Resolutions of the Hungarian Data Protection Authority Imposing Fines Under the GDPR (21 June 2019)
July, 2019 - Zoltan Balazs Kovacs
Below you will find a brief summary of the resolutions of the data protection authority uploaded on their website up until today imposing a fine under the GDPR.
1. Failure to facilitate the exercise of data subjects' rights
The data subject wanted to exercise his access right, right to receive a copy, and his right to restrict processing of camera recordings of him at the reception area of a service provider. The data subject said he needed the recordings and the restriction of processing for the exercise of his legal claims However, the service provider failed to accommodate his request. The controller reasoned that the data subject failed to properly prove the legal claim for which he needed the recordings. The controller also referred to an effective statutory provision holding
"The person whose right or legitimate interest is…affected by a recording may…within three business days from the date of recording…request the controller not to destroy or delete the recording…by way of proving his right or legitimate interest…"
Furthermore, the controller informed the data subject of the fact that the recordings had been deleted within 3 business days from the date of the recordings and they could not be restored.
The controller failed to inform the data subject of his remedies (turning to the authority and turning to court).
The authority held that
(i) the rights in the GDPR are objective rights, meaning it is not necessary to prove any legitimate interest for the exercise of the rights;
(ii) the statutory provision invoked by the controller is contrary to the superior rules of the GDPR, thus, it has to be disregarded;
(iii) the company should have informed the data subject of his remedies;
(iv) this means that the controller had violated the GDPR.
The authority imposed a fine of HUF 1 million (about EUR 3,100) on the controller (an electricity provider).
The revenues of the controller for 2017 amounted to HUF 15.3 billion (about EUR 48 million).
2. Violation of the principle of accuracy, failure to facilitate the exercise of data subjects' rights
The data subject and complainant in the case received payment notices (text messages) on his mobile phone in connection with a debt despite not being a customer.
The data subject told all this to the bank, who responded that he would not be getting any further such message. In spite of the bank's statement, the data subject still received a payment notice in the form of a text message. The data subject then turned to the data protection authority.
First, the bank tried to get in contact with its customer with a view to clarifying the issue but, received no response. Then the bank requested the person filing the complaint to provide the bank with a copy of the subscription agreement so that the bank can make sure that the phone number was indeed not its customer's but the person's filing the complaint.
The authority held that
(i) the bank should have restricted data processing until it could find out whether or not the phone number belonged to the person filing the complaint rather than a customer, and
(ii) instead of requesting a copy of the subscription agreement, the bank should have informed the person filing the complaint of the fact that he could have proven that the phone number was his number by way of showing the subscription agreement to the bank, in which case, the bank would delete the inaccurate data from its system.
The authority also found that the bank failed to facilitate the exercise of the data subject's rights when sending a request for the subscription agreement to the data subject since the bank had no authority to request a copy of such document.
The authority imposed a fine of HUF 500,000 (about EUR 1,550) on the bank.
The financial result of the controller before taxation for 2017 amounted to HUF 31 billion (approx. EUR 95 million).
3. Failure to facilitate the exercise of data subjects' rights
The data subject and complainant in the case had received a payment notice from the assignee after which the data subject declared that he had owed no debts and requested that his data be deleted and that he be informed about the deletion.
In order to facilitate the exercise of data subject's rights, the assignee requested the person filing a complaint to provide it with his personal identification data. The data subject refused to provide his data saying that he could be identified based on the matter number and his name.
Then the assignee informed the data subject of the fact that, in the absence of identification of the data subject, it had completed the complaint procedure However, the assignee did not inform the data subject that he could have requested the processing of his complaint via ordinary mail. And that doing so would mean that the complaint could have been investigated even in the absence of any additional identification data if the letter contains the name and signature of the data subject and the matter number.
The authority found that the assignee had failed to facilitate the exercise of the data subject's rights and failed to inform him of the possible methods of the assertion of his rights.
The assignor repurchased the claim from the assignee and that is when the assignee erased the data subject's data. The assignee also informed the data subject of the erasure.
The authority also established that, despite the specific request of the data subject, the assignee failed to properly inform the data subject of the last backup which contained the data subject's personal data, when the backup may be used and when erasure of the last backup containing the data subject's personal data takes place in the absence of the use of the backup.
The authority imposed a fine of HUF 500,000 (about EUR 1,550) on the assignee.
The financial result of the bank before taxation in 2017 amounted to roughly HUF 20 billion (approx. EUR 61.5 million).
4. Violation in connection with erasure request, processing without valid legal basis
The data subject entered into a loan agreement with the controller. During the term of the agreement, the data subject told the controller via mail that his address had changed and requested the controller to delete his phone number.
The company responded that it could only change the address in its system if the data subject sent it a copy of the residential card. Furthermore, the controller added that it would not delete the phone number with respect to the fact that it may further process such data based on its legitimate interest because the phone number may be necessary for the purposes of phone calls in connection with a possible debt collection case.
The authority found that the balancing test in connection with the legitimate interest had not been prepared properly and that the processing of the phone number was not necessary for the purposes of debt collection and of keeping contact with the data subject. The data should have been erased because there were other means of keeping contact with the data subject.
The authority established that the controller had failed to accommodate the data subject’s deletion request and that it was processing the phone number without a valid legal basis. Furthermore, the authority held that the controller had violated the principle of purpose limitation and data minimisation.
The authority held that the controller had been processing the phone number for a purpose (e.g. improvement of customer services) other than the original purpose (performance of contract). However, the controller had failed to give prior information to the data subject of such data processing.
The authority imposed a fine of HUF 1,000,000 (about EUR 3,100) on the controller.
The net revenues of the controller in 2017 amounted to HUF 4 billion (approx. EUR 15.5 million).
Find more cases here:https://eugdpr.blog.hu/
The contents of this post are intended to provide only a general overview of the subject matter and do not qualify as legal advice.
Link to article