THE FIRST CUCKOO HAS ARRIVED – HERE IS THE FIRST HUNGARIAN GDPR-FINE
06 March 2019
The Hungarian data protection authority, the NAIH, imposed the first data protection fine based on an infringement of the GDPR in December 2018. It appears that for the "first cuckoo" the NAIH applied the so-called "early bird" discount known from marketing. Indeed, the fine was not particularly high considering that it was imposed for the infringement of data subject rights. Well, let’s see the details of the case.
1. Why did the procedure start?
The Controller operates a camera surveillance system at his premises, where the Data Subject showed up in July 2018 for administration purposes. A few days later, the Data Subject contacted the Controller, stating that he would like to watch the recordings made of him and be provided with a copy of them. He further requested the Controller not to erase the recordings for 5 years, since he needed them for use in different procedures.
As required by the GDPR, the Controller answered the Data Subject within 30 days. He replied that he had not restricted the processing of the camera recordings, that is, he had erased them, since the reasons invoked by the Data Subject did not support his request. In the Controller’s view the recordings could only prove that the Data Subject showed up at his premises but could not prove in which particular case and what had been discussed.
As usual, the Data Subject was annoyed and filed a complaint with the NAIH. And as usual, once the NAIH started to investigate, it found some problems.
2. Why was the right of access infringed?
First, the NAIH found it problematic that the Controller would not let the Data Subject watch the recording and refused to provide him with a copy.
In this regard, the Controller claimed that the Data Subject had not clearly justified why he would need the recordings, that is, in which procedures he wanted to use them. The Controller based this claim on the Security Services Act, which in fact sets forth that data subjects shall justify their legitimate interest in order to prevent the erasure of the recordings.
Nevertheless, the NAIH emphasized that the GDPR, contrary to the Security Services Act, does not set out additional conditions in relation with the right to access. That means that the Data Subject does not have to justify why he needs the recordings in order to be able to watch them or to request a copy.
Thus, the NAIH established that given that the Controller laid down additional conditions in relation with the exercising of the right to access and refused to comply with the Data Subject’s request because it did not meet those extra conditions, he infringed the Data Subject’s right to access.
3. What was wrong with the erasure of the recordings?
In relation to the Data Subject’s request for restriction of processing, the Controller claimed that the Data Subject had not clearly indicated why the erasure of the recordings would be against his legitimate interest and for what particular legal procedure he would need them. That is why the Controller, instead of restricting the data processing, erased the recordings.
However, the NAIH recalled that for a restriction request to be well-founded it is enough that the data subject submits that he would need the recording for exercising his legal claims. There is no need for further justification, especially in a case where the erasure of the recording could prevent the enforcement of the claim.
The NAIH considered that the Controller could not have refused the execution of the request because he thought that it is not appropriate or necessary for the exercising of the claim. In fact, the Controller cannot assess those factors, since the GDPR does not set out such additional conditions in relation with the right to restriction of processing. To sum up, by erasing the recordings, the Controller has infringed the Data Subject’s right to restriction of processing.
4. What did the Controller also mess up?
As written above, the Controller answered the Data Subject in exemplary fashion, within 30 days.
Unfortunately, the Controller managed to crown the infringement of the Data Subject’s rights in his response. In fact, he failed to inform the Data Subject about his remedies.
Indeed, by not drawing the Data Subject’s attention to the fact that he can lodge a complaint with the NAIH or seek judicial remedy, the Controller again infringed the GDPR.
5. What factors did the NAIH consider in relation with the fine?
The NAIH itself thinks that the first fine imposed because of the infringement of the GDPR is kind of symbolic. It seems to be true, because this amount is not too extreme in comparison with the similar or even higher fines imposed by the NAIH before the entering into force of the GDPR.
When assessing the amount of the fine, the NAIH considered as an aggravating factor that the Controller caused real harm to the Data Subject and that the recordings cannot be restored, thus the Data Subject’s harm cannot be remedied.
The NAIH considered it a mitigating factor that the legal environment could confuse the Controller, particularly that the Security Services Act in force is in contradiction with the GDPR, which could mislead the Controller. Further, the NAIH took into account that the Controller had committed such an infringement for the first time.
And what is the lesson that you can learn from the above? First and foremost, that you shall always thoroughly examine the data subject’s request and only refuse it if you are 100% sure that it is unfounded. In case you still decide to refuse the request, do not forget to inform the data subject about the possibility of the complaint.