The first Hungarian GDPR fine
A few days ago, the Hungarian data protection authority published its first resolution imposing a GDPR fine (in the amount of HUF 1 million) on a data controller.
According to the facts set out in the resolution, the data subject wished to exercise his right of access, his right to get a copy of the record and his right to the restriction of data processing. Within three business days from the making of the record, the data subject indicated that he needed the record and wanted to exercise his right to the restriction of data processing (which in practice means that the data processing has to be suspended, so that no data erasure may take place for a certain period of time) for the purposes of asserting his legal claims. The data controller rejected the data subject's request, reasoning that the data subject had failed to properly justify what kind of legal claim he needed the record for. The controller referred to a Hungarian statutory provision pursuant to which:
"Any person whose right or legal interest is affected by the record… may,… within three business days from the making of the record… and by way of justifying its right or legal interest, request the data controller… not to delete or erase the record…"
Furthermore, the controller informed the data subject that it had erased the records within 3 business days in line with the applicable statutory provisions and that they could no longer be restored.
The data controller failed to inform the data subject of his remedy rights (the right to turn to the authority and to the courts).
The data protection authority emphasized in its resolution that:
(i) there was no need to justify any legal interest in order for the data subject to exercise his rights under the GDPR;
(ii) the above-cited statutory provision (a national rule that is in effect) was not in line with the rules of the GDPR (the provisions of which take priority over national rules), and such national provisions could therefore not be applied;
(iii) the company should have informed the data subject of his remedy rights;
(iv) in light of the above, it can be established that the controller violated the provisions of the GDPR.
When determining the amount of the fine, the authority took into account the nature of the violation, the fact that the records could not be restored, the fact that the company had committed the above violations for the first time, and the fact that the above-cited statutory provision, which contradicts the GDPR, might have been confusing to the controller.
In 2017, the company's revenues were equal to HUF 15.3 billion.
Zoltán Balázs Kovács, J.D. (LL.M.), Partner, Szecskay Attorneys at Law, Budapest, Hungary (email@example.com)
The contents of this post are intended to provide only a general overview of the subject matter and do not qualify as legal advice.