SZIGET FESTIVAL FINED RECORD HUF 30 MILLION FOR GDPR BREACHES – WHAT WENT WRONG?
26 June 2019
A few days before the first anniversary of the GDPR becoming applicable, the Hungarian Data Protection Authority imposed the biggest data protection fine in Hungary so far. The target was the biggest Hungarian festival organizer, the company behind the SZIGET, VOLT and Balaton Sound festivals. The Data Protection Authority reviewed the festivals' check-in system and the data processing connected with check-in. In this short article we summarize the mistakes the Authority identified.
1. The check-in system
The Data Protection Authority (DPA) has examined the activity of the organizer of the festivals ("Organizer") for many years, and in the present case the DPA reviewed its activities both before and after the entry into force of the GDPR. Given that the fine was imposed only in relation to the data processing after the entry into force of the GDPR, I deal only with that period in this article.
The Organizer started building the current check-in system primarily in response to the terrorist attacks in Paris in 2015. In the period covered by the fine, check-in worked as follows: when a visitor exchanges the ticket for an armband at the entrance, the visitor's name, other data and photo are taken from the identity document without scanning or copying it, or, if the photo cannot be obtained this way, the staff take a photo on the spot.
These data are then assigned to the RFID chip on the armband, together with information about which areas the owner of the armband may visit on which days. The armband is then scanned at every entry, and the visitor's photo, name, gender and birth date appear on the screen, which allows the staff to identify the visitor.
2. Why is this all needed?
The Organizer cited two separate aims or interests which, in its opinion, justify the data processing at check-in.
On the one hand, in the Organizer's view, identifying the visitors protects personal security and allows potential perpetrators to be filtered out.
On the other hand, assigning the armband to a specific person prevents misuse, such as several persons entering the festival with the same armband or scalpers selling tickets at a higher price.
The Organizer took the view that these legitimate interests override the data protection rights of the visitors, and it supported this view with a legitimate interest assessment. Indeed, it based the data processing on its own and the visitors' legitimate interests.
3. Safeguarding the visitors’ personal security
Although the DPA recognized that the Organizer has a legitimate interest in being able to organize safe festivals, it considered the data processing carried out by the Organizer for this purpose unlawful, mainly for two reasons.
Firstly, in the DPA's view, the prevention of crimes such as terrorist attacks is in fact a public-interest objective, and the Organizer does not have the appropriate means to achieve it. Achieving such goals is the task of the authorized state organs and authorities. The Organizer should pursue this aim by other means, such as cooperating with the authorities, carrying out physical checks or using metal detectors.
Secondly, the DPA takes the view that the data processing connected with check-in is not capable of preventing crimes. The Organizer does not have a reference database against which it could compare the data collected at check-in, so in reality it is not able to filter out possible perpetrators by this method.
4. Filtering the misuses
In this regard, the DPA established that the Organizer has a legitimate economic interest in filtering out misuse and that this interest may override the data protection rights of the visitors.
Nevertheless, the data processing fails the lawfulness test for this purpose as well, essentially for the following reason.
The personalization of the tickets (with the armbands) and the related data processing can only prevent several persons from trying to enter the festival with the same armband.
However, this type of data processing cannot prevent the activity of scalpers. In reality, a scalper does not exchange the ticket for an armband and then sell the armband. Typically, the scalper resells a ticket he bought earlier at a higher price. This type of activity cannot be prevented by personalizing the armbands. To top it off, the DPA took the view that the Organizer processed certain data (e.g. birth date, gender) which was not necessary for the prevention of misuse at all.
5. The record fine
The DPA imposed a fine of HUF 30 million on the Organizer. As mentioned in the introduction, a fine this high was unprecedented in Hungary, mainly because the highest possible fine before the entry into force of the GDPR was HUF 20 million, which was imposed only once.
In the present case the DPA considered as aggravating factors the significant number of visitors and the fact that the Organizer is the market leader in festival organization. Further, the DPA took into account that it had previously warned the Organizer several times that it did not consider the data processing activity lawful.
As a mitigating factor, the DPA considered that the Organizer has changed its practices at least partly: it does not process the data based on (invalid) consent and does not scan the whole identity card.
As the example of the SZIGET Festival shows, in data processing the ends do not always justify the means. Even if the purpose of your data processing is valid and lawful, choosing an inappropriate measure may undermine the lawfulness of your whole data processing, so it is worth being careful.