Blog » SZIGET FESTIVAL FINED RECORD HUF 30 MILLION FOR GDPR BREACHES – WHAT WENT WRONG?
SZIGET FESTIVAL FINED RECORD HUF 30 MILLION FOR GDPR BREACHES – WHAT WENT WRONG?
26 June 2019
A few days prior to the first anniversary of the entry into force of the GDPR the Hungarian Data Protection Authority imposed the biggest data protection fine in Hungary so far. The target was the biggest Hungarian festival organizer company thanks to whom the public may enjoy the SZIGET, the VOLT or the Balaton Sound Festival. The Data Protection Authority reviewed the check-in system of the festival and the data processing in relation with the check-in. In our short article we summarize the mistakes the Authority identified.
1. The check-in system
The Data Protection Authority (DPA) has examined the activity of the organizer of the festivals („Organizer”) for many years and in the present case the DPA reviewed both the activities before and after the entry into force of the GDPR: Given that the fine was imposed only in relation with the data processing after the entry into force of the GDPR, I only deal with this issue in the article.
The organizer has started to build up the current check-in system which was inspired primarily by the terrorist attacks in Paris in 2015. In the period concerned with the fine the check-in happened as follows: when the visitor of the festival at the entry changes his ticket for an armband, his name, other data and photo is gained from his identity document without scanning or copying, or if it is impossible to gain the photo, the staff makes a photo on the spot.
After that these data is assigned to the RFID chip on the armband with further information about which area on which days may be visited by the owner of the armband. Then, the armband is scanned at every entry and the visitor’s photo, name, gender and birth date appear on the screen which makes it possible for the staff to identify the visitor.
2. Why is this all needed?
The organizer mentioned basically two separate aim or interest, which in his opinion justify the data processing at the check-in.
On the one hand, in the Organizer’s view by the identification of the visitors the protection of the personal security may be achieved and the potential perpetrators may be filtered.
On the other hand, by assigning the armband to a certain person misuses may be prevented such as the possibility of the entry into the festival by more persons with the same armband or that scalpers sell the tickets for a higher price.
The Organizer thought that these legitimate interests override the data protection related rights of the visitors, and he supported his view with a legitimate interest assessment test. Indeed, he based the data processing to his own and the visitors’ legitimate interest.
3. Safeguarding the visitors’ personal security
Though the DPA recognized that the Organizer has a legitimate interest to be able to organize safe festivals, he considered unlawful the data processing carried out by the Organizer for this purpose mainly for two reasons.
In the DPA’s view firstly, the prevention of the crimes such as terrorist attacks are in fact objectives of the public interest and the Organizer does not have the appropriate measures to achieve it. The achievement of that goals are indeed the task of the authorized state organs and authorities. The Organizer should pursue this aim by another means such as by cooperating with the authorities, carrying out physical check or using metal detectors.
Secondly, the DPA thinks that the data processing in relation with the check-in is not capable to prevent crimes. Indeed, the Organizer does not have a reference-database with which he could compare the data collected at the check-in, thus in reality he is not able to filter the possible perpetrators by this method.
4. Filtering the misuses
In this regard, the DPA established that the Organizer has a legitimate economic interest to filter misuses and that interest may override the data protection related rights of the visitors.
Nevertheless, the lawfulness of the data processing is failed in relation with this purpose as well, basically because of the following reason.
The personalization of the tickets (with the armbands) and the connected data processing may only prevent that more persons try to enter to the festival with the same armband.
However, this type of data processing may not prevent the activity of the scalpers. In the reality the scalper does not change the ticket for an armband and then sells the armband. The typical thing is that the scalper sells the ticket previously bought by him and sells it for a higher price. This type of activity cannot be prevented by the personalization of the armbands. It is the icing on the cake that the DPA thought that the Organizer processed certain data (e.g. birth date, gender) which was not necessary for the prevention of misuse at all.
5. The record fine
The DPA imposed a fine of HUF 30 Million towards the Organizer. As mentioned in the introduction, in Hungary such high amount of fine was unprecedented mainly because the highest possible fine before the entry into force of the GDPR was HUF 20Million which was imposed only one time.
In the present case the DPA considered as aggravating factors the significant number of the visitors, and that the Organizer is the leader on the market of festival-organization. Further, the DPA has taken into account that previously he warned the Organizer several times that he does not consider the data processing activity as lawful.
As mitigating factor, the DPA considered that the Organizer has changed his practices at least partly and he does not process the data based on (invalid) consent and does not scan the whole identity card.
As the example of the SZIGET Festival shows during the data processing the ends do not always justify the means. Even if the purpose of your data processing is valid and lawful by choosing the inappropriate measure you may undermine the lawfulness of you whole data processing, thus it is worth to be careful.
CAN YOUR DEBTOR ESCAPE LIQUIDATION BY SETTING OFF CLAIMS IN HUNGARY?
The initiation of a liquidation procedure is an effective debt collection method, since the debtor may only avoid being liquidated by paying the claim if the conditions specified in the Act on Bankruptcy Proceedings and Liquidation (Bankruptcy Act) are met. For this reason, in the case of liquidation, one of the most common defences of the debtor is the reference to offsetting. But can the debtor refer to offsetting without limitation during liquidation? In our short article we answer this question.Read more »
CONSTRUCTION TRUSTEESHIP IN HUNGARY - GETTING PAID IN CONSTRUCTION PROJECTS AS SUBCONTRACTOR
Construction trusteeship, as mandatory collateral management of major private construction projects in Hungary, strives for protecting subcontractors against non-paying general contractor, by allowing direct payments from employer under certain conditions. How does it work in practice and what are the limits of subcontractor protection? We address these issues in this article.Read more »
DO NOT USE THESE WORDS WHEN REGISTERING A TRADEMARK IN HUNGARY
Do you plan to register a word or slogan as a trademark in Hungary? You should be careful, if you plan to refer to your company’s activities, because using general and describing words may cause problems either during the registration procedure, or later when someone else wishes to use your trademark. This time we will focus on the importance of having a unique trademark.Read more »