It has been more than a year since the European Union’s data protection regulation, the infamous GDPR has come to effect. Inspections from the data protection authority (NAIH) were expected and so were companies to be found ‘guilty’. The first Hungarian GDPR fine has been recently published.
The purpose of GDPR is to protect natural person’s data and provide free flow of data in the European Union. The regulation was published in the Official Journal of the European Union on 27 April 2016, although it did not come into effect until 25 May 2018, leaving a nearly two-year long preparation time. In Hungary, the National Authority for Data Protection and Freedom of Information (NAIH) is the appointed authority who is responsible to examine infringements of GDPR and to impose fine if necessary. In the first four months of its application, GDPR triggered nearly a thousand procedures in front of NAIH. One of these procedures ended with fine of 1 million HUF (a bit more than 3,000 EUR).
In the procedure in question, video recordings were made on the claimant and were not deleted despite their request. Neither was their request on restricting the storage time of data to 5 years fulfilled. Interestingly, the owner of the recordings declined the request to delete and to restrict storage of these data referring to GDPR as well. The claimant was informed of the explanation in a letter.
As a response, the claimant turned to NAIH. The authority has cleared the facts based on information from both parties, and established a breach. The owner of the recordings claimed that the claimant had not justified their request as per GDPR. But NAIH established that in this particular case no circumstances would have justified the denial of the request.
According to the authority, imposing a fine was necessary because the other party did not satisfy the claimant’s requests as provided by GDPR, nor did they inform the claimant about possible remedies against their decision. According to GDPR, the amount of the fine shall not be more than the higher of twenty million euros or 4% of the company’s income from the previous financial year. In this case, the company’s income was 15 million HUF in the preceding year, i.e. the fine was higher than 4% of the turnover. Based on this, it can be established that NAIH considered the above breach as severe.