What criteria has the authority applied when imposing fines since the GDPR came into effect? The president of the National Authority for Data Protection and Freedom of Information (the "NAIH") gave some insights at a conference in September.

The NAIH began applying the GDPR last year and has since issued a number of resolutions in various matters related to the new law. In these resolutions the authority imposed fines on the audited organizations for non-compliance with the provisions of the GDPR. The fines were not especially high, even by the standards of the Hungarian economy. In one case, however, a fine of HUF 11 million (approx. EUR 32,000) was imposed for the concealment of a personal data breach.

From the NAIH resolutions so far it is becoming clear that the adequacy of an organization's data protection measures and of its handling of data breaches is a primary factor when the NAIH audits compliance. The resolutions are available on the NAIH's website and are worth reading, as many conclusions can be drawn from them about whether a company is compliant or not. One conclusion we have drawn is that during an audit the NAIH will primarily check whether the company follows the general principles of data protection. Further, each data controller must handle with due care and effort any data protection request submitted to it by a data subject regarding the processing of that person's data. It is also advisable to be cautious with each act of recording or transferring data; thorough planning in advance is recommended to avoid breaching data protection provisions.

Attila Péterfalvi, the president of the NAIH, has issued a statement on the most important lessons learned since the GDPR came into effect. In his statement he emphasized that "during the first year of the applicability of the GDPR, the NAIH received more than 385 reports of personal data breaches, the majority of which were caused by human error, for instance an email sent to a wider circle of recipients than intended, or, in another case, the loss of data carriers containing personal data; complaints were also submitted regarding the handling of email accounts and the handling of medical documents." It therefore cannot be emphasized enough that "if an incident occurs, the data controller must report it to the NAIH within 72 hours, and the report must include what measures have been taken to remedy the consequences of the incident. If the risk posed by the incident is high, for instance because sensitive data was lost, the data subjects must be notified, or, if too many data subjects are affected, the public must be notified, and at the same time the incident must be remedied," warned Attila Péterfalvi.

Based on all of the above, we are of the view that every organization, whether a company, a sole trader or another entity, should conduct a self-audit to determine whether the problems described above could also be found in its own procedures in the event of a NAIH audit, and what changes to its practices, privacy notices and internal rules of procedure should be implemented in order to comply.