26 June 2019

A few days prior to the first anniversary of the entry into force of the GDPR, the Hungarian Data Protection Authority imposed the largest data protection fine seen in Hungary so far. The target was the largest Hungarian festival organizer, the company behind the SZIGET, VOLT and Balaton Sound festivals. The Authority reviewed the festivals' check-in system and the data processing connected with it. In this short article we summarize the mistakes the Authority identified.

1. The check-in system

The Data Protection Authority (DPA) has examined the activity of the festival organizer („Organizer”) for many years, and in the present case it reviewed activities both before and after the entry into force of the GDPR. Since the fine was imposed only for the data processing carried out after the GDPR took effect, this article deals only with that period.

The Organizer started building the current check-in system primarily in response to the 2015 terrorist attacks in Paris. In the period covered by the fine, check-in worked as follows: when a visitor exchanges a ticket for an armband at the entrance, staff take the visitor's name, other data and photo from the identity document, without scanning or copying it; if the photo cannot be obtained that way, staff take a photo on the spot.

These data are then assigned to the RFID chip in the armband, together with information about which areas the armband holder may enter on which days. The armband is scanned at every entry, and the visitor's photo, name, gender and date of birth appear on the screen, which allows staff to check that the person presenting the armband is the one it was issued to.

2. Why is this all needed?

The Organizer cited essentially two separate aims or interests which, in its view, justified the data processing at check-in.

On the one hand, in the Organizer's view, identifying visitors protects their personal security and allows potential perpetrators to be filtered out.

On the other hand, binding the armband to a specific person prevents misuse, such as several people entering the festival with the same armband, or scalpers reselling tickets at a higher price.

The Organizer held that these legitimate interests override the visitors' data protection rights, and supported this view with a legitimate interest assessment. It therefore based the data processing on its own and the visitors' legitimate interests.

3. Safeguarding the visitors’ personal security

Although the DPA recognized that the Organizer has a legitimate interest in being able to organize safe festivals, it found the data processing carried out for this purpose unlawful, mainly for two reasons.

First, in the DPA's view, the prevention of crimes such as terrorist attacks is an objective of public interest, and the Organizer does not have the appropriate means to achieve it; that task belongs to the authorized state bodies and authorities. The Organizer should pursue this aim by other means, such as cooperating with the authorities, carrying out physical checks or using metal detectors.

Second, the DPA found that the data processing connected with check-in is not capable of preventing crimes at all. The Organizer has no reference database against which it could compare the data collected at check-in, so in reality it cannot filter out possible perpetrators by this method: verifying that a visitor matches their identity document is not the same as screening that visitor against anything.

4. Filtering the misuses

Here the DPA accepted that the Organizer has a legitimate economic interest in filtering out misuse, and that this interest may override the visitors' data protection rights.

Nevertheless, the data processing fails the lawfulness test for this purpose as well, essentially for the following reason.

Personalizing the tickets (via the armbands) and the connected data processing can only prevent several persons from trying to enter the festival with the same armband.

It cannot, however, prevent scalping. In reality the scalper does not exchange the ticket for an armband and then sell the armband; typically the scalper simply resells a ticket bought earlier at a higher price, and personalizing the armbands does nothing to prevent that. To top it off, the DPA found that the Organizer processed certain data (e.g. date of birth, gender) that were not necessary for preventing misuse at all.

5. The record fine

The DPA imposed a fine of HUF 30 million on the Organizer. As mentioned in the introduction, a fine of this size was unprecedented in Hungary, mainly because the highest possible fine before the GDPR entered into force was HUF 20 million, which had been imposed only once.

In the present case the DPA considered as aggravating factors the significant number of visitors and the Organizer's position as market leader in festival organization. It also took into account that it had previously warned the Organizer several times that it did not consider the data processing lawful.

As a mitigating factor, the DPA considered that the Organizer had at least partly changed its practices: it no longer processes the data on the basis of (invalid) consent and no longer scans the whole identity card.

As the example of the SZIGET Festival shows, in data processing the ends do not always justify the means. Even if the purpose of your data processing is valid and lawful, choosing an inappropriate measure can undermine the lawfulness of the whole processing, so it is worth being careful.