In decisions announced on March 7, the Hungarian National Authority for Data Protection and the Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság or NAIH) imposed fines of HUF 500,000 (EUR 1,560) on data controllers in two separate cases.
Contrary to its previous practice, the NAIH did not identify the data controllers receiving fines. As a result, in the future the NAIH will likely identify data controllers in only the most severe breaches of data protection law.
In the first case, the NAIH issued a fine on a bank for failing to comply with the principle of accuracy under the GDPR. The procedure was initiated on the request of a data subject after the bank mistakenly sent SMS messages about the subject's credit card debt to the telephone number of another person. After receiving an incorrect telephone number from the client at the time of contracting, the bank did not comply with the data subject's request to erase the data and continued to send SMS message to the incorrect telephone number.
In its decision, the NAIH made the following findings:
- The credit institution does not have to delete a telephone number processed by mistake if the error is reported by a third person who is not properly identified.
- As soon as the inaccuracy of a telephone number becomes certain, however, the bank must erase the given data. It should also consult the subscription contract of the complaining data subject, which can confirm whether an error has taken place.
- The bank should have restricted the processing of the data in question until the accuracy of the telephone number was certified.
Based on the above case, it is recommended that data controllers revise their measures for assuring the accuracy of data and regularly ask clients to revise their data and report any changes. In addition, it is also suggested that revisions be made to the internal policies concerning the accuracy of data and to the management of data subject requests.
In its other decision, the NAIH imposed a fine on a debt collector for breaching the principles of transparency and data minimisation. In this case, a data subject satisfied its claim to the debt collector and afterwards, according to the GDPR, requested information on his processed data, and requested that his e-mail address and other personal data be erased.
The debt collector stated that it could not identify the data subject and requested his name, place and date of birth, mother’s maiden name and address. The data subject declined to give this data and consequently the debt collector rejected the above request, stating it was unable to identify the data subject.
After more correspondence, the data subject was successfully identified, but the debt collector refused to erase the personal data, claiming it must retain it to comply with legal obligations, including the obligation to retain backup copies under the Accountancy Act. The debt collector also cited its internal policy concerning backup copies.
The NAIH further stated that the debt collector also breached the principle of transparency by not appropriately informing the data subject on the rules of backup copies and by referring to an internal policy, which is not public and not accessible to the data subject. The debt collector should have informed the data subject of the backup copy in a transparent and detailed way with information on the personal data stored, the retention period, the possible use of the copies and their deletion date.
In its decision, the NAIH, however, highlighted the right to erasure and made the following findings:
- assignment contracts do not have to be deleted even at the request of the data subject and, according to the Accountancy Act, must be retained for a period of eight years;
- making and retaining backup copies are obligatory according to a government decree concerning information security of financial institutions, and therefore this data cannot be deleted even on request;
- a complaint does not have to be deleted, even on request, since the financial institution must retain it for a period of five years in line with the Act on Credit Institutions.
According to the NAIH's rulings in this case, we advise all companies to minimise the data required for client identification, that all internal company policies on data processing be fully transparent to clients, and that policies for making backup copies of data be revised to reflect the GDPR.
In arriving at fines of HUF 500,000 (EUR 1,560) for both institutions, the NAIH did not take into account the companies' worldwide annual turnover or income – as it had in previous decisions based on the GDPR – and instead focussed on the results of their business activities. This discrepancy suggests there is still no unified practice in Hungary for assessing fines.
In both cases, the fines were symbolic. For the bank, the fine represented only .0016% of its profit of HUF 31 billion. The debt collector, the fine represented only .0025% of its profit HUF 20 billion.