On 27 May 2019, the Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) issued a warning to an organisation for failing to properly notify the affected individuals of a personal data breach and for not having an internal data-breach management procedure in place.

The case concerned a report by whistleblowers against an official of an organisation and that organisation's complaint-management (integrity report) procedure.

The organisation's integrity consultant investigated the whistleblowers' statements, and then forwarded a report on the testimony to the affected official. Although the report did not contain the whistleblowers' names and addresses, it did contain sufficient data to identify them.

As a result, the official initiated a defamation procedure against the whistleblowers.

The whistleblowers then asked the organisation why their identities had been revealed to the official. The organisation conducted an internal investigation, determined that the incident constituted a data breach, and notified the NAIH.

The breach also affected special categories of personal data, such as political opinion and religious beliefs. Because the breach resulted in a defamation procedure against the whistleblowers, the risk to their rights and freedoms was deemed high. As a result, the organisation's data protection officer began a review of internal policies and access controls, and also initiated employee training in the areas of data protection, information security and document management.

Finally, the organisation ordered the deletion of the report from the e-mail account of the official named by the whistleblowers.

The NAIH assessed the organisation's data-security policy and instructions for internal investigations based on integrity reports, and concluded that the data breach resulted from an employee's misinterpretation of internal data-security rules.

The NAIH found that the organisation had no internal data-breach management procedure, and that the organisation did not provide enough details on the breach to the individuals concerned. (Data-breach management procedures must contain protocols for notifying individuals affected by high-risk data breaches, and these notifications must include a clear and understandable description of a breach, the name of a contact person with whom affected individuals can communicate, the likely consequences of the breach, and the corrective measures that have been taken or proposed.)

The NAIH also identified the organisation in its warning because it deems data processing surrounding whistleblowing systems to be highly important, and that there is public interest in protecting whistleblowers.

In the light of the NAIH decision, companies should verify if they have sufficient internal data-breach management procedures in place, which ensures that individuals affected by a breach receive appropriate notification.