Blog » THE FIRST CUCKOO HAS ARRIVED – HERE IS THE FIRST HUNGARIAN GDPR-FINE
THE FIRST CUCKOO HAS ARRIVED – HERE IS THE FIRST HUNGARIAN GDPR-FINE
06 March 2019
The Hungarian data protection authority, the NAIH has imposed the first data protection fine in December 2018 which was based on the infringement of the GDPR. It appears that in relation with the „first cuckoo” the NAIH applied the so called „early bird” discount known as a marketing strategy. Indeed, the fine was not particularly high considering that it should be imposed because of the infringement of data subject rights. Well, let’s see the details of the case.
1. Why did the procedure start?
The Controller operates a camera surveillance system at his premises, where the Data Subject showed up in July 2018 for administration purposes. A few days later, the Data Subject contacted the Controller expressing that he would like to watch the recordings mace of him and be provided with a copy of it. Further he requested the Controller no to erase the recordings for 5 years since he needs them to use in different procedures.
The Controller, as it is set out in the GDPR, answered the Data Subject within 30 days. He replied that he has not restricted the processing of the camera recording, that means he erased them, since the reasons invoked by the Data Subject do not support his request. In the Controller’s view the recordings could only prove that the Data Subject showed up at his premises but could not prove in which particular case and what has been discussed.
As usual, the Data Subject was annoyed and filed a complaint with the NAIH. And as usual, as the NAIH started to investigate, he found some problems.
2. Why was the right of access infringed?
First, the NAIH found it problematic that the Controller would not let the Data Subject to watch the recording and refused to provide him with a copy.
In this regard, the Controller claimed that the Data Subject has not justified clearly why he would need the recordings that means in which procedures he wanted to use them. The Controller claimed that based on the Security Services Act, which in fact sets forth that the data subjects shall justify his legitimate interest in order to prevent the erasure of the recordings.
Nevertheless, the NAIH emphasized that the GDPR, contrary to the Security Services Act, does not set out additional conditions in relation with the right to access. That means that the Data Subject does not have to justify why he needs the recordings in order to be able to watch them or to request a copy.
Thus, the NAIH established that given that the Controller laid down additional conditions in relation with the exercising of the right to access and refused to comply with the Data Subject’s request because it did not meet those extra conditions, he infringed the Data Subject’s right to access.
3. What was wrong with the erasure of the recordings?
In relation with the Data Subject’s request for restriction of processing, the Controller claimed that the Data Subject has not clearly indicated why the erasure of the recordings would be against his legitimate interest and for what particular legal procedure would he need them. That is why the Controller, instead of restricting the data processing, has erased the recordings.
However, the NAIH recalled, that for restriction request to be well-founded it is enough that the data subject submits that he would need the recording for exercising his legal claims. There is no need for further justification especially in a case where the erasure of the recording could prevent the enforcement of the claim.
The NAIH considered that the Controller could not have refused the execution of the request because he thought that it is not appropriate or necessary for the exercising of the claim. In fact, the Controller cannot assess those factors, since the GDPR does not set out such additional conditions in relation with the right to restriction of processing. To sum up, by erasing the recordings, the Controller has infringed the Data Subject’s right to restriction of processing.
4. What did the Controller also mess up?
As written below, the Controller answered in exemplary fashion, within 30 days to the Data Subject.
Unfortunately, the Controller succeeded to crown the infringement of the Data Subject’s rights in his response. In fact, he failed to inform the Data Subject about his remedies.
Indeed, by not drawing the Data Subject’s attention that the he can lodge a complaint with the NAIH or he can seek judicial remedy, the Controller again infringed the GDPR.
5. What factors did the NAIH consider in relation with the fine?
The NAIH itself thinks that the first fine imposed because of the infringement of the GDPR is kind of symbolic. It seems to be true, because this amount is not too extreme in comparison with the similar or even higher fines imposed by the NAIH before the entering into force of the GDPR.
When assessing the amount of the fine, the NAIH considered as an aggravating factor that the Controller caused real harm to the Data Subject and that the recordings cannot be restored, thus the Data Subject’s harm cannot be remedied.
The fact that the legal environment could confuse the Controller, particularly that the Security Services Act in force is in contradiction with the GDPR which could mislead the Controller has been considered by a mitigating factor by the NAIH. Further, the NAIH has taken into account that the Controller has committed such an infringement for the first time.
And what is the lesson that you can learn from the above? First and foremost, that you shall always thoroughly examine the data subject’s request and only refuse it if you are 100% sure that it is unfounded. In case you still decide to refuse the request, do not forget to inform the data subject about the possibility of the complaint.
ILF CONFERENCE IN MILAN – PRESENTATION - TAKEAWAYS FROM FIRST GDPR PENALTIES
This May we participated in the European Conference of International Law Firms in Milan, where our managing partner Richard Schmidt held a presentation to members of ILF on recent developments of European Data Protection Law. The presentation focused on the lessons learnt from the first GDPR fines imposed by the national data protection authorities of various European jurisdictions in the 1st year of GDPR.Read more »
CAN YOU PAY MORE FOR THE SAME WORK IN HUNGARY? - FRESH DECISION OF THE CURIA
Are you negotiating on salary with a new colleague in Hungary? Even if salary is subject to free negotiation, a higher salary for the same work can cause a tension in wage levels. In our short article we summarize the fresh decision of the Curia which can serve as a compass in relation with the applicability of the equal pay principle.Read more »
CONSTRUCTION TRUSTEESHIP IN HUNGARY – SCOPE AND GENERAL PROVISIONS
Collateral management is a key issue in every construction project. In Hungary a special regime, the so-called construction trusteeship protects the interest of the participants of major private construction projects, and secures that contractors and subcontractors receive their remuneration for the work performed.Read more »