Published data protection fines
The National Data Protection and Freedom of Information Authority (DPA) has recently published on its website certain resolutions imposing a fine. A summary of such resolutions follows below. The DPA issued the fines under the rules effective prior to 25 May 2018 and not under the GDPR, in March and, respectively, May this year.
1. EOS Faktor Magyarország Zrt.
The DPA established that the debt handling company EOS had violated the principle of data minimisation and processed data without a valid legal ground, for which the authority imposed a fine of HUF 1 million (approx. EUR 3,000).
According to the resolution, EOS processed the data it took over from the assignor as an assignee. The mobile phone number was not among the data taken over. The person filing the complaint consented to the processing of his mobile phone number for a certain period and later withdrew his consent; it was only the processing of his address that he did not object to.
Pursuant to the resolution, the person filing the complaint requested EOS to erase the landline phone number and the mobile phone number processed in connection with the debt. At first, EOS did not fulfill the request, referring to data processing on the basis of legitimate interest; it was only after several requests that EOS finally erased them.
The data protection policy of EOS contained no material information in connection with the balancing test concerning the legitimate interest and EOS did not provide the DPA with the balancing test, thus, the company failed to prove that such a test had actually been prepared.
EOS obtained the landline phone number from the phone number directory, even though the name linked to the number and the name of the person filing the complaint did not match; according to the DPA, EOS was therefore processing this data unlawfully. The company kept processing the mobile phone number even after the person filing the complaint had withdrawn his consent, which was also unlawful: since EOS was in possession of the address of the person filing the complaint, it was not necessary to process the mobile phone number to achieve the purpose of data processing.
Furthermore, despite the fact that the person filing the complaint reported to EOS an address change, EOS did not erase the address but kept processing it along with the new address.
In determining the size of the fine, the DPA emphasized that EOS (i) was unlawfully processing personal data, (ii) failed to fulfill the requests for erasure and (iii) failed to provide adequate information on data processing as well as the result of the balancing test.
2. Magyar Telekom Nyrt.
Telecoms operator Magyar Telekom was unlawfully processing personal data for the purposes of direct marketing, for which the authority imposed a fine of HUF 2 million (approx. EUR 6,100).
As per the resolution, the person filing the complaint requested the company not to send any text messages to his mobile phone. The telecom service provider responded that if he did not wish to receive any such messages, he should request this in writing or set it up online. Despite the requests, the person filing the complaint kept receiving direct marketing messages. He then again requested the company not to call him and not to send him any text messages for direct marketing purposes. Furthermore, he even requested online that he not be sent such messages. The person filing the complaint still kept receiving direct marketing messages by text message and email, and was also called on the phone. The person filing the complaint then turned to the company's internal data protection officer and requested again that no direct marketing messages be sent to him via any channel. The person filing the complaint did not receive any response to this request.
The DPA established that the direct marketing messages were sent unlawfully and that Magyar Telekom did not fulfill its information obligations as per the Info Act and that the voluntary nature of the consent was not ensured because the customer (the person filing the complaint) had no option at the conclusion of the contract not to give consent to data processing for the purposes of direct marketing. In addition, upon creating the Telekom account, the box concerning consent for the purposes of direct marketing was pre-ticked on the web, which is also unlawful.
The authority established that this actually means that there was an inherent illegality within the whole system of Magyar Telekom, which affected a larger group of people (about 1.9 million subscribers in case of the contractual direct marketing provision and approx. 1.2 million customers in case of the Telekom account).
3. Hungarian Basketball Players Association
The DPA established that the Association (i) had processed data without a valid legal basis, (ii) failed to provide adequate information and (iii) violated the principles of purpose limitation and proportionality, for which a fine of HUF 1.5 million (approx. EUR 4,600) was imposed.
A person filed a complaint in connection with the player registration system which contains data available to all, including the data subject's name, place and date of birth, mother's name, citizenship, height, address and photo. As per the resolution, the registry also contains personal data of minors and those of players of the Hungarian national team, which data are accessible to the general public.
According to the declaration of the association, the registry is kept on the basis of the consent of the players. During the procedure, it was established that the giving of consent is a condition of the issuance of a player's license, thus, consent is not voluntary. The authority also established that the registry was kept without consent prior to 2013 and that there had been no valid legal basis for data processing either before or after 2013.
The registry contains personal data of 65.234 persons, of whom 31.295 are minors.
The DPA established that the association failed to provide adequate information to the data subjects in line with the Info Act. The authority also emphasized that "the publication of personal data in a data base on the web in a way that it is accessible to and searchable by all is not necessary for reaching the purpose of data processing". Publication of the data (including the address) of minors is of particular concern.
The authority also established that there had been no data privacy policy on the association's website prior to the launch of the authority procedure.
Zoltán Balázs Kovács, J.D. (LL.M.), Partner, Szecskay Attorneys at Law, Budapest, Hungary (zoltan.kovacs@szecskay.com)
The contents of this post are intended to provide only a general overview of the subject matter and do not qualify as legal advice.