes a data transfer. If a third-country IT engineer (e.g., from India or the United States) logs into a database stored in Europe for support or system maintenance purposes, the data legally leaves the EEA. These risks can only be meaningfully assessed by a TIA. This is particularly relevant in environments where global cloud infrastructures or centralized IT support operate. In practice, this means that companies should assess whether data transfers outside the EU occur due to the nature of the supplier’s operations or due to the processes required by the corporate group, and classify them accordingly.

The future of data protection will be technologically focused

Based on the EDPS Report, European data protection practice has definitively shifted in a technological direction. At the center of the supervisory focus stand the understandable and accountable operation of artificial intelligence, the continuous monitoring of cloud services, and the complete fusion of cybersecurity and data protection. Data protection compliance is thus no longer an isolated legal task, but a shared, daily responsibility of corporate management, procurement, digital transformation, and IT security.

The EDPS Report makes it clear that, in the coming years, organizations that recognize this paradigm shift and build a real, auditable technological governance system, rather than just a formal, paper-based GDPR compliance, will hold a clear competitive advantage.

Photo source: pexels.com, Jcmotive


Expected legislation on the horizon

Reading time: 4 minutes

The Government has submitted its legislative programme for the period extending until the end of 2026 to the Parliament, from which it is already becoming apparent which regulatory areas are expected to undergo significant changes in the near future.

The document contains a total of 83 proposals, the most important of which are summarised below.

Labour law proposals

Pay transparency

In the field of labour law, a particularly significant initiative is the draft legislation on pay transparency between men and women, which aims to transpose Directive (EU) 2023/970 of the European Parliament and of the Council of 10 May 2023 to strengthen the application of the principle of equal pay for equal work or work of equal value between men and women through pay transparency and enforcement mechanisms (“Pay Transparency Directive”) into national law. The proposed regulation is expected to impose substantial new obligations on employers, particularly in relation to the transparency of remuneration systems, the provision of information to employees, and regular data reporting requirements. The amendments aim to reduce the gender pay gap and to ensure more effective enforcement of the principle of equal pay for equal work. The adoption of the draft legislation is expected to take place in October 2026.

Platform-work

The transposition of the regulation of platform-based employment also serves to fulfil an EU legal harmonisation obligation, which aims to improve and make more predictable the working conditions of labour performed through digital platforms. Directive (EU) 2024/2831 on improving working conditions in platform work (“Platform Work Directive”) sets 2 December 2026 as the final deadline for transposition by Member States. In line with this, the Hungarian legislative process is expected to conclude earlier, as the adoption of the relevant national legislation is anticipated for October 2026.

Occupational safety and health

In the field of occupational safety and health, several forthcoming changes are also taking shape. The planned amendments related to the implementation of Regulation (EU) 2023/1230 of the European Parliament and of the Council on machinery and repealing Directive 2006/42/EC of the European Parliament and of the Council and Council Directive 73/361/EEC (“Machinery Regulation”), primarily aim to modernise the safety and health requirements applicable to machinery, with particular regard to the use of new technologies, including artificial intelligence.

Corporate law proposals

In the area of company law, amendments to Act V of 2006 on Public Company Information, Company Registration and Winding-up Proceedings (“Ctv.”) are expected. Among other things, the proposal would introduce shorter deadlines for registering changes and conducting proceedings at the court of registry and would extend the application of certain EU regulations to general partnerships and limited partnerships. The proposal would also simplify administrative procedures related to cross-border operations, for example by abolishing the apostille requirement within the European Union and introducing an EU company certificate.

In this context, a further bill is also expected to be submitted to postpone the entry into force of Act LIX of 2025 on the Register of Legal Entities, as well as Act LX of 2025 on certain court proceedings relating to legal entities and winding-up proceedings. The postponement is primarily justified by delays in the development and readiness of the IT systems required for the implementation of the new regulatory framework.

Commercial law proposal

In the area of commercial law, changes to regulations governing foreign direct investment are expected. The planned changes aim to enhance the competitiveness of the investment environment and make the regulatory framework more investor-friendly, with regard to the energy sector. In this context, restrictions on transactions affecting the ownership structure of strategically important companies operating solar power plants are also expected to be abolished.

Digital state-related proposal

In connection with the development of the digital state, a review and amendment of Act CIII of 2023 on the digital state and certain rules on the provision of digital services (“Dáptv.”) and the related implementing decrees is expected. The proposed amendments would introduce clarifications and improvements based on practical experience, with particular regard to the functioning of electronic administration and e-government services.

Review of acts relating to the administration of justice

Finally, several amendments to legislation affecting the operation of the judicial system are also expected, in particular Act XLI of 1991 on Notaries Public, Act XLIX of 1991 on Bankruptcy Proceedings and Liquidation Proceedings (“Cstv.”), and Act LIII of 1994 on Judicial Enforcement (“Vht.”). The purpose of these amendments is to implement the corrections necessitated by a review of the existing regulatory frameworks.

Summary

Our firm continuously monitors developments and submitted proposals, and where appropriate provides Clients with detailed updates on their content. Should you have any questions regarding the above, please do not hesitate to contact us.

Photo source: pexels.com, Efrem Efre 


What’s next for pay transparency? By dr. Anna Katalin Papp

Reading time: 8 minutes

If we open any HR portal, we will find a news article about pay transparency on nearly every homepage, which is hardly surprising. In my opinion, the 2023 directive requires a level of transparency from companies that is unprecedented in labour law and fundamentally reshapes the way companies and their employees communicate with one another, in my view for the better.

The topic itself is not new. In fact, the principle that men and women should receive equal pay for equal work was already set out in the 1957 Treaty of Rome establishing the European Economic Community. In Hungary, the Labour Code also contains numerous provisions aimed at preventing discrimination based on gender.

The real change in recent years is brought by Directive (EU) 2023/970 to strengthen the application of the principle of equal pay for equal work or work of equal value between men and women through pay transparency and enforcement mechanisms (“EUPTD”), which recognises that pay systems are not transparent and therefore employees are unable to enforce their claims. Accordingly, it imposes specific disclosure, information, and reporting obligations on employers.

The EUPTD is therefore a kind of enforcement directive, and to our knowledge, the Hungarian draft law already prepared by the ministry does not significantly expand or tighten these rules, as they are already quite detailed in themselves.

We are aware that some of our clients have been dealing with this topic at group level for quite some time, while others have started processing it independently due to a lack of background support or while waiting for Hungarian legislation. In many cases, we provide assistance in this area, but we also consider it important to summarise—briefly and in newsletter form—how this project should be approached.

Naturally, we have reviewed numerous service providers’ approaches and implementation models that may be viable, but our position is primarily based on the specific provisions of the EUPTD, guidance and working documents of EU expert bodies, as well as relevant case law of the Court of Justice of the European Union, which is binding on Member States. We do this because we believe this approach provides the highest level of legal certainty for companies aiming for compliance.

Key steps in the EUPTD compliance process for all companies from 7 June 2026:

Identification of individuals classified as employees and wage components

Although the concept of “employee” may seem straightforward at first, the EU definition is significantly broader than the Hungarian legal concept. Accordingly, any legal relationship falls under labour-law assessment in which a person: (i) for a certain period; (ii) under the direction of another person; (iii) performs work / provides services; and (iv) receives remuneration (wage) in return.

Accordingly, employers must proceed carefully, as among their contractual arrangements, freelancers, interns, cooperative workers, or agency workers may all fall within the scope of the EUPTD project, as well as board members.

It is also of key importance which remuneration elements the company includes in the assessment. Based on EU terminology and case law, not only base salary and bonuses, but also benefits in kind (e.g. company-provided additional leave, travel passes, personal use of company equipment, internal mobility opportunities), as well as group-level benefits (ESOP, MRP, VSOP systems) fall under the scope of the EUPTD.

Defining compensation components can provide a competitive advantage—for example during a recruitment process—but at the same time, it will be necessary to take a more holistic approach to the issue, as there have historically been significant differences between individual employees, and trade secrets and personal rights may also be compromised in the process.

Establishing or reviewing job and pay structures

Although the existence of a job structure is not a formally required obligation, in my view the compliance process cannot be completed without it. All reporting and disclosure obligations are based on the employer’s accountability regarding which employee performs what work (as defined in the task-definition section of the job description). At the same time, companies are expected to assess what skills, effort, responsibility, and working conditions are associated with each role.

Once the baseline data (employees, remuneration, and job roles) is available, it becomes possible to assess how objectively the pay structure has been established. The remuneration assigned to each role must therefore be evaluated: to what extent it is based on objective criteria, and whether any differences between identical roles can be justified. This base data will also form the foundation of the salary increase strategy, as employees will need to be informed about career advancement opportunities in the future.

For many companies, carrying out the above task is a challenge because it forces mid-level managers to confront the fact that the compensation of certain employees cannot be justified rationally, while other employees with long-term stable performance have not received appropriate salary increases or adjustments. While it will be easier to build such systems going forward, correcting existing discrepancies or identifying the reasons behind them is a process that requires more time and significant HR resources. The good news is that this task can be managed as a project, and EU guidance materials support companies in accelerating the process.

Companies that already have a pay structure in place should review their job roles and employee categories based on the EUPTD framework to prepare for their reporting obligations.

Administration, administration, administration

A key objective of the EUPTD is that employers must be accountable. Therefore, companies must establish information procedures in four directions:

towards job applicants

towards employees

in consultations with employee representatives

towards supervisory and regulatory authorities

Most of the detailed Hungarian regulations are expected in this regard, as defining specific deadlines, appointing the responsible authority, and specifying the sanctions applicable in the event of non-compliance typically fall within the competence of the national legislator.

Employers are required to present pay data derived from the aforementioned structure on a very broad scale, in each case including a percentage-based comparison of the gender pay gap.

As several misunderstandings and pieces of misinformation often arise in this regard, it is important to emphasize that the vast majority of the above tasks are mandatory only for companies of a certain size starting this June. The SME sector is granted relief in that the reporting to authorities and employee representatives will be introduced in stages, as follows:

250+ employees: from 7 June 2027, annually thereafter
150–249 employees: from 7 June 2027, every three years thereafter
100–149 employees: from 7 June 2031, every three years thereafter
1–99 employees: voluntary

General approach of the EUPTD

Based on our experience to date, the EUPTD implementation should not be viewed as a standalone, isolated project. It is equally important that the following aspects, without claiming to be exhaustive, be discussed and considered prior to implementation:

employee curiosity

new market players and services (new benchmarking opportunities, competency mapping, process management)

role of publicity

impact on market competition

transformation of internal procedures

opportunities offered by AI

specifics of executive compensation systems

I believe that for colleagues working in internal HR or legal departments, this will be an extremely exciting and professionally challenging period. Although implementing the EUPTD within a Hungarian organisation will certainly require significant time investment, its long-term effects (e.g. more efficient recruitment, standardisation and accountability of selection and evaluation criteria, transparent corporate HR culture) will ultimately be positive and supportive of everyday cooperation. We of course continue to support our clients throughout the process, as interpreting the detailed rules together and assessing related labour law (and broader legal) implications raises many practical questions for which it is worth preparing the correct answers in advance.

Photo source: pixabay, pexels.com


CLVPartners has achieved outstanding results in the 2026 guides of Chambers and Partners Europe© and Legal 500©

We are pleased to announce that Chambers and Partners© and Legal 500© have ranked our firm for the 13th consecutive year in 2026, and in multiple categories: we are one of the few firms in Hungary to have been recognized in the areas of labor law, commercial law, corporate law, and M&A, as well as data protection.

This year marks a particularly significant milestone for us, as we have moved up one category and achieved a higher band rating.

As a boutique law firm competing against the largest international firms with nearly 100 employees, this achievement is a significant recognition for us, one that reaffirms our professional commitment and our dedication to providing our clients with the highest level of service.

We are particularly pleased that our managing partner, Anna Papp, has also received individual recognition and was listed in the guide among Hungary’s notable practitioners in the field of labour law.

We would like to share some feedback that is particularly valuable to us, which our clients provided to the certification body:

“The law firm’s technical strength, practical mindset and outstanding client care make it genuinely distinctive within the employment law market.”

“The team is approachable, easy to reach and provides timely advice, even on short notice. Its ability to balance quick turnarounds with well-considered, practical guidance is a key strength.”

“The firm has particularly extensive experience in designing whistleblowing systems and managing data protection requirements for internal workplace investigations. This includes ensuring that the principle of ‘privacy by design’ is upheld even when investigating sensitive corporate matters or reports of harassment.”

“CLVPartners is always flexible, proactive, and solution-oriented. Their approach is holistic: beyond solving the immediate problem, they highlight areas we may not have considered but which are essential.”

“Anna Papp demonstrates flexibility, preparedness, extensive experience, precision and client focus. In addition to her comprehensive expertise, she also understands the practical side of things.”

“We can count on Anna Papp for all our questions. We don’t have a problem that she doesn’t have a suggestion for. Her professional knowledge and dedication are outstanding.”

“Barbara Seregély has extensive experience in cross-border mergers and acquisitions and corporate law.”

“Anikó Hrebenku delivers an excellent client experience, ensuring that each matter is handled by experts who provide consistent support.”

We would like to thank our clients for their trust and valuable feedback throughout the year. We remain committed to continuing to effectively support our clients’ day-to-day operations.

Photo source: pexels.com, Pixabay


Questions regarding the scope of the AI Act

Reading time: 5 minutes

On 12 June 2024, a new era began in the regulation of artificial intelligence (“AI”) with the adoption and publication of the European Union’s Artificial Intelligence Regulation (“AI Act”). The purpose of the legislation is to provide a framework for the safe, transparent, and responsible development and use of AI in the European Union. In order to properly interpret the obligations set out in the AI Act, it is first necessary to clarify exactly which organizations, activities, or technological solutions are covered by the regulation.

In the second part of our series of articles, we will therefore examine the most important rules relating to the scope of the AI Act in order to help our clients start preparing for compliance in advance and to identify whether they are developing or using AI systems in their operations that are subject to the provisions of the AI Act.

The most important rules relating to the scope of the AI Act

Subject of the AI Act

The AI Act essentially covers the regulation of AI systems. Accordingly, it is first important to identify what qualifies as an AI system.

According to the AI Act, an AI system is a machine-based system that is specifically designed to operate with varying levels of autonomy and to be capable of adapting after deployment. These systems analyze inputs for explicit or implicit purposes and generate outputs—such as predictions, content, recommendations, or decisions—that may have an impact on the physical or virtual environment.

What fundamentally distinguishes AI systems from traditional software solutions is their ability to learn from input data, draw conclusions based on that data, and create models. In contrast, simpler software systems based on classic programming approaches—including systems that perform automated operations based solely on predefined, human-set rules—do not have such learning or adaptation capabilities. As a result, these solutions are not considered AI systems and are therefore not covered by the relevant regulations.

Traditional software solutions include applications that operate entirely on predetermined rules and are incapable of independent learning or adaptation. These include traditional calculators, certain basic functions of Microsoft Excel, and performance evaluation software used for financial forecasting, which are only capable of processing historical data and drawing simple statistical conclusions.

It is also important to note that, as a general rule, the AI Act does not apply to certain specific areas. The scope of the regulation does not cover AI systems used for military, defence, or national security purposes, nor does it cover systems, models, and results created specifically for scientific research and development. In addition, the AI Act does not apply to natural persons who use AI systems solely for personal, non-professional purposes.

Territorial and personal scope

The scope of the AI Act is not limited to operators located within the European Union. The regulation applies to all AI systems that are placed on the market, put into service, or used within the internal market of the European Union. Accordingly, in certain cases, the regulation also applies to operators located outside the Union.

The regulation essentially covers all operators who come into contact with AI systems, from development to use. Accordingly, the scope of the AI Regulation may include, among others, developers, service providers, distributors, importers, installers, operators, and users of the systems.

Temporal scope

The provisions of the AI Act will enter into force in stages.

However, it is important to note that certain provisions of the AI Act are already in force. These include, among others, provisions on definitions, rules on AI systems that pose an unacceptable risk (i.e., prohibited AI systems), obligations governing general-purpose AI models, and provisions on AI literacy, regulatory oversight, and sanctions.

The requirement for so-called AI literacy has particular significance. Under this provision, organizations using AI systems are required to ensure that the persons managing or operating the system have an adequate level of knowledge about AI.

According to the current provisions of the AI Act, the majority of the provisions will become applicable on 2 August 2026. However, as part of the Digital Omnibus Package, the European Commission proposed in November 2025 that the application of certain rules be postponed by up to 18 months.

Further uncertainty regarding implementation arises from the fact that the Commission was supposed to publish guidance on the classification of high-risk AI systems by 2 February 2026. These guidelines are key to determining whether a given AI application is considered high-risk and, as a result, subject to stricter documentation, compliance, and oversight requirements. However, the guidelines have not yet been published. In addition, several Member States have encountered difficulties in designating the authorities responsible for implementing the regulation.

As a result, there is still considerable uncertainty regarding the entry into force and practical application of certain provisions.

Domestic regulation

Due to its legislative form, Hungarian regulation is essentially supplementary to EU rules. Accordingly, Act LXXV of 2025 on the implementation of the European Union’s Artificial Intelligence Act in Hungary (“Hungarian AI Act”) applies only to matters, organizations, and AI systems that affect Hungary or its territory.

In terms of temporal scope, the AI Act is generally applicable from December 2025, with the exception of the provision on the regulatory sandbox, which will enter into force on 2 August 2026.

Summary

The AI Act regulates systems that can learn from input data, draw conclusions, or generate outputs autonomously, while traditional software that operates solely according to predefined rules is not covered by its scope. The territorial scope of the AI Act is broad, as it applies not only to entities established in the EU, but also to those who place AI systems on the EU market or use their outputs in the EU. The regulation covers all relevant actors, from the development to the use of the system. Although the rules of the AI Act become applicable in stages, several key provisions are already in force, but the lack of guidelines and institutional conditions for implementation is currently causing uncertainty in practical application.

Photo source: pexels.com, Tara Winstead

