Recently, NAIH (Hungary’s Authority for Data Protection and Freedom of Information) imposed a HUF 1 m fine (EUR 3,200) on a company that offered a prize draw competition for customers without providing adequate privacy information. The company shall amend its privacy notice in accordance with NAIH’s findings and make it available on its website. The underlying resolution provides further guidance to companies to ensure that their data processing operations are in compliance with local requirements. NAIH's approach is strict in comparison to most EU DPAs. This strict approach is likely to continue after the GDPR becomes mandatory.

NAIH’s main findings include:

  • Privacy notices shall contain a detailed list of the data processors involved, including their specific activity and for how long they can access a participant’s data.
  • Privacy notices shall provide detailed information on the participants’ data protection rights and remedies (e.g. the deadlines for the company to fulfil the individuals’ requests, and the competent court for the matter).
  • Companies shall obtain a separate consent for the transfer of personal data to another company in their group (that will send marketing messages to the customers), and conclude a data transfer agreement for this purpose.
  • The contents of the company’s mandatory registration in the Data Protection Registry shall always match the information provided in the privacy notice, such as the scope of data, the purpose for processing it, and the data retention period.

As part of GDPR compliance, companies should revise their privacy notices, the information they provide on data processors, and their consent forms to verify that they are compliant with the above resolution. As of 25 May 2018, there will be no registration obligation in the Data Protection Registry, but it cannot be excluded that NAIH will check the former registrations in case of an inspection. Therefore, it is also advisable for companies to check whether their privacy notices mirror the information they provided in the registration.