1. Description of data controller

Data controller:

National Tax and Customs Administration (NAV)

Registered seat:

1054 Budapest, Széchenyi utca 2.

Postal address:

1373 Budapest, Pf. 561.




+36 (1) 428-5100


Data Protection Officer: dr. Attila Kiss (dpo@nav.gov.hu)


2. Legal basis of data processing

2.1. Regulation (EU) 2016/679 of the European Parliament and of the Council (of 27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: GDPR).

2.2. Act CXII of 2011 on the Right to Informational Self-Determination and on the Freedom of Information (hereinafter: Privacy Act).

2.3. Acts regulating the tasks set out in Article 13 of Act CXXII of 2010 on the National Tax and Customs Administration.

2.4. The data subject’s consent.


3. Scope, purpose and duration of processed data

3.1. Scope and purpose of processed data

Personal identification details

For identifying customers.

Contact details

For communication with customers.

Data arising from tasks of tax and customs administration, crime prevention and law enforcement, policing and administration, as well as from other tasks

For the purpose of dealing with the specific case.

3.2. Period of data processing

NAV will process data for a maximum period of time specified by the law applicable to the given procedure or, in the case of the data subject’s consent, for the period specified in the data processing information concerning the specific data processing.


4. Data access and data security measures

4.1. Data access and data transmission

Personal data may only be accessed by NAV as data controller and staff employed by data controllers entrusted by NAV. This group may be enlarged by bodies and persons specified by the data subject, in case of data processed based on the data subject’s consent.

NAV will transfer personal data processed by it to other bodies and persons only in the manner and for the purpose specified by law. Thus, for example, when the police/prosecutor’s office contacts NAV and asks for the transfer of the relevant personal data for an investigation.

4.2. Data security measures


NAV uses its own servers for the storage of personal data recorded. NAV uses no other service providers and entrusts no other data controllers for the storage of personal data. NAV will take appropriate IT, technical and personal measures to protect the personal data it processes against, inter alia, unauthorized access or alteration. Thus, for example, access to data stored in NAV’s IT system is logged, i.e. one can always check who, when, and what personal data has accessed.


5. Data subject’s rights in relation to data processing

5.1. Right to access

The data subject will have the right to request information from NAV, via the contact details provided in Section 1 above, as to whether the processing of his/her personal data is in progress and, if such processing is in progress, to find out about

  • NAV
    • what personal data;
    • on what legal basis;
    • for what purpose of data processing;
    • and for how long is processed by it; and
  • to whom, when, under what legal regulation, and which personal data has NAV granted access to, or to whom has it transferred his/her personal data;
  • what is the source of his/her personal data (if not provided to NAV by the data subject).

In order to comply with data security requirements and to protect the data subject’s rights, NAV must verify whether the identity of the data subject and that of the person wishing to exercise his/her right of access agree; and, for that purpose, the information provision is linked to the identification of the data subject.

5.2. Right to rectification

The data subject may request NAV in writing to change any of his/her personal data, via the contact details provided in Section 1 above. NAV will perform the request within a maximum of one month and will notify the data subject through the contact details provided.

5.3. Right to deletion

The data subject may request NAV in writing to delete his/her personal data, via the contact details provided in Section 1 above.

NAV will reject the request for deletion if it still has some legal basis for the further storage and use of the data. This is the case, for example, if the time limit for archiving has not expired.

However, in the absence of such an obligation, NAV will perform the request within a maximum of 10 days and will notify the data subject thereof through the contact details provided.

5.4. The right to blocking (to restrict data processing)

Through the contact details specified in Section 1 above, the data subject may request NAV in writing to block his/her personal data (clearly indicating the limited nature of data processing and ensuring that the data is processed separated from other data). The blocking will last as long as the reasons provided by the data subject so require.

The data subject may request NAV to block his/her data, if it is necessary not to delete such data for some official or court proceedings initiated by him/her. In this case, NAV will continue to store his/her personal data until such time when the relevant authority or court contacts it, after which it will delete such data.

5.5. Right to object

The data subject may object to the processing of data at any time for reasons related to his/her situation, through the contact details provided in Section 1 above, if in his/her opinion NAV would not process his/her personal data properly in connection with the purpose stated in this data processing information. In this case, NAV must prove that the processing of personal data is justified by legitimate reasons which take precedence over the interests, rights and freedoms of the data subject or which are related to the submission, enforcement or protection of legal claims.


6. Enforcement of rights in relation to data processing

If the data subject considers that NAV has violated the effective data protection requirements in the processing of his/her personal data, then

  • the data subject may submit a complaint to the National Authority for Data Protection and Freedom of Information (1055 Budapest, Falk Miksa utca 9-11., postal address: 1374 Budapest, Pf. 603.; E-mail: ugyfelszolgalat@naih.hu, website: naih.hu(https://www.naih.hu)), or

the data subject may turn to court to protect his/her data, which will act out of turn in relation to the case. In this case, the data subject is free to decide whether to bring an action before the regional competent court for his/her place of residence (permanent address) or his/her place of stay (temporary address) or NAV’s registered office. The data subject can find the regional court competent for his/her place of residence or stay by visiting the webpage https://birosag.hu/birosag-kereso (https://birosag.hu/birosag-kereso) . According to the registered office of NAV, will have jurisdiction over the lawsuit.