NAIH, Hungary’s Authority for Data Protection and Freedom of Information, recently issued its annual report on its activities carried out in 2015. The 2015 Annual Report of NAIH contains an interesting overview of the number and nature of cases investigated by the Authority, and also provides useful insight into the approach followed by NAIH in its day-to-day investigations.
7,594 cases were filed with NAIH in 2015, which is 2.5 times higher than the 3,030 cases in 2014. Interestingly, even though the EU’s new Data Protection Regulation will abolish the registration obligations, there was a dramatic increase in the volume of notifications recorded in the Data Protection Registry (Adatvédelmi Nyilvántartás). The total number of notifications amounted to 3,680, compared to 588 in 2014. 2,655 cases were investigations (the number grew by almost 800 compared to the previous year), and NAIH had to conduct an administrative procedure in 67 of the above cases. 67% of the cases were related to data protection, 17% to freedom of information, and 3% affected both fields.
In 2015, NAIH issued 4 major data protection recommendations: Recommendation on Privacy Notices, Recommendation on Data Processing for the Organisation of Student Reunions, Recommendation on the Processing of Online Data of the Deceased, and Recommendation on Cost Implications of Access to Health Documents.
In 2015, NAIH focused in particular on the data processing operations pertaining to debt collection, debt management, product presentations and database marketing.
Data processing operations of debt collection and debt management companies
NAIH investigated the following data processing operations of debt collection and debt management companies: the proportionality of the processing (for example, the processing of the data of the debtor’s neighbours and relatives, data processing for the purpose of enforcing debt collection costs etc.), the privacy notice provided to data subjects, the use of the “legitimate interest” legal basis, data minimisation techniques, the physical deletion of data, and regulation of controller-processor relationships.
NAIH also investigated companies that perform data processing for the purpose of database compilation and direct marketing. NAIH emphasised that when a company collects data on its own website, it must pay special attention to disclosing the mandatory privacy information in sufficient detail and in plain language. The privacy notice must be accessible from a direct link when users register. NAIH also emphasised that the user’s consent is voluntary only if he/she has the freedom to determine separately each third person to whom his/her personal data may be transferred.
Further recommendations on employee monitoring and privacy notices
In its recommendation on the General Requirements of Electronic Monitoring Systems at Workplaces, NAIH already explained its standpoint on employee monitoring via any technological device in 2013. In its 2015 Annual Report, NAIH addresses further aspects of this topic. These include the legitimate preconditions of the monitoring, the privacy notice to be provided, restrictions on private use of company systems, and the gradual approach to be applied in email screenings.
The most important recommendation of NAIH in 2015 gave detailed clarifications on the requirements of privacy notices and privacy policies. The recommendation is stricter than the applicable law, and compliance is important because privacy notices are on NAIH’s radar more frequently.
NAIH’s 2015 Annual Report: http://naih.hu/files/NAIH-BESZ-MOL--2015-MID-RES.pdf (only in Hungarian)