Hungary - Data Protection Overview
1. Governing Texts
In Hungary, the current main national law on personal data protection is Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (as amended by Act XXXVIII of 2018 (only available in Hungarian here) to implement the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')) (an up-to-date version of which is only available in Hungarian here) ('the Act'). The Act sets out the general framework for data protection and is supervised by the National Authority for Data Protection and Freedom of Information ('NAIH').
The Act applies to all kinds of data processing operations, except to the processing of personal data by a natural person in the course of a purely personal or household activity. This is an addition to the GDPR and covers manual data processing operations as well.
The Act is applicable if:
- the data controller's:
  - main establishment; or
  - only place of business in the EU is in Hungary; or
- the data processing operations of a data controller or its data processor are related to:
  - the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in Hungary; or
  - the monitoring of the data subjects' behaviour as far as their behaviour takes place within Hungary.
At the request of the NAIH, a local government notary may be involved in verifying the actual circumstances of a data controller's data processing activities, in particular the scope of the personal data processed, the means of the operations, and the technical and organisational measures applied.
The NAIH's administrative deadline for closing a data protection authority procedure is 150 days, excluding the time between the receipt of a notice requesting information needed to ascertain the relevant facts of the case and the provision of that information. If the NAIH exceeds this deadline by more than two times, it can no longer impose a fine; however, other sanctions remain possible, e.g. an order to cease the unlawful data processing.
Other significant provisions in the Act:
- The Act establishes a specific and permanent confidentiality obligation for data protection officers ('DPOs'). Organisations should revise the confidentiality clauses of their contracts with DPOs to ensure harmonisation with the Act.
- The NAIH will convene and set the agenda of the 'conference of DPOs' each year. This conference shall serve as a regular interaction point between DPOs and the NAIH.
- In accordance with the GDPR, organisations shall not register their data processing operations with the NAIH anymore and shall record their own data processing operations in line with Article 30 of the GDPR.
- As of 1 January 2022, the NAIH is entitled to order the erasure of certain unlawfully processed personal data ex officio, without the request of the data subject.
- NAIH may, in the course of an administrative procedure or an administrative investigation, order the temporary removal of unlawfully processed electronic data by the hosting provider in the case of children or special or criminal personal data. It is also subject to the condition that there is an imminent and serious risk of an irreparable breach of the right to the protection of personal data.
Harmonisation of sectoral laws with the GDPR
A number of sector-specific laws have been amended to guarantee harmonisation with the GDPR, including:
- Act I of 2012 on the Labour Code (only available in Hungarian here) ('the Labour Code');
- Act XCIII of 1993 on Labour Safety (only available in Hungarian here) ('the Labour Safety Act');
- Act XLVII of 1997 on the Medical Data Act (only available in Hungarian here) ('the Medical Data Act');
- Act XXI of 2008 on Protection of Human Genetic Data (only available in Hungarian here) ('the Human Genetic Information Act');
- Act LXVI of 1992 on Personal Data and Address Records of Citizens (only available in Hungarian here);
- Act CXXXIII of 2005 on Security Services and the Activities of Private Investigators (only available in Hungarian here) ('the Security Services Act');
- Act CXIX of 1995 on the Use of Name and Address Information Serving the Purposes of Research and Direct Marketing (only available in Hungarian here) ('the Direct Marketing Act'); and
- Act CLXV of 2013 on Complaints and Public Interest Notices (only available in Hungarian here) ('the Public Interest Notices Act').
The main amendments are outlined below.
The Labour Code
- The employer must inform the employee in writing about any restriction of their personality rights, including the circumstances justifying the necessity and proportionality of the restriction. This is not the same as the balancing test that the employer has to carry out in the case of data processing based on legitimate interest. The information must be provided in written form and published by a method customary and generally known at the workplace, such as by email or on the company intranet.
- The employer, works committees, and trade unions may process the personal data of employees for the purpose of labour relations and the employer also for the purpose of establishing, fulfilling, terminating, or enforcing the employment relationship. The employee may be required to present a document for this purpose, but the above data controllers do not have the option of making copies. Employees should also be informed in writing about these data processing operations, including by communication methods customary and generally known at the workplace (i.e. communication by email or publication on the company intranet).
- Biometric identification of employees is possible to prevent risks to human life, physical integrity, health, or to protect significant interests and materials protected by law or regarded as hazardous or dangerous (e.g. classified data, explosives, hazardous substances, and nuclear materials).
- The employer may process criminal personal data to determine whether the candidate or the employee is subject to the exclusion or restriction criterion specified by the law or the employer. An employer may determine such a criterion if the employment of the person concerned in a particular job would threaten the employer's substantial financial interests, trade secrets, or a significant interest protected by law. The employer must specify both the restrictive or exclusionary criteria and the conditions for the processing of criminal data, either by email or via the intranet, if this is in line with the customary and generally known method at the workplace.
- Employees may not use the IT tools provided by the employer (i.e. computer, telephone, or even the employer's Wi-Fi network) for private purposes unless the employer explicitly authorises private use. Regardless of whether the IT or computing tool used for work is the employer's or the employee's property, any inspection of it can only cover data related to the employment relationship. The employer must also inform the employee in writing of the terms of any inspection, either by email or by publication on the intranet, if this is in accordance with the customary and generally known method at the workplace.
The Labour Safety Act
- In case of teleworking, the employer exercises the right of supervision primarily by electronic means. However, the employer or its representative shall routinely inspect work conditions at the place of teleworking and ensure that they are compliant with the requirements, and the employees have knowledge of and observe the provisions pertaining to them. Consequently, this may also mean that the employer carries out the supervision at the employee's home. At the same time, the workers' representative for occupational safety may enter the property where teleworking is performed with the employee's consent. The supervision cannot, however, impose a disproportionate burden on the employee or on any other person using the place of teleworking, nor infringe the privacy or dignity of the employee. The rules for the supervision, including data protection requirements, should be laid down in advance. In addition, in the context of regular teleworking, further data protection issues arise in relation to the use of information technology and IT tools provided for work and of the permission of their use for private purposes, as the employer may be exposed to greater risks, for example in relation to security or data protection incidents. Therefore, it may be appropriate to provide for specific rules on confidentiality and security in the context of teleworking as well.
Security Services Act
- In case of the use of an electronic surveillance system, the legal basis for data processing is the legitimate interest of the company or a third party for all affected persons contrary to the previous rules which required relying on legitimate interest for processing employee data and on implied consent (by entry to the territory affected by surveillance) for processing data of other persons (e.g. clients, visitors).
- Electronic monitoring systems may be used only in private areas.
- In accordance with the amendment, controllers are entitled to determine the purpose for which they install an electronic monitoring system (e.g. protection of classified information, storage of biological and chemical substances, etc.) and the period for which recordings need to be kept (e.g. with a view to civil law claim enforcement, defence in official proceedings, filing a criminal report, or other specific deadlines). This is contrary to the previous rules, which generally capped storage periods at three working days (with minor exceptions) and prescribed pre-defined purposes of monitoring (e.g. protection of assets, storage of hazardous materials, etc.).
- Requests for and access to recordings will be governed by the GDPR (especially subject access rights) and the legal provisions governing the official requests for information from each authority. The reason and time of recording and the person accessing it must be recorded in the relevant minutes.
The Direct Marketing Act
Based on the amendment to the Direct Marketing Act, the name and address can be requested, collected, or transferred in the future for direct marketing purposes:
- from the state name and address register;
- from the customer or the person who was in contact with the data collector;
- from a published database, name and address book, phonebook, directory, statistical list; and
- from another similar person or body.
The Public Interest Notices Act
In relation to the abuse reporting (whistleblowing) system operated by employers, the Public Interest Notices Act makes it clear that the affected person can be the person reporting, the person affected by the report, and the person having substantive information about the report. Further, sensitive data and criminal data may be processed in the abuse reporting system and may be forwarded to a whistleblower's lawyer or an external organisation contrary to previous rules, which did not permit processing such data in the framework of the reporting system.
In the case of a natural person, the Public Interest Notices Act continues to allow anonymous reporting, while in the case of reports lodged by a legal person, identification is explicitly required.
Medical Data Act
- The rules of the GDPR will apply to the processing of personal data relating to the circumstances of a deceased person's death and the cause of death, as well as to the deceased person's health records.
- As of 1 January 2022, the processing of health and identity data may also be used to track individual patient journeys.
- The permitted goals of the processing of health and personal identification data (i.e. the promotion of health preservation, improvement, maintenance, and enforcement of patient rights, etc.) are further defined in the Medical Data Act.
- The amendment also eliminates the obligation to appoint a DPO. The GDPR, however, requires that the controller or the processor appoints a DPO when the processing of health data (on a large scale) is the main activity. Based on the practice of the NAIH, data processing by a particular specialist or health care professional does not fall within this scope, so only hospitals and major healthcare providers are obliged to appoint a DPO.
Human Genetic Information Act
Genetic samples or data may only be transferred to a third country and may be imported from a third country where the GDPR and the data transfer conditions of the Human Genetic Information Act are recognised. Specifically, a third country must recognise:
- an adequacy decision taken by the European Commission;
- the existence of appropriate guarantees under the GDPR;
- the transmission only of genetic samples encoded for human genetic testing; and
- notification on the transfer of genetic samples and data to a third country (in a manner incapable of personal identification) to the competent health administration.
Before the GDPR, the NAIH issued a guideline concerning preparation for the GDPR. The one-page guideline contains the general description of the 12 most important tasks for GDPR compliance (only available in Hungarian here). The tasks related to the following: data protection awareness, data mapping, privacy information obligations, individuals' data protection rights, access rights, legal basis of data processing operations, revision of privacy consents, protection of children's rights, data breach management, Privacy by Design and Default, Data Protection Impact Assessments ('DPIAs'), DPOs, and competence of the data protection authorities.
The NAIH has issued a statement on the application and legal assessment of social media modules used on websites, how to obtain consent lawfully, and the obligations of website operators (only available in Hungarian here). The statement confirmed that the website operator is the data controller for all personal data collected and transmitted over its website. However, the website operator's responsibility is limited to the operations for which it defines the underlying purposes and means; it is not considered a data controller for the further processing carried out by the social media provider after the transfer of the personal data. According to the NAIH, the use of a social media module requires user consent, and users must be able to decide individually whether or not to consent to the data processing in question, such as the operation of a particular type of cookie.
The NAIH has issued guidance on how employers can lawfully determine whether an employee is protected against COVID-19 (only available in Hungarian here). For certain occupations or employees, it may be necessary and proportionate for employers to know whether the employee is protected against COVID-19, in line with labour law, occupational health and safety, and work organisation requirements. The employer can only ask employees to present their Coronavirus Protection Certificate and the application for a Coronavirus vaccination. The company cannot make copies of them, store them in any form or manner, or transfer them to third parties. The employer can only record that the employee is certified as being protected against COVID-19 and how long this protection will last. Employers must prepare an objective risk assessment on a job-by-job or employee-by-employee basis, guided by the principles of safeguarding the life and health of protected workers, other workers, and third parties (i.e. customers), and of full compliance with their obligations.
In a recent statement on data protection requirements for drones intended for use by local authorities, the NAIH declared that using drones to detect and investigate certain illegal activities, such as illegal landfills, illegal building activities, etc., raises significant data protection concerns. Even normal use of drones is a very strong interference with privacy, as the device can indiscriminately collect data about anything and anyone that comes into its field of vision, which is an unusually wide scope. In determining the possible legal bases for the processing, it should also be borne in mind that the use of a drone for the purpose of detecting illegal activity cannot be based on the consent of the data subject, who is not in a real and free position to decide whether they wish to be recorded by the drone. Drones are usually fast and unnoticeable, their mere presence can cause a chilling effect among citizens, and the risk of processing for purposes other than the original purpose is particularly high. It should also be noted that flying a drone without permission over residential areas carries a penalty under Section 422/A of Act C of 2012 on the Hungarian Criminal Code (only available in Hungarian here).
The NAIH has opened an ex officio investigation into the lawfulness of the data processing activities related to purchasing fuel at the cost-capped price (under the mandatory law on fuel price restrictions), prompted by a large number of data subject complaints, and has issued a statement on the processing of personal data in connection with scanning the barcode on the vehicle registration permit at petrol stations. The underlying question arises because operators of petrol stations may, under the mandatory local law on fuel price restrictions, check and record either the barcode of a vehicle's registration permit or the vehicle's registration number when fuel is purchased at the capped price. Where the operator of the petrol station opts to record such data, it transmits the recorded information to the Hungarian tax authority for tax audit purposes. The NAIH emphasised that operators should provide comprehensive information to customers pursuant to Article 13(1) and (2) of the GDPR at the place of processing in connection with the above.
1.3. Case law
See the section on enforcement decisions below for relevant decisions of the NAIH.
2. Scope of Application
No national law variations, except on deceased individuals (see above). In addition, the data of private entrepreneurs is considered as personal data.
For processing activities, where the GDPR is not applicable (including processing of manual, unstructured documents), the specific rules of the Act apply, which mostly reflect the provisions of the GDPR with a number of deviations (e.g. requests of data subjects must generally be answered within 25 days). Such rules also fully govern data processing for law enforcement, national security, and national defence purposes, bearing in mind that the implementing national law of the Law Enforcement Directive is the Act in Hungary.
3.1. Main regulator for data protection
The main regulator is the NAIH.
3.2. Main powers, duties and responsibilities
The NAIH may initiate a number of procedures, including:
- an inspection in case of a report lodged by anyone with a reference to the breach of data protection rights, as well as in case of any breach of the right to be informed about public data and data rendered public, or in case of the imminent threat of such breaches;
- an inspection procedure initiated at request or in the discretion of NAIH;
- a secrecy supervisory procedure concerning the classification of national classified data;
- a court procedure (especially in case of the breach of the right to be informed about public data and data rendered public);
- approval of Binding Corporate Rules ('BCRs');
- cooperation with third country authorities and international organisations;
- certification (the practice of which is still unclear due to the novelty of this duty); and
- initiation of criminal or disciplinary proceedings.
4. Key Definitions
5. Legal Bases
No national law variations.
No national law variations.
Articles 6(1)(c) and (e) of the GDPR enable data processing if:
- it is necessary for compliance with a legal obligation to which the controller is subject; or
- for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
The Act defines these kinds of data processing operations as 'mandatory data processing operations' and provides that organisations can rely only on laws and municipality decrees in these cases.
Such laws and municipality decrees must specify the following:
- the identity of the data controller;
- the purpose, term, and conditions of the data processing;
- the type of data;
- the access rights to the data; and
- when it is necessary to revise the data processing purpose.
If an organisation is processing personal data on the basis of legal instruments which are not laws or municipality decrees (e.g. governmental decrees, or decrees from a ministry or an authority such as the Hungarian Central Bank or the National Media and Infocommunications Authority), it may choose another legal basis, e.g. legitimate interest. However, this restrictive provision may be in conflict with Recital 41 of the GDPR, which provides that, 'where [the GDPR] refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned.'
In the case of 'mandatory data processing operations', data controllers must periodically assess whether a particular data processing operation is still necessary for achieving its purpose. The Act also addresses the case where the relevant law or municipality decree does not define the time for this review: the data controller must then revise the purpose itself at least every three years, calculated from the commencement of the processing. The data controller shall:
- document the circumstances and results of such revision; and
- keep such documentation for ten years and present it to the NAIH at its request.
Data controllers must revise pre-GDPR data processing operations on 25 May 2021 at the latest.
The NAIH confirmed that even though the rules of the Act on mandatory data processing operations provide that processing must be based on laws or municipality decrees, this obligation only burdens the legislator and not the data controllers in general (only available in Hungarian here). This also means that data controllers may base their processing operations necessary for complying with legal obligations on Article 6(1)(c) of the GDPR, even when such legal obligation is prescribed by another legal instrument besides laws or municipality decrees (e.g. by a government decree or a ministerial decree).
No national law variations.
No national law variations.
No national law variations.
No national law variations.
No national law variations.
7. Controller and Processor Obligations
There are no national requirements in respect to notification/registration. The NAIH may inspect whether a company registered its data processing activities before 25 May 2018 (when it was still mandatory), but shall not sanction the omission of such reporting.
Any data controlled by certain entities (expressly listed in the relevant law) can only be processed in an IT system located in the territory of Hungary. The National Cyber Security Center ('the Center') may approve the transfer of the operation of such an IT system by a listed entity to another EU Member State. However, even the Center may not consent to any processing outside the EU.
Entities who have been designated as 'operators of critical infrastructure' can only process data in IT systems that are operated within the EU. There is no possibility to ask for any further exemption from an authority for the restriction of operating IT systems in the EU.
In practice, the NAIH can request documents for an undefined period of time.
The NAIH also published on its webpage the open-source software developed by the French data protection authority ('CNIL'), which assists data controllers in the preparation of DPIAs.
The NAIH also published an exemplary list ('the Hungary Blacklist') concerning processing activities subject to conducting a DPIA and possible prior consultation with the NAIH.
The Hungary Blacklist provides the following types of processing operations requiring a DPIA:
- where the processing of biometric data for the purpose of uniquely identifying a natural person refers to systematic monitoring;
- where the processing of biometric data for the purpose of uniquely identifying a natural person concerns vulnerable data subjects, in particular, concerning children, employees, and mentally ill people;
- where the processing of genetic data is carried out in connection with sensitive data or data of a highly personal nature;
- where the purpose of the processing of genetic data is to evaluate or score a natural person;
- scoring: the purpose of data processing is to assess certain characteristics of the data subject, and its result has an effect on the quality or the provision of the service provided and to be provided to the data subject;
- credit rating: the purpose of data processing is to assess the creditability of the data subject by way of evaluating personal data on a large scale or systematically;
- solvency rating: the purpose of data processing is to assess the solvency of the data subject by way of evaluating personal data on a large scale or systematically;
- further use of data collected from third persons: the purpose of data processing is the use of personal data collected from third persons in the decision to refuse or cancel a service to the data subject;
- the use of the personal data of pupils and students for assessment. The purpose of data processing, regardless of whether tuition is at primary, secondary, or advanced level, is to record and examine the preparedness, achievement, aptitude, and mental state of pupils and students, and the data processing is not statutory;
- profiling: the purpose of data processing is profiling by way of evaluating personal data on a large-scale and systematically, especially when it is based on the characteristics of the workplace performance, financial status, health condition, personal preferences or interests, trustworthiness or conduct, residence or movement of the data subject;
- anti-fraud activity: the purpose of data processing is to use credit reference, anti-money-laundering or anti-terrorism financing, and anti-fraud databases for screening clients;
- smart meters: the purpose of data processing is the application of 'smart meters' set up by public utilities providers;
- automated decision making producing legal effects or similarly significant effects. The purpose of data processing is to make decisions with legal effects or other significant effects on natural persons, which decisions might result in the exclusion of or discrimination against individuals in certain cases;
- systematic surveillance. Systematic and large-scale surveillance of data subjects in public areas or spaces by camera systems, drones or any other new technology;
- location data: where the processing of location data refers to systematic monitoring or profiling;
- monitoring employee work. Where the purpose of data processing is the systematic and extensive processing and assessment of employee's personal data in the course of the monitoring of employee work, including, e.g. placing GPS trackers in vehicles, and camera surveillance against theft or fraud;
- processing of considerable amounts of special categories of personal data. Under Recital 91 of the GDPR, processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer;
- the processing of considerable amounts of personal data for law enforcement purposes;
- processing of large amounts of data related to vulnerable data subjects for purposes different from the original purpose, in the case of, e.g., the elderly, children, and mentally ill persons;
- the processing of the personal data of children for profiling, automated decision making, marketing purposes or providing them information society related services directly;
- the use of new technologies for data processing. This includes the processing of large amounts of data obtained via sensor-equipped devices (e.g. smart televisions, smart household appliances, smart toys, etc.) and transferred through the Internet or other channels, and such devices providing data on the characteristics of the financial status, health condition, personal interests, trustworthiness or conduct, residence or movement of the natural person, and such data form the basis of profiling;
- the processing of health data. In respect of large amounts of special data processed by hospitals, healthcare providers, and private medical services or non-medical practitioners with a large clientele. This also includes the processing of health data collected from members of major sports establishments or workout rooms;
- when the data controller is planning to set up an application, tool, or platform for use by an entire sector to process also special categories of personal data; and
- the purpose of data processing is to combine data from various sources for matching and comparison purposes.
The NAIH did not publish any exemplary or exhaustive lists concerning processing activities not subject to conducting a DPIA and possible prior consultation with NAIH so far.
Data controllers and data processors must publish the contact details of their DPOs and communicate them to the NAIH through the DPO Reporting System (only available in Hungarian here), and by registering on the DPO online registry (only available in Hungarian here). The NAIH must make the DPO information that it has received publicly available (Article 70(B)(1)(c) of the Act). DPOs registered with the NAIH can be found through a search tool (only available in Hungarian here). The NAIH convenes and sets the agenda of the conference of DPOs each year. This conference serves as a regular interaction point between DPOs and the NAIH.
Organisations that appoint a DPO are under an obligation to notify their name, postal, and email address to the NAIH, as well as a change of such data (Article 25(L)(4) of the Act). The privacy statement on the NAIH's website (only available in Hungarian here) ('the Privacy Statement') further specifies that the NAIH may also process phone numbers of DPOs. In line with the Privacy Statement, when a DPO is notified, the NAIH will assess the notification and reach out to the email address provided in the notification; if the notified DPO does not confirm the notification within 15 days, the NAIH will consider the notification as non-compliant and will not disclose information about the notified individual.
Data of a notified DPO in the reporting system is retained for as long as necessary, i.e. until the NAIH receives information that the person no longer performs their role as a DPO (the Privacy Statement and Article 70(B)(3)(c) of the Act). The conference of DPOs ('the Conference'), which is convened by the NAIH at least once a year, serves as a channel of communication between the NAIH and the DPOs in Hungary in order to ensure uniform application of data protection rules. Furthermore, the NAIH is tasked with determining the agenda of the Conference (Article 25(N)(1) and (2) of the Act).
No variation or exemption was introduced concerning breach notification obligation.
Data controllers must notify personal data breaches to the NAIH through the Personal Data Breach Reporting System (only available in Hungarian here). The reporting form is also available on the NAIH's website, if a company wants to report the breach on paper.
As regards specific archiving rules, it is advisable to retain data until the relevant limitation period has expired. A number of circumstances can make it difficult to establish the date on which this period expires, and there are also several rules under various laws that regulate specific retention obligations for specific documents (e.g. the general limitation period for civil law claims, employment-related documents, safekeeping of accounting documents and tax returns, employer's certificates concerning social security and workplace accident allowance, declarations on social security entitlement, etc.). Any concerns regarding the retention obligation pertaining to a particular document are assessed on a case-by-case basis. Usually, employment-related data (e.g. internal correspondence) can be kept for three years, data of a civil law nature (e.g. contract data, information on commitments) can be kept for five years, and if the document is relevant for accounting purposes (e.g. certificate of performance or payment), the retention period is eight years.
The Act does not provide for deviations from the GDPR in relation to the offer of information society services directly to a child and the processing of the personal data of a child, which shall only be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
The Act provides that data controllers can process personal data relating to criminal convictions and offences in accordance with the rules on the processing of special categories of personal data. The practical implication of the above is that companies can process such data mainly:
- based on the explicit consent of the individual;
- for carrying out the obligations and exercising specific rights in the field of employment and social security and social protection law; or
- for the establishment, exercise, or defence of legal claims.
The NAIH clarified in respect of the processing of moral certificates that in case of processing criminal data, the data controller also has to refer to a condition under Article 9(2) of the GDPR concerning the processing of special categories of personal data besides relying on a legal basis under Article 6(1) of the GDPR. The NAIH further clarified that for employers processing moral certificates of new employees, the applicable legal basis would be Article 6(1)(f) of the GDPR in addition to Article 9(2)(b) of the GDPR (only available in Hungarian here).
There are no specific requirements for Hungary; the GDPR shall apply.
8. Data Subject Rights
No national law variations.
Deceased data subjects
The Act ensures that within five years of the death of an individual, the person designated by the individual – in an administrative declaration, public document, or in a private document with full probative force – may exercise the data protection rights of the deceased. In the absence of such provision, the close relative of the deceased may exercise the right to rectification, as well as the right to object to the data processing, the right to be forgotten, and the right to the restriction of the processing.
Besides such rules, a number of sectoral laws also stipulate that for the processing of certain types of data of deceased people, the rules of the GDPR apply (e.g. health records of deceased persons, and insurance data).
In its decision following the data protection authority's procedure, the NAIH may:
- impose sanctions prescribed by the GDPR;
- in the case of data processing for law enforcement, national security, and national defence purposes, order the rectification of data, its blocking, erasure, or destruction, prohibit the unlawful processing of personal data or their cross-border transfer, and impose data protection fines. The extent of fines corresponds with those provided by the GDPR; and
- in case of budgetary organisations (such as a local government), the possible amount of data protection fine is limited to HUF 20 million (approx. €50,580).
In Hungary, GDPR compliance is challenging for a wide range of small and medium-sized enterprises ('SMEs'). Pursuant to a specific provision in the Act, the NAIH has issued guidance in which it stated that it will usually warn a data controller or processor at the first infringement of the GDPR or local data protection laws in lieu of imposing a fine (only available in Hungarian here). Such a rule, however, only provides orientation to the NAIH, which may also use other measures in case of a first breach, if it deems such measures necessary and fitting for the circumstances of the case. In the case of continuous breaches, the NAIH may impose fines even on private persons, individual entrepreneurs or SMEs.
The NAIH is still very active. In 2021, a total of 8,271 cases were initiated at the NAIH; together with cases carried over from previous years, 9,872 cases were pending. The most noticeable change is the reduction in the number of consultation-type cases and, at the same time, an increase in the number of investigations (556 in total). The number of consultation-type cases decreased by 14%, while the number of cases covered by data protection investigations increased by 44% compared to 2020. With this increase in the number of cases, the workload of the NAIH also multiplied. There was a significant decrease in procedures examining COVID-19 induced data processing activities, and the most important topics in connection with which an application for an official procedure was submitted were data processing operations pertaining to direct marketing activity, workplace data processing, balance of interests and accountability in relation to CCTV use, data processing of banks and insurers, and the fulfilment of access rights. The NAIH received 836 personal data breach notifications in 2021, which is about 7% more than in the previous year.
The NAIH has issued decisions, among others, on the following issues:
- With regard to the installation of security cameras in public places, the NAIH reiterated that the surveillance of public places (e.g. streets) is only possible in a narrow scope, according to explicit legal provisions, as this activity may violate the privacy of the person being monitored by the camera, by processing personal data even against their will (only available in Hungarian here).
- As regards the legal basis for workplace CCTV, the NAIH stated that the absolute limit in respect of the installation of workplace CCTV is respect for human dignity, and therefore cameras cannot be used for the permanent, unintended surveillance of workers and their activities. The use of an electronic surveillance system whose purpose is to influence the behaviour of workers at work, including the permanent observation and monitoring of workers by means of cameras, is also considered unlawful (available only in Hungarian here).
- A healthcare service provider charged a fee for the copying of medical records when fulfilling a data subject's request under Article 15 of the GDPR, in relation to which the NAIH ruled that the first copy of a medical record is free of charge even if the record has already been provided to the data subject once during a previous medical examination (available only in Hungarian here).
- In connection with sending newsletters for direct marketing purposes, the NAIH has once again stated that processing of personal data for marketing purposes is specific, and referred to in Article 21(2) of the GDPR, which provides that the data subject may object at any time to the processing of personal data relating to them for direct marketing purposes and, if they do so, the personal data may no longer be processed for such purposes. In such a case, the controller has no discretion as to whether or not to delete the personal data to the processing of which the data subject has objected (available only in Hungarian here).
- the branch office of an insurance service provider must comply with local data protection laws as well, notwithstanding the rules of its parent companies and the so-called 'general good' rules (only available in Hungarian here);
- the branch office of an insurance service provider must not appoint a DPO, provided that its group DPO is easily accessible and the staff of the branch office has the language skills to communicate with the DPO (only available in Hungarian here);
- the local branch offices of foreign companies can act as individual data controllers, however, they must always consider whether they are joint controllers with their parent company, subject to the specific circumstances of the actual data processing (only available in Hungarian here);
- there are no obligations for the DPO to attend mandatory trainings (only available in Hungarian here);
- managing directors, IT, and HR heads cannot be DPOs (only available in Hungarian here);
- the DPO cannot be 'faceless.' One entity can appoint multiple DPOs, but it must clearly name the person who bears the privacy responsibility for the entity (only available in Hungarian here);
- the NAIH broadly interprets the terms 'filing system' and the processing of personal data other than by 'automated means' (e.g. manual data processing). They cover any set of personal data, which is accessible or can be searched according to specific criteria (e.g. registers, lists, or paper documents stored in dossiers and folders) (only available in Hungarian here);
- company email addresses that contain the name of a natural person, and the name of a natural-person contact at a company, can be personal data. When a company provides such data to its contracting party, the legal basis of such data provision is the performance of the employment agreement with the relevant contact person. The contracting party must process the data of the contact persons based on its legitimate interests, subject to a balancing test (only available in Hungarian here);
- companies must prepare an internal data protection policy only if it is proportionate in relation to the data processing activities (only available in Hungarian here);
- the NAIH accepts that an organisation does not have control over Facebook, Inc.'s data processing operations, however, data protection compliance in respect to the personal data collected by the organisation itself (e.g. the data of the users on its Facebook page) is of primary importance (only available in Hungarian here);
- the legitimate interest of the operator of a webpage (Article 6 (1)(f) of the GDPR) may be relied on in case of applying cookies, which are deemed necessary for the operation of the webpage, whereas the consent of the individual should be required for cookies unnecessary for such purpose (e.g. statistical cookies, marketing cookies) (only available in Hungarian here);
- the NAIH further clarified whether it is in compliance with the GDPR to promote subscribing to newsletter services by providing benefits to data subjects. The NAIH found that providing benefits for newsletter subscription does not contradict the GDPR in itself, if the voluntary nature of consent (subscription) is not affected and the data subject is not forced to use the service. In general, it means that if the data subject revokes their consent, they may only lose access to the service directly in connection with the consent (i.e. access to the newsletter service in case of the subscription); and
- the NAIH confirmed that during the current COVID-19 pandemic brought on by mass infections, organisations (i.e. businesses, associations, institutions) can measure the temperature of individuals if all of the following conditions are met:
- the individual is entering territory, property, or buildings owned or used by the organisation;
- measurement is applied uniformly to all persons wishing to enter (whether the individual is in an employment relationship or otherwise);
- personal identification of the subject whose body temperature is being measured is not included in the process; and
- measurement does not in any way involve the recording, further storage, or transmission of data (only available in Hungarian here).
Notable cases under the GDPR
Right to access:
An individual visited a company's office and asked to inspect certain documents related to a dispute. The company refused the request, and the individual requested a copy of relevant CCTV recordings as evidence in the litigation. The company refused the request, arguing that the recordings did not support the individual's claims, but only proved that he was present in a given place at a given time.
The NAIH found that the company infringed the individual's access rights, and clarified the following principles on the right to access (only available in Hungarian here):
- a company cannot request any justification from an individual making a data request; and
- a data controller is not in a position to determine whether the required data would be necessary for the individual's litigation purposes.
The NAIH imposed a fine of HUF 1 million (approx. €2,530) against the company. It considered the following circumstances when determining the amount of the fine:
- the nature of the breach;
- the fact that the deleted recordings could not be recovered;
- the fact that this was the company's first infringement under the GDPR;
- the net sales revenue of the data controller company in the preceding year was HUF 15.3 billion (approx. €38.7 million); and
- Hungarian rules on CCTV operation were not in line with the GDPR by the time of the decision because they stipulated that if an individual requested a company not to delete a CCTV recording, they had to prove that the recording affected their rights or legal interests.
Fine against a bank:
The NAIH has issued a fine of HUF 500,000 (approx. €1,260) on a bank for failing to comply with the principle of accuracy under the GDPR (only available in Hungarian here). The procedure was initiated on the request of an individual after the bank mistakenly sent SMS messages about his credit card debt to the telephone number of another person. After receiving an incorrect telephone number from the client at the time of contracting, the bank did not comply with the individual's request to erase the data and continued to send SMS messages to the incorrect telephone number.
In its decision, the NAIH made the following findings:
- the bank does not have to delete a telephone number processed by mistake if the error is reported by a third person who is not properly identified;
- as soon as the inaccuracy of a telephone number becomes certain, however, the bank must erase the given data. It should also review the contract of the complaining individual, which can confirm whether an error has taken place; and
- the bank should have restricted the processing of the data in question until the accuracy of the telephone number was certified.
Fine on a debt collector for breaching the principles of transparency and data minimisation:
The NAIH imposed a fine of HUF 500,000 (approx. €1,260) on a debt collector for breaching the principles of transparency and data minimisation (only available in Hungarian here). An individual settled the debt collector's claim and afterwards, in accordance with the GDPR, requested information on his processed data and requested that his email address and other personal data be erased, which was declined by the debt collector.
The NAIH stated that the debt collector breached the principle of transparency by not appropriately informing the individual on the rules of backup copies and by referring to an internal policy, which is not public and not accessible to the individual. The NAIH highlighted that companies should minimise the data required for client identification, that all internal company policies on data processing be fully transparent to clients, and that policies for making backup copies of data be revised to reflect the GDPR. When issuing the fine, the NAIH did not take into account the company's worldwide annual turnover or income, as it had in previous decisions based on the GDPR, and instead focussed on the results of its business activities. This discrepancy suggests there is still no unified practice in Hungary for assessing fines.
Fine for unsatisfactory balancing test:
A financial institution failed to delete the telephone number of its client at his request for possible claim enforcement purposes. Following the client's complaint, the NAIH determined that (only available in Hungarian here):
- the balancing test was too broad and covered more than one data processing purpose, which would have necessitated the preparation of separate balancing tests. The balancing test specified only economic and convenience aspects and failed to prove the priority of the data controller's interests over that of the individual and contained irrelevant findings (e.g. the data controller complies with data security requirements);
- the telephone number in itself is not necessary for claim enforcement. Written form correspondence is sufficient for communication with the debtor or client; and
- regarding the fine, the NAIH took into account both the income and the profits of the data controller's company. It is highlighted that in previous cases, the NAIH took into account such indicators separately, meaning that there is still no solid practice for this in Hungary.
Data protection fine for sending mails to wrong recipients:
The NAIH imposed a fine of HUF 100,000 (approx. €250) on a social and child welfare institution for a data breach concerning letters sent to the wrong recipients (only available in Hungarian here). The nine letters concerned affected 18 data subjects and included sensitive information, especially data on children, as well as criminal data. The controller only performed a risk analysis and informed the NAIH of the breach more than 20 days after becoming aware of the breach, which increased the risk of the breach to the affected data subjects. In addition to imposing a fine, the NAIH highlighted the importance of proper and immediate risk analysis, as well as the adoption of breach management guidelines to minimise or terminate the negative consequences of the breach on the data subjects and to reassess the data security measures applied by the controller.
Fine for unlawful processing of data of festival visitors:
The NAIH imposed a fine of HUF 30 million (approx. €75,870) on a local company hosting the biggest music festivals in Hungary (only available in Hungarian here). The case started in 2016, when a number of festival visitors complained to the NAIH about the controller's data processing practice at the entrance of the festivals, which included scanning of identity documents and making video recordings. It is highlighted in the case that initially, the controller relied on the consent of the festival visitors for its entry control and argued that the consent of the visitors was voluntary due to the fact that they had a free choice to visit the given festival or not.
Later on, the controller relied on legitimate interest and argued that processing data at the entrance of the festivals served as its legitimate interest as well as the visitors' interest to avoid misuse of tickets and entry armbands, and to prevent acts of terrorism and further crimes (e.g. drug traffic) from taking place at the scene of the festivals. The NAIH highlighted in its decision that the controller may have a financial interest to prevent misuse of tickets and armbands but failed to properly assess the scope of data necessary for entry control and to apply necessary measures for such purposes.
As regards the calculation of the fine, the NAIH took into account, as aggravating circumstances, the fact that the controller breached both the principle of purpose limitation and that of data minimisation, processed the data of hundreds of thousands of festival visitors unlawfully and wilfully, and that the controller is a market-leading company in the field of festival organisation. The NAIH also took into account the sales revenue of the controller for the business year of 2017, which reached over HUF 1.2 billion (approx. €3.1 million).
Non-sufficient cooperation with data subject concerning camera recordings and breaching right to access:
The NAIH further imposed a fine of HUF 700,000 (approx. €1,770) on a local bank (only available in Hungarian here). The data subject requested a copy of camera recordings capturing his image, which the company had refused, citing other persons' personality rights and its trade secrets. With regard to the inspection of camera recordings and the provision of their copies, the NAIH recommended blurring out other persons on the recordings, as well as trade secrets if deemed necessary by the company in the given case. In the case of processing data to comply with a legal obligation of the company, the company must specify such legal obligation in the respective data protection notice.
Ruling on data erasure and data-device destruction
The NAIH issued a ruling on the erasure of personal data and the destruction of data carriers (e.g. disks, pen-drives, and electronic data) used for storing personal information. Focusing on both employee and client data, the ruling stated that companies must erase personal data in such a way that no links can be made to the identities of individuals. In case of electronically stored data, the mere reformatting of hard disks or other data-storage devices or carriers is not enough. According to the NAIH, companies may use free software products such as DBAN or a form of HDD-wipe software to perform deletions. If companies outsource data erasure (especially, the destruction of data-carrier devices) to third-party service providers, the provider should be certified and able to issue an official destruction protocol at the end of the process (the NAIH provides no further details on certification).
Companies must verify the erasure of data in writing, although the possession of a destruction protocol may be sufficient as long as it includes the full information verifying the data erasure, such as identification of the data carrier (e.g. a registration or serial number) and the method used to destroy the device. Unfortunately, the NAIH does not offer further details, such as how this protocol is able to prove the actual destruction of a particular piece of data linked to one individual.
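As an added illustration of the ruling's point (not code from the NAIH or from this overview), the following Python model of a hypothetical in-memory block device shows why a quick reformat, which only discards the allocation table, leaves personal data readable by a raw scan, whereas an overwrite wipe does not, and what a minimal destruction record identifying the carrier and the method could contain. The device, its serial numbers and the client record are constructed sample values.

```python
"""Added illustration, not NAIH code: a hypothetical in-memory block device on
which a quick reformat (allocation table discarded) leaves personal data
recoverable by a raw scan, whereas an overwrite wipe does not. All serial
numbers and the client record are constructed sample values."""
import hashlib
import os
from datetime import datetime, timezone

BLOCK_SIZE = 64

# Constructed sample record standing in for a client file with personal data.
CONSTRUCTED_RECORD = b"Name: Kiss Anna; DOB: 1985-03-12; Tel: +36 1 234 5678"


class ToyDisk:
    """Hypothetical block device: a byte array plus an allocation table that
    maps file names to the block indices they occupy."""

    def __init__(self, serial: str, n_blocks: int = 16):
        self.serial = serial
        self.blocks = bytearray(BLOCK_SIZE * n_blocks)
        self.table: dict[str, list[int]] = {}

    def _n_blocks(self) -> int:
        return len(self.blocks) // BLOCK_SIZE

    def write_file(self, name: str, data: bytes) -> None:
        """Store data in the first free blocks and record them in the table."""
        used = {b for blocks in self.table.values() for b in blocks}
        free = [i for i in range(self._n_blocks()) if i not in used]
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        if len(chunks) > len(free):
            raise OSError("disk full")
        allocated = free[:len(chunks)]
        for idx, chunk in zip(allocated, chunks):
            start = idx * BLOCK_SIZE
            self.blocks[start:start + len(chunk)] = chunk
        self.table[name] = allocated

    def quick_format(self) -> None:
        """Mimic a quick reformat: only the allocation table is dropped; the
        data blocks themselves are left untouched."""
        self.table = {}

    def wipe(self, passes: int = 1) -> None:
        """Overwrite every block with random bytes `passes` times, then zero
        the device, as DBAN-style wipe tools do; the table is dropped as well."""
        for _ in range(passes):
            self.blocks[:] = os.urandom(len(self.blocks))
        self.blocks[:] = bytes(len(self.blocks))
        self.table = {}

    def raw_scan(self, needle: bytes) -> bool:
        """Forensic-style read of the whole device that ignores the table."""
        return needle in bytes(self.blocks)


def personal_data_recoverable(method: str) -> bool:
    """Write the constructed record, apply the chosen erasure method and report
    whether a raw scan still finds the data subject's name."""
    disk = ToyDisk("SN-TEST-0001")
    disk.write_file("clients.txt", CONSTRUCTED_RECORD)
    if method == "quick_format":
        disk.quick_format()
    elif method == "wipe":
        disk.wipe(passes=3)
    else:
        raise ValueError(f"unknown erasure method: {method}")
    return disk.raw_scan(b"Kiss Anna")


def destruction_record(disk: ToyDisk, method: str, passes: int) -> dict:
    """Minimal destruction-protocol entry: identifies the carrier and method
    and records a verification that no non-zero byte remains on the device."""
    return {
        "carrier_id": disk.serial,
        "capacity_bytes": len(disk.blocks),
        "method": f"{method}: {passes} random overwrite pass(es) + final zero pass",
        "verified_all_zero": not any(disk.blocks),
        "content_sha256": hashlib.sha256(bytes(disk.blocks)).hexdigest(),
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
    }


if __name__ == "__main__":
    print("after quick format, record recoverable:",
          personal_data_recoverable("quick_format"))  # True
    print("after overwrite wipe, record recoverable:",
          personal_data_recoverable("wipe"))          # False
    d = ToyDisk("SN-TEST-0002")
    d.write_file("clients.txt", CONSTRUCTED_RECORD)
    d.wipe(passes=3)
    print(destruction_record(d, "overwrite", 3))
```

The record answers the carrier-identification and method questions the ruling raises; it still cannot prove that one particular individual's data was on the device, which is the gap the overview notes.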
Fine for delayed breach notification
As abovementioned in the context of fines for sending mails to wrong recipients, the NAIH imposed a fine of HUF 100,000 (approx. €250) on an unnamed social and child welfare institution for the late notification of a data breach. The organisation had sent nine letters to incorrect recipients, containing sensitive information on 18 individuals, including contact information for children and their families, criminal-record data, and information related to child-protection proceedings.
As part of GDPR-mandated breach management, the institution had performed a risk analysis based on the Recommendations for a methodology of the assessment of severity of personal data breaches developed by the European Network and Information Security Agency ('ENISA'), and had introduced a double-control process when addressing letters, and implemented specific data protection training. Nevertheless, the institution only informed the NAIH of the breach more than 20 days after becoming aware of the data breach. As a mitigating factor, the NAIH accepted the institution's excuse that the person responsible for breach management did not have the capacity to deal with the case (only available in Hungarian here).
Fines for insufficient balancing tests and failing to fulfil subject access
The NAIH imposed fines in two separate cases, involving balancing tests and subject access.
In the first case, the NAIH imposed a fine of HUF 600,000 (approx. €1,520), representing 0.003% of the offender's revenue for the preceding year, against a Hungarian employer for sending the tax certificate of an employee to another individual, which constituted a notifiable personal data breach under the GDPR.
Furthermore, the NAIH established that the employer failed to provide data requested by an employee within one month (as required by the GDPR) and did not specify whether it was necessary to extend the deadline.
The NAIH ordered the employer to provide the employee with copies of the requested information and documents within the one-month deadline, including tax, social security, and pension reports (T1041 and M30 forms) for the employee, the date, and the amount of tax paid by the employee, any missing payment periods, and the employee's scope of work (only available in Hungarian here).
In the second case, the NAIH imposed a fine of HUF 2 million (approx. €5,060), or 0.0027% of the offender's revenue for the preceding year, on a telco company and another fine of HUF 1 million (approx. €2,530), or 0.013% of the offender's past year's revenue, on a claim management company as a result of insufficient legitimate interest balancing tests and their choice of an incorrect legal basis for data processing for claim management purposes.
In that case, an unknown fraudster used the personal data of the complainant in a telephone call to illegally conclude a subscription but failed to pay the service fees later on. As a result, the telco company refused to conclude a subscription contract with the complainant because its fraud prevention database indicated that the complainant had an unfulfilled debt.
The telco company had already sold and assigned the underlying claim to the claim management company. The complainant submitted a subject access request to clarify the accuracy of the data held in the companies' databases, since the complainant disputed the fact that they previously had a contract with the telco and owed it money. The investigation revealed the fraud.
The NAIH has established the following general provisions, which every data controller must fulfil: the legitimate interest balancing test must specify a potential fraud, its repeated attempts, how the processing of personal data serves its prevention, and why the data are necessary and relevant for this purpose. Furthermore, the test should measure the data controller's interest against the rights and interests of the data subject. The data controller must suspend all data processing until it prepares a proper test.
In case of data processing in connection with the assignment of claims, the appropriate legal basis is typically the legitimate interest of the assignee to enforce the claim.
In case of fraud, the data controller must provide the complainant with a copy of the call recording with the fraudster, but it should make the personal data of the people mentioned in the call unrecognisable (only available in Hungarian here).
Fines for unlawful access to workplace emails
The NAIH imposed fines in two cases related to monitoring workers. In both cases, the employers failed to provide proper privacy information on the use of their employees' data and did not have appropriate internal policies in place.
In the first case, an employee was on sick leave when his employer checked his desktop, laptop, and emails to ensure that his work-related duties were being covered in his absence. The employer then suspended his account. The employee complained to the NAIH, claiming that he did not receive pre-notification and did not have the chance to copy and delete his private information (e.g. telephone numbers, messages). The NAIH fined the employer HUF 1 million (approx. €2,530) (only available in Hungarian here).
In the second case, the employer restored the mailbox of a director who had left the company a year before and found an email containing a work-related legal document. Similar to the first case, the director complained that he received no warning that his former inbox would be activated and did not have a chance to copy and delete his private information (e.g. passwords, financial information, etc.). The NAIH fined the employer HUF 500,000 (approx. €1,260) (only available in Hungarian here).
In these cases, the NAIH agreed with the employer's argument that an absent employee who has failed to perform his tasks represents an integrity risk with financial and legal consequences. Hence, it is in an employer's legitimate business interest to take steps to prevent or mitigate these risks. The NAIH also recognised that it may be necessary to archive the mailbox of former employees for security purposes, but stated that employers must comply with data protection rules in all cases.
Fines for an IT security breach at a telco
The NAIH imposed a data protection fine of HUF 100 million (approx. €252,910) on a Hungarian telco company for an IT security breach that allowed unauthorised access to the personal data of customers.
In addition to the fine, the NAIH ordered the company to review its databases containing personal data, determine whether applying encryption is justified to ensure security, and to inform the NAIH of the results of the review.
The company created a large test database of customer and subscriber data for troubleshooting purposes, but failed to delete it once the underlying errors were corrected and the database was no longer needed.
A white-hat hacker accessed the test database through the company website, hacking into the personal data of customers that included the following information: name, birth name, mother's name, place and date of birth, address, ID card number, personal ID number, email address, mobile phone number, landline number, bank account number, telecom contract data, and data relating to the services used. By exploiting the discovered vulnerability, the hacker was also able to access another database used for direct marketing purposes, which contained a subscriber newsletter and system administrator data that in turn provided access to the website interface.
The hacker informed the company of the breach and the vulnerability of its systems.
The NAIH found after an investigation that the company did not apply appropriate technical and organisational measures proportionate to the risks because:
- the vulnerability of the company's open-source content management system had been known for more than nine years and was listed on the official website of the software developer together with the method for repairing that error;
- although an official patch for the error was not created, an unofficial repair was publicly available for anyone, free of charge; and
- the storing of plain-text data of a sensitive nature in the database constitutes a high-level security issue, which can be eliminated by using appropriate encryption.
The NAIH also established that the test database contained sufficient personal data to make customers vulnerable to identity theft or misuse of identity. In addition, the information accessible via the system administrator also left customers open to both identity theft and illegal access to even more personal data (only available in Hungarian here).
Fine for failure to provide access to private emails
The NAIH imposed a fine of HUF 200,000 (approx. €510) on a company for unlawfully denying a former employee access to archived private emails.
In addition to the fine, the NAIH ordered the company to cooperate with the employee, conduct a review within 15 days, determine the personal data contained in the former employee's archived email account that should be considered private in nature, and give the employee access to these private personal emails.
The decision, however, also features some unprecedented findings favourable to employers. According to the NAIH, the former employee is not entitled to request the release of his entire email correspondence, and the employer cannot be expected to sort through the former employee's private e-mails independently.
A former employee requested that his previous employer provide access to the 2018 archive of the employee's work email account, which was partially of a private nature and concerned scientific publications pertaining to research activities conducted in the context of his employment relationship.
The company denied the request for the following reasons:
- the former employee is no longer entitled to indicate the company in scientific publications, therefore it has no interest that could justify the request to have access to the email account;
- the access would jeopardise the company's financial and economic interests and would also endanger trade secrets;
- since an employment lawsuit is pending between the company and the former employee, providing access would enable the former employee to destroy evidence; and
- the company was not able to identify the scope of the private personal data (e.g. the scientific publications, the release of which the former employee had requested).
In its decision the NAIH confirmed the following:
- data contained in a work email account constitutes personal data, irrespective of whether the emails pertain to work or private correspondence;
- emails pertaining to work, such as emails potentially containing trade secrets, are protected, and as a result, the former employee's full email correspondence cannot be released;
- access to emails of a private nature must be ensured. A work email account, however, potentially contains such a large quantity of sent and received emails that the employer cannot be expected to sort through it all. The appropriate measure would have been to notify the former employee that he is no longer entitled to indicate the company in his future scientific publications, which would have made it unnecessary for the former employee to request the release of the full 2018 archive of his work email account. Furthermore, the company should have informed the former employee that it is fully open to release his private emails, provided that he indicates the exact emails required and the data medium on which he wishes to receive these emails; and
- private emails may be released, but the former employee must select the required emails from a list of contents or by participating in the sorting together with the company.
Fine levied for data breach related to COVID-19 rapid test
The NAIH has imposed a HUF 10 million (approx. €25,290) fine on the 11th District Public Health Department of the Government Office of the Capital City Budapest for failing to apply data security measures commensurate with the risks entailed in processing health data when it transmitted an Excel file containing a database of health and contact information to general practitioners.
According to the NAIH, the data breach was linked to the following factors:
- the sender did not sort information according to each general practitioner's district, enabling doctors to see the personal data of both their patients and patients under the care of other doctors;
- the transmitted file lacked access protection or encryption to guarantee confidentiality; and
- the file was sent by way of simple e-mails that could be viewed by anyone.
Although the Government Office reminded the general practitioners of the confidentiality of health data and instructed them to delete the data of patients not belonging to their districts, the above activity resulted in a high-risk data breach, which the Government Office failed to report to the NAIH and to the data subjects.
In its decision the NAIH established the following:
- the data breach resulted from the Government Office's failure to implement appropriate technical and organisational measures to safeguard the confidentiality of health data during the transmission;
- the sender should have sorted the personal data on a district-by-district basis before transmission, thus ensuring that general practitioners could only access the data of patients in their own districts and not those of other patients, even if urgent action was necessary; and
- the lack of security measures may have resulted in personal data being disclosed to recipients who were entitled to access only a fraction of the data (i.e. only the data applicable to their own doctor-patient relationships).
Fine levied for the mismanagement of a data subject request regarding CCTV operations
The NAIH conducted a proceeding against a shoe retailer and examined how the company handled data subject access requests in relation to its CCTV operations, including its internal procedure. The data subject had bought shoes from the company. He alleged that the cash was not properly returned to him at the cashier, and he asked the company for access to the CCTV recording of the incident and not to delete the recording until the situation was clarified. The company replied that it could only release camera footage to the police. Moreover, the company did not block the recording but deleted it after the retention period, so despite a complaint being filed with the police, the recording was no longer available. The company did not explain to the applicant why it did not grant him access to the recordings, and it had no data protection rules regarding CCTV recordings at all. The company kept a systematic record of incoming messages but did not separate out data protection matters: it registered the data subject's complaint, which was in fact a data protection issue, as a consumer protection complaint. The NAIH imposed a fine of HUF 20 million (approx. €50,580) on the company.
Fine levied for unlawful voice recordings
A customer reported to the NAIH that a voice recording was made at the customer service office of a telecommunications service provider during an in-person transaction, but the persons concerned were not (adequately) informed. (The complainant had noticed by chance that a microphone was installed.) In its decision, the NAIH found against the service provider because it could not identify the conflicting interests and did not present the interests of the data subjects in any form in its legitimate interest balancing test. The test contained only general considerations, not a consideration by type of transaction, type of interest or type of purpose. The NAIH found that the service provider had made sound recordings of in-person customer service transactions during the period under review without a proper legal basis. Furthermore, the prior information provided by the service provider was also inadequate: the privacy notice was available on the company's website, but the customer service did not provide information on the existence or availability of that privacy notice. Prior to the commencement of the recording, the data subjects were informed only of the fact of the data processing; information on the other relevant circumstances of the data processing was not easily accessible. For these reasons, the authority considered it necessary to impose a data protection fine of HUF 60 million (approx. €1.5 million), since during the period under review the service provider, across all its stores, dealt with 45,000 to 55,000 people per month at its in-person customer services, so the number of those affected was in the order of millions.
Data breach of a medical website
The NAIH received a complaint according to which medical findings and referrals managed in the appointment system of the website operated by the data controller could be publicly accessed or downloaded by unauthorised users.
The NAIH determined that this was a directory listing vulnerability (leakage of directory contents). The vulnerability affected two websites on which documents with the .pdf extension containing patient findings were stored. When certain URLs were invoked, instead of displaying the requested interface, the web server listed all the content stored on it. This allowed anyone who knew the links to access the documents stored on the online interface without registering on the site.
The data controller was not able to determine exactly how long the vulnerability had existed; it only learned of it from the NAIH. Based on the log files, the data controller could not detect any unauthorised access, and hence, in the course of its risk analysis, it concluded that the incident was not likely to pose a risk to the rights and freedoms of those concerned. Therefore, the controller did not consider it appropriate to report the breach to the NAIH or to inform those concerned.
The NAIH found that the data controller had violated the GDPR's data security requirements and the obligation to report the breach, since the controller was unable to detect external access and so could not rely on the absence of evidence of it.
The data controller was obliged by the NAIH to pay a fine of HUF 7.5 million (approx. €18,970).
Unlawful access to customer data at a travel agency
The personal data of customers was available to anyone through a website operated by a travel agency. Passengers' names, contact details, address details, identity card and passport numbers, booking and travel information, dates, destinations, accommodation, contract details and the specific travel contracts were all accessible to the public.
The complainant discovered this by typing her father's name into the Google search engine and then, through one of the hits, opening the database without any authorisation check. The database had thus also been crawled by Google's search engine, which made the data stored in it searchable.
The NAIH found that a vulnerability was left in the development of the travel agency's website due to the omission of various IT security measures (e.g., testing, vulnerability testing) and careless design of the website that allowed public access to the database. Customer data continuously uploaded to the travel agency's live contract data database was transferred through a 'forgotten' connection point to the test database previously created by the website developer. However, due to inadequate protection, the test database became available to everyone through the website, so virtually anyone could follow the updating and management of customer data on the Internet. Neither the data controller nor the data processor previously knew about the public availability of the database.
Through the vulnerability, until its elimination, 781 individuals and a total of 309 travel contracts were affected, amounting to approximately 2,500 personal data items.
The NAIH found that the travel agency, as data controller, had commissioned an inappropriate data processor to design the website, could not guarantee the security of the personal data processed, and did not inform those concerned about the high-risk personal data breach.
The NAIH also found that the data processor in charge of developing and operating the website did not subject the website to proper security checks or vulnerability tests, and acted with a high degree of negligence in its development.
NAIH ordered the travel agency to pay a HUF 20 million (approx. €50,580) data protection fine and the website development company a HUF 500,000 (approx. €1,260) data protection fine.
Data breach as the result of incorrect configuration on the web servers
A financial service provider reported a personal data breach to the NAIH. On the internet interface created by the service provider for data sharing, due to an incorrect configuration on the web servers, contracts and portfolio statements created for individuals became publicly available.
Of the roughly 200 customers whose data was stored on the affected site, the incident concerned the personal data of 50 customers: identity data (name, date of birth, place of birth, identity card number, tax identification number, and nationality), contact information (address, e-mail address, and telephone number), and financial information (portfolio value).
According to the NAIH, the financial service provider would have been expected to check the (incorrectly configured) system regularly by means of vulnerability tests performed by internal and external experts. The data controller would also have been expected to keep search engine crawlers away from the data processing in question, i.e. to prevent the listing of data stored on the web server.
NAIH obliged the data controller to pay a HUF 2 million (approx. €5,560) data protection fine in view of the application of insufficient security measures.
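As an added example, not code from the NAIH decisions or from any of the affected sites, the following Python script checks a captured HTTP response for the two weaknesses described in the two cases above: an auto-generated directory listing returned in place of the intended page, and a document area that crawlers have not been told to stay out of via an X-Robots-Tag header or robots.txt. The server responses, file names and robots.txt it runs over are constructed samples.

```python
"""Offline checks for a directory-listing exposure and missing crawler guidance.

Added example; the responses below are constructed, not captured from any site.
"""
import re
from urllib.robotparser import RobotFileParser

# Title/heading patterns of auto-generated listings from common web servers
# (Apache mod_autoindex, nginx autoindex, IIS, Python's http.server).
LISTING_SIGNATURES = (
    re.compile(r"<title>\s*Index of\s+/", re.I),
    re.compile(r"<h1>\s*Index of\s+/", re.I),
    re.compile(r"<title>\s*Directory listing for\s+/", re.I),
    re.compile(r"\[To Parent Directory\]", re.I),
)

# File types that held medical findings and customer contracts in the cases
# above; extend the tuple for your own environment.
SENSITIVE_EXTENSIONS = (".pdf", ".xls", ".xlsx", ".csv", ".doc", ".docx")

HREF_RE = re.compile(r'href="([^"]+)"', re.I)


def is_directory_listing(body: str) -> bool:
    """True when the HTML body looks like a server-generated directory index."""
    return any(sig.search(body) for sig in LISTING_SIGNATURES)


def listed_sensitive_files(body: str) -> list[str]:
    """Names of files linked from a listing page that match SENSITIVE_EXTENSIONS."""
    return [href for href in HREF_RE.findall(body)
            if href.lower().endswith(SENSITIVE_EXTENSIONS)]


def crawlers_told_to_stay_out(path: str, headers: dict, robots_txt: str) -> bool:
    """True when an X-Robots-Tag: noindex header or a robots.txt rule for all
    user agents covers `path`. Neither mechanism restricts access; it only
    lowers the chance that an exposure is indexed and becomes searchable."""
    tag = next((v for k, v in headers.items() if k.lower() == "x-robots-tag"), "")
    if "noindex" in tag.lower():
        return True
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())   # empty robots.txt allows everything
    return not rp.can_fetch("*", path)


def assess(path: str, status: int, headers: dict, body: str, robots_txt: str) -> list[str]:
    """Findings for one captured response; an empty list means nothing found."""
    findings = []
    if status != 200:
        return findings
    listing = is_directory_listing(body)
    if listing:
        findings.append("directory listing enabled")
        files = listed_sensitive_files(body)
        if files:
            findings.append(f"{len(files)} document(s) enumerable: " + ", ".join(files))
    # Only a document area needs crawler guidance; ordinary pages may be indexed.
    exposes_documents = listing or path.lower().endswith(SENSITIVE_EXTENSIONS)
    if exposes_documents and not crawlers_told_to_stay_out(path, headers, robots_txt):
        findings.append("no noindex header or robots.txt rule; crawlers may index this path")
    return findings


# Constructed sample 1: Apache-style listing of a findings folder, no crawler guidance.
LISTING_BODY = """<html><head><title>Index of /findings</title></head>
<body><h1>Index of /findings</h1><ul>
<li><a href="../">Parent Directory</a></li>
<li><a href="referral-20210304.pdf">referral-20210304.pdf</a></li>
<li><a href="lab-result-20210305.pdf">lab-result-20210305.pdf</a></li>
<li><a href="logo.png">logo.png</a></li>
</ul></body></html>"""

# Constructed sample 2: the same path after the fix. Listing is disabled (the
# server now answers 403), the area is marked noindex, and robots.txt
# disallows the path; documents themselves must sit behind authentication.
FIXED_BODY = "<html><head><title>403 Forbidden</title></head><body>Forbidden</body></html>"
FIXED_HEADERS = {"Content-Type": "text/html", "X-Robots-Tag": "noindex, nofollow"}
ROBOTS_TXT = "User-agent: *\nDisallow: /findings/\n"


def demo() -> dict:
    """Run both samples through assess() and return the findings by stage."""
    return {
        "before": assess("/findings/", 200, {"Content-Type": "text/html"}, LISTING_BODY, ""),
        "after": assess("/findings/", 403, FIXED_HEADERS, FIXED_BODY, ROBOTS_TXT),
    }


if __name__ == "__main__":
    for stage, findings in demo().items():
        print(stage, "->", findings or ["no findings"])
```

Disabling the listing and putting the documents behind authentication is the actual fix; the noindex header and robots.txt only stop a remaining exposure from being indexed and should be treated as a second line, as the travel agency case shows.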
Emotion recognition system powered by artificial intelligence
A bank used artificial intelligence ('AI') based speech-signal processing technology in its customer service, which automatically analysed calls for a list of keywords and for the emotional state of the speaker. The bank used the results to monitor the quality of calls, prevent complaints, rate the quality of work, and increase the efficiency of its call-handling staff. The detected keywords and emotions were also stored along with the call, and the calls could be replayed within the voice analytics software for up to 45 days. The software ranked the calls and recommended the order of priority in which callers should be contacted.
The NAIH launched a procedure against a bank for the shortcomings of its automatic AI analysis of recordings of customer service calls, which included assessing the emotional state of the speaker and other characteristics.
The NAIH's findings:
While the NAIH did not rule the AI analysis of recorded customer service calls unlawful as such, it found the following shortcomings:
- the bank's customer service privacy notice did not contain any substantive information on voice analysis; the privacy notice only mentioned quality assurance and complaint prevention as data processing purposes;
- the bank based the data processing on its legitimate interest in retaining customers and improving the efficiency of its internal operations, but the different data processing operations related to these interests were not separated either in the privacy notice or in the balancing of interests test ('LIA');
- the bank's DPIA concluded that this processing is high-risk for a number of reasons, but did not provide substantive solutions to address these risks; and
- the bank did not actually examine the proportionality of the data processing and its effects on data subjects, and trivialised the significant risks to fundamental rights. It expressly failed to consider the right of data subjects to adequate information and their right to object.
NAIH ordered the bank to pay a HUF 250 million (approx. €632,280) data protection fine, which is the highest fine imposed by the NAIH for violations of data protection laws so far.
Public disclosure of personal data in national directory
The NAIH investigated the data processing of a mobile service provider on the basis of a complaint from a data subject, who complained that his name, address and telephone number were publicly available in the data controller's public directory, despite the fact that he had not consented to their disclosure. Further, he repeatedly asked the mobile service provider to delete his personal data from the online directory, and the mobile service provider only complied with this deletion request at the third attempt. The mobile service provider acknowledged that the data subject's requests for erasure had not been implemented due to technical and administrative errors: the first request for deletion was processed and the necessary steps for deletion were taken, but due to a technical error the actual deletion of the personal data did not take place and the data remained available on the public directory interface; the data subject's second request for deletion was incorrectly recorded in the data controller's internal records as 'closed' due to a one-off operator error.
Regarding the public disclosure of personal data in the online directory, the NAIH found during the investigation that under the terms of a subscriber agreement between the data subject and the data controller for a top-up card service concluded in 2015, the data subject did not consent to the data controller publishing his name, permanent address, and phone number as part of his subscriber data in the public national directory maintained by the data controller. However, at the time of the contract renewal in 2018, according to the statement of the data controller, the declarations made by the data subject were amended, and he gave consent to public disclosure of his data in the directory. The data controller provided a screenshot with a ticked check-box to demonstrate the validity of this statement.
According to the NAIH, a screenshot with a ticked check-box does not satisfy the accountability requirement under Article 5(2) of the GDPR, as in the absence of the contract signed by the parties it cannot demonstrate that the consent was freely given, specific, informed and an unambiguous indication of the data subject's wishes in accordance with Articles 4 and 7 of the GDPR.
In relation to the failure to comply with the data erasure requests, the NAIH found that the controller's procedures were in breach of the GDPR as well.
NAIH ordered the mobile service provider to pay a HUF 5 million (approx. €12,650) data protection fine.
Failure to identify proper legal basis relating to processing of personal data after completed pre-credit assessment and credit assessment
According to the complaint filed with the NAIH, a bank rejected the complainant's loan application and later notified them of a new credit assessment based on the personal data recorded in connection with the rejected loan application, even though the complainant did not request a new loan offer.
In relation to the legal basis for the processing of personal data for the purposes of pre-credit assessment and credit assessment, the NAIH found that the bank lawfully based its processing of personal data for the purpose of the pre-credit assessment and credit assessment process on Article 6(1)(b) of the GDPR until the time such assessments are completed.
However, contrary to the practice of the bank, the processing of personal data after such assessments have been completed, cannot be based on the same contractual basis, if no contract was concluded as a result of the pre-credit and credit assessments. Following an order from the NAIH to modify this legal basis in order to bring the data processing in compliance with the provisions of the GDPR, the bank modified the legal basis to Article 6(1)(f) of the GDPR.
The NAIH stated that the bank had properly moved the legal basis of its data processing to its legitimate interest pursuant to Article 6(1)(f) of the GDPR. However, in its analysis of the LIA, the NAIH found that, when comparing the interests of the data controller and the data subject, the bank did not address the processing relating to the pre-credit assessment, but only examined the 'credit assessment'. The NAIH found a further inconsistency in the LIA, as it incorrectly stated that it applied 'also to data processing relating to loans granted in the course of a pre-credit assessment', which means data processing where loans were actually granted, even though the data processing subject to the LIA is the 'retention of personal data collected in the course of credit assessments in cases where a contract has not been concluded'.
Based on the above, according to the NAIH, the LIA regarding the retention of personal data obtained in the course of the pre-credit assessment is flawed in such a way that it is not suitable to demonstrate the existence of a legal basis and the NAIH ordered the bank to delete the personal data in question.
NAIH ordered the bank to pay a HUF 30 million (approx. €75,870) data protection fine.
Public area surveillance system using facial recognition cameras in the administrative area of Siófok
The NAIH launched an investigation after learning via press reports of the intent of the Municipality of Siófok ('Municipality') to install a 39-camera system with facial recognition AI to monitor public spaces (the decision is only available in Hungarian here).
In its investigation the NAIH established that, according to the responses provided to it, the public area camera system had been in operation in Siófok since 2014, operated by the Municipality under a cooperation agreement with the Police in the field of crime prevention and public safety. Within this context the Police had contributed to the development of the camera system beginning in 2020, and a technology company provided the technical support for the processing of the recordings.
The Municipality claimed that the use of the surveillance was justified by the thousands of people visiting the nightclubs in the affected area and the increasing number of crimes. However, the NAIH found that the mass processing of biometric data under Section 7(3) of Act LXII of 1999 on Public Area Surveillance (only available in Hungarian here) and Section 42(2) of Act XXXIV of 1994 on the Police (only available in Hungarian here) was not sufficiently justified, since biometric data is subject to special protection as a special category of data, and therefore the current Hungarian legislation does not allow the operation of a public area surveillance system which processes biometric data.
The NAIH further identified shortcomings in the cooperation agreement between the Police and the Municipality. Additionally, the NAIH found that the Police and the Municipality were joint controllers for the data processing in question, and identified a violation on the part of each such joint controller in relation to the absence of a data processing agreement pursuant to Section 25/B(1) of the Act, which regulates the tasks and responsibilities related to the performance of the controller's obligations.
In addition, the NAIH found that the obligation under Article 25/F(4) of the Act to keep data recorded in the register of controllers and processors in an electronic logbook for ten years after deletion of the processed data could not be fulfilled, since the activities of users can be viewed in the system only for 30 days.
Finally, the NAIH identified the technology company as a data processor for the processing in question and found that it had modified, deleted, and created access roles in the surveillance processing system without the knowledge of the Municipality, thereby infringing Article 25/D(3)(a) of the Act, stating that a data processor may only act on the written instructions of the controller.
In consideration of the above findings, the NAIH found that the Municipality and the Police had processed personal data unlawfully through the camera surveillance system. In relation to the technology company, the NAIH decided to impose a fine of HUF 500,000 (approx. €1,260) (the decision can be accessed only in Hungarian, here).
Lawfulness of data processing for direct marketing purposes
The NAIH imposed a fine of HUF 80 million (approx. €202,330) in an investigation into a company's practices related to direct marketing (only available in Hungarian here). In its procedure, NAIH found that the company had processed the contact details (name and address) of approximately 300,000 to 400,000 data subjects in the context of sending a postal notification inviting them to a free hearing test without adequate information, without a specific and real purpose and without an adequate legal basis.
The company claimed that letters assessing the need for hearing tests were only sent to persons listed in the database provided by the Ministry of Interior, which the company requested every two to three months for market research. After receiving the data, competent employees of the company transferred them to a separate, secure server, and the entire contents of the delivery medium were irretrievably deleted after the transfer. The company argued that the legal basis of the data processing was the consent of the data subjects, and that the data subjects had the possibility to withdraw their consent at the Ministry of Interior or the controller if they did not wish their personal data to be processed further.
The NAIH held in its decision that the company violated Article 6(1) of the GDPR: if the data subject takes no active step to give consent, the data controller cannot treat that silence as an affirmative act constituting a proper legal basis for data processing. Moreover, where consent is the legal basis, the data subjects have to be informed before giving their consent, which was clearly lacking in this case as well.
Furthermore, as of 26 April 2019, the Direct Marketing Act was amended, so that it no longer provided a basis for direct marketing requests. However, the company continued its practice. According to the NAIH, from March 2021 the company requested the data for market research purposes in order to comply with the changed legal requirements, only to continue its processing for direct marketing purposes. Consequently, the NAIH found that the company violated the purpose limitation principle under Article 5(1)(b) of the GDPR, since it misled the data subjects and the Ministry of Interior by disguising the true purpose of the processing, thereby also violating the principle of fairness under Article 5(1)(a) of the GDPR. The NAIH also held that the company had violated Articles 14(1), 14(2) and 12(1) of the GDPR, since it failed to provide clear and transparent information.
Necessity of consent by purpose and separation from other declarations
The NAIH imposed a fine of HUF 30 million (approx. €75,870) after a company handled the contact data of thousands of individuals in the absence of adequate prior privacy information, a concretely defined purpose, and a valid legal basis (the decision is available only in Hungarian here).
In its procedure the NAIH instructed the company to delete contact data used for direct marketing purposes for which it cannot obtain a new, appropriate consent, or does not have another valid legal basis for processing them (e.g. contractual contact).
The NAIH's most important findings regarding the duties of the companies include:
- Separate consent is required for each purpose and channel. In the text of a privacy consent, receiving direct marketing 'electronically' is too broad a term. Individuals must be able to choose whether they wish to consent to direct marketing only in certain channels (e.g. only by post, only by phone or only by e-mail, or by any combination of these). This does not preclude offering an option where consent can be given to all specified purposes at the same time. It must, however, be possible to give separate consent for only certain purposes. Companies must review the design of their privacy consents – primarily, the number of checkboxes and the way they are worded.
- Separate consent is required for Google LLC and Facebook, Inc. advertising. Direct marketing sent via other channels (e.g. targeted advertisements on the Google and Facebook advertising systems) also require separate consent, and separate information must be provided on the use of similar mass automated advertising systems. Companies must also review the design of their privacy consents and the content of their privacy notices.
- Specific information is required on the marketing method. The purpose of processing contact data cannot be a flexible goal such as 'receiving more favourable offers'. Direct marketing is an umbrella concept, and companies must indicate the specific implementation (e.g. sending advertisements for their own or third-party products on a given channel or specific channels). Companies must also highlight in their privacy notices any important circumstances that are not customary and that individuals may not reasonably expect, such as a foreign data processor and a clear, concise, easily understandable description of its role. Companies must review the text of their privacy consents and the content of their privacy notices.
- Companies must provide information on the location of their privacy notice for the currently used communication channel. In the case of offline communication, it is not enough to refer only to the availability of the online privacy notice, because there may be many individuals who do not have internet access or cannot find the information on the internet during or before ordering by mail or telephone. Companies must review the information they provide on the availability of their privacy notice.
The significance of this decision is that this was the very first time that the NAIH has addressed the method for obtaining consents, especially how many different consents are required to perform direct marketing activities through different channels.