THE FIRST CUCKOO HAS ARRIVED – HERE IS THE FIRST HUNGARIAN GDPR-FINE
06 March 2019
The Hungarian data protection authority, the NAIH, imposed the first data protection fine based on an infringement of the GDPR in December 2018. It appears that for this “first cuckoo” the NAIH applied the so-called “early bird” discount known from marketing. Indeed, the fine was not particularly high considering that it was imposed for the infringement of data subject rights. Well, let’s see the details of the case.
1. Why did the procedure start?
The Controller operates a camera surveillance system at his premises, where the Data Subject showed up in July 2018 for administration purposes. A few days later, the Data Subject contacted the Controller, stating that he would like to watch the recordings made of him and be provided with a copy of them. Further, he requested the Controller not to erase the recordings for 5 years, since he needed them for use in different procedures.
The Controller, as set out in the GDPR, answered the Data Subject within 30 days. He replied that he had not restricted the processing of the camera recordings, meaning that he had erased them, since the reasons invoked by the Data Subject did not support his request. In the Controller’s view, the recordings could only prove that the Data Subject showed up at his premises but could not prove in which particular case and what had been discussed.
As usual, the Data Subject was annoyed and filed a complaint with the NAIH. And as usual, once the NAIH started to investigate, it found some problems.
2. Why was the right of access infringed?
First, the NAIH found it problematic that the Controller would not let the Data Subject watch the recording and refused to provide him with a copy.
In this regard, the Controller claimed that the Data Subject had not clearly justified why he would need the recordings, that is, in which procedures he wanted to use them. The Controller based this claim on the Security Services Act, which in fact sets forth that data subjects shall justify their legitimate interest in order to prevent the erasure of the recordings.
Nevertheless, the NAIH emphasized that the GDPR, contrary to the Security Services Act, does not set out additional conditions in relation with the right to access. That means that the Data Subject does not have to justify why he needs the recordings in order to be able to watch them or to request a copy.
Thus, the NAIH established that given that the Controller laid down additional conditions in relation with the exercising of the right to access and refused to comply with the Data Subject’s request because it did not meet those extra conditions, he infringed the Data Subject’s right to access.
3. What was wrong with the erasure of the recordings?
In relation to the Data Subject’s request for restriction of processing, the Controller claimed that the Data Subject had not clearly indicated why the erasure of the recordings would be against his legitimate interest and for what particular legal procedure he would need them. That is why the Controller, instead of restricting the data processing, erased the recordings.
However, the NAIH recalled that for a restriction request to be well-founded, it is enough that the data subject submits that he would need the recording for exercising his legal claims. There is no need for further justification, especially in a case where the erasure of the recording could prevent the enforcement of the claim.
The NAIH considered that the Controller could not have refused the execution of the request because he thought that it is not appropriate or necessary for the exercising of the claim. In fact, the Controller cannot assess those factors, since the GDPR does not set out such additional conditions in relation with the right to restriction of processing. To sum up, by erasing the recordings, the Controller has infringed the Data Subject’s right to restriction of processing.
4. What did the Controller also mess up?
As written above, the Controller answered the Data Subject in exemplary fashion, within 30 days.
Unfortunately, the Controller managed to crown the infringement of the Data Subject’s rights in his response. In fact, he failed to inform the Data Subject about his remedies.
Indeed, by not drawing the Data Subject’s attention to the fact that he can lodge a complaint with the NAIH or seek judicial remedy, the Controller again infringed the GDPR.
5. What factors did the NAIH consider in relation with the fine?
The NAIH itself thinks that the first fine imposed because of the infringement of the GDPR is kind of symbolic. It seems to be true, because this amount is not too extreme in comparison with the similar or even higher fines imposed by the NAIH before the entering into force of the GDPR.
When assessing the amount of the fine, the NAIH considered as an aggravating factor that the Controller caused real harm to the Data Subject and that the recordings cannot be restored, thus the Data Subject’s harm cannot be remedied.
The NAIH considered it a mitigating factor that the legal environment could confuse the Controller, particularly that the Security Services Act in force is in contradiction with the GDPR, which could mislead the Controller. Further, the NAIH took into account that the Controller had committed such an infringement for the first time.
And what is the lesson that you can learn from the above? First and foremost, that you shall always thoroughly examine the data subject’s request and only refuse it if you are 100% sure that it is unfounded. In case you still decide to refuse the request, do not forget to inform the data subject about the possibility of the complaint.