06 March 2019

The Hungarian data protection authority, the NAIH has imposed the first data protection fine in December 2018 which was based on the infringement of the GDPR. It appears that in relation with the „first cuckoo” the NAIH applied the so called „early bird” discount known as a marketing strategy. Indeed, the fine was not particularly high considering that it should be imposed because of the infringement of data subject rights. Well, let’s see the details of the case.

1. Why did the procedure start?

The Controller operates a camera surveillance system at his premises, where the Data Subject showed up in July 2018 for administration purposes. A few days later, the Data Subject contacted the Controller expressing that he would like to watch the recordings mace of him and be provided with a copy of it. Further he requested the Controller no to erase the recordings for 5 years since he needs them to use in different procedures.

The Controller, as it is set out in the GDPR, answered the Data Subject within 30 days. He replied that he has not restricted the processing of the camera recording, that means he erased them, since the reasons invoked by the Data Subject do not support his request. In the Controller’s view the recordings could only prove that the Data Subject showed up at his premises but could not prove in which particular case and what has been discussed.

As usual, the Data Subject was annoyed and filed a complaint with the NAIH. And as usual, as the NAIH started to investigate, he found some problems.

2. Why was the right of access infringed?

First, the NAIH found it problematic that the Controller would not let the Data Subject to watch the recording and refused to provide him with a copy.

In this regard, the Controller claimed that the Data Subject has not justified clearly why he would need the recordings that means in which procedures he wanted to use them. The Controller claimed that based on the Security Services Act, which in fact sets forth that the data subjects shall justify his legitimate interest in order to prevent the erasure of the recordings.

Nevertheless, the NAIH emphasized that the GDPR, contrary to the Security Services Act, does not set out additional conditions in relation with the right to access. That means that the Data Subject does not have to justify why he needs the recordings in order to be able to watch them or to request a copy.

Thus, the NAIH established that given that the Controller laid down additional conditions in relation with the exercising of the right to access and refused to comply with the Data Subject’s request because it did not meet those extra conditions, he infringed the Data Subject’s right to access.

3. What was wrong with the erasure of the recordings?

In relation with the Data Subject’s request for restriction of processing, the Controller claimed that the Data Subject has not clearly indicated why the erasure of the recordings would be against his legitimate interest and for what particular legal procedure would he need them. That is why the Controller, instead of restricting the data processing, has erased the recordings.

However, the NAIH recalled, that for restriction request to be well-founded it is enough that the data subject submits that he would need the recording for exercising his legal claims. There is no need for further justification especially in a case where the erasure of the recording could prevent the enforcement of the claim.

The NAIH considered that the Controller could not have refused the execution of the request because he thought that it is not appropriate or necessary for the exercising of the claim. In fact, the Controller cannot assess those factors, since the GDPR does not set out such additional conditions in relation with the right to restriction of processing. To sum up, by erasing the recordings, the Controller has infringed the Data Subject’s right to restriction of processing.

4. What did the Controller also mess up?

As written below, the Controller answered in exemplary fashion, within 30 days to the Data Subject.

Unfortunately, the Controller succeeded to crown the infringement of the Data Subject’s rights in his response. In fact, he failed to inform the Data Subject about his remedies.

Indeed, by not drawing the Data Subject’s attention that the he can lodge a complaint with the NAIH or he can seek judicial remedy, the Controller again infringed the GDPR.

5. What factors did the NAIH consider in relation with the fine?

The NAIH itself thinks that the first fine imposed because of the infringement of the GDPR is kind of symbolic. It seems to be true, because this amount is not too extreme in comparison with the similar or even higher fines imposed by the NAIH before the entering into force of the GDPR.

When assessing the amount of the fine, the NAIH considered as an aggravating factor that the Controller caused real harm to the Data Subject and that the recordings cannot be restored, thus the Data Subject’s harm cannot be remedied.

The fact that the legal environment could confuse the Controller, particularly that the Security Services Act in force is in contradiction with the GDPR which could mislead the Controller has been considered by a mitigating factor by the NAIH. Further, the NAIH has taken into account that the Controller has committed such an infringement for the first time.

And what is the lesson that you can learn from the above? First and foremost, that you shall always thoroughly examine the data subject’s request and only refuse it if you are 100% sure that it is unfounded. In case you still decide to refuse the request, do not forget to inform the data subject about the possibility of the complaint.