NAIH, Hungary’s Authority for Data Protection and Freedom of Information recently issued its annual report on its activities carried out in 2015. The 2015 Annual Report of NAIH contains an interesting overview of the number and nature of cases investigated by the Authority, and also provides useful insight into the approach followed by NAIH in its day-to-day investigations. 

Statistics 

7,594 cases were filed with NAIH in 2015, which is 2.5 times higher than the 3,030 cases in 2014. Interestingly, even if the EU’s new Data Protection Regulation will abolish the registration obligations, there was a dramatic increase in the volume of notifications recorded in the Data Protection Registry (Adatvédelmi Nyilvántartás). The total number of notifications amounted to 3,680, compared to the 588 in 2014. 2,655 cases were investigations (the number grew by almost 800 compared to the previous year), and NAIH had to conduct an administrative procedure in 67 of the above cases. 67% of the cases were related to data protection, 17% to freedom of information, and 3% affected both fields. 

In 2015, NAIH issued 4 major data protection recommendations: Recommendation on Privacy NoticesRecommendation on Data Processing for the Organisation of Student Reunions,Recommendation on the Processing of Online Data of the Deceased, and Recommendation on Cost Implications of Access to Health Documents. 

In 2015, NAIH specially focused on the data processing operations pertaining to debt collection, debt management, product presentations and database marketing. 

Data processing operations of debt collection and debt management companies 

NAIH investigated the following data processing operations of debt collection and debt management companies: the proportionality of the processing (for example, the processing of the data of the debtor’s neighbours and relatives, data processing for the purpose of enforcing debt collection costs etc.), the privacy notice provided to data subjects, the use of the “legitimate interest” legal basis, data minimisation techniques, the physical deletion of data, and regulation of controller-processor relationships. 

Database marketing 

NAIH also investigated companies that perform data processing with the purpose of database compilation and direct marketing. NAIH emphasised that when a company is collecting data on its own website, it must pay special attention to disclose the mandatory privacy information in sufficient detail and in plain language. The privacy notice must be accessible from a direct link when users make their registration. NAIH also emphasised that the user’s consent is voluntary only if he/she has the freedom to determine separately each third person whom his/her personal data may be transferred to. 

Further recommendations on employee monitoring and privacy notices 

In its recommendation on the General Requirements of Electronic Monitoring Systems at Workplaces, NAIH already explained its standpoint on employee monitoring via any technological device in 2013. In its 2015 Annual Report, NAIH provides further aspects on this topic. Such aspects include the legitimate preconditions of the monitoring, the privacy notice to be provided, restrictions on private use of company systems, and the gradual approach to be applied in email screenings. 

The most important recommendation of NAIH in 2015 gave detailed clarifications on the requirements of privacy notices and privacy policies. The recommendation is stricter than the applicable law, and compliance is important because privacy notices are on NAIH’s radar more frequently. 

Practical consequences 

The approach of NAIH to the above data processing issues, as described in its 2015 Annual Report, may provide useful guidance for companies operating in other industries on how to ensure that their privacy practices are in line with NAIH’s expectations. If the provisions of the Hungarian Data Protection Act are violated, NAIH is entitled to impose a fine of between HUF 100,000 (approx. €320) and HUF 20,000,000 (approx. €64,050). For example, NAIH may impose a fine if, according to NAIH, the shortcomings in a privacy policy greatly affect the individuals in their consent, and therefore they could only see the consequences of data processing on a limited level; in such case the processing may be unlawful. Therefore, it is of primary importance for Hungarian companies, or companies who may be subject to Hungarian data protection laws on the basis of the approach set out in the Weltimmo case, to revise their privacy notices, policies and practices with a view to NAIH’s statements in its 2015 Annual Report. 

NAIH’s 2015 Annual Report: http://naih.hu/files/NAIH-BESZ-MOL--2015-MID-RES.pdf (only in Hungarian)