The GDPR, which entered into force on 25 May 2018, elicited very different reactions from organisations. Some had started preparing for compliance years in advance, others began to panic at the last minute or after it, and in our experience many regarded the legislation as just another unnecessary scare, despite the penalties it carries.
A serious question was how these requirements would be incorporated into domestic practice and how the NAIH would sanction incidents. On the international market, as was to be expected, a wave of complaints immediately hit the giant companies, with Google, for example, receiving a fine of €50 million.
But what about the domestic market, were there penalties?
Political parties are also affected, and video recordings should be handled with caution
The largest fine known so far was imposed on a political party. According to news reports, the NAIH imposed a fine of HUF 11 million because an unknown attacker exploited a vulnerability in a website run by the party, accessed the names, email addresses, usernames and passwords of nearly 6,000 supporters, and uploaded them to the internet in encrypted form. Aggravating circumstances included the special nature of the data, which revealed political opinion, the outdated encryption technology used, and the fact that the party neither reported the incident nor informed the persons concerned.
In another case, a company was fined HUF 1 million for inadequate handling of video recordings made at its reception and in its waiting areas. Full details of the reasoning and decision are available at this link. Operating cameras also involves the processing of personal data, so such activities must comply with the applicable data protection rules. Under the current legislation, our consent is required for the data processing, i.e. for the recording of our image by a camera. This consent is usually given implicitly, by entering the area monitored by the camera in view of the posted information notice. Under the GDPR, however, consent can be withdrawn at any time, in which case the personal data (here, the image or audio recording) must be deleted. At present, the law on the protection of property sets strict time limits for the retention of image and sound recordings, which, according to NAIH practice, must also be applied by data controllers who are not subject to that law. Accordingly, as a general rule, image and sound recordings may currently be retained for 3 working days, and in special cases for 30 or 60 days.
Lack of legal basis, disclosure of data to unauthorised persons
Although no fine was imposed, an organisation was sanctioned because a data record that had been entered incorrectly 10 years earlier led it to disclose the pledgor's details to an unauthorised person. Owing to this administrative error, the organisation believed it was speaking to the owner of the mortgaged property. "According to the application, on July 18, 2018, the Respondent's employee disclosed personal information to a third party by telephone without the consent of the Respondent or any other legal basis, when he called the third party - who was not named in the mortgage contract - by telephone on the grounds that the Respondent was not paying the repayments and informed him of his personal information, including his address." The fact that the infringement took place in the first few months of the Data Protection Regulation was treated as a mitigating circumstance.
Before the GDPR came into force, a pharmaceutical company was fined HUF 800,000 for processing personal data in the context of CCTV surveillance without a proper legal basis and for failing to give its employees adequate prior information about the processing and the circumstances of the surveillance.
In May 2018, a sports federation was fined HUF 1,500,000 because it processed personal data in the operation of its register without an appropriate legal basis. It failed to give the data subjects included in the register (or their legal representatives, as many of them were minors) adequate prior information about the processing and its circumstances, and it operated the register containing personal data in breach of the principles of purpose limitation and necessity.
Other, instructive cases
Smaller fines of between HUF 500,000 and HUF 1 million were also imposed in March 2019, and a few instructive cases are worth highlighting:
One case concerned a public interest report (whistleblowing report) about the operation of an institution established and supervised by the municipality concerned. The person concerned was an employee of the institution at the time of the report. The head of the institution asked for the full content of the public interest report as additional information, and the case officer of the obligated party provided it: the document containing the personal data, i.e. the public interest report of the person concerned, was sent in full and without anonymisation to the institution, which was both the employer of the person concerned and the subject of the procedure initiated by the report. The institution then terminated the employment of the person concerned by extraordinary dismissal, citing the public interest report lodged by that person as one of the reasons. The data subject subsequently asked the obligated party how and why his personal data had become known to his employer. In contrast, during the investigation of the case, the obligated party's Data Protection Officer and the head of its DPO office clearly took the view that, although certain personal data of the data subject were indeed processed by the institution in its capacity as employer, the information contained in or deducible from the whistleblowing report, such as the data subject's status as whistleblower, had not previously been processed by the institution.
One school asked the NAIH whether the consent of students and teachers is required for the publication of their class photos in the school yearbook, and whether a consent form is required for photographs taken at school events. According to the Authority, a school may have a proper legal basis for processing where it asks students or teachers for "informed consent", i.e. where the data subject has consented to the processing of his or her personal data for one or more specific purposes. It is important to note that consent is a voluntary, specific, informed and unambiguous expression of the data subject's wishes, by which the data subject indicates, through a statement or a clearly affirmative act, that he or she agrees to the processing of personal data concerning him or her.