Blog » GDPR PENALTY FORECAST – OUR PRESENTATION AT BELGABIZ
GDPR PENALTY FORECAST – OUR PRESENTATION AT BELGABIZ
23 April 2018
How often did the Hungarian Data Protection Authority impose penalties in the last five years? What was the average amount of penalties? Will be there any change after 25th May 2018, when the GDPR comes into force? We addressed these questions in our presentation made at BELGABIZ.
We were invited by BELGABIZ, the Business Club of Belgian and Hungarian enterprises in Hungary, to make a presentation on GDPR, since the D-Day is getting closer.
The managing partner of our law firm, dr.Richard Schmidt LL.M, EU law specialist, has chosen a topic that concerns mostly Hungarian businesses: how much they have to pay in case of a non-compliance with GDPR?
Richard answered the above question on the basis of last 5 years’ statistics of Hungarian Data Protection Authority, by comparing the current and future legal background.
Penalty as No. 1. Sanction
Under the current national data protection law, in case of non-compliance the Hungarian Data Protection Authority has 7 (seven) kind of sanctions. Among these only 1 (one) is the pecuniary penalty, while the other 6 (six) are non-pecuniary measures.
Even if penalty is only one out of seven sanctions, the statistics of the last five years of the authority clearly show that penalties were applied in the vast majority of cases.
The decrease in 2016 is due to the judgment of the Supreme Court, interpreting the Hungarian law on small and medium size enterprises (SMEs).
By its landmark decision, the highest Hungarian judicial forum ruled that in case an SME infringes privacy laws, no pecuniary penalty can be imposed for the first time. Yet, one year after, in 2017, the authority has already used this type of sanction twice more, than in 2016.
Average amount of penalties
According to the law in effect, the maximum amount of the penalty for data breaches can be HUF 20 Million.
The statistics show that the average amount was around 1 Million HUF in 2013, but after that year there was a strong increasing trend, up to cca. HUF 5 Million, which is the average amount of penalty imposed for non-compliance with data protection laws at the moment.
Changes after GDPR
When GDPR enters into force, the following major changes will take place.
First, the landmark decision of the Supreme Court, protecting SMEs will be no more applicable, because it was based on the interpretation of national law. The GDPR, being a European source of law, will overwrite the national provisions.
So, the data protection authority will be able to fine SMEs, even in case of a first fault.
Second, the upper limit of pecuniary penalties will be raised from 20 Million HUF to 20 Million EUR, or to 4% of annual turnover of the non-compliant organisation, which means that the ceiling will be at least 300 times higher than before.
Based on the above, we can provide you with the following “penalty forecasts”:
1. Given that the GDPR will be applied by the Hungarian Data Protection Authority, whose No.1. sanction was the penalty in the last five years, we presume that pecuniary penalties will remain the most often used sanctions after the GDPR enters into force.
2. It is not hard to predict that a 300 times’ increase regarding the ceiling of the penalty will lead to an overall increase in the amount of penalties imposed in case of non-compliance with the GDPR.
We hope that these two reasons are convincing enough for everybody to take GDPR compliance seriously, and continue the preparation for the new data protection rules!
CAN YOUR DEBTOR ESCAPE LIQUIDATION BY SETTING OFF CLAIMS IN HUNGARY?
The initiation of a liquidation procedure is an effective debt collection method, since the debtor may only avoid being liquidated by paying the claim if the conditions specified in the Act on Bankruptcy Proceedings and Liquidation (Bankruptcy Act) are met. For this reason, in the case of liquidation, one of the most common defences of the debtor is the reference to offsetting. But can the debtor refer to offsetting without limitation during liquidation? In our short article we answer this question.Read more »
SZIGET FESTIVAL FINED RECORD HUF 30 MILLION FOR GDPR BREACHES – WHAT WENT WRONG?
A few days prior to the first anniversary of the entry into force of the GDPR the Hungarian Data Protection Authority imposed the biggest data protection fine in Hungary so far. The target was the biggest Hungarian festival organizer company thanks to whom the public may enjoy the SZIGET, the VOLT or the Balaton Sound Festival. The Data Protection Authority reviewed the check-in system of the festival and the data processing in relation with the check-in. In our short article we summarize the mistakes the Authority identified.Read more »
CONSTRUCTION TRUSTEESHIP IN HUNGARY - GETTING PAID IN CONSTRUCTION PROJECTS AS SUBCONTRACTOR
Construction trusteeship, as mandatory collateral management of major private construction projects in Hungary, strives for protecting subcontractors against non-paying general contractor, by allowing direct payments from employer under certain conditions. How does it work in practice and what are the limits of subcontractor protection? We address these issues in this article.Read more »