SZIGET FESTIVAL FINED RECORD HUF 30 MILLION FOR GDPR BREACHES – WHAT WENT WRONG?
26 June 2019
A few days before the first anniversary of the GDPR's entry into force, the Hungarian Data Protection Authority imposed the biggest data protection fine in Hungary so far. The target was the biggest Hungarian festival organizer, the company thanks to which the public can enjoy the SZIGET, VOLT or Balaton Sound festivals. The Data Protection Authority reviewed the festivals' check-in system and the data processing related to check-in. In this short article we summarize the mistakes the Authority identified.
1. The check-in system
The Data Protection Authority (DPA) has examined the activity of the organizer of the festivals ("Organizer") for many years, and in the present case it reviewed the activities both before and after the entry into force of the GDPR. Given that the fine was imposed only in relation to the data processing after the GDPR's entry into force, I deal only with that processing in this article.
The Organizer started to build the current check-in system, which was inspired primarily by the terrorist attacks in Paris in 2015. In the period covered by the fine, check-in worked as follows: when a visitor exchanges the ticket for an armband at the entrance, the visitor's name, other data and photo are taken from the identity document without scanning or copying it, or, if the photo cannot be obtained, the staff take a photo on the spot.
These data are then assigned to the RFID chip on the armband, together with further information about which areas the owner of the armband may visit on which days. The armband is then scanned at every entry, and the visitor's photo, name, gender and birth date appear on the screen, which makes it possible for the staff to identify the visitor.
2. Why is this all needed?
The Organizer named essentially two separate aims or interests which, in its opinion, justify the data processing at check-in.
On the one hand, in the Organizer's view, identifying the visitors makes it possible to protect personal security and to filter out potential perpetrators.
On the other hand, assigning the armband to a specific person may prevent misuse, such as several persons entering the festival with the same armband, or scalpers selling tickets at a higher price.
The Organizer considered that these legitimate interests override the visitors' data protection rights, and it supported this view with a legitimate interest assessment test. Indeed, it based the data processing on its own and the visitors' legitimate interest.
3. Safeguarding the visitors’ personal security
Although the DPA recognized that the Organizer has a legitimate interest in being able to organize safe festivals, it considered the data processing carried out by the Organizer for this purpose unlawful, mainly for two reasons.
Firstly, in the DPA's view, the prevention of crimes such as terrorist attacks is in fact a public-interest objective, and the Organizer does not have the appropriate measures to achieve it. Achieving such goals is the task of the authorized state organs and authorities. The Organizer should pursue this aim by other means, such as cooperating with the authorities, carrying out physical checks or using metal detectors.
Secondly, the DPA considers that the data processing related to check-in is not capable of preventing crimes. The Organizer has no reference database against which it could compare the data collected at check-in, so in reality it cannot filter out possible perpetrators by this method.
4. Filtering the misuses
In this regard, the DPA established that the Organizer has a legitimate economic interest in filtering out misuse, and that this interest may override the visitors' data protection rights.
Nevertheless, the data processing fails to be lawful for this purpose as well, essentially for the following reason.
Personalizing the tickets (with the armbands) and the related data processing can only prevent several persons from trying to enter the festival with the same armband.
However, this type of data processing cannot prevent the activity of scalpers. In reality, a scalper does not exchange the ticket for an armband and then sell the armband. Typically, the scalper resells, at a higher price, a ticket bought earlier. This type of activity cannot be prevented by personalizing the armbands. The icing on the cake is that, in the DPA's view, the Organizer processed certain data (e.g. birth date, gender) that were not necessary for preventing misuse at all.
5. The record fine
The DPA imposed a fine of HUF 30 million on the Organizer. As mentioned in the introduction, a fine this high was unprecedented in Hungary, mainly because the highest possible fine before the entry into force of the GDPR was HUF 20 million, which was imposed only once.
In the present case the DPA considered as aggravating factors the significant number of visitors and the fact that the Organizer is the market leader in festival organization. The DPA also took into account that it had previously warned the Organizer several times that it did not consider the data processing activity lawful.
As a mitigating factor, the DPA considered that the Organizer has changed its practices at least partly: it does not process the data based on (invalid) consent and does not scan the whole identity card.
As the example of the SZIGET Festival shows, in data processing the ends do not always justify the means. Even if the purpose of your data processing is valid and lawful, choosing an inappropriate measure may undermine the lawfulness of your whole data processing, so it is worth being careful.