(Status 01.03.2024, subject to change due to pending implementing regulations, in which case the information below will be amended)

In accordance with the provisions of the Hungarian Code of General Administrative Procedure (Ákr.) (https://njt.hu/jogszabaly/en/2016-150-00-00), the Authority shall, upon request, verify the compliance with the requirements set out in Chapter III of the DGA, or may at any time initiate an ex officio procedure for that purpose.

As long as no dedicated online interface is provided on the website of the Authority, the application shall be in the form and content required for legal persons subject to electronic administration under the Hungarian Code of General Administrative Procedure and shall be submitted through ePapír service (template "Egyéb (NAIH)" under the menu item "Nemzeti Adatvédelmi és Információszabadság Hatóság eljárásai" on https://epapir.gov.hu/).

In addition to the information specified in the Hungarian Code of General Administrative Procedure (data and contact details necessary to identify the client and its representative), the application for the procedure for the supervision of data intermediation services providers shall contain at least the following data pursuant to Paragraph (2) of Article 64/F of the Act CXII of 2011 on  the right to informational self-determination and on the freedom of information (hereinafter "Act CXII of 2011" https://njt.hu/jogszabaly/en/2011-112-00-00):

1. specification of the alleged infringement,
2. a description of the concrete conduct or state resulting in the alleged infringement,
3. the data available to the applicant necessary for the identification of the data intermediation services provider committing the alleged infringement,
4. the facts that support the statements related to the alleged infringement, as well as the evidence of such facts, and
5. an explicit request to adopt a decision on remedying the indicated infringement.

In the procedure for the supervision of data intermediation services providers, the administrative time limit shall be 150 days. This time limit shall not include the period between a call for the communication of data necessary for the clarification of the facts of the case and its fulfilment.

If in conducting a proceeding for the supervision of data intermediation services providers,  the Authority finds that there is no need to terminate the proceeding, and it cannot be established either that the behaviour of the monitored data intermediation services provider is not unlawful, the Authority shall send to the monitored data intermediation services provider its preliminary position on the case, which shall include the established facts of the case, the supporting evidence, an assessment of the facts of the case, as well as a description of the essence of the considerations and conclusions necessary for taking the decision, and of the considerations intended to be taken into account in a possible imposition of a fine. The monitored data intermediation services provider may make a statement or observations as to the preliminary position within 30 days.

The Authority may, where it finds that there is an infringement, require cessation of the infringement from the data intermediation services provider within a reasonable period, or with immediate effect in the case of a serious infringement, and take appropriate and proportionate measures to ensure compliance. The Authority, as appropriate:

1. may impose a fine between HUF 100 000 and HUF 50 000 000;
2. may require a postponement of the commencement or a suspension of the provision of the data intermediation service until any changes to the conditions requested by the Authority for data intermediation services have been made;
3. may require the cessation of the provision of the data intermediation service in the event that serious or repeated infringements have not been remedied despite prior notification.

In deciding whether it is justified to impose a fine and in determining the amount of the fine, the Authority shall take all circumstances of the case into account, in particular the gravity of the infringement, including the duration of the infringing situation, and whether the infringing party was previously in the proceeding for the supervision of data intermediation services providers found to have committed an infringement in the context of its activities.

The Authority may order its decision, including the identification data of the data intermediation services provider, to be made public if the gravity of the injury justifies publication.

The Authority shall cooperate with the supervisory authorities referred to in the DGA in accordance with the provisions of the DGA.

In the event of a finding of infringement, the data affected by the processing operation in dispute shall not be erased or destroyed until the expiry of the time limit for bringing an action to challenge the decision of the Authority or, in the event of bringing an administrative court action, until the adoption of the final and binding court decision.

The provisions of Paragraph 61.§ (7)-(10) of the Act CXII of 2011 shall apply accordingly to proceedings for supervision of data intermediation services providers.