Recently, the Hungarian Data Protection Office (NAIH) imposed fines in two major cases. Both could have been avoided with care and compliance with data protection rules.
In the first case, a credit institution not named in the decision, for the purpose of evaluating "maternity loan" applications, made and stored copies (electronically and on paper) of the maternity books, adoption decisions, and abortion or stillbirth documents it requested from each applicant. The credit institution terminated the infringement immediately at the start of the official proceedings; nevertheless, NAIH imposed a significant data protection fine on the bank. According to the reasoning of the decision, which emphasised the data principle over the document principle, the data in the documents were sensitive data that the bank in the end did not actually use, and their collection was not justified. By such data processing, the credit institution violated the GDPR in several respects. It violated the principle of data minimisation because it stored and processed data that was not necessary to achieve the purpose. It further breached the requirement that data processing rest on an adequate legal basis, and it also failed to provide information to the data subjects. Many of the provisions of the GDPR are easy to breach if we do not think through which data are absolutely necessary when establishing a customer relationship. We comply with the GDPR if we store and process no data beyond what is absolutely necessary, and hide or otherwise render unrecognisable any other data.
In the other case, UPC Hungary violated data protection rules through a practice it carried out before its merger, which NAIH also sanctioned with a significant fine. UPC's practice was to display a brief and incomplete notice on the take-a-number machine stating that a voice recording would be made during in-person customer service and stored for 5 years, and that if the customer objected, the recording would be stopped immediately and deleted on request. The voice recording was made with a microphone visible to the customer in front of the customer service agent, which indicated with a red light that a recording was in progress.
NAIH found that UPC had violated multiple provisions of the GDPR by failing to establish an adequate legal basis for the data processing and to provide information about it, and by violating the principles of purpose limitation and data minimisation.
Both fines, and the regulatory procedures behind them, could have been avoided if the enterprises had complied with the GDPR principles, informed their customers about the data processing in an appropriate manner and with appropriate content, and processed only the data strictly necessary for the performance of their activities.