THE FIRST CUCKOO HAS ARRIVED – HERE IS THE FIRST HUNGARIAN GDPR-FINE
06 March 2019
The Hungarian data protection authority, the NAIH, imposed the first data protection fine based on an infringement of the GDPR in December 2018. It appears that for the „first cuckoo” the NAIH applied the so-called „early bird” discount known from marketing. Indeed, the fine was not particularly high considering that it was imposed for the infringement of data subject rights. Well, let’s see the details of the case.
1. Why did the procedure start?
The Controller operates a camera surveillance system at his premises, where the Data Subject showed up in July 2018 for administration purposes. A few days later, the Data Subject contacted the Controller, stating that he would like to watch the recordings made of him and be provided with a copy of them. Further, he requested the Controller not to erase the recordings for 5 years since he needed them for use in different procedures.
The Controller, as set out in the GDPR, answered the Data Subject within 30 days. He replied that he had not restricted the processing of the camera recordings, meaning that he had erased them, since the reasons invoked by the Data Subject did not support his request. In the Controller’s view the recordings could only prove that the Data Subject showed up at his premises but could not prove in which particular case and what had been discussed.
As usual, the Data Subject was annoyed and filed a complaint with the NAIH. And as usual, once the NAIH started to investigate, it found some problems.
2. Why was the right of access infringed?
First, the NAIH found it problematic that the Controller would not let the Data Subject watch the recording and refused to provide him with a copy.
In this regard, the Controller claimed that the Data Subject had not clearly justified why he would need the recordings, that is, in which procedures he wanted to use them. The Controller based this claim on the Security Services Act, which in fact sets forth that data subjects shall justify their legitimate interest in order to prevent the erasure of the recordings.
Nevertheless, the NAIH emphasized that the GDPR, contrary to the Security Services Act, does not set out additional conditions in relation with the right to access. That means that the Data Subject does not have to justify why he needs the recordings in order to be able to watch them or to request a copy.
Thus, the NAIH established that given that the Controller laid down additional conditions in relation with the exercising of the right to access and refused to comply with the Data Subject’s request because it did not meet those extra conditions, he infringed the Data Subject’s right to access.
3. What was wrong with the erasure of the recordings?
In relation to the Data Subject’s request for restriction of processing, the Controller claimed that the Data Subject had not clearly indicated why the erasure of the recordings would be against his legitimate interest and for what particular legal procedure he would need them. That is why the Controller, instead of restricting the data processing, erased the recordings.
However, the NAIH recalled that for a restriction request to be well-founded it is enough that the data subject submits that he would need the recording for exercising his legal claims. There is no need for further justification, especially in a case where the erasure of the recording could prevent the enforcement of the claim.
The NAIH considered that the Controller could not have refused the execution of the request because he thought that it is not appropriate or necessary for the exercising of the claim. In fact, the Controller cannot assess those factors, since the GDPR does not set out such additional conditions in relation with the right to restriction of processing. To sum up, by erasing the recordings, the Controller has infringed the Data Subject’s right to restriction of processing.
4. What did the Controller also mess up?
As written above, the Controller answered the Data Subject in exemplary fashion, within 30 days.
Unfortunately, the Controller managed to crown the infringement of the Data Subject’s rights in his response. In fact, he failed to inform the Data Subject about his remedies.
Indeed, by not drawing the Data Subject’s attention to the fact that he can lodge a complaint with the NAIH or seek judicial remedy, the Controller again infringed the GDPR.
5. What factors did the NAIH consider in relation with the fine?
The NAIH itself thinks that the first fine imposed because of the infringement of the GDPR is kind of symbolic. It seems to be true, because this amount is not too extreme in comparison with the similar or even higher fines imposed by the NAIH before the entry into force of the GDPR.
When assessing the amount of the fine, the NAIH considered as an aggravating factor that the Controller caused real harm to the Data Subject and that the recordings cannot be restored, thus the Data Subject’s harm cannot be remedied.
The NAIH considered it a mitigating factor that the legal environment could confuse the Controller, particularly that the Security Services Act in force is in contradiction with the GDPR, which could mislead the Controller. Further, the NAIH took into account that the Controller had committed such an infringement for the first time.
And what is the lesson that you can learn from the above? First and foremost, that you shall always thoroughly examine the data subject’s request and only refuse it if you are 100% sure that it is unfounded. In case you still decide to refuse the request, do not forget to inform the data subject about the possibility of the complaint.