Hungary - Data Protection Overview

December 2021

1. Governing Texts

In Hungary, the current main national law on personal data protection is Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (as amended by Act XXXVIII of 2018 (only available in Hungarian here) to implement the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')) (an up-to-date version of which is only available in Hungarian here) ('the Act'). The Act sets out the general framework for data protection and is supervised by the National Authority for Data Protection and Freedom of Information ('NAIH').

1.1. Key acts, regulations, directives, bills

The Act applies to all kinds of data processing operations, except to the processing of personal data by a natural person in the course of a purely personal or household activity. This is an addition to the GDPR and covers manual data processing operations as well.

The Act is applicable if:

  • the data controller's:
    • main establishment; or
    • only place of business in the EU is in Hungary; or
  • the data processing operations of a data controller or its data processor are related to:
    • the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in Hungary; or
    • the monitoring of the data subjects' behaviour as far as their behaviour takes place within Hungary.

At the request of the NAIH, a local government notary may be involved in the verification of the actual circumstances of the data processing activities of a data controller, in particular the scope of the personal data processed, the means of the operations, and the technical and organisational measures.

The NAIH's administrative deadline for closing the data protection authority procedure is 150 days.

Other significant provisions in the Act:

  • The Act established a specific and permanent confidentiality obligation for data protection officers ('DPOs'). Organisations should revise the confidentiality clauses of the contracts with their DPOs to ensure harmonisation with the Act.
  • The NAIH will convene and set the agenda of the 'conference of DPOs' each year. This conference shall serve as a regular interaction point between DPOs and the NAIH.
  • In accordance with the GDPR, organisations shall not register their data processing operations with the NAIH anymore and shall record their own data processing operations in line with Article 30 of the GDPR.

Harmonisation of sectoral laws with the GDPR

A number of sector-specific laws have been amended to guarantee harmonisation with the GDPR, including:

  • Act I of 2012 on the Labour Code (only available in Hungarian here) ('the Labour Code');
  • Act XLVII of 1997 on the Medical Data Act (only available in Hungarian here) ('the Medical Data Act');
  • Act XXI of 2008 on Protection of Human Genetic Data (only available in Hungarian here) ('the Human Genetic Information Act'); 
  • Act LXVI of 1992 on Personal Data and Address Records of Citizens (only available in Hungarian here);
  • Act CXXXIII of 2005 on Security Services and the Activities of Private Investigators (only available in Hungarian here) ('the Security Services Act');
  • Act CXIX of 1995 on the Use of Name and Address Information Serving the Purposes of Research and Direct Marketing (only available in Hungarian here) ('the Direct Marketing Act'); and
  • Act CLXV of 2013 on Complaints and Public Interest Notices (only available in Hungarian here) ('the Public Interest Notices Act').

The main amendments are outlined below.

Labour Code

  • The employer must inform the employee in writing about the restriction of his/her personality right. This includes the circumstances justifying the necessity and proportionality of the restriction. This is not the same as the balancing test that the employer has to carry out in the case of data processing on the basis of legitimate interest. Information should be made in a written form and published in a customary and generally known method at the workplace, such as by email or on the company intranet.
  • The employer, works committees, and trade unions may process the personal data of employees for the purpose of labour relations and the employer also for the purpose of establishing, fulfilling, terminating, or enforcing the employment relationship. The employee may be required to present a document for this purpose, but the above data controllers do not have the option of making copies. Employees should also be informed in writing about these data processing operations, including by communication methods customary and generally known at the workplace (i.e. communication by email or publication on the company intranet).
  • Biometric identification of employees is possible to prevent risks to human life, physical integrity, health, or to protect significant interests and materials protected by law or regarded as hazardous or dangerous (e.g. classified data, explosives, hazardous substances, and nuclear materials).
  • The employer may process criminal personal data to determine whether the candidate or the employee is subject to the exclusion or restriction criterion specified by the law or the employer. An employer may determine such a criterion if the employment of the person concerned in a particular job would threaten the employer's substantial financial interests, trade secrets, or a significant interest protected by law. The employer must specify both the restrictive or exclusionary criteria and the conditions for the processing of criminal data, either by email or via the intranet, if this is in line with the customary and generally known method at the workplace.
  • Employees may not use the IT tools provided by the employer (i.e. computer, telephone, or even an employer's WiFi network) for private purposes unless the employer explicitly authorises private use. Regardless of this fact, whether the IT or computing tool used for work is the employer's or the employee's property, its control can only cover the data related to the employment relationship. The employer must also inform an employee in writing of the terms of any inspection, either by email or by publication on the intranet, if this is in accordance with the customary and generally known method at the workplace.

Security Services Act

  • Where an electronic surveillance system is used, the legal basis for data processing is the legitimate interest of the company or a third party for all affected persons, contrary to the previous rules, which required relying on legitimate interest for processing employee data and on implied consent (by entry to the territory affected by surveillance) for processing data of other persons (e.g. clients, visitors).
  • Electronic monitoring systems may be used only in private areas.
  • In accordance with the amendment, controllers would be entitled to determine the purpose for which they install an electronic monitoring system (e.g. protection of classified information, storage of biological and chemical substances, etc.), and the period necessary to keep recordings (e.g. with a view to civil law claim enforcement, defence in official proceedings, filing a criminal report, or other specific deadlines), contrary to the previous rules, which generally limited storage periods to three working days (with minor exceptions) and applied pre-defined purposes of monitoring (e.g. protection of assets, storage of hazardous materials, etc.).
  • Requests for and access to recordings will be governed by the GDPR (especially subject access rights) and the legal provisions governing the official requests for information from each authority. The reason and time of recording and the person accessing it must be recorded in the relevant minutes.

The Direct Marketing Act

Based on the amendment to the Direct Marketing Act, the name and address can be requested, collected, or transferred in the future for direct marketing purposes:

  • from the state name and address register;
  • from the customer or the person who was in contact with the data collector;
  • from a published database, name and address book, phonebook, directory, statistical list; and
  • from another similar person or body.

The Public Interest Notices Act

In relation to the abuse reporting (whistleblowing) system operated by employers, the Public Interest Notices Act makes it clear that the affected person can be the person reporting, the person affected by the report, and the person having substantive information about the report. Further, sensitive data and criminal data may be processed in the abuse reporting system and may be forwarded to a whistleblower's lawyer or an external organisation contrary to previous rules, which did not permit processing such data in the framework of the reporting system.

In the case of a natural person, the Public Interest Act will continue to allow anonymous reporting, while in the case of reports lodged by a legal person, identification will be explicitly required.

Medical Data Act

  • The rules of the GDPR will apply to the processing of personal data relating to the circumstances of a deceased person's death and the cause of death, as well as to the deceased person's health records.
  • The permitted goals of the processing of health and personal identification data (i.e. the promotion of health preservation, improvement, maintenance, and enforcement of patient rights, etc.) are further defined in the Medical Data Act.
  • The amendment also eliminates the obligation to appoint a DPO. The GDPR, however, requires that the controller or the processor appoints a DPO when the processing of health data (on a large scale) is the main activity. Based on the practice of the NAIH, data processing by a particular specialist or health care professional does not fall within this scope, so only hospitals and major healthcare providers are obliged to appoint a DPO.

Human Genetic Information Act

Genetic samples or data may only be transferred to a third country and may be imported from a third country where the GDPR and the data transfer conditions of the Human Genetic Information Act are recognised. Specifically, a third country must recognise:

  • an adequacy decision taken by the European Commission;
  • the existence of appropriate guarantees under the GDPR;
  • the transmission only of genetic samples encoded for human genetic testing; and
  • notification on the transfer of genetic samples and data to a third country (in a manner incapable of personal identification) to the competent health administration.

1.2. Guidelines

Before the GDPR, the NAIH issued a guideline concerning preparation for the GDPR. The one-page guideline contains the general description of the 12 most important tasks for GDPR compliance (only available in Hungarian here). The tasks relate to the following: data protection awareness, data mapping, privacy information obligations, individuals' data protection rights, access rights, legal basis of data processing operations, revision of privacy consents, protection of children's rights, data breach management, Privacy by Design and Default, Data Protection Impact Assessments ('DPIAs'), DPOs, and competence of the data protection authorities.

The NAIH has issued a statement on the application and legal assessment of social media modules used on websites, how to obtain consent legally, and the obligations of website operators (only available in Hungarian here). The statement confirmed that the website operator is the data controller for all personal data collected and transmitted over its website. However, the website operator's control is limited to the operations for which it defines the underlying purposes and means. The website operator is not considered a data controller after the transfer of the personal data when the social media provider has conducted further data processing. According to the NAIH, the use of the social-media module requires user consent. Users must be able to decide individually whether or not to consent to the operation of a given type of cookie. (The user must be able to decide whether he agrees to the data processing in question, such as the operation of a particular cookie.)

The NAIH has issued guidance on how employers can lawfully determine whether an employee is protected against COVID-19 (only available in Hungarian here). For certain occupations or employees, it may be necessary and proportionate for employers to know whether the employee is protected against COVID-19 in line with labour law, occupational health and safety, and the work organisation. The employer can only ask employees to present their Coronavirus Protection Certificate and the application for a Coronavirus vaccination. The company cannot make copies of them, store them in any form or manner, or transfer them to third parties. The employer can only record that the employee is certified as being protected against COVID-19 and can record how long this protection will last. Employers must prepare an objective risk assessment on a job-by-job or employee-by-employee basis with the guiding principles of safeguarding the life and health of protected workers, other workers, and third parties (i.e. customers), and being in full compliance with their obligations.

1.3. Case law

See section on enforcement decision below for relevant decisions of the NAIH.

2. Scope of Application

2.1. Personal scope

No national law variations, except on deceased individuals (see above). In addition, the data of private entrepreneurs is considered as personal data.

2.2. Territorial scope

Not applicable.

2.3. Material scope

For processing activities, where the GDPR is not applicable (including processing of manual, unstructured documents), the specific rules of the Act apply, which mostly reflect the provisions of the GDPR with a number of deviations (e.g. requests of data subjects must generally be answered within 25 days). Such rules also fully govern data processing for law enforcement, national security, and national defence purposes, bearing in mind that the implementing national law of the Law Enforcement Directive is the Act in Hungary.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The main regulator is the NAIH.

3.2. Main powers, duties and responsibilities

The NAIH may initiate a number of procedures, including:

  • an inspection in case of a report lodged by anyone with a reference to the breach of data protection rights, as well as in case of any breach of the right to be informed about public data and data rendered public, or in case of the imminent threat of such breaches;
  • an inspection procedure initiated on request or at the discretion of the NAIH;
  • a secrecy supervisory procedure concerning the classification of national classified data;
  • a court procedure (especially in case of the breach of the right to be informed about public data and data rendered public);
  • approval of Binding Corporate Rules ('BCRs');
  • cooperation with third country authorities and international organisations;
  • certification (the practice of which is still unclear due to the novelty of this duty); and
  • initiation of a criminal, offense or disciplinary procedure.

4. Key Definitions

Data controller: No national law variations.

Data processor: No national law variations.

Personal data: No national law variations.

Sensitive data: No national law variations.

Health data: No national law variations.

Biometric data: No national law variations.

Pseudonymisation: No national law variations.

5. Legal Bases

5.1. Consent

No national law variations.

5.2. Contract with the data subject

No national law variations.

5.3. Legal obligations

Articles 6(1)(c) and (e) of the GDPR enable data processing if:

  • it is necessary for compliance with a legal obligation to which the controller is subject; or
  • for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The Act defines these kinds of data processing operations as 'mandatory data processing operations' and provides that organisations can rely only on laws and municipality decrees in these cases.

Such laws and municipality decrees shall specify the following:

  • the identity of the data controller;
  • the purpose, term, and conditions of the data processing;
  • the type of data;
  • the access rights to the data; and
  • when it is necessary to revise the data processing purpose.

If an organisation is processing personal data on the basis of legal instruments which are not laws or municipality decrees (e.g. governmental decrees, or decrees from a ministry or an authority such as the Hungarian Central Bank or the National Media and Infocommunications Authority), it may choose another legal basis, e.g. legitimate interest. However, this restrictive provision may be in conflict with Recital 41 of the GDPR, which provides that, 'where [the GDPR] refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned.'

In case of 'mandatory data processing operations,' data controllers must periodically assess whether particular data processing is necessary for achieving its purpose. The Act also addresses the case when the relevant law/municipality decree does not define the time for this. In such a case, the data controller shall revise the purpose itself at least every three years, calculated from the commencement of the processing. The data controller shall:

  • document the circumstances and results of such revision; and
  • keep such documentation for ten years and present it to the NAIH at its request.

Data controllers must revise pre-GDPR data processing operations by 25 May 2021 at the latest.

The NAIH confirmed that even though the rules of the Act on mandatory data processing operations provide that processing must be based on laws or municipality decrees, this obligation only burdens the legislator and not the data controllers in general (only available in Hungarian here). This also means that data controllers may base their processing operations necessary for complying with legal obligations on Article 6(1)(c) of the GDPR, even when such legal obligation is prescribed by another legal instrument besides laws or municipality decrees (e.g. by a government decree or a ministerial decree).

5.4. Interests of the data subject

No national law variations.

5.5. Public interest

No national law variations.

5.6. Legitimate interests of the data controller

No national law variations.

5.7. Legal bases in other instances

No national law variations.

6. Principles

No national law variations.

7. Controller and Processor Obligations

7.1. Data processing notification

There are no national requirements in respect to notification/registration. The NAIH may inspect whether a company registered its data processing activities before 25 May 2018 (when it was still mandatory), but shall not sanction the omission of such reporting.

7.2. Data transfers

Any data controlled by certain entities (expressly listed in the relevant law) can only be processed in an IT system in the territory of Hungary. The National Cyber Security Center ('the Center') may approve that a listed entity transfer the operation of an IT system to another EU Member State. However, even the Center may not consent to any processing outside the EU.

Entities who have been designated as 'operators of critical infrastructure' can only process data in IT systems that are operated within the EU. There is no possibility to ask for any further exemption from an authority for the restriction of operating IT systems in the EU.

7.3. Data processing records

In practice, the NAIH can request documents for an undefined period of time.

7.4. Data protection impact assessment

The NAIH also published on its webpage the open-source software developed by the French data protection authority ('CNIL'), which assists data controllers in the preparation of DPIAs.

The NAIH also published an exemplary list ('the Hungary Blacklist') concerning processing activities subject to conducting a DPIA and possible prior consultation with the NAIH.

The Hungary Blacklist provides the following types of processing operations requiring a DPIA:

  • where the processing of biometric data for the purpose of uniquely identifying a natural person refers to systematic monitoring;
  • where the processing of biometric data for the purpose of uniquely identifying a natural person concerns vulnerable data subjects, in particular, concerning children, employees, and mentally ill people;
  • where the processing of genetic data is carried out in connection with sensitive data or data of a highly personal nature;
  • where the purpose of the processing of genetic data is to evaluate or score a natural person;
  • scoring: the purpose of data processing is to assess certain characteristics of the data subject, and its result has an effect on the quality or the provision of the service provided and to be provided to the data subject;
  • credit rating: the purpose of data processing is to assess the creditability of the data subject by way of evaluating personal data on a large scale or systematically;
  • solvency rating: the purpose of data processing is to assess the solvency of the data subject by way of evaluating personal data on a large scale or systematically;
  • further use of data collected from third persons: the purpose of data processing is the use of personal data collected from third persons in the decision to refuse or cancel a service to the data subject;
  • the use of the personal data of pupils and students for assessment. The purpose of data processing, regardless of whether tuition is at primary, secondary, or advanced level, is to record and examine the preparedness, achievement, aptitude, and mental state of pupils and students, and the data processing is not statutory;
  • profiling: the purpose of data processing is profiling by way of evaluating personal data on a large-scale and systematically, especially when it is based on the characteristics of the workplace performance, financial status, health condition, personal preferences or interests, trustworthiness or conduct, residence or movement of the data subject;
  • anti-fraud activity: the purpose of data processing is to use credit reference, anti-money-laundering or anti-terrorism financing, and anti-fraud databases for screening clients;
  • smart meters: the purpose of data processing is the application of 'smart meters' set up by public utilities providers;
  • automated decision making producing legal effects or similarly significant effects. The purpose of data processing is to make decisions with legal effects or other significant effects on natural persons, which decisions might result in the exclusion of or discrimination against individuals in certain cases;
  • systematic surveillance. Systematic and large-scale surveillance of data subjects in public areas or spaces by camera systems, drones or any other new technology;
  • location data: where the processing of location data refers to systematic monitoring or profiling;
  • monitoring employee work. Where the purpose of data processing is the systematic and extensive processing and assessment of employees' personal data in the course of the monitoring of employee work, including, e.g. placing GPS trackers in vehicles, and camera surveillance against theft or fraud;
  • processing of considerable amounts of special categories of personal data. Under Recital 91 of the GDPR, processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer;
  • the processing of considerable amounts of personal data for law enforcement purposes;
  • processing of large amounts of data related to vulnerable data subjects for purposes different from the original purpose, in the case of, e.g., the elderly, children, and mentally ill persons;
  • the processing of the personal data of children for profiling, automated decision making, marketing purposes or providing them information society related services directly;
  • the use of new technologies for data processing. This includes the processing of large amounts of data obtained via sensor-equipped devices (e.g. smart televisions, smart household appliances, smart toys, etc.) and transferred through the Internet or other channels, and such devices providing data on the characteristics of the financial status, health condition, personal interests, trustworthiness or conduct, residence or movement of the natural person, and such data form the basis of profiling;
  • the processing of health data. In respect of large amounts of special data processed by hospitals, healthcare providers, and private medical services or non-medical practitioners with a large clientele. This also includes the processing of health data collected from members of major sports establishments or workout rooms;
  • when the data controller is planning to set up an application, tool, or platform for use by an entire sector to process also special categories of personal data; and
  • the purpose of data processing is to combine data from various sources for matching and comparison purposes.

The NAIH has not so far published any exemplary or exhaustive lists concerning processing activities not subject to conducting a DPIA and possible prior consultation with the NAIH.

7.5. Data protection officer appointment

Data controllers and data processors must publish the contact details of their DPOs and communicate them to the NAIH through the Data Protection Officer Reporting System (only available in Hungarian here), and by registering on the DPO online registry (only available in Hungarian here). The NAIH must make the DPO information that it has received publicly available (Article 70(B)(1)(c) of the Act). DPOs registered with the NAIH can be found through a search tool (only available in Hungarian here). The NAIH will convene and set the agenda of the conference of DPOs each year. This conference serves as a regular interaction point between DPOs and the NAIH.

Organisations that appoint a DPO are under an obligation to notify the DPO's name, postal and email address to the NAIH, as well as any change to such data (Article 25(L)(4) of the Act). The privacy statement on the NAIH's website (only available in Hungarian here) ('the Privacy Statement') further specifies that the NAIH may also process phone numbers of DPOs.

In line with the Privacy Statement, when a DPO is notified, the NAIH will assess the notification and reach out to the email address provided in the notification; if the notified DPO does not confirm the notification within 15 days, the NAIH will consider the notification as non-compliant and will not disclose information about the notified individual.

The data of a notified DPO in the reporting system will be processed for as long as necessary, i.e. until the NAIH receives information that a person no longer performs their role as a DPO (the Privacy Statement and Article 70(B)(3)(c) of the Act).

The conference of DPOs ('the Conference'), which is convened by the NAIH at least once a year, serves as a channel of communication between the NAIH and the DPOs in Hungary, in order to ensure uniform application of data protection rules. Furthermore, the NAIH is tasked with determining the agenda of the Conference (Article 25(N)(1) and (2) of the Act).

7.6. Data breach notification

No variation or exemption was introduced concerning breach notification obligation.

Data controllers must notify personal data breaches to the NAIH through the Personal Data Breach Reporting System (only available in Hungarian here). The reporting form is also available on the NAIH's website, if a company wants to report the breach on paper.

7.7. Data retention

As regards specific archiving rules, it is advisable to retain data until the relevant period of limitation has expired. A number of circumstances can make it difficult to establish the date on which this period expires, and there are also a couple of rules under the laws which regulate various specific retention obligations in connection with specific documents (e.g. general period of limitation for civil law claims, employment-related documents, safe-keeping of accounting documents and tax returns, employer's certificates concerning social security and workplace accident allowance, declarations on social security entitlement, etc.). Any concerns regarding the retention obligation pertaining to a particular document are assessed on a case-by-case basis. Usually, employment-related data (e.g. internal correspondence) can be kept for three years, data of a civil law nature (e.g. contract data, information on commitments) can be kept for five years, and if the document is relevant for accounting purposes (e.g. certificate of performance or payment), the retention period is eight years.

7.8. Children's data

The Act does not provide for deviations from the GDPR in relation to the offer of information society services directly to a child and the processing of the personal data of a child, which shall only be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

7.9. Special categories of personal data

The Act provides that data controllers can process personal data relating to criminal convictions and offences in accordance with the rules on the processing of special categories of personal data. The practical implication of the above is that companies can process such data mainly:

  • based on the explicit consent of the individual;
  • for carrying out the obligations and exercising specific rights in the field of employment and social security and social protection law; or
  • for the establishment, exercise, or defence of legal claims.

The NAIH clarified in respect of the processing of moral certificates that in case of processing criminal data, the data controller also has to refer to a condition under Article 9(2) of the GDPR concerning the processing of special categories of personal data besides relying on a legal basis under Article 6(1) of the GDPR. The NAIH further clarified that for employers processing moral certificates of new employees, the applicable legal basis would be Article 6(1)(f) of the GDPR in addition to Article 9(2)(b) of the GDPR (only available in Hungarian here).

7.10. Controller and processor contracts

There are no specific requirements for Hungary; the GDPR shall apply.

8. Data Subject Rights

8.1. Right to be informed

No national law variations.

8.2. Right to access

No national law variations.

8.3. Right to rectification

No national law variations.

8.4. Right to erasure

No national law variations.

8.5. Right to object/opt-out

No national law variations.

8.6. Right to data portability

No national law variations.

8.7. Right not to be subject to automated decision-making

No national law variations.

8.8. Other rights

Deceased data subjects

The Act ensures that within five years of the death of an individual, the person designated by the individual – in an administrative declaration, public document, or in a private document with full probative force – may exercise the data protection rights of the deceased. In the absence of such provision, the close relative of the deceased may exercise the right to rectification, as well as the right to object to the data processing, the right to be forgotten, and the right to the restriction of the processing.

Besides such rules, a number of sectoral laws also stipulate that the rules of the GDPR apply to the processing of certain types of data of deceased people (e.g. health records of deceased persons, and insurance data).

9. Penalties

In its decision following the data protection authority's procedure, NAIH may:

  • impose sanctions prescribed by the GDPR;
  • in case of data processing for law enforcement, national security, and national defence purposes, order the rectification of data, its blockage, erasure, or destruction, prohibit the unlawful processing of personal data or their cross-border transfer, and impose data protection fines. The extent of fines corresponds with those provided by the GDPR; and
  • in case of budgetary organisations (such as a local government), the possible amount of data protection fine is limited to HUF 20 million (approx. €55,540).

In Hungary, GDPR compliance is challenging for a wide range of small and medium-sized enterprises ('SMEs'). Pursuant to a specific provision in the Act, the NAIH has issued guidance in which it stated that it will usually warn a data controller or processor at the first infringement of the GDPR or local data protection laws in lieu of imposing a fine (only available in Hungarian here). Such a rule, however, only provides orientation to the NAIH, which may also use other measures in case of a first breach, if it deems such measures necessary and fitting for the circumstances of the case. In the case of continuous breaches, the NAIH may impose fines even on private persons, individual entrepreneurs or SMEs.

9.1. Enforcement decisions

The NAIH is still very active. In 2020, a total of 10,609 cases were initiated by the NAIH; together with the cases carried over from previous years, there were thus 11,825 cases pending. The most noticeable change is a reduction in the number of consultation-type cases and, at the same time, an increase in the number of investigations. The number of consultation-type cases decreased by 17%, while the number of cases covered by data protection investigations increased by 28% compared to 2019. With this increase in the number of cases, the workload of the NAIH also multiplied. The most important topics in connection with which an application for an official procedure was submitted were data processing operations pertaining to COVID-19, the privacy and security aspects of distance learning, temperature measurement at workplaces, the disclosure of PCR and other infection test results to employers and third parties, workplace data processing, balance of interests and accountability in relation to CCTV use, data processing of banks and insurers, and the fulfilment of access rights. The NAIH received 781 personal data breach notifications in 2020, more than one and a half times the number of notifications of the previous year.

The NAIH has issued decisions, among others, on the following issues:

  • the branch office of an insurance service provider must comply with local data protection laws as well, notwithstanding the rules of its parent companies and the so-called 'general good' rules (only available in Hungarian here);
  • the branch office of an insurance service provider must not appoint a DPO, provided that its group DPO is easily accessible and the staff of the branch office has the language skills to communicate with the DPO (only available in Hungarian here);
  • the local branch offices of foreign companies can act as individual data controllers, however, they must always consider whether they are joint controllers with their mother company, subject to the specific circumstances of the actual data processing (only available in Hungarian here);
  • there are no obligations for the DPO to attend mandatory trainings (only available in Hungarian here);
  • managing directors, IT, and HR heads cannot be DPOs (only available in Hungarian here);
  • the DPO cannot be 'faceless.' One entity can appoint multiple DPOs, but it must clearly name the person who bears the privacy responsibility for the entity (only available in Hungarian here);
  • the NAIH broadly interprets the terms 'filing system' and the processing of personal data other than by 'automated means' (e.g. manual data processing). They cover any set of personal data, which is accessible or can be searched according to specific criteria (e.g. registers, lists, or paper documents stored in dossiers and folders) (only available in Hungarian here);
  • company emails that contain the name of a natural person and the name of a natural person contact at a company can be personal data. When a company provides such data to its contracting party, the legal basis of such data provision is the performance of the employment agreement with the relevant contact person. The contracting party must process the data of the contact persons based on its legitimate interests, subject to a balancing test (only available in Hungarian here);
  • companies must prepare an internal data protection policy only if it is proportionate in relation to the data processing activities (only available in Hungarian here);
  • the NAIH accepts that an organisation does not have control over Facebook, Inc.'s data processing operations, however, data protection compliance in respect to the personal data collected by the organisation itself (e.g. the data of the users of its Facebook page) is of primary importance (only available in Hungarian here);
  • the legitimate interest of the operator of a webpage (Article 6 (1)(f) of the GDPR) may be relied on in case of applying cookies, which are deemed necessary for the operation of the webpage, whereas the consent of the individual should be required for cookies unnecessary for such purpose (e.g. statistical cookies, marketing cookies) (only available in Hungarian here);
  • the NAIH further clarified whether it is in compliance with the GDPR to promote subscribing to newsletter services by providing benefits to data subjects. The NAIH found that providing benefits for newsletter subscription does not contradict the GDPR in itself, if the voluntary nature of consent (subscription) is not affected and the data subject is not forced to use the service. In general, it means that if the data subject revokes his/her consent, he/she may only lose access to the service directly in connection with the consent (i.e. access to the newsletter service in case of the subscription); and
  • the NAIH confirmed that during the current COVID-19 pandemic brought on by mass infections, organisations (i.e. businesses, associations, institutions) can measure the temperature of individuals if all of the following conditions are met:
    • the individual is entering territory, property, or buildings owned or used by the organisation;
    • measurement is applied uniformly to all persons wishing to enter (whether the individual is in an employment relationship or otherwise);
    • personal identification of the subject whose body temperature is being measured is not included in the process; and
    • measurement does not in any way involve the recording, further storage, or transmission of data (only available in Hungarian here).

Notable cases under the GDPR

Right to access:

An individual visited a company's office and asked to inspect certain documents related to a dispute. The company refused the request, and the individual requested a copy of relevant CCTV recordings as evidence in the litigation. The company refused the request, arguing that the recordings did not support the individual's claims, but only proved that he was present in a given place at a given time.

The NAIH found that the company infringed the individual's access rights, and clarified the following principles on the right to access (only available in Hungarian here):

  • a company cannot request any justification from an individual making a data request; and
  • a data controller is not in a position to determine whether the required data would be necessary for the individual's litigation purposes.

The NAIH imposed a fine of HUF 1 million (approx. €2,777) against the company. It considered the following circumstances when determining the amount of the fine:

  • the nature of the breach;
  • the fact that the deleted recordings could not be recovered;
  • the fact that this was the company's first infringement under the GDPR;
  • the net sales revenue of the data controller company in the preceding year was HUF 15.3 billion (approx. €42.5 million); and
  • Hungarian rules on CCTV operation were not in line with the GDPR by the time of the decision because they stipulated that if an individual requested a company not to delete a CCTV recording, he/she had to prove that the recording affected his/her rights or legal interests.

Fine against a bank:

The NAIH has issued a fine of HUF 500,000 (approx. €1,390) on a bank for failing to comply with the principle of accuracy under the GDPR (only available in Hungarian here). The procedure was initiated at the request of an individual after the bank mistakenly sent SMS messages about his credit card debt to the telephone number of another person. After receiving an incorrect telephone number from the client at the time of contracting, the bank did not comply with the individual's request to erase the data and continued to send SMS messages to the incorrect telephone number.

In its decision, the NAIH made the following findings:

  • the bank does not have to delete a telephone number processed by mistake if the error is reported by a third person who is not properly identified;
  • as soon as the inaccuracy of a telephone number becomes certain, however, the bank must erase the given data. It should also review the contract of the complaining individual, which can confirm whether an error has taken place; and
  • the bank should have restricted the processing of the data in question until the accuracy of the telephone number was certified.

Fine on a debt collector for breaching the principles of transparency and data minimisation:

The NAIH imposed a fine of HUF 500,000 (approx. €1,390) on a debt collector for breaching the principles of transparency and data minimisation (only available in Hungarian here). An individual satisfied the debt collector's claim and afterwards, relying on the GDPR, requested information on his processed data and requested that his email address and other personal data be erased, which was declined by the debt collector.

The NAIH stated that the debt collector breached the principle of transparency by not appropriately informing the individual on the rules of backup copies and by referring to an internal policy, which is not public and not accessible to the individual.

The NAIH highlighted that companies should minimise the data required for client identification, that all internal company policies on data processing be fully transparent to clients, and that policies for making backup copies of data be revised to reflect the GDPR.

When issuing the fine, the NAIH did not take into account the company's worldwide annual turnover or income, as it had in previous decisions based on the GDPR, and instead focussed on the results of its business activities. This discrepancy suggests there is still no unified practice in Hungary for assessing fines.

Fine for unsatisfactory balancing test:

A financial institution failed to delete the telephone number of its client at his request for possible claim enforcement purposes. Following the client's complaint, the NAIH determined that (only available in Hungarian here):

  • the balancing test was too broad and covered more than one data processing purpose, which would have necessitated the preparation of separate balancing tests. The balancing test specified only economic and convenience aspects and failed to prove the priority of the data controller's interests over that of the individual and contained irrelevant findings (e.g. the data controller complies with data security requirements);
  • the telephone number in itself is not necessary for claim enforcement. Written form correspondence is sufficient for communication with the debtor or client; and
  • regarding the fine, the NAIH took into account both the income and the profits of the data controller's company. It is highlighted that in previous cases, the NAIH took into account such indicators separately, meaning that there is still no solid practice for this in Hungary.

Data protection fine for sending mails to wrong recipients:

The NAIH imposed a fine of HUF 100,000 (approx. €278) on a social and child welfare institution for a data breach concerning sending letters to the wrong recipients (only available in Hungarian here). The nine letters concerned affected 18 data subjects and included sensitive information, especially data on children, as well as criminal data.

The controller only performed a risk analysis and informed the NAIH of the breach more than 20 days after becoming aware of it, which increased the risk of the breach to the affected data subjects.

In addition to imposing a fine, the NAIH highlighted the importance of proper and immediate risk analysis, as well as the adoption of breach management guidelines to minimise or terminate the negative consequences of the breach on the data subjects and to reassess data security measures applied by the controller.

Fine for unlawful processing of data of festival visitors:

The NAIH imposed a fine of HUF 30 million (approx. €83,300) on a local company hosting the biggest music festivals in Hungary (only available in Hungarian here). The case started in 2016, when a number of festival visitors complained to the NAIH about the controller's data processing practice at the entrance of the festivals, which included scanning of identity documents and making video recordings. It is highlighted in the case that initially, the controller relied on the consent of the festival visitors for its entry control and argued that the consent of the visitors was voluntary due to the fact that they had a free choice to visit the given festival or not.

Later on, the controller relied on legitimate interest and argued that processing data at the entrance of the festivals served as its legitimate interest as well as the visitors' interest to avoid misuse of tickets and entry armbands, and to prevent acts of terrorism and further crimes (e.g. drug traffic) from taking place at the scene of the festivals. The NAIH highlighted in its decision that the controller may have a financial interest to prevent misuse of tickets and armbands but failed to properly assess the scope of data necessary for entry control and to apply necessary measures for such purposes.

As regards the calculation of the fine, the NAIH took into account, as aggravating circumstances, the fact that the controller breached both the principle of purpose limitation and data minimisation, processed the data of hundreds of thousands of festival visitors unlawfully and wilfully, and that the controller is a market-leading company in the field of festival organisation. The NAIH also took into account the sales revenue of the controller for the business year of 2017, which reached over HUF 1.2 billion (approx. €3.5 million).

Insufficient cooperation with data subject concerning camera recordings and breaching right to access:

The NAIH further imposed a fine of HUF 700,000 (approx. €1,945) on a local bank (only available in Hungarian here). The data subject requested a copy of camera recordings capturing his image, which the company had refused, referring to other persons' personality rights and its trade secrets.

With regard to the inspection of camera recordings and the provision of their copies, the NAIH recommended blurring out other persons on the recordings, as well as trade secrets if deemed necessary by the company in the given case. In case of processing data to comply with a legal obligation of the company, the company must specify such legal obligation in the respective data protection notice.

Ruling on data erasure and data-device destruction

The NAIH issued a ruling on the erasure of personal data and the destruction of data carriers (e.g. disks, pen-drives, and electronic data) used for storing personal information.

Focusing on both employee and client data, the ruling stated that companies must erase personal data in such a way that no links can be made to the identities of individuals. In case of electronically stored data, the mere reformatting of hard disks or other data-storage devices or carriers is not enough. According to the NAIH, companies may use free software products such as DBAN or a form of HDD-wipe software to perform deletions.

If companies outsource data erasure (especially, the destruction of data-carrier devices) to third-party service providers, the provider should be certified and able to issue an official destruction protocol at the end of the process (the NAIH provides no further details on certification).

Companies must verify the erasure of data in writing, although the possession of a destruction protocol may be sufficient as long as it includes the full information verifying the data erasure, such as identification of the data carrier (e.g. a registration or serial number) and the method used to destroy the device. Unfortunately, the NAIH does not offer further details, such as how this protocol is able to prove the actual destruction of a particular piece of data linked to one individual.

Fine for delayed breach notification

As mentioned above in the context of fines for sending mails to wrong recipients, the NAIH imposed a fine of HUF 100,000 (approx. €278) on an unnamed social and child welfare institution for the late notification of a data breach. The organisation had sent nine letters to incorrect recipients, containing sensitive information on 18 individuals, including contact information for children and their families, criminal-record data, and information related to child-protection proceedings.

As part of GDPR-mandated breach management, the institution had performed a risk analysis based on the Recommendations for a methodology of the assessment of severity of personal data breaches developed by the European Network and Information Security Agency ('ENISA'), and had introduced a double-control process when addressing letters, and implemented specific data protection training.

Nevertheless, the institution only informed the NAIH of the breach more than 20 days after becoming aware of the data breach. As a mitigating factor, the NAIH accepted the institution's excuse that the person responsible for breach management did not have the capacity to deal with the case (only available in Hungarian here).

Fines for insufficient balancing tests and failing to fulfil subject access

The NAIH imposed fines in two separate cases, involving balancing tests and subject access.

In the first case, the NAIH imposed a fine of HUF 600,000 (approx. €1,670), representing 0.003% of the offender's revenue for the preceding year, against a Hungarian employer for sending the tax certificate of an employee to another individual, which constituted a notifiable personal data breach under the GDPR.

Furthermore, the NAIH established that the employer failed to provide data requested by an employee within one month (as required by the GDPR) and did not specify whether it was necessary to extend the deadline.

The NAIH ordered the employer to provide the employee with copies of the requested information and documents within the one-month deadline, including tax, social security, and pension reports (T1041 and M30 forms) for the employee, the date, and the amount of tax paid by the employee, any missing payment periods, and the employee's scope of work (only available in Hungarian here).

In the second case, the NAIH imposed a fine of HUF 2 million (approx. €5,555), or 0.0027% of the offender's revenue for the preceding year, on a telco company and another fine of HUF 1 million (approx. €2,777), or 0.013% of the offender's past year's revenue, on a claim management company in connection with their legitimate interest balancing tests and their choice of an incorrect legal basis for data processing for claim management purposes.

In one case, an unknown fraudster used the personal data of the complainant in a telephone call to illegally conclude a subscription, but failed to pay the service fees later on. As a result, the telco company refused to conclude a subscription contract with the complainant because its fraud prevention database indicated that the complainant had an unfulfilled debt.

The telco company already sold and assigned the underlying claim to the claim management company. The complainant submitted a subject access request to clarify the accuracy of the data held in the companies' database since it disputed the fact that it previously had a contract with the telco and owed it money. The investigation revealed the fraud.

The NAIH has established the following general provisions, which every data controller must fulfil: the legitimate interest balancing test must specify a potential fraud, its repeated attempts, how the processing of personal data serves its prevention, and why the data are necessary and relevant for this purpose. Furthermore, the test should measure the data controller's interest against the rights and interests of the data subject. The data controller must suspend all data processing until it prepares a proper test.

In case of data processing in connection with the assignment of claims, the appropriate legal basis is typically the legitimate interest of the assignee to enforce the claim.

In case of fraud, the data controller must provide the complainant with a copy of the call recording with the fraudster, but it should make the personal data of the people mentioned in the call unrecognisable (only available in Hungarian here).

Fines for unlawful access to workplace emails

The NAIH imposed fines in two cases related to monitoring workers. In both cases, the employers failed to provide proper privacy information on the use of their employees' data and did not have appropriate internal policies in place.

In the first case, an employee was on sick leave when his employer checked his desktop, laptop, and emails to ensure that his work-related duties were being covered in his absence. The employer then suspended his account. The employee complained to NAIH, claiming that he did not receive pre-notification and did not have the chance to copy and delete his private information (e.g. telephone numbers, messages). NAIH fined the employer HUF 1 million (approx. €2,777) (only available in Hungarian here).

In the second case, the employer restored the mailbox of a director who had left the company a year before and found an email containing a work-related legal document. Similar to the first case, the director complained that he received no warning that his former inbox would be activated and did not have a chance to copy and delete his private information (e.g. passwords, financial information, etc.). NAIH fined the employer HUF 500,000 (approx. €1,390) (only available in Hungarian here).

In these cases, NAIH agreed with the employer's argument that an absent employee who has failed to perform his tasks represents an integrity risk with financial and legal consequences. Hence, it is in an employer's legitimate business interest to take steps to prevent or mitigate these risks. NAIH also recognised that it may be necessary to archive the mailbox of former employees for security purposes, but stated that employers must comply with data protection rules in all cases.

Fines for an IT security breach at a telco

The NAIH imposed a data protection fine of HUF 100 million (approx. €280,000) on a Hungarian telco company for an IT security breach alongside allowing unauthorised access to the personal data of customers.

In addition to the fine, the NAIH ordered the company to review its databases containing personal data, determine whether applying encryption is justified to ensure security, and to inform the NAIH of the results of the review.

The company created a large test database of customer and subscriber data for troubleshooting purposes, but failed to delete it once the underlying errors were corrected and the database was no longer needed.

A white-hat hacker accessed the test database through the company website, hacking into the personal data of customers that included the following information: name, birth name, mother's name, place and date of birth, address, ID card number, personal ID number, email address, mobile phone number, landline number, bank account number, telecom contract data, and data relating to the services used. By exploiting the discovered vulnerability, the hacker was also able to access another database used for direct marketing purposes, which contained a subscriber newsletter and system administrator data that in turn provided access to the website interface.

The hacker informed the company of the breach and the vulnerability of its systems.

The NAIH found after an investigation that the company did not apply appropriate technical and organisational measures proportionate to the risks because:

  • the vulnerability of the company's open-source content management system had been known for more than nine years and was listed on the official website of the software developer together with the method for repairing that error;
  • although an official patch for the error was not created, an unofficial repair was publicly available for anyone, free of charge; and
  • the storing of plain-text data of a sensitive nature in the database constitutes a high-level security issue, which can be eliminated by using appropriate encryption.

The NAIH also established that the test database contained sufficient personal data to make customers vulnerable to identity theft or misuse of identity. In addition, the information accessible via the system administrator also left customers open to both identity theft and illegal access to even more personal data (only available in Hungarian here).

Fine for failure to provide access to private emails

The NAIH imposed a fine of HUF 200,000 (approx. €555) on a company for unlawfully denying a former employee access to archived private emails.

In addition to the fine, the NAIH ordered the company to cooperate with the employee, conduct a review within 15 days, determine the personal data contained in the former employee's archived email account that should be considered private in nature, and give the employee access to these private personal emails.

The decision, however, also features some unprecedented findings favourable to employers. According to the NAIH, the former employee is not entitled to request the release of his entire email correspondence, and the employer cannot be expected to sort through the former employee's private e-mails independently.

A former employee requested that his previous employer provide access to the 2018 archive of his work email account, which was partially of a private nature, and concerned scientific publications pertaining to research activities conducted in the context of his employment relationship.

The company denied the request for the following reasons:

  • the former employee is no longer entitled to indicate the company in scientific publications, therefore it has no interest that could justify the request to have access to the email account;
  • the access would jeopardise the company's financial and economic interests and would also endanger trade secrets;
  • since an employment lawsuit is pending between the company and the former employee, providing access would enable the former employee to destroy evidence; and
  • the company was not able to identify the scope of the private personal data (e.g. the scientific publications, the release of which the former employee had requested).

In its decision the NAIH confirmed the following:

  • data contained in a work email account constitutes personal data, irrespective of whether the emails pertain to work or private correspondence;
  • emails pertaining to work, such as emails potentially containing trade secrets, are protected, and as a result, the former employee's full email correspondence cannot be released;
  • access to emails of a private nature must be ensured. A work email account, however, potentially contains such a large quantity of sent and received emails that the employer cannot be expected to sort through it all. The appropriate measure would have been to notify the former employee that he is no longer entitled to indicate the company in his future scientific publications, which would have made it unnecessary for the former employee to request the release of the full 2018 archive of his work email account. Furthermore, the company should have informed the former employee that it is fully open to release his private emails, provided that he indicates the exact emails required and the data medium on which he wishes to receive these emails; and
  • private emails may be released, but the former employee must select the required emails from a list of contents or by participating in the sorting together with the company.

Fine levied for data breach related to COVID-19 rapid test

The NAIH has imposed a HUF 10 million (approx. €27,700) fine on the 11th District Public Health Department of the Government Office of the Capital City Budapest for failing to apply data security measures commensurate with the risks entailed in processing health data when it transmitted an Excel file containing a database of health and contact information to general practitioners.

According to the NAIH, the data breach was linked to the following factors:

  • the sender did not sort information according to each general practitioner's district, enabling doctors to see the personal data of both their patients and patients under the care of other doctors;
  • the transmitted file lacked access protection or encryption to guarantee confidentiality; and
  • the file was sent by way of simple e-mails that could be viewed by anyone.

Although the Government Office warned the general practitioners about the confidentiality of health data and to delete the data of patients not belonging to their districts, the above activity resulted in a high-risk data breach, which it failed to report to the NAIH and the data subjects.

In its decision the NAIH established the following:

  • the data breach resulted from the Government Office's failure to implement appropriate technical and organisational measures to safeguard the confidentiality of health data during the transmission;
  • the sender should have sorted the personal data on a district-by-district basis before transmission, thus ensuring that general practitioners could only access the data of patients in their own districts and not those of other patients, even if urgent action was necessary; and
  • the lack of security measures may have resulted in personal data being disclosed to recipients who were entitled to access a fraction of the data (i.e. only the data applicable to each doctor-patient relationship).

Fine levied for the mismanagement of a data subject request regarding CCTV operations

The NAIH conducted a proceeding against a shoe trade company and examined how the company handled data subject access requests in relation to its CCTV operations, including its internal procedure. The person involved in the case bought a shoe from the company. He alleged that his cash was not properly returned to him at the cash desk, and he asked the company for access to the CCTV recording of the incident and not to delete the recording until the situation was clarified. The company informed him that it could only issue camera footage to the police. Moreover, the company did not block the recording, but deleted it after the retention period, so despite a complaint being filed with the police, the recording was no longer available. The company did not explain to the applicant why it did not grant him access to the recordings, and it did not have any data protection regulations regarding CCTV recordings at all. The company kept a systematic record of incoming messages, but did not separate out data protection matters, and registered the data subject's complaint, which was in fact a data protection issue, as a consumer protection complaint. The NAIH has imposed a fine of HUF 20 million (approx. €55,555) on the company.

Fine levied for unlawful voice recordings

One customer reported to the NAIH that a voice recording was made at the customer service office of a telecommunications service provider while customer matters were being handled, but those concerned were not (adequately) informed. (The complainant accidentally noticed that a microphone was installed.) In its decision, the NAIH condemned the service provider because it could not identify the conflicting interests or did not present the interests of the data subjects in any form in the legitimate interest balancing test. The test contained only a general assessment, not one differentiated by type of administration, type of interests, or type of purposes. The NAIH found that the service provider had made sound recordings of in-person customer service administration during the period under review without a proper legal basis. Furthermore, the prior information provided by the service provider was also inadequate: the privacy notice was available on the company's website, but the customer service did not provide information on the existence or availability of that privacy notice. Prior to the commencement of the recording, the data subjects were informed only of the fact of the data processing; the information on the other relevant circumstances of the data processing was not easily accessible. Due to the above, the authority considered it necessary to impose a data protection fine of HUF 60 million (approx. €166,600). During the period under review, the service provider liaised, across all its stores in total, with 45,000 to 55,000 people per month at its in-person customer services, so the number of those affected is in the order of millions.

Data breach of a medical website

The NAIH received a complaint according to which medical findings and referrals managed in the appointment system of the website operated by the data controller could be publicly accessed or downloaded by unauthorised users.

The NAIH determined that this was a directory leakage vulnerability. The vulnerability affected two websites where documents with .pdf extensions containing patient findings were stored. When the URLs were invoked, the web server listed all the content stored on it instead of displaying the requested interface. This allowed anyone with knowledge of the links to access the documents stored on the online interface without registering on the site.

The data controller was not able to determine exactly how long the vulnerability had existed; it had only learned of it from the NAIH. Based on the log files, the data controller could not detect unauthorised access; hence, in the course of its risk analysis, it found that the breach was not likely to pose a risk to the rights and freedoms of those concerned. Therefore, the controller did not consider it appropriate to report the breach to the NAIH and inform those concerned.

The NAIH found that the data controller had violated the GDPR's data security requirements and the obligation to report the breach due to its inability to detect external access.

The data controller was obliged by the NAIH to pay a fine of HUF 7.5 million (approx. €20,830).
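
The decision above turned on the controller's inability to detect external access from its log files. The following Python example is added here for illustration and is not taken from the NAIH decision or the controller's systems; it audits access log lines for successful directory requests and for documents served without an authenticated user. The Combined Log Format with a recorded user field, the `/findings/` path and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)
DOC_PREFIX = "/findings/"   # assumed location of the stored patient PDFs
CRAWLER = re.compile(r"bot|crawler|spider", re.I)

def audit(lines):
    """Return {ip: set(reasons)} for successful requests that suggest exposure."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m or m["status"] != "200" or not m["path"].startswith(DOC_PREFIX):
            continue
        path = m["path"].split("?", 1)[0]
        if path.endswith("/"):
            # A 200 on a bare directory path means an index page or listing was served.
            hits[m["ip"]].add("directory_listing")
        elif path.lower().endswith(".pdf") and m["user"] == "-":
            # Document served although the server recorded no authenticated user.
            hits[m["ip"]].add("unauthenticated_document")
        if CRAWLER.search(m["agent"]):
            # Search engine crawlers reaching the document store make the data searchable.
            hits[m["ip"]].add("crawler")
    return dict(hits)

# Constructed sample log lines (documentation IP ranges, invented paths and users).
SAMPLE = [
    '192.0.2.10 - drkovacs [03/Mar/2021:09:12:01 +0100] "GET /findings/2021/a1.pdf HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Mar/2021:09:14:40 +0100] "GET /findings/2021/ HTTP/1.1" 200 1830 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Mar/2021:09:14:52 +0100] "GET /findings/2021/a1.pdf HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [03/Mar/2021:10:02:13 +0100] "GET /findings/2021/b7.pdf HTTP/1.1" 200 51002 "-" "ExampleBot/1.0"',
    '203.0.113.9 - - [03/Mar/2021:10:05:00 +0100] "GET /findings/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reasons in sorted(audit(SAMPLE).items()):
        print(ip, sorted(reasons))
```

A flagged address is a lead for review rather than proof of unauthorised access; the check only works if the server actually records the authenticated user and the logs are retained for the whole period in question.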

Unlawful access to customer data at a travel agency

The personal data of customers was available to anyone through a website operated by a travel agency. Thus, passengers' names, contact details, address details, identity card and passport numbers, booking and travel information, dates, destination, accommodation, contract details and the specific travel contract were accessible to the public.

The complainant found this by browsing the internet and typing her father's name into the Google search engine, and then, through one of the hits, she was able to open the database without any authorisation checks. Thus, the database was also crawled by Google's search engine, which made the data stored in it searchable.

The NAIH found that a vulnerability was left in the development of the travel agency's website due to the omission of various IT security measures (e.g., testing, vulnerability testing) and careless design of the website that allowed public access to the database. Customer data continuously uploaded to the travel agency's live contract data database was transferred through a 'forgotten' connection point to the test database previously created by the website developer. However, due to inadequate protection, the test database became available to everyone through the website, so virtually anyone could follow the updating and management of customer data on the Internet. Neither the data controller nor the data processor previously knew about the public availability of the database.

Until its elimination, the vulnerability affected 781 individuals and a total of 309 travel contracts, amounting to approx. 2,500 items of personal data.

The NAIH found that the travel agency, as the data controller, had commissioned an inappropriate data processor to design the website, could not guarantee the security of the personal data processed, and did not inform those concerned about the high-risk personal data breach.

The NAIH also found that the data processor in charge of developing and operating the website did not subject the website to proper security checks or vulnerability tests, and acted with a high degree of negligence in its development.

The NAIH ordered the travel agency to pay a HUF 20 million (approx. €55,555) data protection fine and the website development company a HUF 500,000 (approx. €1,388) data protection fine.

Data breach as the result of incorrect configuration on the web servers

A financial service provider reported a personal data breach to the NAIH. On the internet interface created by the service provider for data sharing, due to an incorrect configuration on the web servers, contracts and portfolio statements created for individuals became publicly available.

Of the data of about 200 customers stored on the site affected by the incident, the incident concerned the personal data of 50 customers: identity data (name, date of birth, place of birth, identity card number, tax identification number, and nationality), contact information (address, e-mail address, and telephone number), and financial information (portfolio value).

According to the NAIH, the financial service provider would have been expected to regularly check the incorrectly configured system with vulnerability tests performed by internal and external experts. The data controller would also have been expected to ban search engine crawlers in the case of the data processing in question, i.e. to ban the listing of data stored on the web server.

The NAIH obliged the data controller to pay a HUF 2 million (approx. €5,555) data protection fine in view of the application of insufficient security measures.