The Hungarian National Authority for Data Protection and Freedom of Information (NAIH) recently issued two decisions dealing with breaches of data protection rules set by the European General Data Protection Regulation (‘GDPR’).
The subsequent investigations led to the levy of a fine of EUR 3,135 against one company.
These are the first cases in which the NAIH considered the imposition of fines. Both procedures were conducted at the request of the data subjects, and the identities of the companies were not released.
6.5% fine for breaching the access right
In the first case, an individual visited the infringing company’s office and asked to inspect certain documents related to a dispute. The company refused the request, and the individual requested a copy of relevant CCTV recordings as evidence in the litigation. The company refused the request, arguing that the recordings did not support the individual’s claims, but only proved that he was present in a given place at a given time. After reviewing this case, the NAIH found that the company infringed the individual’s access rights, and clarified the following principles on the right to access:
- the data controller cannot request any justification from an individual making a data request;
- the data controller is not in a position to determine whether the required data would be necessary for the individual’s litigation purposes.
The NAIH imposed a fine of HUF 1,000,000 (EUR 3,135) against the company, which represents 6.5% of its annual net sales revenue, and considered the following circumstances when determining the amount of the fine:
- the nature of the breach;
- the fact that the deleted recordings could not be recovered;
- the fact that this was the company’s first infringement under the GDPR;
- the net sales revenue of the data controller company in the preceding year was HUF 15.3 billion (EUR 48,000);
- Hungarian rules on CCTV operation are currently not in line with the GDPR, and stipulate that if an individual requests a data controller not to delete a CCTV recording, he must prove that the recording affects his rights or legal interests. This provision violates the GDPR, and cannot apply.
As a result, Hungarian companies are advised to update their subject access rights (SAR) procedures to reflect the GDPR.
No fine for unlawful data disclosure
In the second case, the NAIH determined that a bank breached a debtor’s privacy by providing information on his unpaid debts to the co-mortgagor of an underlying loan. The reason for the unlawful data disclosure was a data-entry error made at the conclusion of the initial mortgage agreement more than ten years before.
As a result, the bank fully cooperated with the NAIH, conducted an internal investigation, immediately communicated its results to NAIH, and also corrected the error without delay.
Ultimately, the NAIH did not impose a fine because the bank did not breach the GDPR and the incorrect entry had taken place more than a decade before. The NAIH’s findings, however, emphasise the importance of the “accuracy” principle under Article 5 of the GDPR. Companies must always ensure in day-to-day operations that the personal data they are processing are accurate and up to date. Companies must also take every reasonable step to ensure that inaccurate personal data are erased or corrected without delay.