AI Legal Framework: Institutional Implementation and Related Areas of Law

Institutional framework of artificial intelligence in Hungary

Hungary lays down the institutional and procedural foundations of national implementation by Act LXXV of 2025 and the implementing Government Decree 344/2025 (X. 31.). These legal acts aim not only to fulfil the obligation imposed on Member States by the AI Regulation to establish an artificial intelligence authority, but also to develop the domestic artificial intelligence ecosystem, to ensure uniform application of the law, and to respect fundamental rights and human autonomy. In Hungary, although the AI market surveillance authority has been designated by the above legal acts, the authority organisation responsible for market surveillance has not yet been established; therefore, further legislation or amendments are expected in the future regarding the authority responsible for supervising artificial intelligence.

The AI Regulation requires the designation of Member State notifying and market surveillance authorities for the prior conformity assessment and subsequent market surveillance of AI systems. To perform these tasks, the Government has designated the following bodies:

Artificial intelligence notifying authority (AI notifying authority)

The National Accreditation Authority performs these tasks. Its main task is the assessment, designation, notification and monitoring of organisations assessing the conformity of high-risk AI systems, on the basis of accredited status.

Artificial intelligence market surveillance authority (AI market surveillance authority)

The Minister responsible for enterprise development has been designated as the general market surveillance authority, as well as the operator of the single point of contact. The exclusive competence of the market surveillance authority includes the examination of AI systems where the client does not qualify as a consumer. However, supervision does not extend to high-risk AI systems placed on the market, put into service, or used in connection with the provision of financial services by organisations falling under the scope of the Act on the Hungarian National Bank; the supervision of such systems is carried out by the Hungarian National Bank (MNB).

Domestic procedural specificities

The domestic regulatory framework establishes special provisions for procedures related to artificial intelligence:

The artificial intelligence market surveillance authority acts ex officio in market surveillance cases under the AI Regulation. During the procedure, the authority may impose an administrative fine, establish the unlawful use of the AI system, and call upon the person concerned to cease the unlawful conduct.

The maximum amount of the fine may be a fixed amount in Hungarian forints corresponding to the amounts expressed in euros set out in the AI Regulation. In the event of non-compliance with prohibited AI practices, the maximum amount of the fine may be HUF 13.3 billion. If the AI system is placed on the market or put into service in a sector for which another sectoral market surveillance authority is also responsible, the sectoral authority (for example the National Media and Infocommunications Authority (NMHH) in its consumer protection/market surveillance procedure, or the National Authority for Data Protection and Freedom of Information (NAIH) in its data protection procedure) participates as a specialised authority in the artificial intelligence market surveillance procedure. In other cases, where in a procedure of a sectoral authority the conformity of the AI system must be examined, the sectoral authority must obtain the specialised authority opinion of the artificial intelligence market surveillance authority.

In the procedures of both the artificial intelligence notifying authority and the artificial intelligence market surveillance authority, summary procedure is excluded, meaning that expedited conduct of the procedure is not possible even if all information and evidence necessary for making the decision are available and no evidentiary procedure is required.

In addition to the artificial intelligence notifying and market surveillance authorities listed above, the Hungarian Artificial Intelligence Council (hereinafter: the Council) was established in order to ensure uniform application of the law, to develop the national artificial intelligence strategy and policy, and to deepen dialogue among stakeholders of the domestic artificial intelligence ecosystem.

The Council is a body without decision-making powers. It supports the Government in the development and implementation of the national artificial intelligence strategy and policy. Its further tasks include coordinating research, development and innovation activities, monitoring AI applications in the public sector, and creating and increasing national artificial intelligence proficiency.

The members of the Council are persons designated by key state bodies (e.g. the Hungarian National Bank, the National Media and Infocommunications Authority, the Hungarian Competition Authority, the National Tax and Customs Administration, the National Authority for Data Protection and Freedom of Information), by ministers, and by representatives of the scientific and economic spheres (e.g. the Hungarian Academy of Sciences, the Hungarian Chamber of Commerce and Industry). The Chair of the Council is appointed by the Prime Minister for a period of 5 years, upon the proposal of the Minister responsible for enterprise development and the Minister responsible for information technology. The position of Chair of the Council is held, until the end of the appointment in force at the time the Act enters into force, by the Government Commissioner responsible for artificial intelligence.

By establishing this legal framework, Hungary is ready for the pioneering task of implementing the AI Regulation, which, due to the rapid development of technology and the lack of experience in law enforcement, continuously challenges stakeholders.

Overview of other areas of law related to artificial intelligence and the associated risks

During the development, putting into service, use and introduction of artificial intelligence, companies must comply not only with the relevant provisions of the AI Regulation, but also with numerous other legal rules, and must also integrate the operation of the artificial intelligence system into their existing compliance processes, for example their data protection processes.

Legal basis for processing and data minimisation

Perhaps the closest and one of the most important related areas to an artificial intelligence system is data protection, since for the training and operation of artificial intelligence systems data and datasets are used, which in most cases also contain personal data. In relation to the personal data transferred and used for the development of the artificial intelligence system, it is worth paying attention to whether the processing of personal data used for training is lawful and whether it is carried out on one of the legal bases set out in the GDPR (e.g. consent, legitimate interest, performance of a contract, etc.).

If the legal basis for processing is legitimate interest, carrying out a balancing test is also mandatory, the purpose of which is to find and document the balance between the data controller’s legitimate interest and the fundamental rights of the data subjects. If the artificial intelligence system is trained with personal data that are processed without a legal basis, this constitutes a data protection infringement, which allows the initiation of a data protection authority procedure and is sanctionable under the GDPR. Furthermore, the GDPR lays down the principle of data minimisation, i.e. that personal data may be processed only to the extent necessary for the purpose of collecting the personal data; therefore the principles of processing must be observed and personal data going beyond the purpose of processing should be anonymised and used as such for training the artificial intelligence system.

If unlawfully processed data were used to train the artificial intelligence system, deleting such data from the AI model may cause problems, and it may become necessary to redevelop the system in order to restore lawful operation.

Automated decision-making and data protection impact assessment

In the area of data protection, a further significant risk is the issue of automated decision-making. The relevant provision of the GDPR provides that the data subject has the right, as a general rule, not to be subject to a decision based solely on automated processing that produces legal effects concerning them or similarly significantly affects them. Such a situation may arise in the case of AI systems if critical, important decisions are made solely by the given AI system without human review, e.g. CV screening software decides which job applicant to hire and the company’s decision-maker or employee does not verify the recommendation provided by the AI system or perform human review; such a procedure may be unlawful in several cases.

In several cases, in particular for systems classified as high-risk under the AI Regulation, carrying out a data protection impact assessment is also mandatory in accordance with the GDPR and the guidance of the National Authority for Data Protection and Freedom of Information. For example, it is mandatory to carry out a data protection impact assessment if the operation of the AI system is aimed at monitoring employees or assessing their performance. Beyond the mandatory cases of data protection impact assessment published by the NAIH, a data protection impact assessment may be required under the GDPR in any case where the AI system entails a high risk to the rights and freedoms of natural persons.

Labour law obligations and employee monitoring

Numerous labour law obligations are also associated with the introduction of artificial intelligence and are closely linked to the above-mentioned data protection obligations. If the employer uses an AI-based access control system or identification, it must be examined whether the conditions for biometric identification are met, because under Hungarian labour law it is permitted only to a limited extent. Biometric identification may be used only if it is necessary to prevent unauthorised access to something or to data that would entail a risk of serious or mass, irreversible harm to a significant interest protected by law, or to the life, physical integrity or health of the employee or others. In the case of biometric identification, the related data protection documentation must also be prepared and supplemented.

In cases where the employer intends to monitor employees’ conduct related to the employment relationship by means of an AI tool, employees must be informed in advance of this fact, and if a works council operates at the employer, at least 15 days before starting the monitoring of employees by an AI system the employer must obtain the opinion of the works council. Given that monitoring employees with the help of an AI system generally involves the processing of employees’ personal data, the employer must accordingly review the employee data protection notice and other documents and incorporate provisions relating to processing carried out by the AI system. With regard to AI solutions introduced in the field of employment, both labour law and data protection rules must be complied with.

Copyright, trademarks and outputs created by AI

The relationship between copyright and artificial intelligence may also raise questions, since, as mentioned above, the data used for training may also be works protected by copyright. Due to the operation and black-box nature of the AI system, and depending on the training data, trademarks created or generated by artificial intelligence may, if they resemble existing trademarks and are confusingly similar, constitute trademark infringement. The question of whether an output created by artificial intelligence can be considered a work protected by copyright also deserves attention. Currently, several court proceedings concerning copyright are pending abroad, and the judgments delivered in them will most likely have an impact on the assessment of this issue.

Trade secrets and internal regulation

For companies, the protection of trade secrets and the internal regulation of the use of artificial intelligence within an organisation are of outstanding importance, because if the framework and limits of the use of artificial intelligence are not laid down, it may occur that without control and restriction the company’s trade secrets and know-how are transferred into an AI software that further develops itself with the data fed into it, thereby causing serious damage and loss to the company.

Competition law

In the field of competition law, the importance of data has increased particularly in recent times, and the importance of who owns these data, who and how effectively and methodically can collect, organise, process and use them, in which AI technologies have an outstanding and increasing role. Artificial intelligence appears primarily in pricing and through algorithms and direct marketing. The possession and use of data may change market positions and roles, the structure of markets, the intensity of competition, may create or strengthen dominant market positions, affect acquisitions, pricing practices, and the shaping of market conduct and strategies, and may also facilitate unlawful collusion.

Consumer protection

Artificial intelligence may also impose additional obligations on companies in the field of consumer protection. It often occurs that various online platforms, websites and webshops use chatbots, through which consumers can communicate with an AI-driven virtual assistant via a chat window or by telephone. In such cases, it is necessary to inform consumers that they are not interacting with a human, and also what types of questions the virtual assistant can help with and what limitations the operation of the virtual assistant has.

It is clear that compliance with the AI Regulation requires understanding the domestic institutional implementation and the joint management of the requirements of several related areas of law. In the next part of the article series, the practical steps of compliance will be in focus.

 

The author of the article is Dr. Putnoki Poppea, Associated Attorney-at-law of CLM Bitai & Partners Law Firm.

The article was first published on the website of Grant Thornton Hungary: https://grantthornton.hu/en/audit-tax-valuation-accounting-digitax

    Nyelv választás