Blog
Blog » A RECORD GDPR FINE OF HUF 100 MILLION – THE PRICE OF THE PROCRASTINATION
A RECORD GDPR FINE OF HUF 100 MILLION – THE PRICE OF THE PROCRASTINATION
17 June 2020
The Data Protection Authority imposed the highest fine ever in Hungary against Digi Távközlési és Szolgáltató Kft. because of the infringement of the GDPR. Let’s see what led to the record fine of HUF 100 Million.
1. Facts
DIGI learnt from an ethical hacker that on his webpage www.digi.hu certain test databases are available which contain the personal data of his clients and subscribers to his newsletter. The ethical hacker used a security loophole on the webpage in order to access to client data.
DIGI notified the Data Protection Authority about the data breach within 72 hours who started an investigation based on the notification.
However the decision published by the Data Protection Authority does not contain exact figures, it is certain that DIGI stored the personal data of a large number of data subjects and because of their detailedness the data records would enable identity theft or fraud.
2. Insufficient data security measurements
Based on the investigation the Data Protection Authority established that the data breach happened because DIGI did not implement data security measures to ensure a level of security appropriate to the risks.
On the one hand, the security loophole used by the ethical hacker has been known for 9 years and a bug fix was already available but DIGI did not install it because it was not the part of the official update-package.
On the other hand, DIGI did not use encryption in relation to the personal data contained by the test data although encryption as a necessary data security measure is specifically mentioned by the GDPR.
3. Infringement of data protection principles
As we speak, plane crashes usually happen because of more mistakes and that was also the case regarding DIGI’s data breach.
Besides the inappropriate data security measures, a basic problem was that the test databases should have been deleted a long time ago. Indeed, DIGI created the test databases for his client data to be available temporarily until he fixes the mistake in his systems which hinders the availability of the client data.
Since DIGI has not deleted the test database after the correction o the mistake that is to say after the personal data were no longer necessary for the purpose of the data processing, DIGI infringed the principles of “purpose limitation” and “storage limitation”.
4. Circumstances which influenced the amount of the fine
When imposing the record fine the Data protection Authority considered as aggravating circumstances among other the fact that the data breach was the consequence of data security loophole for which a free bug fix was available a long time ago and that the absence of the encryption increased the risk of a data breach. The Data Protection Authority has also taken into account that the data breach concerned several personal data of a large number of data subjects compared to the number of the population of Hungary.
The Data Protection Authority considered as a mitigating factor that he has not yet established any infringements regarding DIGI and that DIGI acknowledged that he should have already deleted the test databases.
The fact that DIGI notified the Data Protection Authority within the 72 hours’ deadline and that DIGI cooperated during the investigation was not taken into account as a mitigating factor since these are the legal obligations of any controller.
5. Lesson learnt
The most basic lesson of the case is that you should delete the obsolete data and databases right after the purpose of processing has disappeared.
Further it is important to pay attention to the data security measures. The kind of data protection measurements which shall be applicable is influenced by a lot of factors for example the quantity or the sensitivity of the processed personal data and the available resources.
Nevertheless, it is clear that in case a data security measure is necessary and the technical feasibility exists, the Data Protection Authority will not be tolerant if a data breach happens because the controller has not implemented those security measurements.
-
CAN A JUDICIAL ERROR CREATE HUNGARIAN JURISDICTION DESPITE A PLACE OF PERFORMANCE ABROAD?
Can a defendant, domiciled abroad, be sued in Hungary under the Brussels I Regulation in the event of defective performance of an international sales contract if the place of performance is abroad? Can the jurisdiction of a Hungarian court be established based on the fact that the lower court expressly established its jurisdiction at the beginning of the litigation? How is the EXW clause to be interpreted within the meaning of the Brussels I Regulation? In our article, we analyse the recent decision of the Supreme Court of Hungary.
Read more » -
CAN YOU REQUEST ‘COVID-19 VACCINATED’ CERTIFICATION FROM YOUR EMPLOYEE IN HUNGARY?
In the recent weeks, a number of questions have been arisen whether the employer may know the data contained by the „immunity card”, which aim is to certify immunity to coronavirus. Is the employer entitled to request information from the employee regarding the immunity card or store the information concerning its employee? In this article we answer the above questions on the basis of the information („Information”) of Hungarian National Authority for Data Protection and Freedom of Information.
Read more » -
DO YOU HAVE TO TERMINATE THE REPLACEMENT EMPLOYEES’ CONTRACT IN HUNGARY?
In the event of a longer leave of a worker, it is common for employers to hire a replacement worker with fixed term contract to make up for the missing workforce. When the replaced worker returns, a labour dispute may arise. In the legal case presented in our article, the Supreme Court examined how the employment relationship of the replacement employee terminates at the end of the replacement. From our article you can learn about the decision of the Supreme Court and what to look for as an employer to make the closing of the replacement smooth. (In our article, we examine the court decision published under No. BH 2021.2.51)
Read more »