Recently, NAIH (Hungary’s Authority for Data Protection and Freedom of Information) imposed a HUF 1 m fine (EUR 3,200) on a Hungarian financial services branch office. The underlying resolution provides further guidance to companies to ensure that their Hungarian data processing operations are in compliance with local requirements. NAIH's approach is strict in comparison to most of the EU DPAs, and will likely continue to be so after the GDPR becomes mandatory.

NAIH’s main findings include:

  • Unless authorised by law, making copies of customer ID cards is excessive, even if the customers provide their prior consent to such practice. Companies shall identify the individual once he or she has shown ID, and it is not necessary to make and store a copy of it as well, since such a copy has no probative force (compared to the original document).
  • It is not enough to indicate “direct marketing” as a data processing purpose in consent forms. The text shall describe the exact method of such marketing.
  • According to NAIH, it may be enough to use anonymised information when making product development statistics, and such procedures do not require the use of customer personal data.
  • Regarding the verification of customer income, companies shall contact a customer’s employer only upon the prior – preferably written – consent of the customer.
  • The customer shall provide his or her consent separately for each data processing purpose, and privacy information shall specify the personal data that the company can process or obtain from a third party.

As part of GDPR compliance, companies should revise their document-copying practices, the wording of their privacy consent forms, and their third-party information requests to verify if they are compliant with the above.