Resolutions of the Hungarian data protection authority imposing fines under the GDPR (21 June 2019)
Below you will find a brief summary of the resolutions of the data protection authority uploaded on their website up until today imposing a fine under the GDPR.
1. Failure to facilitate the exercise of data subjects' rights
The data subject wanted to exercise his access right, right to receive a copy, and his right to restrict processing of camera recordings of him at the reception area of a service provider. The data subject said he needed the recordings and the restriction of processing for the exercise of his legal claims However, the service provider failed to accommodate his request. The controller reasoned that the data subject failed to properly prove the legal claim for which he needed the recordings. The controller also referred to an effective statutory provision holding
"The person whose right or legitimate interest is…affected by a recording may…within three business days from the date of recording…request the controller not to destroy or delete the recording…by way of proving his right or legitimate interest…"
Furthermore, the controller informed the data subject of the fact that the recordings had been deleted within 3 business days from the date of the recordings and they could not be restored.
The controller failed to inform the data subject of his remedies (turning to the authority and turning to court).
The authority held that
(i) the rights in the GDPR are objective rights, meaning it is not necessary to prove any legitimate interest for the exercise of the rights;
(ii) the statutory provision invoked by the controller is contrary to the superior rules of the GDPR, thus, it has to be disregarded;
(iii) the company should have informed the data subject of his remedies;
(iv) this means that the controller had violated the GDPR.
The authority imposed a fine of HUF 1 million (about EUR 3,100) on the controller (an electricity provider).
The revenues of the controller for 2017 amounted to HUF 15.3 billion (about EUR 48 million).
2. Violation of the principle of accuracy, failure to facilitate the exercise of data subjects' rights
The data subject and complainant in the case received payment notices (text messages) on his mobile phone in connection with a debt despite not being a customer.
The data subject told all this to the bank, who responded that he would not be getting any further such message. In spite of the bank's statement, the data subject still received a payment notice in the form of a text message. The data subject then turned to the data protection authority.
First, the bank tried to get in contact with its customer with a view to clarifying the issue but, received no response. Then the bank requested the person filing the complaint to provide the bank with a copy of the subscription agreement so that the bank can make sure that the phone number was indeed not its customer's but the person's filing the complaint.
The authority held that
(i) the bank should have restricted data processing until it could find out whether or not the phone number belonged to the person filing the complaint rather than a customer, and
(ii) instead of requesting a copy of the subscription agreement, the bank should have informed the person filing the complaint of the fact that he could have proven that the phone number was his number by way of showing the subscription agreement to the bank, in which case, the bank would delete the inaccurate data from its system.
The authority also found that the bank failed to facilitate the exercise of the data subject's rights when sending a request for the subscription agreement to the data subject since the bank had no authority to request a copy of such document.
The authority imposed a fine of HUF 500,000 (about EUR 1,550) on the bank.
The financial result of the controller before taxation for 2017 amounted to HUF 31 billion (approx. EUR 95 million).
3. Failure to facilitate the exercise of data subjects' rights
The data subject and complainant in the case had received a payment notice from the assignee after which the data subject declared that he had owed no debts and requested that his data be deleted and that he be informed about the deletion.
In order to facilitate the exercise of data subject's rights, the assignee requested the person filing a complaint to provide it with his personal identification data. The data subject refused to provide his data saying that he could be identified based on the matter number and his name.
Then the assignee informed the data subject of the fact that, in the absence of identification of the data subject, it had completed the complaint procedure However, the assignee did not inform the data subject that he could have requested the processing of his complaint via ordinary mail. And that doing so would mean that the complaint could have been investigated even in the absence of any additional identification data if the letter contains the name and signature of the data subject and the matter number.
The authority found that the assignee had failed to facilitate the exercise of the data subject's rights and failed to inform him of the possible methods of the assertion of his rights.
The assignor repurchased the claim from the assignee and that is when the assignee erased the data subject's data. The assignee also informed the data subject of the erasure.
The authority also established that, despite the specific request of the data subject, the assignee failed to properly inform the data subject of the last backup which contained the data subject's personal data, when the backup may be used and when erasure of the last backup containing the data subject's personal data takes place in the absence of the use of the backup.
The authority imposed a fine of HUF 500,000 (about EUR 1,550) on the assignee.
The financial result of the bank before taxation in 2017 amounted to roughly HUF 20 billion (approx. EUR 61.5 million).
4. Violation in connection with erasure request, processing without valid legal basis
The data subject entered into a loan agreement with the controller. During the term of the agreement, the data subject told the controller via mail that his address had changed and requested the controller to delete his phone number.
The company responded that it could only change the address in its system if the data subject sent it a copy of the residential card. Furthermore, the controller added that it would not delete the phone number with respect to the fact that it may further process such data based on its legitimate interest because the phone number may be necessary for the purposes of phone calls in connection with a possible debt collection case.
The authority found that the balancing test in connection with the legitimate interest had not been prepared properly and that the processing of the phone number was not necessary for the purposes of debt collection and of keeping contact with the data subject. The data should have been erased because there were other means of keeping contact with the data subject.
The authority established that the controller had failed to accommodate the data subject’s deletion request and that it was processing the phone number without a valid legal basis. Furthermore, the authority held that the controller had violated the principle of purpose limitation and data minimisation.
The authority held that the controller had been processing the phone number for a purpose (e.g. improvement of customer services) other than the original purpose (performance of contract). However, the controller had failed to give prior information to the data subject of such data processing.
The authority imposed a fine of HUF 1,000,000 (about EUR 3,100) on the controller.
The net revenues of the controller in 2017 amounted to HUF 4 billion (approx. EUR 15.5 million).
5. Violation of law in connection with data breach
The authority received a report of public interest stating that the website of one of the political parties (Democratic Coalition) had been hacked and data (name, email address, user name, password) were then published on the Internet. The data related to members of the party, supporters and those who sympathize with the party.
The authority held that the party had failed to (i) report the data breach to the authority, (ii) inform the data subjects of the data breach and (iii) register the data breach in its own registry of breaches. The authority also found that the party failed to establish proper IT security.
The authority imposed a fine of HUF 11,000,000 (about EUR 34,000) on the bank.
The revenues of the political party amounted to HUF 270 million (approx. EUR 830,000) in 2017.
6. Violation of law in connection with data breach
An employee of a public body accidentally mailed 9 documents containing personal data to a wrong addressee (namely, to a municipality) which also deals with the same issues as the public body but in a different geographical territory. The personal data in the documents became accessible to the wrong addressee, thus, the integrity of the data was compromised. The data breach affected 18 data subjects, including some minors (the data affected by the breach were identification data, contact details, data concerning criminal sentences, criminal offences or punishments, measures and other personal data relating to the private life of children processed in the context of child protection procedures conducted by the public body).
Following receipt of the documents, the wrong addressee notified the public body that it had received documents it should not have received and then took the necessary measures to return the documents to the public body.
The public body reported the data breach to the data protection authority three weeks after it had become aware of the incident. Moreover, it did not inform the data subjects of the data breach with respect to the fact that it had taken measures after the incident to ensure that the high risk to the rights and freedoms of data subjects was no longer likely to materialize.
The authority held that the data breach had not been reported to the authority within the period of time as required by the GDPR.
The authority imposed a fine of HUF 100,000 (about EUR 330) on the public body.
7. Making unlawful copies of documents
A festival organizing company (Sziget Zrt.) processed the scanned copy of the ID cards / passports of the persons entering the event based on its own and the participants' legitimate interest in a way that only those persons out of those who purchased a ticket were allowed to enter the event who allowed the scanning of the document.
The company argued that the scanning of the documents was necessary for the purposes of ensuring safety and preventing terrorist attacks.
In the authority's view, the company invoked a public interest that did not fall to the company to protect – meaning also the definition of the public task and the means used for such task. Thus, the company does not have the means and the authority for processing data in pursuit of such purpose. Therefore, no such interests may be referred to in the context of the processing of personal data based on which the controller may act lawfully.
In the authority's view, no documents may be copied or data stored in connection with the purposes mentioned by the company and this kind of processing is not suitable for reaching the purposes the company refers to (prevention of the activities of ticket touts, prevention of terrorist attacks).
The authority held that the company had processed personal data (copies of id documents) without a valid legal basis and that the data processing was not in line with the principle of purpose limitation and data minimization.
The authority imposed a fine of HUF 30 million (approx. EUR 92,500) on the company.
The revenues of the controller for 2017 were a bit short of HUF 1.3 billion (about EUR 4 million).
Zoltán Balázs Kovács, J.D. (LL.M.), Partner, Szecskay Attorneys at Law, Budapest, Hungary (firstname.lastname@example.org)
The contents of this post are intended to provide only a general overview of the subject matter and do not qualify as legal advice.