The Hungarian National Authority for Data Protection and Freedom of Information (NAIH) recently imposed fines in two separate cases of data infringement and violation of the EU's General Data Protection Regulation (GDPR).

In the first case, NAIH imposed a fine of HUF 100,000 (EUR 310) on an unnamed social and child welfare institution for late notification of a data breach. The organisation had sent nine letters to incorrect recipients, containing sensitive information on 18 individuals, including contact information for children and their families, criminal-record data and information related to child-protection proceedings.

As part of GDPR-mandated breach management, the institution had performed a risk analysis based on the Personal Data Breach Severity Assessment Methodology developed by the European Network and Information Security Agency (ENISA), introduced a double-control process when addressing letters, and implemented specific data protection training.

Nevertheless, the institution only informed the NAIH of the breach more than 20 days after becoming aware of it. As a mitigating factor, the NAIH accepted the institution's excuse that the person responsible for breach management did not have the capacity to deal with the case.

The NAIH also issued its highest data protection fine (HUF 30,000,000 or EUR 100,000, representing 2.3% of the company’s net revenue) for “Sziget”, one of Hungary's largest multicultural music and arts festivals. The violation concerned the festival organiser's procedure for the security screenings of hundreds of thousands of festival guests by photocopying IDs and taking photos at the entry gate.

The NAIH disputed whether individuals voluntarily consented to such screenings since this data processing was necessary for each guest to obtain services and attend the festival. In other similar cases, primary services cannot be subject to consent for the underlying data processing, and companies must rely on another legal basis to justify it.

The NAIH also found the scope of the data that was processed (e.g. citizenship, type, number and expiration date of ID, date of birth and gender) to be excessive and the retention period of one year to be too long. Although the NAIH considered some of the company's actions to be legitimate (e.g. financial measures implemented to prevent the misuse of tickets), the company could not appropriately prove its legitimate interest in processing this data in question.

The newly prepared “balancing test” did not contain a list or an explanation of the specific rights of the individuals that were restricted by the data processing. Nor did it contain the relevant risks brought on by the processing. According to the NAIH, the screening process was both incapable of reaching its goal of averting the misuse tickets, preventing crimes and addressing exceptional situations such as health and safety problems, which are considered rare.

The NAIH stated that preventing acts of terrorism and other crimes is the responsibility of the competent authorities, and companies should implement security measures that do not necessarily include the processing and retention of personal data. Acceptable security measures include physical screenings, metal detectors, appropriate vigilance by trained security personnel, and cooperation with authorities.

In light of the above two decisions, CMS recommends that companies protect themselves from similar GDPR-related issues by ensuring that it notify authorities about personal data breaches in a timely fashion, and that it employs proper legitimate interest tests when considering the processing of personal data. When implementing security, companies are advised to consider methods that do not include data processing.