SZIGET FESTIVAL FINED RECORD HUF 30 MILLION FOR GDPR BREACHES – WHAT WENT WRONG?
26 June 2019
A few days before the first anniversary of the entry into force of the GDPR, the Hungarian Data Protection Authority imposed the biggest data protection fine in Hungary so far. The target was the biggest Hungarian festival organizer, the company that brings the public the SZIGET, VOLT and Balaton Sound festivals. The Data Protection Authority reviewed the festival's check-in system and the data processing related to check-in. In this short article we summarize the mistakes the Authority identified.
1. The check-in system
The Data Protection Authority (DPA) has examined the activity of the organizer of the festivals ("Organizer") for many years, and in the present case the DPA reviewed its activities both before and after the entry into force of the GDPR. Given that the fine was imposed only in relation to the data processing after the entry into force of the GDPR, I deal only with that processing in this article.
The Organizer started to build the current check-in system primarily in response to the terrorist attacks in Paris in 2015. In the period covered by the fine, check-in worked as follows: when a festival visitor exchanges the ticket for an armband at the entrance, the visitor's name, other data and photo are taken from the identity document without scanning or copying, or, if the photo cannot be obtained, the staff take a photo on the spot.
These data are then assigned to the RFID chip on the armband, together with information about which areas the armband's owner may visit on which days. The armband is then scanned at every entry, and the visitor's photo, name, gender and birth date appear on the screen, which allows the staff to identify the visitor.
2. Why is this all needed?
The Organizer cited essentially two separate aims or interests which, in its opinion, justify the data processing at check-in.
On the one hand, in the Organizer's view, identifying the visitors protects personal security and allows potential perpetrators to be filtered out.
On the other hand, assigning the armband to a specific person can prevent misuse, such as several persons entering the festival with the same armband or scalpers selling tickets at a higher price.
The Organizer thought that these legitimate interests override the data protection rights of the visitors, and it supported its view with a legitimate interest assessment test. Indeed, it based the data processing on its own and the visitors' legitimate interests.
3. Safeguarding the visitors’ personal security
Although the DPA recognized that the Organizer has a legitimate interest in being able to organize safe festivals, it considered the data processing carried out by the Organizer for this purpose unlawful, mainly for two reasons.
First, in the DPA's view, the prevention of crimes such as terrorist attacks is in fact a public-interest objective, and the Organizer does not have the appropriate means to achieve it. Achieving such goals is the task of the authorized state organs and authorities. The Organizer should pursue this aim by other means, such as cooperating with the authorities, carrying out physical checks or using metal detectors.
Secondly, the DPA considers that the data processing related to check-in is not capable of preventing crimes. The Organizer has no reference database against which it could compare the data collected at check-in, so in reality it cannot filter out possible perpetrators by this method.
4. Filtering the misuses
In this regard, the DPA established that the Organizer has a legitimate economic interest in filtering out misuse, and that this interest may override the data protection rights of the visitors.
Nevertheless, the data processing fails the lawfulness test for this purpose as well, essentially for the following reason.
Personalizing the tickets (with the armbands) and the associated data processing can only prevent several persons from trying to enter the festival with the same armband.
However, this type of data processing cannot prevent the activity of scalpers. In reality, the scalper does not exchange the ticket for an armband and then sell the armband. Typically, the scalper resells, at a higher price, a ticket he bought earlier. This type of activity cannot be prevented by personalizing the armbands. The icing on the cake is that the DPA considered that the Organizer processed certain data (e.g. birth date, gender) that were not necessary for preventing misuse at all.
5. The record fine
The DPA imposed a fine of HUF 30 million on the Organizer. As mentioned in the introduction, such a high fine was unprecedented in Hungary, mainly because the highest possible fine before the entry into force of the GDPR was HUF 20 million, which was imposed only once.
In the present case the DPA considered as aggravating factors the significant number of visitors and the fact that the Organizer is the market leader in festival organization. Further, the DPA took into account that it had previously warned the Organizer several times that it did not consider the data processing activity lawful.
As a mitigating factor, the DPA considered that the Organizer has changed its practices at least partly: it does not process the data based on (invalid) consent and does not scan the whole identity card.
As the example of the SZIGET Festival shows, in data processing the ends do not always justify the means. Even if the purpose of your data processing is valid and lawful, choosing an inappropriate measure may undermine the lawfulness of your whole data processing, so it is worth being careful.