NAIH decision results in increased data protection obligations

Hungary

In a recent decision involving a financial institution, Hungary’s Authority for Data Protection and Freedom of Information (“NAIH”) provided more specific guidance for companies on how to comply with the Data Protection Act in their day-to-day operations. Although the decision targeted the data processing practices of a particular financial institution most of the NAIH’s findings apply to other industries too.

In its decision, NAIH made the following remarks:

  • It is not permissible to photocopy the IDs of customers who appeared personally and presented their IDs for client screening purposes. According to NAIH, banks should accept the data in IDs as authentic and a photocopy for further verification is not necessary.
  • Banks should not process data on the criminal background of prospective customers as it is not necessary for the conclusion of loan agreements.
  • Customers must specifically consent to the processing of their data following a negative credit evaluation.
  • Companies must obtain consent for each data processing purpose – in particular, companies must request the customer’s consent to receive advertisements or market surveys separately from the “general” consent.

Privacy policies must define “marketing purposes” for data processing, for example, does this include using the customers’ data in marketing materials. (Click here for the NAIH’s Recommendation on Privacy Notices (only in Hungarian).)

  • In the case of data collection via physical correspondence, the privacy policy must also be provided to the customers via post.
  • Banks may record customer calls without the customers’ consent only in the case of complaint handling; recording other calls requires prior and informed consent.
  • Privacy policies must specifically list the data processed, and the underlying legal basis for processing (consent, legitimate interest, or the particular section of the applicable law).
  • Companies should provide detailed information on their data transferees in the privacy policy – broad terms, like “service providers” or “a financial intermediary” are insufficient.

NAIH may impose a fine of between HUF 100,000 and 20,000,000 (approx. EUR 300 to 66,000) for failure to comply with the above obligations. In the case of the given financial institution’s failure to comply with the above requirements, NAIH imposed a fine of HUF 2,000,000 (approx. EUR 6,600) - around 4% of the financial institution’s annual income.

It is also worth noting that, as of 1 January 2016, the deadlines for companies to fulfil data subjects’ requests to access, correct, block or delete their personal data decreased from 30 days to 25 days. Therefore, it is of primary importance for Hungarian banks, and other companies subject to Hungarian data protection laws, to revise their privacy policies and practices to correspond to this change and the other resulting from the NAIH decision.

For more information, please contact us.