CLVPartners


Data and Information Security: The Relationship Between GDPR and NIS2

Reading time: 6 minutes

With digitalization and data-driven decision-making, the volume of sensitive information has grown, and so has the associated cyber risk. A regulatory framework was needed to set expectations and allocate responsibilities in this technological environment. In the EU it rests on two main pillars: Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 (the general EU cybersecurity directive, hereinafter the "NIS2 Directive"), implemented in Hungary by Act LXIX of 2024 on Cybersecurity (the "Cybersecurity Act"), and Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (the "GDPR"), which governs data protection.

The NIS2 Directive, the national cybersecurity rules that implement it, and the GDPR take different perspectives, but in practice they cover overlapping ground, above all electronic information systems that process personal data. Aligning the requirements of the two frameworks is therefore essential for the lawful and secure operation of the affected organizations. This article outlines how the NIS2 Directive and the national rules relate to the GDPR: where they overlap, where they conflict, and how the conflicts are resolved in practice.

Scope of NIS2 and GDPR: Dual obligations

The GDPR applies to every organization that processes personal data, as a controller (it determines the purposes and means of processing, alone or jointly with others) or as a processor acting on a controller's behalf. The scope of NIS2 is determined by a more complex set of criteria combining the entity's activities, size, and turnover. An entity that falls under both must comply with both sets of rules at the same time. For example, a medium-sized or large company in the manufacturing sector may be subject to the cybersecurity rules on account of its activities and size, and in the course of its business it typically processes at least employee and supplier data as a controller, so both the GDPR and NIS2 apply to it.

In practice, electronic information systems often process personal data: HR systems and customer databases are obvious examples. When an incident occurs, both the GDPR and NIS2 impose obligations. A personal data breach (the GDPR's term for what Hungarian law calls a data protection incident) is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, whereas a cybersecurity incident is an event that compromises the availability, integrity, or confidentiality of data stored, transmitted, or processed in an electronic information system, or of the services provided or accessible through such a system. A cybersecurity incident that involves personal data (data loss or leakage following a phishing e-mail or a ransomware attack, for instance) is therefore at the same time a personal data breach. Incident handling must then satisfy both regimes, and the competent authorities must be notified whenever the respective conditions are met. It is advisable to lay down a single internal procedure that covers the obligations of both frameworks.

Correct classification matters because the two kinds of incident carry different notification duties, content requirements, and deadlines. For a personal data breach, the organization must first assess whether the event is likely to result in a risk to the rights and freedoms of natural persons. If it is, the breach must be notified to the National Authority for Data Protection and Freedom of Information (NAIH) without undue delay and, where feasible, within 72 hours of the organization becoming aware of it; if the risk is high, the affected individuals must be informed as well. A breach that is unlikely to result in such a risk need not be notified, but it must still be documented internally. A significant cybersecurity incident follows a different schedule: an early warning within 24 hours of becoming aware of it, based on the information then available; a detailed incident notification within 72 hours; and, once the investigation is complete, a final report to the national cybersecurity incident handling center within 30 days. Because the GDPR and the cybersecurity rules define incidents and the attached duties differently, an event may qualify as a reportable cybersecurity incident without being a notifiable personal data breach, and the reverse also occurs: a misdirected e-mail containing an employee's payslip may be a notifiable breach while disrupting no service at all.

The practical significance of dual compliance can be illustrated with a medium-sized or large company engaged in "other machinery manufacturing", an activity within the scope of the NIS2 Directive. If an attacker gains unauthorized access to a server holding employees' personal data, the event must be assessed not only as a personal data breach but also under the Cybersecurity Act. Under the Act, a threat, near miss, or actual incident (including an operational cybersecurity incident) that causes severe disruption or financial loss to the organization, or significant material or immaterial harm to others, must be reported to the competent cybersecurity incident handling center without undue delay and no later than 24 hours after becoming aware of it. The example shows that the two legal frameworks apply simultaneously and that incident handling has to be designed with both in mind.
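The dual classification and deadline logic described above, written out as an added example that is not part of the original article. The record layout, the field names, and the three constructed incidents are assumptions of the example; the deadlines follow the article's figures, and the 30 days for the final report are counted from the 72-hour notification, which is the reference point NIS2 Article 23(4)(d) uses.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional


class DataSubjectRisk(Enum):
    """Outcome of the GDPR risk assessment for the affected individuals."""
    NONE = "no risk"        # document internally only (Art. 33(5))
    LIKELY = "risk likely"  # notify the supervisory authority (Art. 33)
    HIGH = "high risk"      # also communicate to the data subjects (Art. 34)


@dataclass
class Incident:
    """Facts the incident handler has established; field names are this example's own."""
    ref: str
    aware_at: datetime              # moment the organisation became aware of the event
    personal_data_affected: bool    # personal data destroyed, lost, altered, disclosed or accessed
    data_subject_risk: DataSubjectRisk
    significant: bool               # severe disruption/financial loss, or significant harm to others


@dataclass
class Obligation:
    regime: str              # "GDPR" or "NIS2"
    action: str
    due: Optional[datetime]  # None = "without undue delay" or internal record, no fixed clock


def notification_plan(inc: Incident) -> List[Obligation]:
    """Derive the obligations of both regimes from one incident record."""
    plan: List[Obligation] = []
    t0 = inc.aware_at

    # GDPR track: every personal data breach is documented; reporting depends on the risk.
    if inc.personal_data_affected:
        plan.append(Obligation("GDPR", "document the breach in the internal breach register", None))
        if inc.data_subject_risk is not DataSubjectRisk.NONE:
            plan.append(Obligation("GDPR", "notify NAIH of the breach", t0 + timedelta(hours=72)))
        if inc.data_subject_risk is DataSubjectRisk.HIGH:
            plan.append(Obligation("GDPR", "communicate the breach to the affected data subjects", None))

    # NIS2 track: only a significant incident starts the staged reporting clock.
    if inc.significant:
        early = t0 + timedelta(hours=24)
        detailed = t0 + timedelta(hours=72)
        plan.append(Obligation("NIS2", "early warning to the incident handling centre", early))
        plan.append(Obligation("NIS2", "incident notification with initial assessment", detailed))
        # The article gives 30 days for the final report; counted here from the 72-hour
        # notification, the reference point NIS2 Article 23(4)(d) uses.
        plan.append(Obligation("NIS2", "final report after the investigation", detailed + timedelta(days=30)))
    return plan


def next_due(plan: List[Obligation]) -> Optional[Obligation]:
    """Earliest hard deadline, or None if nothing in the plan has a fixed clock."""
    dated = [o for o in plan if o.due is not None]
    return min(dated, key=lambda o: o.due) if dated else None


if __name__ == "__main__":
    aware = datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc)
    cases = [
        # ransomware on the HR server: personal data breach and significant incident at once
        Incident("INC-001", aware, True, DataSubjectRisk.HIGH, True),
        # DDoS on the order portal: service disruption, no personal data touched
        Incident("INC-002", aware, False, DataSubjectRisk.NONE, True),
        # one misdirected e-mail with an employee's payslip: breach, but no disruption
        Incident("INC-003", aware, True, DataSubjectRisk.LIKELY, False),
    ]
    for inc in cases:
        plan = notification_plan(inc)
        print(inc.ref)
        for o in plan:
            print(f"  [{o.regime}] {o.action}: {o.due.isoformat() if o.due else 'without undue delay'}")
        nd = next_due(plan)
        print("  next hard deadline:", nd.action if nd else "none")
```

The three constructed cases cover the combinations the text describes: an incident that triggers both tracks, a pure cybersecurity incident with no GDPR notification, and a personal data breach that is not a significant cybersecurity incident. Feeding every incident through one function of this kind is the simplest way to make the single internal procedure the article recommends mechanical rather than a matter of memory.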

Aligning processes at the documentation and operational levels

An organization that falls under both the GDPR and the cybersecurity rules must align the documentation and operational processes the two frameworks require. The GDPR expects the organization to maintain data protection policies, keep records of its processing activities, provide a privacy notice to data subjects, and, where processing is likely to result in a high risk, carry out a data protection impact assessment. The cybersecurity rules likewise require an information security policy. Both frameworks also require documented incident management processes and awareness training for the staff concerned.

Responsibility for complying with NIS2 and the GDPR lies with the organization's management, while the data protection officer and the person responsible for the security of electronic information systems play the key operational roles. To avoid parallel, isolated processes, the information security and data protection functions need to work together day to day. This alignment is not merely administrative: both areas deal with the same information systems, data flows, and risks, even if they look at them from different angles. A unified, coherent design of processes avoids duplicated work, reduces the risk of error, and satisfies the cybersecurity and data protection requirements together. Incident management in particular should be designed so that any event is handled in a way that discharges the obligations of both frameworks. Besides being resource-efficient, this strengthens legal compliance, system security, and the trust of clients, partners, and employees.

NIS2 and the GDPR serve different purposes and look at the same events differently. The GDPR's primary objective is to protect the rights and freedoms of natural persons; NIS2 aims to strengthen the security of information systems, safeguard service continuity, and increase resilience against cyber threats. The two frameworks therefore pull in different directions on some points: the GDPR emphasizes data minimization, purpose limitation, and storage limitation, while NIS2 expressly requires detailed logging, continuous monitoring, and retention of log files. NIS2 compliance thus often means storing large volumes of logs that contain personal data (user names, IP addresses, session and device identifiers), and that data must be handled with care from a data protection perspective: a defined retention period, restricted access, and pseudonymization where the security purpose allows it.

Apparent conflicts between the two regimes can be resolved through a coordinated approach. One key step is to integrate the information security risk assessment with the GDPR data protection impact assessment, since both examine the same systems, data flows, and risk factors, each from its own perspective. Equally important is to draft internal policies that satisfy the mandatory cybersecurity measures and the GDPR provisions at the same time, for example by setting log retention periods that meet the security need and are no longer than that need justifies.
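One way to keep the logs NIS2 requires while honouring data minimization and storage limitation, as an added example that is not part of the original article: identifiers in the log lines are replaced by keyed pseudonyms (HMAC-SHA256) so that correlation still works, the detection logic runs unchanged on the pseudonymised lines, re-identification for incident response needs the key plus a candidate identifier rather than a stored mapping table, and expired lines are pruned. The log format, the sample lines, the key-per-retention-window scheme, and the function names are constructed for the example. Pseudonymised logs remain personal data under the GDPR (Recital 26); the measure reduces risk, it does not take the logs out of scope.

```python
import hashlib
import hmac
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample authentication log lines (not real data); the line format is this example's own.
SAMPLE_LOG: List[str] = """\
2025-03-03T09:00:01Z auth-fail user=j.kovacs@example.com src=203.0.113.7
2025-03-03T09:00:09Z auth-fail user=j.kovacs@example.com src=203.0.113.7
2025-03-03T09:00:15Z auth-fail user=j.kovacs@example.com src=203.0.113.7
2025-03-03T09:01:02Z auth-ok user=a.nagy@example.com src=198.51.100.20
2025-01-10T08:00:00Z auth-ok user=j.kovacs@example.com src=203.0.113.7
""".splitlines()

FIELD_RE = re.compile(r"\b(user|src)=(\S+)")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _tag(field: str, value: str, key: bytes) -> str:
    """Keyed, truncated pseudonym; the field name is mixed in so a user and an IP never collide."""
    return "p:" + hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(lines: List[str], key: bytes) -> List[str]:
    """Replace user and source-address values with pseudonyms. The same identifier maps to the
    same pseudonym under the same key, so correlation across lines still works; without the
    key the pseudonym cannot be reversed. Assumed scheme: one key per retention window, stored
    apart from the logs and destroyed when the window closes."""
    return [FIELD_RE.sub(lambda m: f"{m.group(1)}={_tag(m.group(1), m.group(2), key)}", line)
            for line in lines]


def auth_failures_per_user(lines: List[str]) -> Dict[str, int]:
    """Detection rule (failed logins per account) that runs unchanged on plaintext or pseudonymised lines."""
    counts: Counter = Counter()
    for line in lines:
        if " auth-fail " in line:
            m = re.search(r"\buser=(\S+)", line)
            if m:
                counts[m.group(1)] += 1
    return dict(counts)


def reidentify(pseudonym: str, field: str, candidates: List[str], key: bytes) -> Optional[str]:
    """Incident-response lookup: with the key, recompute the tag for each known identifier
    (e.g. from the account directory) instead of keeping a plaintext mapping table next to the logs."""
    for value in candidates:
        if hmac.compare_digest(_tag(field, value, key), pseudonym):
            return value
    return None


def prune_expired(lines: List[str], now: datetime, retention: timedelta) -> List[str]:
    """Storage limitation: drop lines older than the agreed retention period."""
    cutoff = now - retention
    kept = []
    for line in lines:
        ts = datetime.strptime(line.split(" ", 1)[0], TS_FMT).replace(tzinfo=timezone.utc)
        if ts >= cutoff:
            kept.append(line)
    return kept


if __name__ == "__main__":
    import secrets
    key = secrets.token_bytes(32)  # per retention window in production; fresh random key for the demo
    stored = pseudonymise(SAMPLE_LOG, key)
    for line in stored:
        print(line)
    failures = auth_failures_per_user(stored)
    print("failed logins per account:", failures)
    worst = max(failures, key=failures.get)
    directory = ["a.nagy@example.com", "j.kovacs@example.com"]   # constructed account directory
    print("account behind the failures:", reidentify(worst, "user", directory, key))
    now = datetime(2025, 3, 4, tzinfo=timezone.utc)
    print("lines kept after 30-day pruning:", len(prune_expired(stored, now, timedelta(days=30))))
```

Two design points are worth noting. Truncating the HMAC to 64 bits is enough to avoid accidental collisions in a log store of realistic size while keeping lines short; it does not weaken the keyed construction, because an attacker without the key still has to guess identifiers rather than invert a hash. And because re-identification is recomputation rather than a table lookup, deleting a window's key after its retention period ends is what finally severs the link between old log lines and real people.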

Both NIS2 and GDPR require that organizations properly train all personnel who have access to information systems or process personal data. Therefore, it is advisable to align the strategic planning and content of training programs, considering risk assessment results, previous incidents, regulatory changes, and the professional opinions of the organization’s security experts. True alignment between the two regulatory areas is important not only for legal compliance but also for operational security, risk reduction, and maintaining internal and external trust.

Conclusion

GDPR and the NIS2 Directive serve different purposes but converge on many points regarding information security requirements. Dual compliance therefore requires careful alignment: interpreting the regulations consistently and integrating related procedures can ensure that an organization meets the expectations of both frameworks simultaneously. Coherent revision of professional documentation and operational processes, coordination of internal responsibilities, and alignment of regular training and audits facilitate achieving both GDPR data protection and NIS2 cybersecurity goals. Compliance with these requirements strengthens the organization’s information security and data protection resilience, meeting the relevant EU and national legal obligations.



Online presence in the shadow of GDPR – rules for consent-based data processing

Reading time: 5 minutes

To remain competitive, a company's online presence is no longer merely an advantage but a basic requirement. Websites and newsletters make it easier to communicate with customers and let the addressees learn about the latest services and offers first hand. At the same time, these channels usually involve the processing of personal data, which is governed by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the "General Data Protection Regulation" or "GDPR"). Data processing for marketing purposes therefore generally requires the express consent of the data subjects, given in strict compliance with the requirements of the GDPR. This article summarizes the most important rules on consent-based processing.

When to apply GDPR?

As the National Authority for Data Protection and Freedom of Information ("NAIH") explains in its guidance on website privacy settings and cookies, processing the personal data of natural persons who act on behalf of a company (its employees, for example) or who are private individual clients falls within the scope of the GDPR. Collecting, recording, storing, and using a customer's name, phone number, address, e-mail address, or bank account number is all processing. Conversely, a company that processes data relating exclusively to legal persons does not fall within the scope of the GDPR and need not comply with it. In practice, however, communicating with a legal person almost always requires the contact details of its representatives or contact persons (name, personal e-mail address, position), and processing those is processing personal data.

The same holds for newsletter subscriptions, targeted requests (such as a call-back request), and tools that support the effective operation of a website, such as cookies or visitor analytics: each requires the company to process natural persons' data, so each falls within the scope of the GDPR.

Consent as a possible legal basis for processing personal data

The fundamental rule of data processing is that, in the absence of a valid legal basis, processing personal data is not considered to be lawful. One of the legal bases for data processing – most commonly required for data processing for marketing purposes – is the consent of the data subject.

Conditions for consent

Under the GDPR, consent is valid if it is freely given, specific, informed, and unambiguous, and it must indicate that the data subject agrees to the processing of his or her personal data.

Freely given

Consent is freely given only if the individual can refuse or withdraw it without external pressure or negative consequences. It is therefore not voluntary if the data subject has no real choice, feels compelled to consent, or would suffer a detriment from the controller for refusing. The European Data Protection Board ("EDPB") confirmed this in its recent opinion on so-called "consent or pay" models, in which the data subject is offered a choice between consenting to the processing of his or her personal data and paying a fee to prevent it; in the EDPB's view, such models, as operated by large online platforms, will in most cases not meet the requirement of freely given consent.

The voluntary nature of consent also implies that the data subject has the right to withdraw the consent at any time.

Specific and appropriate information

For consent to be valid, the purpose of the processing must also be specific. This condition is closely linked to the requirement that consent be informed: individuals must be told the specific purposes in plain, easily understandable language so that they know exactly what their data will be used for. It follows that if the purposes change, or further processing operations are added, consent must be obtained again, and that if a processing operation serves several purposes, separate consent must be obtained for each of them. The information given must also make clear that consent may be withdrawn at any time.

Unambiguous consent

Under the GDPR, consent is unambiguous only if it is expressed by a statement or by a clear affirmative action; in other words, consent can only be given actively. The EDPB considers that blanket acceptance of general terms and conditions is not an unambiguous affirmative act. Pre-ticked boxes, silence, and other opt-out mechanisms that require the data subject to act in order to prevent consent from being given do not constitute consent either.

Duration and demonstration of consent

The General Data Protection Regulation does not provide for any limitation on the duration of consent. However, this does not mean that personal data can be processed indefinitely with the consent of the data subject. The duration of consent depends in each case on the context of the data processing in question. In order to determine the duration correctly, it is therefore necessary to assess the circumstances of the data processing.

Furthermore, the GDPR stipulates that during data processing, the data controller must always be able to adequately demonstrate the existence of the consent.
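A minimal consent ledger implementing the conditions from the last few sections (an affirmative act, no pre-ticked boxes, one consent per purpose, withdrawal at any time, and the controller's duty to demonstrate consent), added here as an example that is not part of the original article. The class and field names and the checkbox model are the example's own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class CheckboxSubmission:
    """What the sign-up form handler receives for one consent checkbox (example's own model)."""
    default_checked: bool   # how the box was rendered to the user
    checked: bool           # its state when the form was submitted


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                      # exactly one purpose per record
    given_at: datetime
    notice_version: str               # version of the privacy notice shown at the time
    evidence: str                     # how the affirmative act was captured
    withdrawn_at: Optional[datetime] = None


def rejection_reason(box: CheckboxSubmission) -> Optional[str]:
    """Why a submitted checkbox cannot count as consent, or None if it can."""
    if box.default_checked:
        return "pre-ticked box: an opt-out design is not an affirmative act"
    if not box.checked:
        return "box left unticked: no statement or affirmative action"
    return None


class ConsentLedger:
    """Append-only register of per-purpose consents; names are this example's own."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record(self, subject_id: str, purpose: str, box: CheckboxSubmission,
               at: datetime, notice_version: str, evidence: str) -> ConsentRecord:
        reason = rejection_reason(box)
        if reason is not None:
            raise ValueError(reason)
        rec = ConsentRecord(subject_id, purpose, at, notice_version, evidence)
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: str, at: datetime) -> int:
        """Withdrawal must be possible at any time; returns how many active consents it closed."""
        closed = 0
        for rec in self._records:
            if rec.subject_id == subject_id and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = at
                closed += 1
        return closed

    def may_process(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """Point-in-time check: consent for one purpose never covers another, and processing
        that took place before a withdrawal remains lawful."""
        return any(
            rec.subject_id == subject_id and rec.purpose == purpose
            and rec.given_at <= at and (rec.withdrawn_at is None or at < rec.withdrawn_at)
            for rec in self._records
        )

    def evidence_for(self, subject_id: str, purpose: str) -> List[ConsentRecord]:
        """What the controller produces when asked to demonstrate that consent was given."""
        return [r for r in self._records if r.subject_id == subject_id and r.purpose == purpose]


if __name__ == "__main__":
    ledger = ConsentLedger()
    t_signup = datetime(2025, 3, 3, 10, 0, tzinfo=timezone.utc)
    t_withdraw = datetime(2025, 4, 1, 12, 0, tzinfo=timezone.utc)
    ledger.record("subject-42", "newsletter", CheckboxSubmission(default_checked=False, checked=True),
                  t_signup, "privacy-notice-v3", "ticked 'send me the newsletter' on the sign-up form")
    print("newsletter allowed:", ledger.may_process("subject-42", "newsletter", t_signup))   # True
    print("profiling allowed:", ledger.may_process("subject-42", "profiling", t_signup))     # False
    print("pre-ticked box rejected:", rejection_reason(CheckboxSubmission(default_checked=True, checked=True)))
    ledger.withdraw("subject-42", "newsletter", t_withdraw)
    print("newsletter allowed after withdrawal:", ledger.may_process("subject-42", "newsletter", t_withdraw))  # False
    print("evidence on file:", ledger.evidence_for("subject-42", "newsletter"))
```

Recording the notice version and the concrete evidence string alongside each consent is what makes the register usable when the authority asks the controller to demonstrate consent: the controller can show not only that a box was ticked but what the person was told at the time. Keeping the store append-only (withdrawal closes a record rather than deleting it) preserves that history for processing that lawfully took place before the withdrawal.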

Without claiming to be exhaustive, we note that the GDPR lays down additional conditions for the consent of children and for special categories of data.

Summary

The online presence of companies—for example, through websites and newsletters—is essential to maintaining competitiveness, but it can also involve the processing of personal data, which falls under the scope of the GDPR. Personal data may only be processed on an appropriate legal basis, the existence of which is essential in all cases. When developing and enhancing their marketing strategies, it is crucial for companies to simultaneously establish and review their data processing frameworks to ensure that their data processing activities comply with the GDPR.



Data Subject Rights and the Importance of Consent in Online Content Creation

Reading time: 4 minutes

With the development of digital platforms, anyone can become a content creator: a smartphone, a good idea, and a few clicks are enough for a message, video, or picture to reach thousands of people. Online presence brings not only creative opportunities but also legal responsibility and risk. Sharing content such as posts or videos, especially when identifiable persons appear in it, involves the processing of personal data.

General applicability of the GDPR

The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”), on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, serves a dual purpose: it ensures the protection of individuals’ personal data while also providing a framework for the free flow of such data within the European Union. The GDPR sets out in detail the rights of data subjects and the obligations of data controllers.

The GDPR does not apply in certain exceptional cases, one of which is processing carried out by a natural person exclusively for personal or household purposes. Examples include private correspondence on paper or by electronic means, keeping addresses or contact details, personal notes and diaries, family photographs, communication on social networks, and similar online activities. The exception must be interpreted narrowly: processing falls outside the GDPR only if it serves a purely private purpose, with no community, professional, or economic dimension. If the data can be reached by an indefinite number of persons or is made public, the activity no longer qualifies as private. A business entity can never rely on the personal or household exception. The publication of any online content containing personal data (photographs, audio recordings, or other information), whether it concerns employees or any other natural person, therefore calls for appropriate legal diligence in every case.

Data processing related to online content creation

Digital platforms widely enable users to create and share photos, videos, or audio recordings – even of other people. The question may arise whether data protection rules apply in such cases. Since uploaded recordings – including images, voices, or other identifiable information – constitute personal data and are made accessible to the public, their processing falls under the GDPR.

One of the fundamental principles of data protection is that any processing of personal data must be based on a valid legal basis. When a data controller undertakes any activity involving the processing of personal data, it must carefully assess which legal basis best suits the intended purpose. In the context of content creation, data processing most commonly relies on the data subject’s consent.

Obtaining consent is crucial, as recording or publishing someone else’s image or voice is only lawful if the data subject has given explicit, informed, and prior consent. Simply tolerating the presence of a camera or answering a question does not constitute valid consent. This demonstrates how strictly the GDPR defines the requirement of a lawful basis: unlike the Hungarian Civil Code (“Civil Code”), which allows certain exceptions for public figures or mass recordings, the GDPR does not provide such derogations. This highlights the coexistence of parallel legal frameworks – compliance with the Civil Code does not necessarily mean compliance with data protection law, thus each legal regime has distinct requirements for lawful conduct.

Consequences of Non-Compliance

Publishing content online without a valid legal basis – such as consent – constitutes a violation of data protection rules. Unlawful data processing can have serious consequences, including regulatory procedures and administrative fines. If a recording is made or published without permission and results in significant harm to an individual’s interests, the act may not only be unlawful under data protection law but could also amount to a criminal offence or establish a claim for non-pecuniary damages under the Civil Code, depending on the circumstances. Liability always lies with the person who created or published the recording.

Particularly high-risk situations include cases involving children, healthcare settings, political opinions, or other sensitive personal data. If such content is shared without the data subject’s knowledge or consent, it does not qualify as private activity and is considered full-fledged data processing under the GDPR. In such cases, data subjects have the right to request information, withdraw consent, demand deletion of recordings, and pursue legal remedies.

Summary

Presence in the online space – particularly in the context of corporate communications, marketing, or HR content creation – requires careful data protection practices. What may not entail legal consequences under the Civil Code can still constitute a data protection violation.

Consent is therefore not a mere formality, but one of the fundamental prerequisites for lawful data processing. Organizations – whether content creators or employers – are advised to establish internal procedures, training programs, or policies to manage the data protection risks associated with online content creation.

Respecting data subject rights, properly documenting consents, and complying with GDPR requirements are not only matters of legal compliance, but also essential for maintaining corporate reputation and trust.



The Scope of the NIS2 Directive and the Cybersecurity Act – Determining Involvement in Practice

Reading time: 6 minutes

The rapid advancement of digitalisation has brought new opportunities but also new types of risks. In business operations, the reliability of electronic information systems plays an increasingly important role, and ensuring the confidentiality, integrity, and availability of managed data and information has become a fundamental requirement. To address this, the Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (the “NIS2 Directive”), was adopted. Its national transposition in Hungary resulted in Act LXIX of 2024 on Cybersecurity (the “Cybersecurity Act”). These instruments aim to reduce risks to electronic information systems and ensure the continuity of services in key sectors such as energy, healthcare, transport, digital infrastructure, and manufacturing. Depending on their activities, size, and role, organisations are subject to different obligations. Each organisation must determine whether it falls within the scope of the Cybersecurity Act and which specific requirements apply to it. This article outlines the key aspects of self-identification, helping organisations comply with the NIS2 Directive and the Cybersecurity Act.

Who does the Cybersecurity Act apply to?

The Cybersecurity Act covers a wide range of sectors and activities. It applies to designated public administration entities, certain state-influenced enterprises, and defence-related organisations — though these are not detailed here. Beyond these, many private-sector organisations may also be affected. For them, both their activities and their size and turnover must be assessed.

Based solely on activity

Regardless of size, the Cybersecurity Act applies to organisations providing electronic communications services, trust services, DNS services, top-level domain name registry services, or domain name registration services.

These service providers can be identified from the registers kept by the competent authorities: electronic communications service providers and trust service providers listed in the register of the National Media and Infocommunications Authority (NMHH), DNS service providers, the top-level domain name registry (currently the only such organisation in Hungary is ISZT Nonprofit Kft.), and domain name registration service providers, that is, the registrars listed on the domain.hu website operated by ISZT.

Based on activity and size

The Cybersecurity Act applies to medium-sized and larger organisations, that is, organisations that are not micro or small enterprises under the EU definition of small and medium-sized enterprises: those with at least 50 employees, or whose annual net turnover and annual balance sheet total both exceed EUR 10 million, provided that they carry out an activity specified in the Cybersecurity Act.

Among the organisations that meet the size criteria, the Act covers those operating in the sectors of high criticality, such as healthcare, telecommunications services, and digital infrastructure (for example cloud computing and data centre service providers), and those operating in the other critical sectors, such as the production, processing, and distribution of food, the manufacture of computer, electronic, and optical products, and the manufacture of machinery and equipment.

Assessing and determining activities

If an organisation does not perform an activity that automatically falls within the scope of the Cybersecurity Act, both its size and its activities must be considered together. When size thresholds are met, the next step is to assess whether it operates within a high-risk or critical sector; this, however, is not always straightforward in practice.

For activities subject to authorisation, the sector to be examined, and with it the organisation's involvement, can be established from the records kept by the competent authority (for the transport sector, the Ministry of Construction and Transport as transport authority; for the food industry, the National Food Chain Safety Office; for the pharmaceutical industry and healthcare providers, the National Public Health and Pharmaceutical Center; and for electronic communications, trust, and postal service providers, the National Media and Infocommunications Authority).

In other cases — particularly in manufacturing — the relevant activity may be identified using the TEÁOR code (Hungarian equivalent of the NACE code) or similar classification numbers, which may indicate whether the company’s operations bring it under the scope of the Cybersecurity Act.

In most cases, the TEÁOR code makes identification relatively straightforward, for example:

manufacturing of electronic components or measuring instruments (computer, electronic, or optical products sector),

manufacturing of household electrical appliances (electrical equipment sector),

manufacturing of engines, turbines, or special-purpose machinery (machinery and equipment sector),

manufacturing of motor vehicle parts and accessories (road vehicle sector).

However, identification may be influenced by the interpretation of which sector the activities actually carried out belong to. For instance, an organisation engaged in IT consultancy and systems operation could qualify as a cloud service provider, thus falling within the scope of the Cybersecurity Act.

Determining involvement may also be complicated by how the legal definitions of certain activities are interpreted and applied. Take a business that manufactures plastic packaging materials or plastic products: its classification is not clear-cut. Under the Cybersecurity Act, an organisation belongs to the covered food sector if it qualifies as a food business within the food production, processing, and distribution sector and is engaged in wholesale distribution, industrial production, and processing. Two concepts therefore need clarifying: whether such a manufacturer qualifies as a food business at all, and whether the activities it actually carries out belong to any stage of food production, processing, or distribution.

The Limits and Risks of Self-Identification – Recommended Actions

It is clear that self-identification is not always straightforward. The TEÁOR code alone may not precisely reflect the organisation’s real activities, which may lead to misclassification under the Cybersecurity Act. In Hungary, it is common for companies to retain outdated or inaccurate TEÁOR codes in their official records. In such cases, the authority may still assess the company as falling under NIS2 obligations, resulting in unnecessary compliance burdens and administrative costs.

Incorrect or incomplete self-identification can also lead to fines and subsequent enforcement measures. Therefore, it is crucial that businesses regularly review their registered activities and maintain only those TEÁOR codes that accurately represent their actual operations.

Conclusion

Accurate self-identification is not only a legal obligation but also in the best interest of the organisation. Retaining inaccurate or unnecessary TEÁOR codes may result in misinterpretation by authorities and potential sanctions. Proper self-identification and conscious management of registered activities are not merely administrative tasks — they are essential elements of business security. Those who act proactively and with awareness can not only avoid sanctions but may also gain a competitive advantage through enhanced trustworthiness and compliance.



Product liability rules are changing

Reading time: 4 minutes

Modern technological developments have made it necessary to rethink product liability, and the European Parliament and the Council have accordingly adopted Directive (EU) 2024/2853 on liability for defective products and repealing Council Directive 85/374/EEC (the "Directive"). The Directive aims to balance the responsibility of economic operators against a high level of consumer protection. Member States must transpose it by 9 December 2026, and to that end the Ministry of Justice has drafted amendments to private law, including a comprehensive review of the product liability rules in Act V of 2013 on the Civil Code (the "Civil Code"). This article presents the new product liability rules.

What is a product?

The comprehensive reform of the EU rules was prompted by technological change: the spread of digital and smart devices has brought new risks, which the Directive, and through its implementation the Hungarian rules, now address. One of the most significant changes is that the Civil Code, following the Directive, broadens the concept of a product. Under the new provisions, any movable item is a product, even if it is incorporated into or connected to another movable item or immovable property; electricity, digital manufacturing files, raw materials, and software are expressly included. The new liability rules will therefore apply to products placed on the market or put into service after 9 December 2026, including digital manufacturing files and software, whether sold as stand-alone products or integrated into other devices.

However, free and open-source software developed or made available in the course of non-commercial activities is exempt from these regulations.

Who bears the responsibility?

The basic principle of product liability is that, to protect consumers, it imposes obligations on economic operators who are responsible for damage caused by defective products. Under the new rules, the scope of persons who can be held liable is expanded, meaning that product liability may be imposed on the following economic operators:

  • The manufacturer of the product is primarily responsible for any defects in the product, i.e. the party who develops, manufactures or produces the product, labels the product as its manufacturer, or develops, manufactures or produces the product for its own use.
  • If the defect is caused by an integrated component, the manufacturer of that component shall also be liable if the component was incorporated into a product under the manufacturer’s control.
  • If the product or its component parts originate from a manufacturer operating outside the European Union, responsibility lies with the company importing the product into the EU, i.e. the company placing the product on the EU market, and with the manufacturer’s authorized representative.
  • If the importer or the manufacturer’s authorized representative is also not based in the EU, then the logistics service provider is responsible, i.e. anyone who offers at least two of the following services in the course of their commercial activities: storage, packaging, addressing, and shipping of a product, without owning the product in question.
  • The distributor shall also be liable if the person responsible cannot be identified and, at the request of the injured party, the distributor does not identify the economic operator or distributor listed above.

In addition, if a natural or legal person substantially modifies a product without the manufacturer’s knowledge or control and then distributes or puts it into service, that person is also considered a manufacturer under the law and may be liable for product damage.

A new provision is that the manufacturer of a defective product is jointly and severally liable for product damage with other economic operators cooperating with it, such as the component manufacturer or importer, so that the consumer can claim full compensation from any of them. The economic operator providing compensation to the injured party may then recourse against the other responsible economic operators.

When is a product considered defective?

A product is considered defective if it does not provide the level of safety that is generally expected of that type of product or that is required by EU legislation or relevant domestic regulations. When assessing the level of safety, factors such as the reasonably foreseeable use of the product, the date of placing on the market, and the reasonable expectations of consumers must be considered. At the same time, the mere fact that a more advanced or modern version becomes available after the product’s release—whether in the form of an update or a completely new product—does not in itself render the previous model defective. The basis for assessing a defective product is therefore not its comparison with the latest technological standards, but rather whether it provides the level of safety that could be expected at the time of its manufacture.

When can the manufacturer, importer, or other economic operator be exempt from liability?

Economic operators may be exempted from product liability under certain conditions if they can prove that the defect causing the damage did not arise within their sphere of responsibility or was not foreseeable.

The manufacturer or importer shall be exempt from liability if they can prove that they did not place the product on the market or put it into service. The distributor may be exempt if they can prove that they did not make the product in question available on the market.

Any economic operator may be exempted from liability if they can prove that the defect in the product was not likely to exist at the time of placing on the market, putting into service or distribution, or that it only arose after that time. However, this provision shall not apply if the defect of the product is related to a service associated with the product under the manufacturer’s control, to software accompanying the product (including software updates or upgrades), to the absence of software updates or upgrades necessary to maintain safety, or to a material modification of the product.

Liability shall also be excluded if the defect of the product results from compliance with legal requirements (e.g., adherence to a mandatory technical standard that caused the defect), or if the defect could not have been detected based on the state of scientific and technical knowledge at the time the product was placed on the market or put into use, or while the product was still under the manufacturer’s control.

Unchanged provisions

The manufacturer and other liable parties are subject to product liability for a period of 10 years. The injured party must still prove the defect in the product, the damage suffered, and the existence of a causal link between the defect and the damage. There is a three-year limitation period for asserting claims, which begins from the date on which the injured party became aware or could reasonably have become aware of the occurrence of the damage, the defect in the product, and the identity of the responsible economic operator.

Summary

The Directive and its domestic implementation bring significant changes to product liability regulations. With these amendments, both the definition of “product” and the scope of parties who may be held liable for damages caused by defective products are expanded. The concept of a product now includes software, digital manufacturing files, and related services, meaning that the liability framework also applies to modern, digital, and complex technologies. This implies that economic operators will need to act with greater caution and awareness in the design, manufacture, distribution, and modification of products in the future.

The aim of the new regulation is to strengthen consumer protection against modern product risks, while at the same time imposing greater liability on economic operators. In light of these changes, it is essential for the affected companies to review their operations, internal processes, contracts, and liability insurance practices.

Photo source: pexels.com, Lukas


The most important things to know about mothers and employees with young children returning to work

Reading time: 5 minutes

The birth of a child is a significant event in a person’s life, which also has a major impact on the professional and working life of employees. Given the importance of becoming a parent, Hungarian labour law contains numerous provisions aimed at promoting the proper development and care of children and protecting mothers and parents with young children.

According to Act I of 2012 on the Labour Code (“Labour Code”), mothers are entitled to 24 consecutive weeks of maternity leave (CSED), and parents of young children (until the child reaches the age of 3) are entitled to unpaid leave (GYED, GYES) for the purpose of caring for their children.

During the care and upbringing of a child, there may come a point when the desire to return to work arises. However, it is important to note that during the parent’s absence, numerous changes may occur in the employee’s personal circumstances and in the employer’s organization, because of which the employee’s previous employment conditions may no longer be guaranteed or may no longer be appropriate. The Labour Code contains detailed rules for reconciling the differing interests of employees and employers and for protecting social objectives. In this article, we summarize the most important rules related to this topic.

General rules applicable in all cases

Announcement of return

According to the Labour Code, the employee may specify the date of his/her return, but when indicating the date, to comply with the obligation to cooperate, the employer must be given at least 30 days’ notice. Therefore, the employee must give notice of his/her intention to end unpaid leave taken for the purpose of caring for a child at least 30 days before the end of the leave.

Wage adjustment

Given the wage increases that occur during the employee’s absence, a situation may arise where the wage of an employee with young children is lower than that of his/her colleagues. This situation clearly violates the requirement of equal treatment, so the Labour Code stipulates that the employer is obliged to make an offer to adjust the wage after the absence has ended. For the purposes of making an offer, the average annual wage increase applied by the employer to colleagues working in the same position as the employee must be considered. If there are no other employees in the same position, then the average annual wage increase implemented by the employer at company level shall be the reference point.

Granting leave

The entire duration of maternity leave and the first six months of unpaid leave taken for the purpose of caring for a child are considered leave-entitling periods, meaning that the employee’s leave entitlement accrues even during his/her absence. As a general rule, the employer must grant this accumulated leave within 60 days of the employee’s return (typically before the employee actually returns to work).

Changes in terms and conditions of employment

Generally, the employer is obliged to employ the employee upon his/her return in accordance with the original conditions (e.g., working hours, job description, place of work). However, it is easy to see that during the employee’s absence, changes may occur on both sides (e.g., the employee relocates, termination of his/her position), which would make employment (under the same conditions) no longer possible or would cause the parties to temporarily deviate from it (e.g., part-time employment). The parties may, of course, amend any terms and conditions or terminate the employment relationship by mutual agreement, but in certain cases and under certain conditions, they may also be entitled to do so unilaterally.

Modification of employment conditions upon the request of the employee with young children

In order to facilitate the appropriate development of young children, the Labour Code provides employees with young children with the opportunity to request changes to their employment conditions (e.g., place of work, remote work, part-time work) under certain conditions.

In the context of changes to employment conditions, we would like to point out that employers are often subject to a prior notification obligation, i.e. they must inform employees about the availability of part-time and remote working positions.

In certain cases, employers are obliged to comply with requests from employees with young children without consideration, while in other cases, the feasibility of the request and its acceptability by the employer may be examined.

The employer is obliged to respond to requests that are subject to employee justification or employer discretion within 15 days. If the employer fails to do so or rejects the request without justification, the employee has the right to challenge the decision before a court, so it is advisable for employers to prepare in advance for the return and employment of parents with young children and to establish appropriate procedures.

Special rules relating to termination of employment

Employees may not be dismissed during pregnancy, maternity leave, paternity leave, parental leave or unpaid leave taken to care for a child. After the employee’s return, this absolute prohibition no longer applies, but until the child reaches the age of three, the employer has limited rights to terminate the employee’s employment in certain cases. Termination on grounds related to the employee’s abilities or the employer’s operations (e.g., cessation of the employee’s position) may only be given if there is no other suitable vacant position or if the employee has rejected an offer of such a position. It is also important to note that the fact that the employer filled the employee’s position by hiring another employee in the meantime does not in itself constitute a legal basis for termination of employment, as the employee has the right to be employed in their original position. Termination based on conduct may only be given if it meets the requirements for termination without notice.

Summary

Overall, it can be stated that the Labour Code contains numerous restrictions regarding the return to work and employment of mothers/parents with young children in order to take into account the individual circumstances of employees. However, it is important to emphasize that the interests of employees are not exclusively protected, as the legislator considers the economic aspects of employers in many respects.

Photo source: pexels.com, Yan Krukau


General obligations of the employer in the event of a change in the employee’s health

Reading time: 5 minutes

During the course of employment, situations may arise where an employee’s health condition changes, either temporarily or permanently. This may result, for instance, from an accident-related injury, post-surgery rehabilitation, treatment of a chronic illness, or even partial loss of working capacity. In such circumstances, a key question for the employer is to what extent and in what manner they are required to adapt work organisation and working conditions to the employee’s altered health status.

In this respect, the employer bears not only legal but also social responsibility — the way an employer handles changes in employees’ health conditions is a key indicator of responsible employment. However, it is important to define the limits of the employer’s duty to adjust and take appropriate measures, as this obligation may vary depending on the specific case and circumstances (e.g. the employer’s available resources). The following article provides guidance on situations where the employee is still considered fit for work but experiences a change in their state of health.

General Obligations

Pursuant to Act I of 2012 on the Labour Code (hereinafter: the “Labour Code”) and occupational safety regulations, employees may only be employed for work that, in view of their physical constitution, development, and state of health, does not have adverse consequences for them. Furthermore, it is the employer’s fundamental responsibility to ensure that work is performed under safe and healthy conditions that do not pose a risk to the employee’s well-being. This obligation applies throughout the entire duration of the employment relationship and includes continuous assessment. Accordingly, if an employee’s health condition changes over time, the employer is required to take appropriate measures in response to the situation.

In practice, this may involve temporary adjustments (e.g. part-time work, reduction of physical strain) or minor organisational changes (e.g. reassignment of certain tasks, review of working logistics).

Limits of the employer’s obligations – the principle of reasonableness

It is important to emphasise that the employer’s obligation to take measures is not unlimited. According to Section 6 of the Labour Code, which sets out the “principle of reasonableness”, the employer is only required to modify working conditions or reorganise work to the extent that is realistically and fairly expected under the given circumstances — that is, as long as doing so does not impose a disproportionate economic or organisational burden on the employer. The assessment of this obligation must always be based on the specific circumstances of the individual case, considering the employer’s economic and organisational capacity, as well as the nature of the employee’s health-related limitations.

In general, the employer is not required to:

  • create a new position,
  • hire additional staff, or
  • make significant investments

solely to ensure the continued employment of the affected employee.

The case law of the Curia (Supreme Court of Hungary) also confirms that the extent of the employer’s obligation must always be determined by the specific circumstances of the case. For example, if an office employee temporarily cannot type due to a broken hand, the employer is obliged to provide lighter or alternative administrative tasks during recovery but is not required to establish a new position.

The situation differs, however, when a professional driver is subject to a medical opinion imposing (not merely temporary) restrictions on their ability to perform driving duties. In such a case, even by modifying the working conditions, the employee would not be able to perform the essential functions of their role. Considering the principle of reasonableness — as a limitation on the employer’s duty to adapt and take measures — the continued employment of the worker would impose a disproportionate burden on the employer. Therefore, with appropriate justification, the termination of the employment relationship would be considered lawful.

Summary

The employer is required to adjust working conditions to the employee’s (changed) state of health where this is necessary to ensure safe and healthy working conditions. However, this obligation is not unlimited: under the principle of reasonableness set out in the Labour Code, the employer is only required to take measures to the extent that they do not impose a disproportionate burden. Accordingly, the extent of adaptation expected from the employer must always be assessed on a case-by-case basis, considering the specific circumstances and available resources, in order to determine what level of adjustment is reasonable to enable the continued employment of the affected worker. For a lawful and fair procedure, it is advisable to involve the employee, the occupational health physician, and—where necessary—the occupational safety specialist in the decision-making process, and to maintain transparent documentation of the measures taken. This approach ensures not only the protection of the employee’s interests but also the employer’s lawful and compliant operation.

Image source: pexels.com, Karolina Grabowska


The cessation of AVDH and the related tasks of companies

Reading time: 4 minutes

Electronic administration has undergone significant changes in recent years with the introduction of the Digitális Állampolgári Program (DÁP). The previously widely used document authentication (AVDH) has been phased out and is now completely obsolete. Given that this has a significant impact on the way individuals and companies conduct their electronic administration (e.g. ePapír administration, either as individuals or through the Company Gate), we outline below the essence of the changes, the parties affected and the practical steps to be taken.

AVDH in brief

AVDH was previously a free document authentication solution available to all users with a client gate. It was a widely applicable, easily accessible and simple to use service, and was also considered suitable for corporate signatures. Documents authenticated with AVDH were considered private documents with full probative force, so they could be used in a wide range of procedures and administrative processes.

The general availability of AVDH ended at the end of last year, so it could only be used in a limited scope, integrated into the ePapír service. This meant that when individuals and companies submitted documents to government agencies (e.g. to the labour authority) via ePapír, they could authenticate their submissions and attachments with AVDH, thus eliminating the need for electronic signatures.

Changes in November

On 31 October 2025, the AVDH service was completely discontinued (i.e. in official procedures as well). From 1 November 2025, it was replaced by a service for assigning documents to users (FEDOR), which has significantly reduced functions.

FEDOR, however, offers far fewer features than its predecessor. The FEDOR service does not replace a signature; it merely assigns the document to the individual user, so the result is not a private document with full probative value. Yet for an electronic document to be considered authentic, it must have at least the probative value of a private document (and an electronic time stamp).

Necessary steps

Given that authentic electronic documents must be submitted during electronic administration, authorities currently ask clients to resubmit the appropriate documents in cases where the documents do not qualify as private documents with full probative value.

Under current legislation, documents bearing a qualified electronic signature or an advanced electronic signature based on a qualified certificate are considered private documents with full probative value, so the documents to be submitted must be signed with one of these.

In order to ensure that the company’s communication with authorities does not become impossible, we know that many companies have quickly opted for a qualified electronic signature provided by a Hungarian trusted service provider. However, it is important to note that choosing the right partner in the long term opens up many more opportunities for digitisation.

Practical options

Private individuals have access to the eAláírás function provided by DÁP, which is considered a qualified electronic signature. However, it is important to note that this can only be used by private individuals, i.e. the DÁP eAláírás function is not suitable for corporate signatures under the provisions of the law, so business organisations will have to look for other solutions.

Qualified electronic signatures and advanced signatures based on qualified certificates can only be provided by so-called trust service providers. It is important to note that this is regulated at European Union level, which means that such services can be used not only from the three providers registered in Hungary, but also from providers registered in any EU Member State, as Member States are obliged to accept them. In Hungary, the National Media and Infocommunications Authority (NMHH) is the competent supervisory authority, which maintains this register, and the list of registered service providers can be found here. Service providers registered in the various EU Member States can be accessed via the following link.

It is also important to note that it is, of course, possible to act through an authorised representative (e.g. a private individual, accountant, legal representative) in electronic procedures, in which case the authorised representative must have the appropriate signature.

Summary

With the complete discontinuation of the previously widely used AVDH service, an appropriate electronic signature is required to use the ePapír service.

Although this may initially be perceived as a burden by those affected, electronic signatures can be used in a much wider range of applications and can practically replace the role of previous paper-based signatures entirely. Electronic signatures may, of course, entail additional costs, but it should also be noted that their use reduces several other costs (e.g. paper, printing, postage, courier and travel costs). Given that there are several types of electronic signatures, which result in different types of documents with varying degrees of evidential value, and that they can be used in a wide range of situations (e.g. company procedures, employment relationships, official notifications), it is definitely advisable to consider the purpose and scope of use when selecting a specific service (signature type). In our practice, we have assisted numerous groups of companies with their digital transition, and we can clearly state that companies choose different service providers based on their varying priorities (e.g., mass document uploading, document management, a wide range of signatories, signatures that can be provided to employees by their employer, cost).

Photo source: pexels.com, Karola G.


Special rules in case of foreign founder(s) and/or managing director(s)

Reading time: 4 minutes

Introduction

In the following article, we have compiled the most important topics that inevitably arise in the life of companies with foreign members or executives. Whatever the type of foreign person, if they play a role in the company’s life from a company law viewpoint, a few additional matters will certainly arise during the company establishment or change procedure.

Company extract of the foreign member

If a foreign legal person becomes a member of a company, either at the time of incorporation or later, or if there is a change in its data (e.g., the foreign member’s registered seat changes), the foreign company’s company extract or other document with identical content (e.g., a notarial statement), and its certified Hungarian translation must be submitted to the Court of Registry. The purpose of this is to certify the

  • registration of the foreign company under its own law,
  • data of the foreign company, and
  • person(s) authorized to represent the foreign company.

In this case, the foreign company member must request its company extract from its own court of registry/registry authority, which must then be prepared in a certified Hungarian translation by a qualified translator.

Delivery agent

If a foreign legal person, or a foreign natural person who has no address in Hungary, holds a position in the company (e.g., member or managing director of the company, member of the supervisory board, etc.), he/she must designate a person to be his/her delivery agent.

A delivery agent can be an organization with its registered seat located in Hungary or a natural person with a permanent residence in Hungary. This is a frequently asked question, thus it is important to clarify that members of the company, its management and supervisory board members are not allowed to perform such a function. This means that if the only member of the company is a foreign entity, its delivery agent cannot be the company’s managing director, even if he or she has Hungarian nationality and residence.

The function of the delivery agent is to receive and deliver certain documents (e.g., court/authority documents) addressed to the foreign person. The reason for this is obviously the difficulty and cost of delivering documents abroad, which the authorities/courts do not want to bear. In the case of a delivery agent, the law provides for a presumption as to the date of delivery: the foreign person is presumed to have knowledge of the document on the 15th day following the day on which it was duly delivered to the delivery agent.

It can therefore be seen that the task of the delivery agent is crucial, as he/she often has to forward notices and requests with tight deadlines to foreign addressees, and failure to comply with them may entail serious legal consequences.

Tax identification number

Although few people are aware of it, since 2018, the executive officer of the company, or in certain cases its member or shareholder, who does not have a tax identification number, is required to request one from the National Tax and Customs Office.

It is often the case, for example, that the foreign managing director holds his/her position on the basis of a free-of-charge mandate agreement, in which case no taxable income is generated in Hungary. In such cases, the lack of a tax identification number does not necessarily cause a problem from a tax viewpoint. However, companies are obliged to communicate electronically via the Company Gate. The managing director(s) can register a Company Gate on the basis of their existing Client Gate access, which requires a Hungarian tax identification number.

The prominent role of e-signatures

There is no doubt that with the increasing use of electronic signatures, processes are becoming faster, more convenient and more efficient for all of us. This is even more true for companies involving foreign persons. If, for example, the company has foreign members and managing directors, perhaps from different countries, signing certain documents can take weeks and incur unnecessary costs (e.g., courier services, travel, notarization). With e-signatures, however, this time can be reduced to minutes or even seconds, as placing a signature takes just a few clicks and there are no associated costs beyond providing the e-signature.

In legal procedures, such as company proceedings, it is also possible for the legal representative to identify the signatories online, also within a few minutes, saving additional time and costs.

It is therefore worth considering the use of electronic signatures, which can be a convenient, time- and cost-effective solution, and can have the same legal effect as a physical signature.

Photo source: pexels.com, Kampus Production


Capital difficulties and their possible remedies in case of limited liability companies

Reading time: 4 minutes


The preparation and adoption of the annual accounts each year is an important step in the operation of a company as it clearly shows the results of the previous financial year. Act V of 2013 on the Civil Code (“Civil Code”) provides for a number of capital requirements and the obligation to intervene to remedy them for the purposes of protection of creditors. In our article below, we will examine the possible cases of undercapitalization and the legal solutions available, focusing on the rules governing limited liability companies.

Cases of undercapitalization

The Civil Code defines four cases in which the members are obliged to intervene and provide the additional funds needed or decide on an appropriate restructuring of the capital structure. In summary, these are the following:

  • the company’s equity capital has fallen below the minimum amount of registered capital laid down by law
    • an LLC can be established with a minimum registered capital of HUF 3 million, therefore this case arises if the equity capital is less than HUF 3 million
  • the company’s equity capital has fallen to half of the registered capital due to losses
    • with regard to the case of undercapitalization above, this can only arise if the registered capital exceeds the minimum amount, so for example its amount is HUF 10 million. In this case the members shall intervene, when the equity capital is HUF 5 million, or less
  • the company is threatened with insolvency or has stopped making payments
    • threat of insolvency is a situation where the directors of a company foresee, or with reasonable diligence should foresee, that the entity will not be able to meet its obligations as they fall due
  • the company’s assets do not cover its debts
    • this is the case when the company’s debts (e.g. debt, loans from members, other claims against the company) exceed the company’s total assets.

Obligation to intervene

In the event of undercapitalization, the Civil Code imposes specific obligations on both the managing director and the members.

The managing director shall without delay convene the members’ meeting (sole member) or initiate the decision of the general meeting without holding a meeting in order to take the necessary measures.

Members shall then decide on a solution to the situation, and the adopted measures shall be implemented within 3 months. If the undercapitalization is due to the company’s equity capital having dropped to half of the registered capital as a result of losses, and the members are unable to remedy this within 3 months, the company’s registered capital must be reduced.

Possible actions by members

Members can remedy the cases of undercapitalization in several ways, as follows:

  • supplementary payment
    • if the articles of association so authorize, the general meeting may impose a supplementary payment obligation on the members to cover losses
    • in addition to the authorization, the articles of association must specify the maximum amount of supplementary payment that members may be required to pay, as well as how frequently such payments may be imposed. If these conditions are not met, no supplementary payment may be made, even with the support of the general meeting
    • it should be noted that the amount of the supplementary payment does not increase the members’ capital contribution. The supplementary payment may only be used to cover losses and, as a general rule, any unused supplementary payment shall be returned to the members
  • reduction of capital
    • in this case the members reduce the registered capital of the company, which entails a reduction in the member(s)’ business quotas
    • it is important to note that this is only possible if the original registered capital exceeds the minimum registered capital set by law, i.e. HUF 3 million
  • provision of equity capital by other means
    • unlike the previous measures, this is an open-ended option: it is not possible to list exhaustively which actions may be appropriate in this regard
    • possible solutions include, for example, a loan granted or cancelled by the members, or the assumption of (intra-group) debt from the company. The tax implications of these options must also be considered
  • transformation, merger, division and dissolution without legal succession
    • if the members do not decide on a supplementary payment, a reduction of capital or the provision of equity by other means, they must decide on transformation, merger, division or dissolution without legal succession
    • of course, nothing prevents the members from taking such a decision immediately, if they so wish and if the other conditions for such a decision are met

Summary

As can be seen from the above, a number of options are available to restore a limited liability company’s capital position. Which of them is the most appropriate cannot be determined in general terms: the specific company, its characteristics and the underlying causes of the undercapitalization must always be examined case by case in order to identify which measures offer a genuine long-term solution.

Image source: Mikhail Nilov, pexels.com
