While the amount of the administrative fine set out in the GDPR is only a theoretical maximum, the fines imposed in specific cases can serve as an important practical compass in several respects: on the one hand, the level of fines is indicative in itself; on the other hand, it is also important for data controllers and processors to see which articles of the GDPR are regularly cited in the decisions and which criteria matter most to the authorities when they decide on the legal consequences (including fines) in a given case.
Below I collect the decisions of the Hungarian Data Protection Authority (NAIH) imposing fines (published in 2020), and I also indicate the articles of the GDPR that the authority referred to in its decisions. The list below is regularly updated. (The list of the GDPR fines imposed in 2019 is available here.) (Last updated: 06.02.2021)
No. and date of the decision | Amount of the GDPR fine | Quoted Articles of the GDPR | Summary |
NAIH/2020/32/4 (04.03.2020) | EUR 290 (HUF 100,000) | | A picture was posted on Facebook in the course of a political campaign showing the data subject (who was the director of a company owned by the local municipality) ripping off campaign posters; he was with his daughter (whose face was blurred, but who could have been identified based on the Facebook post). |
NAIH/2020/166/5 (26.03.2020) | EUR 2,890 (HUF 1,000,000) | | Due to an administrative mistake by an employee of the controller (Bank), the data subject's personal data were registered and sent to the Central Credit Information System (CCIS) in connection with a loan agreement, although the data subject was not a party to the agreement (i.e. the data subject had no link to the given agreement or the loan). Based on the information available in the CCIS, the data subject's request for a loan was rejected by another financial institution (the data subject realised the mistake when he was rejected). |
NAIH/2020/2555 (09.03.2020) | EUR 870 (HUF 300,000) | | The telephone number of the data subject was recorded as contact data in connection with the enforcement of a debt owed by a customer other than the data subject (i.e. the data subject was not the debtor, only a contact person). The controller knew that the data were not related to its client and that the debtor had given the data subject no formal authorization to represent the debtor towards the controller. The controller was unable to prove the existence of the data subject's consent. The data controller complied with Article 11 (2) of the GDPR and deleted the inaccurate data from its register, so no infringement of the GDPR occurred in this respect. |
NAIH/2020/200/5 (19.03.2020) | EUR 5,800 (HUF 2,000,000) | | The controller did not fulfill its obligation regarding the right of access to video recordings, and the restriction of processing was lifted without prior information being provided to the data subject who had obtained the restriction of processing. By these acts, the controller made it impossible for the data subject to exercise his rights. The controller was also unable to prove that its data processing activities concerning the CCTV operation in the investigated period had been in compliance with the applicable data protection rules. |
NAIH/2020/1137 (24.01.2020) | EUR 1,450 (HUF 500,000) | | A printed client list of an accounting firm that also included personal data (name, birth information, social security number, login information to a Governmental portal, etc.) became available for unauthorised access. In the course of its investigation, the Hungarian DPA identified gaps in data security measures and also in the controller's incident management policy. |
NAIH/2020/1160 (18.05.2020) | EUR 290,000 (HUF 100,000,000) | | Based on an investigation initiated by the Hungarian DPA after a data breach reported by the controller, the DPA concluded that the controller had not applied adequate data security measures to protect its users' data. The vulnerability was found by a hacker, who reported it to the controller. This vulnerability made it possible to reach databases containing personal data through the homepage of the controller. The DPA also declared that the controller's failure to apply encryption to the database increased the risk to the personal data affected. An infringement of the principles of purpose limitation and storage limitation was also established, since a database created for correcting failures had not been deleted after the completion of the task. |
NAIH/2020/34/3 (08.06.2020) | EUR 580 (HUF 200,000) | | The controller rejected the request of the data subject (an ex-employee of the controller) for access to his/her archived e-mail account. The DPA accepted that full access to the account was not justified, but the data subject should have received access to his/her private e-mails (since private use of the e-mail account had been possible). The data controller did not provide proper information to the data subject when the request was rejected, and this did not help the data subject in exercising his/her rights. |
NAIH/2020/308 (22.01.2020) | EUR 5,700 (HUF 2,000,000) | | The controller did not reply to the data subject's request properly, since it gave only general information about its data processing activities without answering the specific questions of the data subject. In addition, the controller referred to the fact that the data subject's questions had been answered earlier and that this had been accepted by the courts in the legal dispute between the parties (res iudicata). However, the Authority found that the information requested by the data subject was not the same as the information the controller had previously provided. |
NAIH/2020/974 (09.07.2020) | EUR 2,890 (HUF 1,000,000) | | An MP collected signatures from data subjects to support an initiative, and the data collected were also used to get in touch with supporters (i.e. for communication purposes in connection with political activities). However, according to the Hungarian DPA, the processing of the contact data for communication purposes lacked a proper legal basis, as the consents were invalid (the two purposes of processing, i.e. supporting the initiative and communication with the supporters, were not separated properly). According to the Hungarian DPA, the information provided to the data subjects did not cover all relevant aspects of the data processing. |
NAIH/2020/4365 (28.05.2020) | EUR 2,890 (HUF 1,000,000) + EUR 1,450 (HUF 500,000) | | The case was in connection with the enforcement of claims. It is worth noting that the data processor was also fined (EUR 1,450), since he acted outside his scope as data processor when he provided false information to the data subject. |
NAIH/2020/1154 (23.07.2020) | EUR 5,780 (HUF 2,000,000) | | The Hungarian DPA carried out an inspection in connection with the list of the 50 wealthiest Hungarians and the list of the biggest family-owned businesses published by Forbes Hungary. The DPA concluded that the balancing test was not properly prepared and the data subjects had not received proper information about all relevant aspects of the data processing. The DPA examined the collision between the right to protection of personal data and the freedom of expression and information, including processing for journalistic purposes in line with Art. 85. The data subjects' request regarding the erasure of their data was rejected with reference to Art. 17 (3) a): "In the present case, therefore, Article 17 (3) (a) of the General Data Protection Regulation provides the balance between the right of erasure and the exercise of the right to freedom of expression and information, thus ensuring, inter alia, freedom of the press and in case of online versions of lists, the freedom of the Internet." (Further details are available here). |
NAIH/2020/838 (23.07.2020) | EUR 7,225 (HUF 2,500,000) | | The Hungarian DPA carried out an inspection in connection with the list of the 50 wealthiest Hungarians and the list of the biggest family-owned businesses published by Forbes Hungary. The DPA concluded that the balancing test was not properly prepared and the data subjects had not received proper information about all relevant aspects of the data processing. The DPA examined the collision between the right to protection of personal data and the freedom of expression and information, including processing for journalistic purposes in line with Art. 85. The data subjects' request regarding the erasure of their data was rejected with reference to Art. 17 (3) a): "In the present case, therefore, Article 17 (3) (a) of the General Data Protection Regulation provides the balance between the right of erasure and the exercise of the right to freedom of expression and information, thus ensuring, inter alia, freedom of the press and in case of online versions of lists, the freedom of the Internet." (Further details are available here). |
NAIH/2020/643/6 (17.07.2020) | EUR 1,390 (HUF 500,000) | | Use of CCTV at the workplace. The Authority also examined whether the use of CCTV is to be deemed a separate data processing activity if no recordings are made. |
NAIH/2020/193/8. (23.07.2020) | EUR 1,667 (HUF 600,000) | | The (former) employer did not fulfil the request to rectify or erase the old address of the (former) employee. In addition, personal data of the employee were transferred to a third party without a proper legal basis in connection with providing in-kind benefits (cafeteria) to the employees. |
NAIH/2020/35/3. (16.07.2020) | EUR 2,890 (HUF 1,000,000) + EUR 1,450 (HUF 500,000) | | The case was in connection with the enforcement of claims, including data processing in connection with property valuation. |
NAIH/2020/2204/8. (03.09.2020) | EUR 55,000 (HUF 20,000,000) | | The data controller implemented technical and organisational measures that were deemed inadequate for fulfilling the data subjects' requests to exercise their rights in connection with video surveillance at the shops of the data controller. |
NAIH/2020/952 (27.04.2020) | EUR 20,833 (HUF 7,500,000) | | The data controller did not apply proper security measures regarding its online database that contained, among others, medical records. In addition, the controller did not fulfil its obligations in connection with the management of the data breach (with special regard to the false evaluation of the potential risks in connection with the data breach). |
NAIH/2020/1866/5. (23.07.2020) | EUR 13,900 (HUF 5,000,000) | | Unlawful data processing in connection with financial intermediary activities: data processing without legal basis and without providing proper information to the data subjects. The controller kept no records of its processing activities and no written agreement with the processor had been concluded. |
NAIH/2020/66/21 (09.12.2020) | EUR 56,000 (HUF 20,000,000) + EUR 1,400 (HUF 500,000) | | The data controller did not make a proper evaluation of the processor involved in the development of the controller's website. The vulnerability of the website led directly to a data breach. The processor was also fined directly (EUR 1,400) because it infringed its data security obligations under the GDPR. |
NAIH/2020/2729/15 (14.10.2020) | EUR 1,960 (HUF 700,000) | | The data subjects did not receive proper information regarding the use of a CCTV system at the workplace. The cameras might have recorded areas where the employees spent their resting periods. |
NAIH/2020/159/10. (05.10.2020) | EUR 1,680 (HUF 600,000) | | The data subject's request to correct his/her address was not fulfilled; consequently, a false address was further processed by the controller. |
NAIH/2020/2760/9 (13.08.2020) | EUR 5,600 (HUF 2,000,000) | | Processing of the phone number and the e-mail address without a proper legal basis following the assignment of the claim. |
NAIH/2020/687/2. (06.08.2020) | EUR 5,600 (HUF 2,000,000) + EUR 5,600 (HUF 2,000,000) | | Data processing in connection with the assignment of a claim, where several data controllers involved in the process made mistakes. |
NAIH/2020/2758/4. (29.09.2020) | EUR 170,000 (HUF 60,000,000) | | The data controller made voice recordings of all customer-related transactions at its shops without defining proper purposes for such data processing, and the data processing had no proper legal basis. The customers did not receive proper information regarding such data processing activities. |
NAIH/2020/2546/15. (16.12.2020) | EUR 99,000 (HUF 35,000,000) | | The financial institution copied documents regarding the pregnancy that contained sensitive personal data, including medical data, that were not necessary for providing the discounted loan for those who were expecting a baby. |
NAIH/2020/54/4. (10.12.2020) | EUR 23,000 (HUF 8,000,000) | | A university unlawfully processed personal data, including special categories of data, in connection with providing a regular scholarship based on the applicants' social status. |