New Hungarian data protection fines
The Hungarian Data Protection and Freedom of Information Authority (NAIH) has published new resolutions imposing fines. A summary of the resolutions follows below.
1. Text messages sent to wrong phone number
A bank (the data controller) sent payment notice text messages (SMS) to a person who was not the bank’s customer. The person complained to the bank and asked it to stop sending him such messages. Despite the request, he continued to receive payment notices by SMS. The reason was that his phone number had been recorded in the bank’s system as the phone number of a customer who owed the bank a certain amount. The bank tried to contact its customer to verify the phone number but did not succeed.
The authority established that the bank should have restricted the processing of the phone number until it had clarified whether the number was in fact the customer’s. Furthermore, the bank should have told the person who complained about the SMS that he could prove the number was his by presenting his subscription agreement, after which the bank should have erased the data. The bank failed to do this and thus violated the principle of accuracy (Article 5 (1) d) of the GDPR) and the obligation to facilitate the exercise of data subject rights (Article 12 (2) of the GDPR).
The bank’s financial result before taxation for 2017 was HUF 31 billion (about EUR 96.9 million).
The authority established that unlawful data processing had taken place and imposed a fine of HUF 500,000 (about EUR 1,600).
2. Prevention of the exercise of data subject rights
A company to which a claim had been assigned sent a payment notice to the debtor. The debtor asked the company by email to provide the documentation supporting the debt and information on the legal basis of the processing. The company asked him to identify himself before it would proceed. For this identification it also requested his birth data, which the company did not process at all, so this data could not have been matched against anything in its system. The person did not provide the requested data, whereupon the company closed the matter and informed him of the closure.
The authority established that the company was not entitled to request the birth data (as it did not process such data anyway) and should have informed the person that he could also exercise his rights by post, in which case there was no need for further identification since the letter already contains his name, address and signature (thus, a violation of Article 12 (2) of the GDPR had taken place).
The NAIH further established that the data controller had failed to properly inform the data subject about the most recent backup in which his personal data were stored and, thus, the company had violated the principle of transparency (Article 5 (1) a) of the GDPR).
The controller’s financial result before taxation for 2017 was HUF 20 billion (about EUR 62.5 million).
The NAIH established that an unlawful data processing had taken place and imposed a fine of HUF 500,000 (about EUR 1,600).
3. Transfer of data without legal basis
The Mayor’s Office of the City of Kecskemét reported a data breach to the NAIH.
The NAIH established that the controller had acted unlawfully because it had handed over a report in the public interest made by the data subject (which contained the data subject’s personal data) to a third party, an institution supervised by the municipality, which thereby gained unlawful access to the data. The person who made the report was employed by this institution, and the institution terminated his employment because of the report.
The authority established that the controller had violated Article 5 (1) a) (principle of transparency) and Article 6 (processing without legal basis) of the GDPR. The transfer of data without legal basis qualified as a data breach which can be regarded as a high-risk breach since it is capable of causing serious negative consequences.
The NAIH imposed a fine of HUF 1 million (about EUR 3,200).
4. Right to erasure
The person concerned had entered into a loan agreement with the controller. He informed the controller in a letter that his residential address had changed and requested the erasure of his phone number from the data the controller was processing.
The controller asked him to provide a copy of his address card so that it could record the change. At the same time, the company stated that it would not erase the phone number because it was processing this data on the basis of its legitimate interest; according to the balancing test it had prepared, it was entitled to process the number for the purpose of collecting overdue debts by phone.
At the data subject’s request, a data protection authority procedure was commenced.
The NAIH established that the controller had not properly prepared the balancing test; there was therefore no legal basis for processing the phone number, and the processing was unlawful (in violation of Article 6 of the GDPR) and violated the principle of data minimisation (Article 5 (1) c) of the GDPR). The authority also found a violation of Article 17 (1) of the GDPR, since the controller had not granted the erasure request.
The NAIH also established that the controller was processing the phone number for a purpose different from the original one (citing the development of customer care), for which it had neither carried out a balancing test nor informed the data subject. The controller therefore violated Article 6 (4) and Article 13 (3) of the GDPR.
The NAIH further established that, by processing the phone number for a purpose for which it had failed to prepare a balancing test, the controller violated the principle of purpose limitation (Article 5 (1) b)) and the principle of data minimisation (Article 5 (1) c)).
The company’s net revenues in 2017 were HUF 4 billion (about EUR 12.5 million).
The NAIH imposed a fine of HUF 1 million (about EUR 3,200) on the controller.
5. Failure to report a data breach to the authority, failure to inform the data subjects of the breach
A hacker gained access to a database on the website of the political party Democratic Coalition. The database contained names, email addresses, user names and encrypted passwords. The hacker then published the database on the Internet. The database contained the data of 6,987 data subjects.
After becoming aware of the data breach, the party neither reported the breach to the NAIH nor informed the data subjects of it. Furthermore, the party failed to document the data breach.
The NAIH established that the risk posed by the breach was high, since identity fraud could take place and the breach affected data revealing political views.
The party’s revenues amounted to HUF 269,361,000 (approx. EUR 841,000).
The authority established that the party had violated Articles 33 and 34 of the GDPR and imposed a fine of HUF 11 million (about EUR 34,500).
Zoltán Balázs Kovács, J.D. (LL.M.), Partner, Szecskay Attorneys at Law, Budapest, Hungary (zoltan.kovacs@szecskay.com)
The contents of this post are intended to provide only a general overview of the subject matter and do not qualify as legal advice.