The Hungarian National Authority for Data Protection and Freedom of Information (NAIH) imposed a fine of one million five hundred thousand forints on the Hungarian Basketball Federation (MKOSZ) for illegal processing of personal data in connection with the public database maintained by the Federation.
NAIH examined the data processing practices of MKOSZ following a complaint lodged in connection with the register used by the Federation. The publicly available database maintained by MKOSZ contained personal data such as the name, birth information, height, residential address and portrait of 65 thousand players, including 30 thousand minors.
MKOSZ argued that the personal data of data subjects was processed on the basis of the consent of the players (or their parents), and that the purpose of the data processing was to make player licences available and verifiable and to fulfil legal obligations related to organising tournaments.
NAIH pointed out that the consents (if there were any) could not be considered voluntary, since giving consent was the condition of being granted a player's licence; players therefore had no choice in the matter. NAIH also pointed out that disclosing personal data in an internet database available to and searchable by anyone was not necessary to achieve the aims of the data processing.
NAIH also drew attention to the Federation's unlawful practice of not setting a period for data processing, so that the database of MKOSZ eventually contained personal data of data subjects who were no longer members of the Federation.
The fine is relatively low because NAIH based its decision on the legislation in force before the GDPR entered into force. Fines would undoubtedly have been higher had the GDPR rules been applied.
The case made it clear once again that checking and regularly reviewing the lawfulness of data processing, in respect of the legal basis, proper information or any other means, is an important obligation.