January 2024

1. Governing Texts

In Hungary, the current main national law on personal data protection is Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (as amended by Act XXXVIII of 2018 (only available in Hungarian here) to implement the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')) (only available in Hungarian here) ('the Act'). The Act sets out the general framework for data protection and is supervised by the National Authority for Data Protection and Freedom of Information ('NAIH').

1.1. Key acts, regulations, directives, bills

The Act applies to all kinds of data processing operations, except to the processing of personal data by a natural person in the course of a purely personal or household activity. This is an addition to the GDPR and covers manual data processing operations as well.

The Act is applicable if:

• the data controller's main establishment or only place of business in the EU is in Hungary; or
• the data processing operations of a data controller or its data processor are related to:
  • the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in Hungary; or
  • the monitoring of the data subjects' behavior as far as their behavior takes place within Hungary.

At the request of the NAIH, a local Government notary may be involved in the verification of the actual circumstances of the data processing activities of a data controller. In particular, the scope of the personal data processed, the means of the operations, and the technical and organizational measures.

The NAIH's administrative deadline for closing the data protection authority procedure is 150 days, excluding the length of time between the receipt of the notice requesting information for ascertaining the relevant facts of the case, until such information is provided. If the NAIH exceeds this deadline by more than two times, it can no longer impose a fine, however, other sanctions can still be imposed, for e.g., a request to cease the unlawful data processing.

Other significant provisions in the Act include:

• establishment of specific and permanent confidentiality obligations for data protection officers ('DPOs'). Organizations should revise the confidentiality clauses of the contracts with their DPOs to ensure harmonization with the Act;
• the NAIH will convene and set the agenda of the 'conference of DPOs' each year. This conference would serve as a regular interaction point between DPOs and the NAIH;
• in accordance with the GDPR, organizations are not required to register their data processing operations with the NAIH anymore and must record their own data processing operations in line with Article 30 of the GDPR;
• as of January 1, 2022, the NAIH is entitled to order the erasure of certain unlawfully processed personal data ex officio, without the request of the data subject; and
• NAIH may, in the course of an administrative procedure or an administrative investigation, order the temporary removal of unlawfully processed electronic data by the hosting provider in the case of children or special or criminal personal data. It is also subject to the condition that there is an imminent and serious risk of an irreparable breach of the right to the protection of personal data.

Harmonization of sectoral laws with the GDPR

A number of sector-specific laws have been amended to guarantee harmonization with the GDPR, including:

• Act I of 2012 on the Labor Code (only available in Hungarian here) ('the Labor Code');
• Act XCIII of 1993 on Labor Safety (only available in Hungarian here) ('the Labor Safety Act’);
• Act XLVII of 1997 on the management and protection of health and related personal data (only available in Hungarian here) ('the Medical Data Act');
• Act XXI of 2008 on the protection of human genetic data, human genetic tests and research, and the rules for the operation of biobanks(only available in Hungarian here) ('the Human Genetic Information Act');
• Act LXVI of 1992 on personal data and address records of citizens (only available in Hungarian here);
• Act CXXXIII of 2005 on security services and the activities of private investigators (only available in Hungarian here) ('the Security Services Act');
• Act CXIX of 1995 on the use of name and address information serving the purposes of research and direct marketing (only available in Hungarian here) ('the Direct Marketing Act'); and
• Act XXV of 2023 on complaints and public interest disclosures, and on the rules of whistleblowing notifications (only available in Hungarian here) ('the Whistleblowing Act').

The main amendments to the abovementioned laws are outlined below:

The Labor Code:

• the employer must inform the employee in writing about the restriction of their personality rights. This includes the circumstances justifying the necessity and proportionality of the restriction. This is not the same as the balancing test that the employer has to carry out in the case of data processing on the basis of legitimate interest. Information should be made in a written form and published in a customary and generally known method at the workplace, such as by email or on the company intranet;
• the employer, the works committees, and trade unions may process the personal data of employees for the purpose of labor relations and the employer also for the purpose of establishing, fulfilling, terminating, or enforcing the employment relationship. The employee may be required to present a document for this purpose, but the above data controllers do not have the option of making copies. Employees should also be informed in writing about these data processing operations, including by communication methods customary and generally known at the workplace (i.e., communication by email or publication on the company intranet);
• biometric identification of employees is possible to prevent risks to human life, physical integrity, health, or to protect significant interests and materials protected by law or regarded as hazardous or dangerous (e.g., classified data, explosives, hazardous substances, and nuclear materials);
• the employer may process criminal personal data to determine whether the candidate or the employee is subject to the exclusion or restriction criterion specified by the law or the employer. An employer may determine such a criterion if the employment of the person concerned in a particular job would threaten the employer's substantial financial interests, trade secrets, or a significant interest protected by law. The employer must specify both the restrictive or exclusionary criteria and the conditions for the processing of criminal data, either by email or via the intranet, if this is in line with the customary and generally known method at the workplace; And
• employees may not use the IT tools provided by the employer (i.e., computer, telephone, or even an employer's Wi-Fi network) for private purposes unless the employer explicitly authorizes private use. Regardless of this fact, whether the IT or computing tool used for work is the employer's or the employee's property, its control can only cover the data related to the employment relationship. The employer must also inform an employee in writing of the terms of any inspection, either by email or by publication on the intranet, if this is in accordance with the customary and generally known method at the workplace.

The Labor Safety Act:

• in the case of teleworking, the employer exercises the right of supervision primarily by electronic means. However, the employer or its representative must routinely inspect work conditions at the place of teleworking and ensure that they are compliant with the requirements, and that the employees have knowledge of and observe the provisions pertaining to them. Consequently, this may also mean that the employer carries out the supervision at the employee's home. At the same time, the workers' representative for occupational safety may enter the property where teleworking is performed with the employee's consent. The supervision cannot, however, impose a disproportionate burden on the employee or on any other person using the place of teleworking, nor infringe the privacy or dignity of the employee. The rules for the supervision, including data protection requirements, should be laid down in advance. In addition, in the context of regular teleworking, further data protection issues arise in relation to the use of information technology and IT tools provided for work and of the permission of their use for private purposes, as the employer may be exposed to greater risks, for example in relation to security or data protection incidents. Therefore, it may be appropriate to provide specific rules on confidentiality and security in the context of teleworking as well.

Security Services Act:

• in the case of the use of an electronic surveillance system, the legal basis for data processing is the legitimate interest of the company or a third party for all affected persons contrary to the previous rules which required relying on legitimate interest for processing employee data and on implied consent (by entry to the territory affected by surveillance) for processing data of other persons (for e.g., clients, visitors);
• electronic monitoring systems may be used only in private areas;
• in accordance with the amendment, controllers would be entitled to determine the purpose for which they install an electronic monitoring system (for e.g., protection of classified information, storage of biological and chemical substances, etc.), and the period necessary to keep recordings (for e.g., with a view to civil law claim enforcement, defense in official proceedings, filing a criminal report, or other specific deadlines) contrary to the previous rules, which maximized storage periods generally in three working days (with minor exceptions) and applied pre-defined purposes of monitoring (for e.g., protection of assets, storage of hazardous materials, etc.); and
• requests for and access to recordings will be governed by the GDPR (especially subject access rights) and the legal provisions governing the official requests for information from each authority. The reason and time of recording and the person accessing it must be recorded in the relevant minutes.

The Direct Marketing Act:

Based on the amendment to the Direct Marketing Act, the name and address can be requested, collected, or transferred in the future for direct marketing purposes:

• from the State's name and address register;
• from the customer or the person who was in contact with the data collector;
• from a published database, name and address book, phonebook, directory, statistical list; and
• from another similar person or body.

The Whistleblowing Act:

• With the adoption of the Whistleblowing Act, the legislator transposed the provisions of the Directive on the Protection of Persons who Report Breaches of Union Law (Directive (EU) 2019/1937) ('the Whistleblowing Directive') into Hungarian law and created minimum standards to ensure effective protection of persons who report abuse of certain EU laws. The Whistleblowing Act is applicable from July 25, 2023, replacing Act CLXV of 2013 on Complaints and Public Interest Disclosure. The Whistleblowing Act covers employment relationships under the Labor Code, as well as employment relationships as an agent, contractor, civil servant, judicial employee, sole proprietor, and one or more person law firms. Any information concerning an unlawful or suspected unlawful act, omission, or any other abuse may be reported.

Medical Data Act:

• the rules of the GDPR will apply to the processing of personal data relating to the circumstances of a deceased person's death and the cause of death, as well as to the deceased person's health records;
• as of January 1, 2022, the processing of health and identity data may also be used to track individual patient journeys;
• permitted goals of the processing of health and personal identification data (i.e., the promotion of health preservation, improvement, maintenance, and enforcement of patient rights, etc.) are further defined in the Medical Data Act; and
• the amendment also eliminates the obligation to appoint a DPO. The GDPR, however, requires that the controller or the processor appoints a DPO when the processing of health data (on a large scale) is the main activity. Based on the practice of the NAIH, data processing by a particular specialist or healthcare professional does not fall within this scope, so only hospitals and major healthcare providers are obliged to appoint a DPO.

Human Genetic Information Act:

Genetic samples or data may only be transferred to a third country and may be imported from a third country where the GDPR and the data transfer conditions of the Human Genetic Information Act are met. Specifically, a third country must recognize:

• adequacy decision taken by the European Commission;
• the existence of appropriate guarantees under the GDPR;
• the transmission only of genetic samples encoded for human genetic testing; and
• notification on the transfer of genetic samples and data to a third country (in a manner incapable of personal identification) to the competent health administration.

1.2. Guidelines

Before the GDPR, the NAIH issued a guideline concerning preparation for the GDPR. The one-page guideline contains the general description of the 12 most important tasks for GDPR compliance (only available in Hungarian here). The tasks related to the following: data protection awareness, data mapping, privacy information obligations, individuals' data protection rights, access rights, the legal basis of data processing operations, revision of privacy consents, protection of children's rights, data breach management, Privacy by Design and Default, Data Protection Impact Assessments ('DPIAs'), DPOs, and competence of the data protection authorities.

The NAIH has issued a statement on the application and legal assessment of social media modules used on websites, how to obtain consent legally, and the obligations of website operators (only available in Hungarian here). The statement confirmed that the website operator is the data controller for all personal data collected and transmitted over its website. However, the website operator's control is limited to the operations for which it defines the underlying purposes and means. The website operator is not considered a data controller after the transfer of personal data when the social media provider has conducted further data processing. According to the NAIH, the use of the social media module requires user consent. Users must be able to decide individually whether or not to consent to the operation of a given type of cookie (the users must be able to decide whether they agree to the data processing in question, such as the operation of a particular cookie).

The NAIH has issued guidance on how employers can lawfully determine whether an employee is protected against COVID-19 (only available in Hungarian here). For certain occupations or employees, it may be necessary and proportionate for employers to know whether the employee is protected against COVID-19 in line with labor law, occupational health and safety, and the work organization. The employer can only ask employees to present their COVID-19 Protection Certificate and the application for a COVID-19 vaccination. The company cannot make copies of them, store them in any form and manner, or transfer them on to third parties. The employer can only record that the employee is certified as being protected against COVID-19 and can record how long this protection will last. Employers must prepare an objective risk assessment on a job-by-job or employee-by-employee basis with the guiding principles of safeguarding the life and health of protected workers, other workers, and third parties (i.e., customers), and being in full compliance with their obligations.

In a recent statement on data protection requirements for drones intended for use by local authorities, the NAIH has declared that using drones to notice and explore certain illegal activities, such as illegal landfills, illegal building activities, etc. raises significant data protection concerns. Even the normal use of drones is a very strong interference with privacy, as the device can indiscriminately collect data about anything and anyone that comes into its field of vision, which would be an unusually wide scope. In determining the possible legal bases for the processing, it should also be borne in mind that the use of a drone for the purpose of detecting illegal activity cannot be based on the consent of the data subject, who is not in a real and free position to decide whether they wish to be recorded by the drone. Drones are usually fast and unnoticeable, merely their presence can cause a chilling effect among citizens, and the risk of processing for purposes other than the original purpose is particularly high. It should also be noted that flying a drone without permission over residential areas carries a penalty under Section 422/A of Act C of 2012 on the Hungarian Criminal Code (only available in Hungarian here).

The NAIH has opened an ex officio investigation into the lawfulness of the data processing activities related to purchasing fuel at the cost-capped price (according to the mandatory law on fuel price restrictions) due to a large number of the data subjects' complaints and has issued a statement on the processing of personal in connection with scanning the barcode on the registration permit of petrol stations. The underlying question arises because operators of petrol stations may, under the mandatory local law on fuel price restrictions, check and record either the barcode of a vehicle's registration permit or the vehicle's registration number, when purchasing fuel at a capped price. Where the operator of the petrol station opts for recording such data, it will transmit the recorded information to the Hungarian tax authority for the purposes of tax audit. The NAIH emphasized that the operators should provide comprehensive information to the customers pursuant to Articles 13(1) and (2) of the GDPR at the place of processing in connection with the above.

According to the NAIH's statement (only available to download in Hungarian here) on the change of the data controller in the event of a merger, the successor company will be entitled by law to process the data and will be deemed to have obtained the personal data processed directly from the data subjects. It will therefore be subject to the rights and obligations under the GDPR. As regards the obligation to inform, the NAIH underlined that if the predecessor is deemed to have informed the data subjects about the data collection, it is sufficient for the successor to provide only new information related to the processing.

The NAIH has published a notice on private accommodation providers, as it was not clear whether they qualify as data controllers (only available to download in Hungarian here). The NAIH stated that in case of activities that serve business purposes, it is irrelevant whether the controller of the personal data is a natural or legal person, since it falls within the scope of the GDPR, and the controller is bound by its provisions. The accommodation provider is obliged by law to record the data of its guests in order to protect the rights of the data subjects and others, and the lawfulness of the processing is therefore based on this. The accommodation provider must inform the data subjects at the moment of data collection in accordance with Articles 13(1) and (2) of the GDPR. The NAIH also underlined that the privacy notice and the privacy policy are not the same. The GDPR does not explicitly impose an obligation for controllers to establish a data protection policy, however, Article 24(2) requires controllers to apply internal data protection rules as part of the technical and organizational measures implemented to ensure the protection of personal data, where this is proportionate to the processing activity. On the contrary, all accommodation establishments must have a privacy notice that must cover every detail of the data processing (for e.g., camera system, newsletters, and discount schemes). In case the accommodation provider does not have a website, and therefore the information cannot be provided to the data subject at the moment of booking, the privacy notice must be physically available at the accommodation. If the accommodation provider has a website, it will also be necessary to have a privacy notice about processing data while using the website (including cookies), and it should be clearly available on the website. The NAIH pointed out that data processing in relation to accommodation services does not typically pose a high risk to the rights and freedoms of data subjects, therefore accommodation providers are not typically required to carry out a DPIA or appoint a DPO.

1.3. Case law

See the section on enforcement decisions below for relevant decisions of the NAIH.

2. Scope of Application

2.1. Personal scope

No national law variations, except on deceased individuals (see above). In addition, the data of private entrepreneurs is considered as personal data.

2.2. Territorial scope

No national law variations.

2.3. Material scope

For processing activities, where the GDPR is not applicable (including processing of manual, unstructured documents), the specific rules of the Act apply, which mostly reflect the provisions of the GDPR with a number of deviations (for e.g., requests of data subjects must generally be answered within 25 days). Such rules also fully govern data processing for law enforcement, national security, and national defense purposes, bearing in mind that the implementing national law of the Data Protection Directive with respect to Law Enforcement (Directive (EU) 2016/680)  is the Act in Hungary.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The main regulator is the NAIH.

3.2. Main powers, duties and responsibilities

The NAIH may initiate a number of procedures, including:

• an inspection in case of a report lodged by anyone with a reference to the breach of data protection rights, as well as in case of any breach of the right to be informed about public data and data rendered public, or in case of the imminent threat of such breaches;
• an inspection procedure initiated at the request or at the discretion of NAIH;
• a secrecy supervisory procedure concerning the classification of national classified data;
• a court procedure (especially in case of the breach of the right to be informed about public data and data rendered public);
• approval of Binding Corporate Rules ('BCRs');
• cooperation with third-country authorities and international organizations;
• certification (the practice of which is still unclear due to the novelty of this duty); and
• initiation of a criminal offense or disciplinary procedure.

4. Key Definitions

Data controller: No national law variations.

Data processor: No national law variations.

Personal data: No national law variations.

Sensitive data: No national law variations.

Health data: No national law variations.

Biometric data: No national law variations.

Pseudonymization: No national law variations.

5. Legal Bases

5.1. Consent

No national law variations.

5.2. Contract with the data subject

No national law variations.

5.3. Legal obligations

Articles 6(1)(c) and (e) of the GDPR enable data processing if:

• it is necessary for compliance with a legal obligation to which the controller is subject; or
• for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The Act defines these kinds of data processing operations as 'mandatory data processing operations' and provides that organizations can rely only on laws and municipality decrees in these cases.

Such laws and municipality decrees shall mean the following:

• the identity of the data controller;
• the purpose, terms, and conditions of the data processing;
• the type of data;
• the access rights to the data; and
• when it is necessary to revise the data processing purpose.

If an organization is processing personal data on the basis of legal instruments that are not laws or municipality decrees (e.g., Governmental decrees, or decrees from a ministry or an authority such as the Hungarian Central Bank or the National Media and Infocommunications Authority), it may choose another legal basis, e.g., legitimate interest. However, this restrictive provision may be in conflict with Recital 41 of the GDPR, which provides that, 'where [the GDPR] refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned.'

In the case of 'mandatory data processing operations,' data controllers must periodically assess whether particular data processing is necessary for achieving its purpose. The Act also addresses the case when the relevant law/municipality decree does not define the time for this. In such a case, the data controller shall revise the purpose itself at least every three years, calculated from the commencement of the processing. The data controller shall:

• document the circumstances and results of such revision; and
• keep such documentation for 10 years and present it to the NAIH at its request.

Data controllers must revise pre-GDPR data processing operations by May 25, 2021, at the latest.

The NAIH confirmed that even though the rules of the Act on mandatory data processing operations provide that processing must be based on laws or municipality decrees, this obligation only burdens the legislator and not the data controllers in general (only available in Hungarian here). This also means that data controllers may base their processing operations necessary for complying with legal obligations on Article 6(1)(c) of the GDPR, even when such legal obligation is prescribed by another legal instrument besides laws or municipality decrees (e.g., by a Government decree or a ministerial decree).

5.4. Interests of the data subject

No national law variations.

5.5. Public interest

No national law variations.

5.6. Legitimate interests of the data controller

No national law variations.

5.7. Legal bases in other instances

No national law variations.

6. Principles

No national law variations.

7. Controller and Processor Obligations

7.1. Data processing notification

There are no national requirements with respect to notification/registration. The NAIH may inspect whether a company registered its data processing activities before May 25, 2018 (when it was still mandatory) but will not sanction the omission of such reporting.

7.2. Data transfers

Any data controlled by certain entities (expressly listed in the relevant law) can only be processed in an IT system in the territory of Hungary. The National Cyber Security Center ('the Center') may approve that a listed entity transfer the operation of an IT system to another EU Member State. However, even the Center may not consent to any processing outside the EU.

Entities who have been designated as 'operators of critical infrastructure' can only process data in IT systems that are operated within the EU. There is no possibility to ask for any further exemption from an authority for the restriction of operating IT systems in the EU.

7.3. Data processing records

In practice, NAIH can request documents for an undefined period of time.

7.4. Data protection impact assessment

The NAIH also published on its webpage the open-source software developed by the French data protection authority ('CNIL'), which assists data controllers in the preparation of DPIAs.

The NAIH also published an exemplary list ('the Hungary Blacklist') concerning processing activities subject to conducting a DPIA and possible prior consultation with the NAIH.

The Hungary Blacklist provides the following types of processing operations requiring a DPIA:

• where the processing of biometric data for the purpose of uniquely identifying a natural person refers to systematic monitoring;
• where the processing of biometric data for the purpose of uniquely identifying a natural person concerns vulnerable data subjects, in particular, concerning children, employees, and mentally ill people;
• where the processing of genetic data is carried out in connection with sensitive data or data of a highly personal nature;
• where the purpose of the processing of genetic data is to evaluate or score a natural person;
• scoring: the purpose of data processing is to assess certain characteristics of the data subject, and its result has an effect on the quality or the provision of the service provided and to be provided to the data subject;
• credit rating: the purpose of data processing is to assess the creditability of the data subject by way of evaluating personal data on a large scale or systematically;
• solvency rating: the purpose of data processing is to assess the solvency of the data subject by way of evaluating personal data on a large scale or systematically;
• further use of data collected from third persons: the purpose of data processing is the use of personal data collected from third persons in the decision to refuse or cancel service to the data subject;
• the use of the personal data of pupils and students for assessment. The purpose of data processing, regardless of whether tuition is at primary, secondary, or advanced level, is to record and examine the preparedness, achievement, aptitude, and mental state of pupils and students, and the data processing is not statutory;
• profiling: the purpose of data processing is profiling by way of evaluating personal data on a large scale and systematically, especially when it is based on the characteristics of workplace performance, financial status, health condition, personal preferences or interests, trustworthiness or conduct, residence or movement of the data subject;
• anti-fraud activity: the purpose of data processing is to use credit reference, anti-money-laundering or anti-terrorism financing, and anti-fraud databases for screening clients;
• smart meters: the purpose of data processing is the application of 'smart meters' set up by public utility providers;
• automated decision-making producing legal effects or similarly significant effects. The purpose of data processing is to make decisions with legal effects or other significant effects on natural persons, which decisions might result in the exclusion of or discrimination against individuals in certain cases;
• systematic surveillance. Systematic and large-scale surveillance of data subjects in public areas or spaces by camera systems, drones, or any other new technology;
• location data: where the processing of location data refers to systematic monitoring or profiling;
• monitoring employee work. Where the purpose of data processing is the systematic and extensive processing and assessment of employee's personal data in the course of the monitoring of employee work, including, e.g., placing GPS trackers in vehicles, and camera surveillance against theft or fraud;
• processing of considerable amounts of special categories of personal data. Under Recital 91 of the GDPR, processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional, or lawyer;
• the processing of considerable amounts of personal data for law enforcement purposes;
• processing of large amounts of data related to vulnerable data subjects for purposes different from the original purpose, in the case of, e.g., the elderly, children, and mentally ill persons;
• the processing of the personal data of children for profiling, automated decision making, marketing purposes, or providing them information society-related services directly;
• the use of new technologies for data processing. This includes the processing of large amounts of data obtained via sensor-equipped devices (e.g., smart televisions, smart household appliances, smart toys, etc.) and transferred through the Internet or other channels, and such devices providing data on the characteristics of the financial status, health condition, personal interests, trustworthiness or conduct, residence or movement of the natural person, and such data form the basis of profiling;
• the processing of health data. In respect of large amounts of special data processed by hospitals, healthcare providers, and private medical services or non-medical practitioners with a large clientele. This also includes the processing of health data collected from members of major sports establishments or workout rooms;
• when the data controller is planning to set up an application, tool, or platform for use by an entire sector to process also special categories of personal data; and
• the purpose of data processing is to combine data from various sources for matching and comparison purposes.

The NAIH did not publish any exemplary or exhaustive lists concerning processing activities not subject to conducting a DPIA and possible prior consultation with NAIH so far.

7.5. Data protection officer appointment

Data controllers and data processors must publish the contact details of their DPOs and communicate them to NAIH through the DPO Reporting System (only available in Hungarian here), and by registering on the DPO online registry (only available in Hungarian here). The NAIH must make the DPO information that it has received publicly available (Article 70(B)(1)(c) of the Act). DPOs registered with the NAIH can be found through a search tool (only available in Hungarian here). The NAIH will convene and set the agenda of the conference of DPO each year. This conference serves as a regular interaction point between DPOs and the NAIH.

Organizations that appoint a DPO are under an obligation to notify their name, postal, and email address to the NAIH, as well as a change of such data (Article 25(L)(4) of the Act). The privacy statement on the NAIH's website (only available in Hungarian here) ('the Privacy Statement') further specifies that the NAIH may also process phone numbers of DPOs. In line with the Privacy Statement, when a DPO is notified, the NAIH will assess the notification and reach out to the email address provided in the notification, if the notified DPO does not confirm the notification within 15 days, the NAIH will consider the notification as non-compliant and will not disclose information about the notified individual.

The retention period of data of a notified DPO in the reporting system will be processed for as long as necessary, i.e., until the NAIH receives information that a person no longer performs their role as a DPO (the Privacy Statement and Article 70(B)(3)(c) of the Act). The conference of DPOs ('the Conference'), which is convened by the NAIH at least once a year, serves as a channel of communication between the NAIH and the DPOs in Hungary, in order to ensure uniform application of data protection rules. Furthermore, the NAIH is tasked with determining the agenda of the Conference (Article 25(N)(1) and (2) of the Act).

7.6. Data breach notification

No variation or exemption was introduced concerning breach notification obligation.

Data controllers must notify personal data breaches to the NAIH through the Personal Data Breach Reporting System (only available in Hungarian here). The reporting form is also available on the NAIH's website, if a company wants to report the breach on paper.

7.7. Data retention

As regards specific archiving rules, it is advisable to retain data until the relevant period of limitation has expired. A number of circumstances can make it difficult to establish the date on which this period expires, and there are also a couple of rules under the laws that regulate various specific retention obligations in connection with specific documents (e.g., the general period of limitation for civil law claims, employment-related documents, safe-keeping of accounting documents and tax returns, employer's certificates concerning social security and workplace accident allowance, declarations on social security entitlement, etc.) Any concerns regarding the retention obligation pertaining to a particular document are assessed on a case-by-case basis. Usually, employment-related data (e.g., internal correspondence) can be kept for three years, data with civil law nature (e.g., contract data, information on commitments) can be kept for five years, and if the document is relevant for accounting purposes (e.g., certificate of performance or payment), the retention period is eight years.

7.8. Children's data

The Act does not provide for deviations from the GDPR in relation to the offer of information society services directly to a child and the processing of the personal data of a child, which shall only be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child.

7.9. Special categories of personal data

The Act provides that data controllers can process personal data relating to criminal convictions and offenses in accordance with the rules on the processing of special categories of personal data. The practical implication of the above is that companies can process such data mainly:

• based on the explicit consent of the individual;
• for carrying out the obligations and exercising specific rights in the field of employment and social security and social protection law; or
• for the establishment, exercise, or defense of legal claims.

The NAIH clarified in respect of the processing of moral certificates that in case of processing criminal data, the data controller also has to refer to a condition under Article 9(2) of the GDPR concerning the processing of special categories of personal data besides relying on a legal basis under Article 6(1) of the GDPR. The NAIH further clarified that for employers processing moral certificates of new employees, the applicable legal basis would be Article 6(1)(f) of the GDPR in addition to Article 9(2)(b) of the GDPR (only available in Hungarian here).

7.10. Controller and processor contracts

There are no specific requirements for Hungary and the provisions of the GDPR apply.

8. Data Subject Rights

8.1. Right to be informed

No national law variations.

8.2. Right to access

No national law variations.

8.3. Right to rectification

No national law variations.

8.4. Right to erasure

No national law variations.

8.5. Right to object/opt-out

No national law variations.

8.6. Right to data portability

No national law variations.

8.7. Right not to be subject to automated decision-making

No national law variations.

8.8. Other rights

Deceased data subjects

The Act ensures that within five years of the death of an individual, the person designated by the individual – in an administrative declaration, public document, or a private document with full probative force – may exercise the data protection rights of the deceased. In the absence of such provision, the close relative of the deceased may exercise the right to rectification, as well as the right to object to the data processing, the right to be forgotten, and the right to the restriction of the processing.

Besides such rules, a number of sectoral laws also stipulate that for the processing of certain types of data of deceased people, the rules of the GDPR apply (e.g., health records of deceased persons, and insurance data).

9. Penalties

In its decision following the data protection authority's procedure, NAIH may:

• impose sanctions prescribed by the GDPR;
• in case of data processing for law enforcement, national security, and national defense purposes, may order the rectification of data, its blockage, erasure, or destruction, prohibit the unlawful processing of personal data or their cross-border transfer, and may impose data protection fines. The extent of fines corresponds with those provided by the GDPR; and
• in the case of budgetary organizations (such as a local government), the possible amount of data protection fine is limited to HUF 20 million (approx. $57,769).

In Hungary, GDPR compliance is challenging for a wide range of small and medium-sized enterprises ('SMEs'). Pursuant to a specific provision in the Act, the NAIH has issued guidance in which it stated that it will usually warn a data controller or processor at the first infringement of the GDPR or local data protection laws in lieu of imposing a fine (only available in Hungarian here). Such a rule, however, only provides an orientation to the NAIH, which may also use other measures in case of a first breach if it deems such measures necessary and fitting for the circumstances of the case. In the case of continuous breaches, the NAIH may impose fines even on private persons, individual entrepreneurs, or SMEs.

9.1 Enforcement decisions

The NAIH is still very active. In 2022, a total of 7,619 cases were initiated by the NAIH, extending from previous years, and together with the cases, there were thus 9,725 cases pending. The most noticeable change is that the number of official investigations increased by a third compared to the previous year (from 630 to 940), however, the number of other official procedures increased just as sharply (from 556 to 708), while the number of data protection investigations and consultation type cases did not exceed the previous year's level. Compared to previous years, there have been no changes in the topics covered by the requests. The NAIH received 890 personal data breach notifications in 2022, which is about 7% more than in the previous year.

The NAIH has issued decisions, among others, on the following issues:

• with regard to the installation of security cameras in public places, the NAIH reiterated that the surveillance of public places (e.g., streets) is only possible in a narrow scope, according to explicit legal provisions, as this activity may violate the privacy of the person being monitored by the camera, by processing personal data even against their will (only available to download in Hungarian here);
• as regards the legal basis for workplace CCTV, the NAIH stated that the absolute limit in respect of the installation of workplace CCTV is respect for human dignity, and therefore cameras cannot be used for the permanent, unintended surveillance of workers and their activities. The use of an electronic surveillance system whose purpose is to influence the behavior of workers at work, including the permanent observation and monitoring of workers by means of cameras, is also considered unlawful (only available to download in Hungarian here);
• a healthcare service provider charged a fee for the copying of medical records when fulfilling a data subject's request under Article 15 of the GDPR, in relation to which the NAIH ruled that the first copy of a medical record is free of charge even if the record has already been provided to the data subject once during a previous medical examination (only available to download in Hungarian here);
• in connection with sending newsletters for direct marketing purposes, the NAIH has once again stated that processing of personal data for marketing purposes is specific, and referred to in Article 21(2) of the GDPR, which provides that the data subject may object, at any time, to the processing of personal data relating to them for direct marketing purposes and, if they do so, the personal data may no longer be processed for such purposes. In such a case, the controller has no discretion as to whether or not to delete the personal data to the processing of which the data subject has objected (only available to download in Hungarian here);
• the branch office of an insurance service provider must comply with local data protection laws as well, notwithstanding the rules of its parent companies and the so-called 'general good' rules (only available in Hungarian here);
• the branch office of an insurance service provider must not appoint a DPO, provided that its group DPO is easily accessible and the staff of the branch office has the language skills to communicate with the DPO (only available in Hungarian here);
• the local branch offices of foreign companies can act as individual data controllers, however, they must always consider whether they are joint controllers with their parent company, subject to the specific circumstances of the actual data processing (only available in Hungarian here);
• there are no obligations for the DPO to attend mandatory training (only available in Hungarian here);
• managing directors, IT, and HR heads cannot be DPOs (only available in Hungarian here);
• the DPO cannot be 'faceless.' One entity can appoint multiple DPOs, but it must clearly name the person who bears the privacy responsibility for the entity (only available in Hungarian here);
• the NAIH broadly interprets the terms 'filing system' and the processing of personal data other than by 'automated means' (e.g., manual data processing). They cover any set of personal data, which is accessible or can be searched according to specific criteria (e.g., registers, lists, or paper documents stored in dossiers and folders) (only available in Hungarian here);
• company emails that contain the name of a natural person and the name of a natural person contact at a company can be personal data. When a company provides such data to its contracting party, the legal basis of such data provision is the performance of the employment agreement with the relevant contact person. The contracting party must process the data of the contact persons based on its legitimate interests, subject to a balancing test (only available in Hungarian here);
• companies must prepare an internal data protection policy only if it is proportionate in relation to the data processing activities (only available in Hungarian here);
• the NAIH accepts that an organization does not have control over Meta's Facebook data processing operations, however, data protection compliance in respect to the personal data collected by the organization itself (e.g., the data of the users on its Facebook page) is of primary importance (only available in Hungarian here);
• the legitimate interest of the operator of a webpage (Article 6 (1)(f) of the GDPR) may be relied on in case of applying cookies, which are deemed necessary for the operation of the webpage, whereas the consent of the individual should be required for cookies unnecessary for such purpose (e.g., statistical cookies, marketing cookies) (only available in Hungarian here);
• the NAIH further clarified whether it is in compliance with the GDPR to promote subscribing to newsletter services by providing benefits to data subjects. The NAIH found that providing benefits for newsletter subscription does not contradict the GDPR in itself if the voluntary nature of consent (subscription) is not affected and the data subject is not forced to use the service. In general, it means that if the data subject revokes their consent, they may only lose access to the service directly in connection with the consent (i.e., access to the newsletter service in case of the subscription); and
• the NAIH confirmed that during the current COVID-19 pandemic brought on by mass infections, organizations (i.e., businesses, associations, institutions) can measure the temperature of individuals if all of the following conditions are met:
  • the individual is entering territory, property, or buildings owned or used by the organization;
  • measurement is applied uniformly to all persons wishing to enter (whether the individual is in an employment relationship or otherwise);
  • personal identification of the subject whose body temperature is being measured is not included in the process; and
  • measurement does not in any way involve the recording, further storage, or transmission of data (only available in Hungarian here).

Notable cases under the GDPR

Right to access:

An individual visited a company's office and asked to inspect certain documents related to a dispute. The company refused the request, and the individual requested a copy of relevant CCTV recordings as evidence in the litigation. The company refused the request, arguing that the recordings did not support the individual's claims, but only proved that he was present in a given place at a given time.

The NAIH found that the company infringed the individual's access rights, and clarified the following principles on the right to access (only available in Hungarian here):

• a company cannot request any justification from an individual making a data request; and
• a data controller is not in a position to determine whether the required data would be necessary for the individual's litigation purposes.

The NAIH imposed a fine of HUF 1 million (approx. $2,905) against the company. It considered the following circumstances when determining the amount of the fine:

• the nature of the breach;
• the fact that the deleted recordings could not be recovered;
• the fact that this was the company's first infringement under the GDPR;
• the net sales revenue of the data controller company in the preceding year was HUF 15.3 billion (approx. $44 million); and
• Hungarian rules on CCTV operation were not in line with the GDPR by the time of the decision because they stipulated that if an individual requested a company not to delete a CCTV recording, they had to prove that the recording affected their rights or legal interests.

Fine against a bank:

The NAIH has issued a fine of HUF 500,000 (approx. $1,453) on a bank for failing to comply with the principle of accuracy under the GDPR (only available in Hungarian here). The procedure was initiated at the request of an individual after the bank mistakenly sent SMS messages about his credit card debt to the telephone number of another person. After receiving an incorrect telephone number from the client at the time of contracting, the bank did not comply with the individual's request to erase the data and continued to send SMS messages to the incorrect telephone number.

In its decision, the NAIH made the following findings:

• the bank does not have to delete a telephone number processed by mistake if the error is reported by a third person who is not properly identified;
• as soon as the inaccuracy of a telephone number becomes certain, however, the bank must erase the given data. It should also review the contract of the complaining individual, which can confirm whether an error has taken place; and
• the bank should have restricted the processing of the data in question until the accuracy of the telephone number was certified.

Fine on a debt collector for breaching the principles of transparency and data minimization:

The NAIH imposed a fine of HUF 500,000 (approx. $1,453) on a debt collector for breaching the principles of transparency and data minimization (only available in Hungarian here). An individual satisfied their claim to the debt collector and afterward, according to the GDPR, requested information on his processed data, and requested that his email address and other personal data be erased, which was declined by the debt collector.

The NAIH stated that the debt collector breached the principle of transparency by not appropriately informing the individual on the rules of backup copies and by referring to an internal policy, which is not public and not accessible to the individual. The NAIH highlighted that companies should minimize the data required for client identification, that all internal company policies on data processing be fully transparent to clients, and that policies for making backup copies of data be revised to reflect the GDPR. When issuing the fine, the NAIH did not take into account the company's worldwide annual turnover or income, as it had in previous decisions based on the GDPR, and instead focused on the results of its business activities. This discrepancy suggests there is still no unified practice in Hungary for assessing fines.

Fine for unsatisfactory balancing test:

A financial institution failed to delete the telephone number of its client at his request for possible claim enforcement purposes. Following the client's complaint, the NAIH determined that (only available in Hungarian here):

• the balancing test was too broad and covered more than one data processing purpose, which would have necessitated the preparation of separate balancing tests. The balancing test specified only economic and convenience aspects and failed to prove the priority of the data controller's interests over that of the individual and contained irrelevant findings (e.g., the data controller complies with data security requirements);
• the telephone number in itself is not necessary for claim enforcement. Written form correspondence is sufficient for communication with the debtor or client; and
• regarding the fine, the NAIH took into account both the income and the profits of the data controller's company. It is highlighted that in previous cases, the NAIH took into account such indicators separately, meaning that there is still no solid practice for this in Hungary.

Data protection fine for sending mails to the wrong recipients:

The NAIH imposed a fine of HUF 100,000 (approx. $290) on a social and child welfare institution for a data breach concerning sending letters to the wrong recipients (only available in Hungarian here). The nine letters concerned affected 18 data subjects and included sensitive information, especially data on children, as well as criminal data. The controller only performed a risk analysis and informed the NAIH of the breach more than 20 days after becoming aware of the breach, which enhanced the risk of the breach on the affected data subjects. In addition to imposing a fine, the NAIH highlighted the importance of proper and immediate risk analysis, as well as the adoption of breach management guidelines to minimize or terminate the negative consequences of the breach on the data subjects and to reassess data security measures applied by the controller.

Fine for unlawful processing of data of festival visitors:

The NAIH imposed a fine of HUF 30 million (approx. $86,995) on a local company hosting the biggest music festivals in Hungary (only available in Hungarian here). The case started in 2016 when a number of festival visitors complained to the NAIH about the controller's data processing practice at the entrance of the festivals, which included scanning identity documents and making video recordings. It is highlighted in the case that initially, the controller relied on the consent of the festival visitors for its entry control and argued that the consent of the visitors was voluntary due to the fact that they had a free choice to visit the festival or not.

Later on, the controller relied on legitimate interest and argued that processing data at the entrance of the festivals served as its legitimate interest as well as the visitors' interest to avoid misuse of tickets and entry armbands, and to prevent acts of terrorism and further crimes (e.g., drug traffic) from taking place at the scene of the festivals. The NAIH highlighted in its decision that the controller may have a financial interest in preventing the misuse of tickets and armbands but failed to properly assess the scope of data necessary for entry control and to apply necessary measures for such purposes.

As regards the calculation of the fine, the NAIH took into account, as aggravating circumstances, the fact that the controller breached both the principle of purpose limitation and data minimization, processed the data of hundreds of thousands of festival visitors unlawfully and willfully, and that the controller is a market-leading company in the field of festival organization. The NAIH also took into account the sales revenue of the controller for the business year of 2017, which reached over HUF 1.2 billion (approx. $3.47 million).

Non-sufficient cooperation with data subject concerning camera recordings and breaching the right to access:

The NAIH further imposed a fine of HUF 700,000 (approx. $2,030) on a local bank (only available in Hungarian here). The data subject requested a copy of camera recordings capturing his image, which the company had refused referencing other persons' personality rights and its trade secrets. With regard to the inspection of camera recordings and the provision of their copies, the NAIH recommended blurring out other persons on the recordings, as well as trade secrets if deemed necessary by the company in the given case. In case of processing data to comply with a legal obligation of the company, the company must specify such legal obligation in the respective data protection notice.

Ruling on data erasure and data-device destruction

The NAIH issued a ruling on the erasure of personal data and the destruction of data carriers (e.g., disks, pen drives, and electronic data) used for storing personal information. Focusing on both employee and client data, the ruling stated that companies must erase personal data in such a way that no links can be made to the identities of individuals. In case of electronically stored data, the mere reformatting of hard disks or other data-storage devices or carriers is not enough. According to the NAIH, companies may use free software products such as DBAN or a form of HDD-wipe software to perform deletions. If companies outsource data erasure (especially, the destruction of data-carrier devices) to third-party service providers, the provider should be certified and able to issue an official destruction protocol at the end of the process (the NAIH provides no further details on certification).

Companies must verify the erasure of data in writing, although the possession of a destruction protocol may be sufficient as long as it includes the full information verifying the data erasure, such as identification of the data carrier (e.g., registration or serial number) and the method used to destroy the device. Unfortunately, the NAIH does not offer further details, such as how this protocol is able to prove the actual destruction of a particular piece of data linked to one individual.

Fine for delayed breach notification

As abovementioned in the context of fines for sending mail to the wrong recipients, the NAIH imposed a fine of HUF 100,000 (approx. $290) on an unnamed social and child welfare institution for the late notification of a data breach. The organization had sent nine letters to incorrect recipients, containing sensitive information on 18 individuals, including contact information for children and their families, criminal record data, and information related to child-protection proceedings.

As part of GDPR-mandated breach management, the institution had performed a risk analysis based on the Recommendations for a methodology of the assessment of severity of personal data breaches developed by the European Network and Information Security Agency ('ENISA') and had introduced a double-control process when addressing letters, and implemented specific data protection training. Nevertheless, the institution only informed the NAIH of the breach more than 20 days after becoming aware of the data breach. As a mitigating factor, the NAIH accepted the institution's excuse that the person responsible for breach management did not have the capacity to deal with the case (only available in Hungarian here).

Fines for insufficient balancing tests and failing to fulfill subject access

The NAIH imposed fines in two separate cases, involving balancing tests and subject access.

In the first case, the NAIH imposed a fine of HUF 600,000 (approx. $1,743), representing 0.003% of the offender's revenue for the preceding year, against a Hungarian employer for sending the tax certificate of an employee to another individual, which constituted a notifiable personal data breach under the GDPR.

Furthermore, the NAIH established that the employer failed to provide data requested by an employee within one month (as required by the GDPR) and did not specify whether it was necessary to extend the deadline.

The NAIH ordered the employer to provide the employee with copies of the requested information and documents within the one-month deadline, including tax, social security, and pension reports (T1041 and M30 forms) for the employee, the date, and the amount of tax paid by the employee, any missing payment periods, and the employee's scope of work (only available in Hungarian here).

In the second case, the NAIH imposed a fine of HUF 2 million (approx. $5,809), or 0.0027% of the offender's revenue for the preceding year, on a telco company and another fine of HUF 1 million (approx. $2,905), or 0.013% of the offender's past year's revenue, on a claim management company as a result of legitimate interest balancing tests and their decision in choosing an incorrect legal basis for data processing for claim management purposes.

In one case, an unknown fraudster used the personal data of the complainant in a telephone call to illegally conclude a subscription but failed to pay the service fees later on. As a result, the telco company refused to conclude a subscription contract with the complainant because its fraud prevention database indicated that the complainant had an unfulfilled debt.

The telco company already sold and assigned the underlying claim to the claim management company. The complainant submitted a subject access request to clarify the accuracy of the data held in the company's database since it disputed the fact that it previously had a contract with the telco and owed it money. The investigation revealed the fraud.

The NAIH has established the following general provisions, which every data controller must fulfill: the legitimate interest balancing test must specify a potential fraud, its repeated attempts, how the processing of personal data serves its prevention, and why the data are necessary and relevant for this purpose. Furthermore, the test should measure the data controller's interest against the rights and interests of the data subject. The data controller must suspend all data processing until it prepares a proper test.

In the case of data processing in connection with the assignment of claims, the appropriate legal basis is typically the legitimate interest of the assignee to enforce the claim.

In case of fraud, the data controller must provide the complainant with a copy of the call recording with the fraudster, but it should make the personal data of the people mentioned in the call unrecognizable (only available in Hungarian here).

Fines for unlawful access to workplace emails

The NAIH imposed fines in two cases related to monitoring workers. In both cases, the employers failed to provide proper privacy information on the use of their employees' data and did not have appropriate internal policies in place.

In the first case, an employee was on sick leave when his employer checked his desktop, laptop, and emails to ensure that his work-related duties were being covered in his absence. The employer then suspended his account. The employee complained to NAIH, claiming that he did not receive pre-notification and did not have the chance to copy and delete his private information (e.g., telephone numbers, and messages). NAIH fined the employer HUF 1 million (approx. $2,905) (only available in Hungarian here).

In the second case, the employer restored the mailbox of a director who had left the company a year before and found an email containing a work-related legal document. Similar to the first case, the director complained he received no warning that his former inbox would be activated and did not have a chance to copy and delete his private information. (e.g. passwords, financial information, etc.). NAIH fined the employer HUF 500,000 (approx. $1,453) (only available in Hungarian here).

In these cases, NAIH agreed with the employer's argument that an absent employee who has failed to perform his tasks represents an integrity risk with financial and legal consequences. Hence, it is in an employer's legitimate business interest to take steps to prevent or mitigate these risks. NAIH also recognized that it may be necessary to archive the mailbox of former employees for security purposes, but stated that employers must comply with data protection rules in all cases.

Fines for an IT security breach at a telco

The NAIH imposed a data protection fine of HUF 100 million (approx. $290,551) on a Hungarian telco company for an IT security breach alongside allowing unauthorized access to the personal data of customers.

In addition to the fine, the NAIH ordered the company to review its databases containing personal data, determine whether applying encryption is justified to ensure security and to inform the NAIH of the results of the review.

The company created a large test database of customer and subscriber data for troubleshooting purposes but failed to delete it once the underlying errors were corrected and the database was no longer needed.

A white-hat hacker accessed the test database through the company website, hacking into the personal data of customers that included the following information: name, birth name, mother's name, place and date of birth, address, ID card number, personal ID number, email address, mobile phone number, landline number, bank account number, telecom contract data, and data relating to the services used. By exploiting the discovered vulnerability, the hacker was also able to access another database used for direct marketing purposes, which contained a subscriber newsletter and system administrator data that in turn provided access to the website interface.

The hacker informed the company of the breach and the vulnerability of its systems.

The NAIH found after an investigation that the company did not apply appropriate technical and organizational measures proportionate to the risks because:

• the vulnerability of the company's open-source content management system had been known for more than nine years and was listed on the official website of the software developer together with the method for repairing that error;
• although an official patch for the error was not created, an unofficial repair was publicly available for anyone, free of charge; and
• the storing of plain-text data of a sensitive nature in the database constitutes a high-level security issue, which can be eliminated by using appropriate encryption.

The NAIH also established that the test database contained sufficient personal data to make customers vulnerable to identity theft or misuse of identity. In addition, the information accessible via the system administrator also left customers open to both identity theft and illegal access to even more personal data (only available in Hungarian here).

Fine for failure to provide access to private emails

The NAIH imposed a fine of HUF 200,000 (approx. $581) on a company for unlawfully denying a former employee access to archived private emails.

In addition to the fine, the NAIH ordered the company to cooperate with the employee, conduct a review within 15 days, determine the personal data contained in the former employee's archived email account that should be considered private in nature, and give the employee access to these private personal emails.

The decision, however, also features some unprecedented findings favorable to employers. According to the NAIH, the former employee is not entitled to request the release of his entire email correspondence, and the employer cannot be expected to sort through the former employee's private emails independently.

A former employee requested that their previous employer provide access to the 2018 archive of the employee's work email account, which was partially of a private nature, and concerned scientific publications pertaining to research activities conducted in the context of his employment relationship.

The company denied the request for the following reasons:

• the former employee is no longer entitled to indicate the company in scientific publications, therefore it has no interest that could justify the request to have access to the email account;
• the access would jeopardize the company's financial and economic interests and would also endanger trade secrets;
• since an employment lawsuit is pending between the company and the former employee, providing access would enable the former employee to destroy evidence; and
• the company was not able to identify the scope of the private personal data (e.g., the scientific publications, the release of which the former employee had requested).

In its decision, the NAIH confirmed the following:

• data contained in a work email account constitutes personal data, irrespective of whether the emails pertain to work or private correspondence;
• emails pertaining to work, such as emails potentially containing trade secrets, are protected, and as a result, the former employee's full email correspondence cannot be released;
• access to emails of a private nature must be ensured. A work email account, however, potentially contains such a large quantity of sent and received emails that the employer cannot be expected to sort through it all. The appropriate measure would have been to notify the former employee that he is no longer entitled to indicate the company in his future scientific publications, which would have made it unnecessary for the former employee to request the release of the full 2018 archive of his work email account. Furthermore, the company should have informed the former employee that it is fully open to release his private emails, provided that he indicates the exact emails required and the data medium on which he wishes to receive these emails; and
• private emails may be released, but the former employee must select the required emails from a list of contents or by participating in the sorting together with the company.

Fine levied for data breach related to COVID-19 rapid test

The NAIH has imposed a HUF 10 million (approx. $29,055) fine on the 11^th District Public Health Department of the Government Office of the Capital City Budapest for failing to apply data security measures commensurate with the risks entailed in processing health data when it transmitted an Excel file containing a database of health and contact information to general practitioners.

According to the NAIH, the data breach was linked to the following factors:

• the sender did not sort information according to each general practitioner's district, enabling doctors to see the personal data of both their patients and patients under the care of other doctors;
• the transmitted file lacked access protection or encryption to guarantee confidentiality; and
• the file was sent by way of simple emails that could be viewed by anyone.

Although the Government Office warned the general practitioners about the confidentiality of health data and to delete the data of patients not belonging to their districts, the above activity resulted in a high-risk data breach, which it failed to report to the NAIH and the data subjects.

In its decision, the NAIH established the following:

• the data breach resulted from the Government Office's failure to implement appropriate technical and organizational measures to safeguard the confidentiality of health data during the transmission;
• the sender should have sorted the personal data on a district-by-district basis before transmission, thus ensuring that general practitioners could only access the data of patients in their own districts and not those of other patients, even if urgent action was necessary; and
• the lack of security measures may have resulted in personal data being disclosed to recipients who were entitled to access a fraction of the data (i.e., only the data applicable to each doctor-patient relationship).

Fine levied for the mismanagement of a data subject request regarding CCTV operations

The NAIH conducted a proceeding against a shoe trade company and examined how the company handled the data subject access requests in relation to its CCTV operations, including its internal procedure. The person involved in the case bought a shoe from the company. He alleged that the cash was not properly returned to them at the cashier, and he asked the company to have access to the CCTV recording of the incident and not to delete the recording until the situation was clarified. The company informed that it could only issue camera footage to the police. Moreover, the company did not block the recording, but deleted it after the retention period, so despite filing a complaint with the police, the recording was no longer available. The company did not justify to the applicant why it did not grant them access to the recordings, and it did not have any data protection regulations regarding CCTV recordings at all. The company kept a systematic record of incoming messages but did not separate the data protection but registered the data subject's complaint, which was otherwise a data protection issue, as a consumer protection complaint. The NAIH has imposed a HUF 20 million (approx. $58,110) on the company.

Fine levied for unlawful voice recordings

One customer reported to the NAIH that a voice recording was made at the customer service office of a telecommunications service provider during the administration, but those concerned were not (adequately) informed. (The complainant accidentally noticed that a microphone was installed.) In its decision, the NAIH condemned the service provider in view of the fact that it could not identify the conflicting interests or did not present the interests of the data subjects in any form in the legitimate interest-balancing test. The test included general consideration, not consideration by type of administration/type of interests/type of purposes. The NAIH found that the service provider had made a sound recording of personal customer service administration during the period under review without a proper legal basis. Furthermore, the prior information provided by the service provider was also inadequate, as the privacy notice was available on the company's website, but the customer service did not provide information on the existence or availability of such privacy notice. Prior to the commencement of the recording, the data subjects were provided with information only on the fact of the data processing – the information on the other relevant circumstances of the data processing was not easily accessible. Due to the above, the authority considered it necessary to impose a data protection fine of HUF 60 million (approx. $174,331). Namely, during the period under review, the service provider - in all its stores in total – liaised with 45,000 to 55,000 people per month at its personal customer services, the number of those affected thus calculated in the order of millions.

Data breach of a medical website

The NAIH received a complaint according to which medical findings and referrals managed in the appointment system of the website operated by the data controller can be publicly accessed or downloaded by unauthorized users.

The NAIH has determined that this is a directory leakage vulnerability. The vulnerability affected two websites where documents with .pdf extensions containing patient findings were stored. Instead of displaying the requested interface, the web server lists all the content on the web server by invoking the URLs. This allowed anyone with the knowledge of the links to access the documents stored on the online interface without registering on the site.

The data controller was not able to determine exactly how long the vulnerability had existed, it had only been informed of it from the NAIH. Based on the log files, the data controller could not detect unauthorized access, hence, in the course of its risk analysis, it found that it was not likely to pose a risk to the rights and freedoms of those concerned. Therefore, the controller did not consider it appropriate to report the breach to the NAIH and inform those concerned.

The NAIH found that the data controller had violated GDPR's data security requirements and the obligation to report the breach due to its inability to detect external access.

The data controller was obliged by the NAIH to pay a fine of HUF 7.5 million (approx. $21,791).

Unlawful access to customer data at a travel agency

The personal data of customers was available to anyone through a website operated by a travel agency. Thus, passengers' names, contact details, address details, identity card, and passport numbers, booking and travel information, dates, destination, accommodation, contract details, and the specific travel contract were accessible to the public.

The complainant found this by browsing the internet and typing her father's name into a Google search engine, and then, through one of the hits, they were able to open the database without any authorization checks. Thus, the database was also crawled by Google's search engine and made the data stored in it searchable.

The NAIH found that a vulnerability was left in the development of the travel agency's website due to the omission of various IT security measures (e.g., testing, vulnerability testing) and careless design of the website that allowed public access to the database. Customer data continuously uploaded to the travel agency's live contract database was transferred through a 'forgotten' connection point to the test database previously created by the website developer. However, due to inadequate protection, the test database became available to everyone through the website, so virtually anyone could follow the updating and management of customer data on the Internet. Neither the data controller nor the data processor previously knew about the public availability of the database.

Through the vulnerability, until its elimination, 781 individuals and a total of 309 travel contracts were affected, approximately 2,500 personal data.

The NAIH found that the data management travel agency had commissioned an inappropriate data processor to design the website, could not guarantee the security of the personal data processed, and did not inform those concerned about the high-risk personal data breach.

NAIH also found that the data processor in charge of developing and operating the website did not subject the website to proper security checks, and vulnerability tests and acted with a high degree of negligence in its development.

NAIH ordered the travel agency to pay a HUF 20 million (approx. $58,110) data protection fine and the website development company a HUF 500,000 (approx. $1,453) data protection fine.

Data breach as the result of incorrect configuration on the web servers

A financial service provider reported a personal data breach to the NAIH. On the internet interface created by the service provider for data sharing, due to an incorrect configuration on the web servers, contracts, and portfolio statements created for individuals became publicly available.

Out of a total of about 200 customer data stored on the site affected by the incident, the incident concerned the personal data of 50 customers: identity data (name, date of birth, place of birth, identity card number, tax identification number, and nationality), contact information (address, e-mail address, and telephone number), and financial information (portfolio value).

According to the NAIH, the financial service provider would have been expected to regularly check the incorrectly configured system with vulnerability tests performed by internal and external experts. It would also have been expected of the data controller to ban search engine crawlers in the case of the data processing in question, i.e., to ban the listing of data stored on the web server.

NAIH obliged the data controller to pay a HUF 2 million (approx. $5,811) data protection fine in view of the application of insufficient security measures.

Emotion recognition system powered by artificial intelligence

A bank used artificial intelligence ('AI') based speech-signal processing technology in its customer service, that automatically analyzed a list of keywords and the emotional state of the speaker. The bank used the results to monitor the quality of calls, prevent complaints, rate the quality of work, and increase the efficiency of its call-handling staff. The results of the detected keywords and emotions were also stored along with the call, and the calls could be replayed within the voice analytics software for up to 45 days. The software ranked the calls and provided recommendations according to the priority of the callers to be contacted.

The NAIH launched a procedure against a bank for the shortcomings of its automatic AI analysis of recordings of customer service calls, which included assessing the emotional state of the speaker and other characteristics.

The NAIH's findings:

The NAIH did not rule the AI analysis of recorded customer service calls unlawful, it found the following shortcomings:

• the bank's customer service privacy notice did not contain any substantive information on voice analysis. The privacy notice only mentioned quality assurance and complaint prevention as the data processing purposes.
• The bank-based data processing on its legitimate interest in retaining customers and improving the efficiency of its internal operations. However, the different data processing operations related to these interests were not separated either in the privacy notice or in the balancing of interest test ('LIA').
• The bank's DPIA concluded that this processing is high-risk for a number of reasons. However, the DPIA did not provide substantive solutions to address these risks.
• The bank did not actually examine the proportionality of the data processing and its effects on data subjects and trivialized the significant risks to fundamental rights. It expressly failed to consider the right of data subjects to adequate information and their right to object.

NAIH ordered the bank to pay a HUF 250 million (approx. $726,378) data protection fine, which is the highest fine imposed by the NAIH for violations of data protection laws so far.

Public disclosure of personal data in the national directory

The NAIH investigated the data processing of a mobile service provider on the basis of a complaint from a data subject, who complained that his name, address, and telephone number were publicly available in the public directory of the data controller, despite the fact that he had not consent to their disclosure. Further, they repeatedly asked the mobile service provider to delete their personal data from the online directory, and the mobile service provider only complied with this deletion request on the third attempt. The mobile service provider acknowledged that the data subject's requests for erasure had not been implemented due to technical and administrative errors: the first request for deletion was processed and the necessary steps for deletion were taken, however, due to a technical error, the actual deletion of the personal data did not take place and remained available on the public notice interface, and the data subject's second request for deletion was incorrectly recorded in the data controller's internal records as 'closed' due to a one-off operator error.

Regarding the public disclosure of personal data in the online directory, the NAIH found during the investigation that under the terms of a subscriber agreement between the data subject and the data controller for a top-up card, service concluded in 2015, the data subject did not consent to the data controller publishing his name, permanent address, and phone number as part of his subscriber data in the public national directory maintained by the data controller. However, at the time of the contract renewal in 2018, according to the statement of the data controller, the declarations made by the data subject were amended, and he gave consent to public disclosure of his data in the directory. The data controller provided a screenshot with a ticked checkbox to demonstrate the validity of this statement.

According to the NAIH, a screenshot with a ticked checkbox does not suffice the conditions for accountability pursuant to Article 5(2) of the GDPR, as in the absence of the contract signed by the parties it cannot demonstrate that the consent was freely given, specific, informed and an unambiguous indication of the data subject's wish according to Articles 4 and 7 of the GDPR.

In relation to the failure to comply with the data erasure requests, the NAIH found that the controller's procedures were in breach of the GDPR as well.

NAIH ordered the mobile service provider to pay a HUF 5 million (approx. $14,527) data protection fine.

Failure to identify proper legal basis relating to processing of personal data after completing pre-credit assessment and credit assessment

According to the complaint filed with the NAIH, a bank rejected the complainant's loan application and later notified them of a new credit assessment based on the personal data recorded in connection with the rejected loan application, even though the complainant did not request a new loan offer.

In relation to the legal basis for the processing of personal data for the purposes of pre-credit assessment and credit assessment, the NAIH found that the bank lawfully based its processing of personal data for the purpose of the pre-credit assessment and credit assessment process on Article 6(1)(b) of the GDPR until the time such assessments are completed.

However, contrary to the practice of the bank, the processing of personal data after such assessments have been completed, cannot be based on the same contractual basis, if no contract was concluded as a result of the pre-credit and credit assessments. Following an order from the NAIH to modify this legal basis in order to bring the data processing in compliance with the provisions of the GDPR, the bank modified the legal basis to Article 6(1)(f) of the GDPR.

The NAIH stated that the bank has properly modified the legal basis of its data processing on its legitimate interest pursuant to Article 6(1)(f) of the GDPR. However, the NAIH, in its analysis of the legitimate LIA, found that when comparing the interests of the data controller and the data subject, it did not address the processing of the pre-credit assessment, but only examined the 'credit assessment.' The NAIH found further inconsistency in the LIA, as it incorrectly stated that it applied 'also to data processing relating to loans granted in the course of a pre-credit assessment', which means data processing where loans were also granted, even though the data processing subject to the LIA is 'retention of personal data collected in the course of credit assessments in cases where a contract has not been concluded'.

Based on the above, according to the NAIH, the LIA regarding the retention of personal data obtained in the course of the pre-credit assessment is flawed in such a way that it is not suitable to demonstrate the existence of a legal basis and the NAIH ordered the bank to delete the personal data in question.

NAIH ordered the bank to pay a HUF 30 million (approx. $87,165) data protection fine.

Public area surveillance system using facial recognition cameras in the administrative area of Siófok

The NAIH launched an investigation after it was informed about it via press reports of the intent of the Municipality of Siófok ('Municipality') to install a 39-camera system with facial recognition AI to monitor the public space. (the decision is only available to download in Hungarian here).

In its investigation, the NAIH declared that according to the responses provided to them, the public domain camera system had been installed in Siófok since 2014, operated by the Municipality, by means of a cooperation agreement with the police in the field of crime prevention and public safety. Within this context the police had contributed to the development of the camera system, beginning in 2020, and a technology company provided the technical support for the processing of the recordings.

The Municipality claimed that the use of the surveillance was justified based on the thousands of people who were visiting the nightclubs in the affected area and the increasing number of crimes. However, the NAIH found that the mass processing of biometric data under Section 7(3) of Act LXII of 1999 on Public Area Surveillance (only available in Hungarian here) and Section 42(2) of Act XXXIV of 1994 on the Police (only available in Hungarian here) was not sufficiently justified, since biometric data is subject to special protection as special category of data, and therefore, the current Hungarian legislation does not allow the operation of a public area surveillance system which processes biometric data.

The NAIH further identified shortcomings in the cooperation agreement between the Police and the Municipality. Additionally, the NAIH found that the police and the Municipality were joint controllers for the data processing in question, and identified a violation on the part of each such joint controller in relation to the absence of a data processing agreement pursuant to Section 25/B(1) of the Act, which regulates the tasks and responsibilities related to the performance of the controller's obligations.

In addition, the NAIH found that the obligation under Article 25/F(4) of the Act to keep data recorded in the register of controllers and processors in an electronic logbook for ten years after deletion of the processed data could not be fulfilled, since the activities of users can be viewed in the system only for 30 days.

Finally, the NAIH identified the technology company as a data processor for the processing in question and found that it had modified, deleted, and created access roles in the surveillance processing system without the knowledge of the Municipality, thereby infringing Article 25/D(3)(a) of the Act, stating that a data processor may only act on the written instructions of the controller.

In consideration of the above findings, the NAIH found that the Municipality and the Police had processed personal data unlawfully through the camera surveillance system. In relation to the technology company, the NAIH decided to impose a fine of HUF 500,000 (approx. $1,453) (decision only available to download in Hungarian, here).

Lawfulness of data processing for direct marketing purposes

The NAIH imposed a fine of HUF 80 million (approx. $232,441) in an investigation into a company's practices related to direct marketing (only available to download in Hungarian here). In its procedure, NAIH found that the company had processed the contact details (name and address) of approximately 300,000 to 400,000 data subjects in the context of sending a postal notification inviting them to a free hearing test without adequate information, without a specific and real purpose and without an adequate legal basis.

The company claimed that letter assessing the need for hearing tests were only sent to persons listed in the database provided by the Ministry of Interior, which were requested every two to three months for market research. After receiving the data, competent employees of the company transferred them to a separate, secure server, and the entire contents of the device were irretrievably deleted after the transfer. The company argued that the legal basis of the data processing was the consent of the data subjects, and the data subjects had the possibility to withdraw their consent at the Ministry of Interior or the controller if they did not wish their personal data to be processed further.

The NAIH held in its decision, that the company violated Article 6(1) of the GDPR, since if the data subject did not take any active steps to give its consent, the data controller cannot consider the silence as an affirmative act as a proper legal basis for data processing. Moreover, in the case of consent as a legal basis, the data subjects have to be informed before giving their consent, which was clearly lacking in this case as well.

Furthermore, as of April 26, 2019, the Direct Marketing Act was amended, thus it no longer provided a basis for direct marketing requests. However, the company continued its practice. According to the NAIH, from March 2021, the company requested the data for market research purposes in order to comply with the changed legal requirements, only to continue its processing for direct marketing purposes. Consequently, NAIH found that the company violated the purpose limitation principle under Article 5(1)(b) of the GDPR, since it misled the data subjects and the Ministry of Interior by disguising the true purpose of the processing, thereby also violating the principle of fairness under Article 5(1)(a) of the GDPR. The NAIH also held that the company had violated Articles 14(1), 14(2), and 12(1) of the GDPR, hence it failed to provide clear and transparent information.

Necessity of consent by purpose and separation from other declarations

The NAIH imposed a fine of HUF 30 million (approx. $87,165) after the company handled contact data of thousands of individuals in the absence of adequate prior privacy information, a concretely defined purpose, and a valid legal basis (decision only available to download in Hungarian here).

In its procedure, the NAIH instructed the company to delete contact data used for direct marketing purposes for which it cannot obtain new, appropriate consent, or does not have another valid legal basis for processing them (e.g., contractual contact).

The NAIH's most important findings regarding the duties of the companies include:

• separate consent is required for each purpose and channel. In the text of privacy consent, receiving direct marketing 'electronically' is a too broad term. Individuals must be able to choose if they only wish to consent to direct marketing in certain channels (e.g., only by post, only by phone, or only by email, or by any combination of these). This does not preclude the provision of an option where consent can be given to all specified purposes at the same time. It should, however, be possible to give separate consent only for certain purposes. Companies must review the design of their privacy consents – primarily, the number of checkboxes and the way they are worded;
• separate consent is required for Google LLC and Facebook advertising. Direct marketing sent via other channels (e.g., targeted advertisements on the Google and Facebook advertising systems) also requires separate consent, and separate information must be provided on the use of similar mass-automated advertising systems. Companies must also review the design of their privacy consent and the content of their privacy notices;
• specific information is required on the marketing method. The purpose of processing contact data cannot be a flexible goal such as 'receiving more favorable offers'. Direct marketing is an umbrella concept, and companies must indicate the specific implementation (e.g., sending advertisements on their own or third-party products on a given channel or specific channels). Companies must also highlight in their privacy notices any important circumstances that are not customary, and individuals may not reasonably expect, such as a foreign data processor and its clear, concise, easily understandable role. Companies must review the text of their privacy consents and the content of their privacy notices; and
• companies must provide information on the location of their privacy notice for the currently used communication channel. In the case of offline communication, it is not enough to refer only to the availability of the online privacy notice, because there may be many individuals who do not have internet access or cannot find the information on the internet during or before ordering by mail or telephone. Companies must review the information they provide on the availability of their privacy notice.

The significance of this decision is that this was the very first time that the NAIH has addressed the method for obtaining consents, especially how many different consents are required to perform direct marketing activities through different channels.

Legal compliance of the website's cookie consent framework

The NAIH investigated the data controller's practice of placing cookies on the tenyek's website and tv2's website.

According to the NAIH, tv2 unjustifiably prevented its users from rejecting cookies by displaying a pop-up window on tenyek website with two options, first one called 'OK, continue' to accept the settings invisibly, and the second one 'privacy notice' to redirect the user to the tv2 website. Clicking on the latter button brought up another pop-up window for cookie management, with a 'further options' button at the bottom, next to the repeated 'ok, next' button. Clicking on the 'further options' button brought up a pop-up window with 'reject all' and 'accept all' options, below which, in a scroll bar in about one-eighth of the pop-up window, the privacy notice on cookies was displayed, with an average of 2 to 4 lines of information at a time. At the bottom, the buttons 'partners', 'legitimate interest', and 'save and exit' were found. Nevertheless, according to the privacy notice, tv2 only placed cookies with the user's consent. Expecting the user to read the privacy statements of the 754 partners linked under the 'partners' tab and withdraw consent from each of them is not a transparent and fair condition, according to the NAIH.

This decision of the NAIH is the only one so far to sanction cookie-related data processing, address the dark patterns encountered in cookie placement, such as unreasonable blocking of cookie rejection with multiple successive pop-ups and redirects, unreasonable additional actions required from users when rejecting more than 700 partners one by one, and misleading information regarding consent under Article (1)(a) of the Act and legitimate interest under Article 6(1)(f) of the GDPR. Therefore, the NAIH imposed a fine of HUF 10 million (approx. $29,055).

Validity of electronic direct marketing consent

The NAIH launched an ex officio inspection of the data controller's processing of data related to the provision of its service and the conduct of electronic direct marketing ('EDM'). When subscribing, the acceptance of the general terms and conditions for the service also constituted consent to EDM, i.e., it was only possible to make this declaration once, without the possibility for the subscriber not to accept or opt-out of the sweepstakes rules. The general terms and conditions did not contain a provision on EDM. The data controller acknowledged that its practice was not in line with data protection law and changed its practice accordingly decision only available to download in Hungarian here).

The data controller has breached its obligation to provide information, which should include when and under what conditions the data processing based on the data subject's consent in relation to EDM will cease. The legal basis for the EDM processing was unlawful, on the one hand because, as a rule in the absence of sufficient information, the processing of data without consent is unlawful in itself, and also separately given consent was not made available in case of the general terms and conditions and the EDM.

It is important that data subjects are fully informed, and that, in the case of consent as a legal basis, it should be possible to give consent to each 'service' separately. Therefore, the NAIH imposed a fine of HUF 2 million (approx. $5,812).

Webshop data processing and right to erasure

The data subject contacted the NAIH claiming that, despite having requested the company to delete the data subject’s personal data, the data subject received an email from the company ( decision only available to download in Hungarian here).

According to the company, the data subject ordered a birthday newspaper from their online store and during the ordering process agreed that electronic communication would take place at the email address. According to them, once the data subject indicated that it did not wish to receive emails, their data was deleted. The company claimed that the problem may have been that the database had been resynchronized and that this may have caused the data subject to receive another email. The company argued that although the data subject's personal details had been deleted from all their lists, they should have kept the basic details of the purchase.

Nevertheless, a screenshot taken at the NAIH later showed that the data subject's phone number and email address were still available.

According to the company, the legal basis for the processing is the performance of the contract and the methods and characteristics of data storage are described in the general data privacy notice, which the data subject has been made aware of.

The NAIH found that the company's actions concerning the preservation of receipt were in accordance with the Accounting and VAT Act's regulations and were not unlawful.

The NAIH found that, regarding the data processing for marketing purposes, on the one hand, there was no prior notification and information and, on the other hand, only the privacy notice contained a reference to the processing for marketing purposes, but no other documents, therefore the company had breached Article 6 of the GDPR. Since the general terms and conditions do not contain any information on data processing either, acceptance of the same does not legally constitute consent to the processing of data related to the sending of newsletters.

As regards the deletion of personal data, the NAIH found that the data subject had made an early and unambiguous request for the deletion of personal data and, despite the hacking/resynchronization, the company should have taken this request into account, in breach of Article 17 of the GDPR. Therefore, the NAIH imposed a fine of HUF 500,000 (approx. $1,453).

Information on the recording of customer service calls

The data controller's sales representative made a telephone call to the data subject to inform that a switch to a different type of network due to the data subject's network expansion is necessary. During the call, the representative indicated the purpose of the call but did not refer to the voice recording. Later, several phone calls were made in which the sales representative deviated from the text (decision only available to download in Hungarian here).

Further on, the data controller admitted that the sales representative deviated from the text after the introductory sentence, missed the identification, and only mentioned to the subscriber that the conversation was being recorded, but did not provide him with detailed information.

The NAIH has established that the data subject's voice is considered personal data under the GDPR. According to Article 12 of the GDPR, the data controller must take appropriate measures to ensure that all information relating to the processing of personal data is provided in a concise, transparent, intelligible, and easily accessible form. The fact that the data controller is a legal person does not affect the liability of its employees for any omissions.

The NAIH found that the information provided by the data controller was incomplete. The NAIH stressed the importance of prior information so that the data subject is aware of its rights, including the right to object.

The NAIH imposed a fine of HUF 5 million (approx. $14,528).

Data processing for enforcement purposes and related balancing of interests and the lawfulness of transfers

The data controller transferred the outstanding balance on the data subject's credit account to a new account and linked the personal data to the new account without consent. The data controller also transmitted the personal data to a notary and the Central Credit Information System Ltd. and other bodies without consent (decision only available to download in Hungarian here).

Regarding the processing of the file, the data controller's interest in the case may have been the enforcement of the claim, the successful recovery of the claim, or the activities of the credit institution.

The data controller, as a business entity under the Accounting Act, is required to keep the records relating to the claim for eight years. The data on the receipt cannot be deleted under the Accounting Act, so everything on the receipt can be retained according to the NAIH.

As regards the processing of personal data, the NAIH has stated that they are essential for contacting and enforcing the law, the doubts only relate to the telephone number. According to the NAIH, the legal basis was inadequate, as is the argument that the telephone number is necessary to contact the company since contact can also be made by post.

The NAIH ordered the phone number to be deleted from the register and imposed a data protection fine of HUF 1 million (approx. $2,905).

Refusal to issue documents relating to health status

The data subject suffered from cancer and used the services of the data controller in connection with his medical condition (decision only available to download in Hungarian here).

The data subject requested the release of all health and personal information in the data controller's possession that it did not disclose for reasons of data security, only that which the data subject had previously obtained.

The legal basis for the processing was the performance of the contract and the retention period was uniformly 'the duration of the legal relationship underlying the service.' The data controller also claimed that the privacy notice available on the website and the contact form contain information on data processing. It further claimed that the refusal to disclose the data was not based on data security grounds, but that the data subject did not specify exactly the requested data.

The NAIH has classified data processing into three categories, namely, set of data, data concerning health, and personal data relating to professional activities. In relation to the access request, the NAIH found that the data controller was obliged to provide a full copy of the personal data, which it refused to do without giving reasons. As regards the information on data processing, the data subject did not receive sufficient information from the contact form or the datasheet. Furthermore, the information on the website did not refer to professional services.

Regarding facilitating the exercise of data subjects' rights, the lack of information made it difficult for the data subjects to exercise their rights and remedies and did not offer alternatives to the applicant to meet the data subject's request.

The NAIH imposed a fine of HUF 1 million (approx. $2,905).

Camera surveillance and data processing for marketing purposes in beauty salons

The data subjects complained that there were 32 cameras in every room (office, operator, corridor, reception, etc.) of the data controller's headquarters, recording both employees and guests. The cameras were also capable of monitoring employees at work and at rest, as well as guests during treatment. The cameras recorded sound as well as images (decision only available to download in Hungarian here).

The data controller provided information about the image recordings, but not about the audio recordings and their real purpose. In addition, the data controller also engaged in a practice whereby they asked their guests to provide contact details of their acquaintances and thus advertised their treatments. According to the communication from the data controller, a consultation form is filled out by each guest at the reception, but the telephone number and email address are not always recorded. In the consultation form, the question of whether the client is interested in an aesthetic procedure is answered 'yes' and the client's data (name, age, telephone number) are recorded on a separate Excel sheet. According to the company, the surveillance is for the protection of guests and staff.

The NAIH's investigation found that neither the legal basis for the use of the camera, nor the method of consent, nor the information itself, both from employees and guests, was adequate. Moreover, no one was informed about the audio recording, and thus there was a serious breach of privacy and the provisions of the GDPR.

The NAIH also found problems with the processing of clients' data and the referral system used (satisfied clients provided contact details of their friends). The privacy notice did not provide information on the consent and data processing of the marketing contact form on the beauty salon's website.

The NAIH found that the data controller did not guarantee the confidentiality of the data processing and did not take measures to protect personal data in the operation of the camera system, as the server cabinet was left open, and the images of the cameras and the stored recordings were easily accessible without any purpose by typing the username on a piece of paper stuck to the monitor.

The NAIH imposed a fine of HUF 30 million (approx. $86,995).

Data security and policy deficiencies of databases involved in a data breach at DIGI Távközlési és Szolgáltató Kft (retrial)

In 2018, the data controller (Digi Telecommunications and Services Ltd.) temporarily moved the personal data of nearly 300,000 subscribers to a test database to overcome a technical error. A hacker attack on this database revealed a detectable and remediable security vulnerability, which the data controller failed to properly secure, in violation of Article 32 (1) and (2) of the GDPR. The Metropolitan Court of Budapest found that the temporary transfer of the data complied with the purpose limitation requirement, but that the storage on the test database was lawful only for the time necessary to remedy the failure, in accordance with the limited storage requirement. The data controller negligently failed to delete the test database after the error had been corrected, thereby creating a data breach (the decision is only available in Hungarian here).

The NAIH investigated the activities of the data controller in relation to Article 5 (1) (b) and (e) and Article 32 (1) and (2) of the GDPR. In the context of the purpose limitation, the NAIH found that the storage of the data concerned in the test database was lawful only until the failure was rectified. In the context of the limited storage, it found that storage beyond the failure was also unlawful, in the absence of encryption of the data. In relation to Article 32 (1) and (2) of the GDPR, the NAIH found that the security vulnerability could have been detected and corrected. The lack of control by the data controller, the failure to use the available functionality of the protection software, and the storage of a large amount of unencrypted data in this database posed a high risk and provided the basis for unauthorized access to occur.

The NAIH imposed a fine of HUF 80 million (approx. $232,499).

Inadequate data protection incident handling practices – failure to erase personal data appropriately

On the website of the predecessor of the data controller, the complaint investigation reports were available, (as data of public interest) which contained personal data (name and address) due to the failure to anonymize them. The NAIH closed the case after the deletion of the documents. Two years later, the NAIH received a new request that the deleted documents were again available on the website of the successor data controller. Upon verification, it was concluded that the document could not be found directly on the website, however, could only be accessed by knowing the exact link and saving it. The error could have been caused by the fact that the deletion of the data from the backend servers was not taken care of. This time, the NAIH has imposed a fine of HUF 16 million (approx. $46,500) for failure to report the incident and for technical measures that did not comply with the GDPR (the decision is available only in Hungarian here).

Failure to comply with an access request

The data subject requested on several occasions from the data controller, (which provides internet, fixed telephony, and broadcasting service) the restriction of the processing of their personal data (decision only available to download in Hungarian here). The data controller processed the personal data for contracting and to keep accounting records. Pursuant to the request of the data subject, the data controller used the data not only for contacting but also for various marketing purposes.

The NAIH concluded that the response to the data subject's request for access sent by the data controller on October 26, 2018, in which the data controller highlighted the relevant provisions of the general terms and conditions, infringed Article 15(1) of the GDPR by not specifically informing the data subject about the use of their personal data. The NAIH imposed a data protection fine of HUF 500,000 (approx. $1,453).