New data protection fines in Hungary make it essential to check balancing tests and subject access

Hungary

The Hungarian National Authority for Data Protection and Freedom of Information (NAIH) recently imposed fines in two separate cases, involving balancing tests and subject access.

In the first case, the NAIH imposed a fine of HUF 600,000 (EUR 1,851 representing 0.003% of the offender’s revenue for the preceding year) against a Hungarian employer for sending the tax certificate of an employee to another individual, which constituted a notifiable personal-data breach under the EU's General Data Protection Regulation (GDPR).

Furthermore, the NAIH established that the employer failed to provide data requested by an employee within one month (as required by the GDPR) and did not specify whether it was necessary to extend the deadline.

The NAIH ordered the employer to provide the employee with copies of the requested information and documents within the one-month deadline, including tax, social security and pension reports (T1041 and M30 forms) for the employee, the date and the amount of tax paid by the employee, any missing payment periods, and the employee’s scope of work.

Based on this ruling, CMS recommends that companies ensure that their subject access request procedures are in accordance with the NAIH’s requirements set out in this case and should – in particular – avoid delays in responding to and fulfilling requests for copies of documents. It is clear that merely sending a message to an employee stating that more time is necessary to fulfil the subject-access request is not sufficient to postpone the deadline.

In the second case, the NAIH imposed a fine of HUF 2,000,000 (EUR 6,170 or 0.0027% of the offender’s revenue for the preceding year) on a telco company and another fine of HUF 1,000,000 (EUR 3,085 or 0.013% of the offender’s past year's revenue) on a claim management company as a result of their legitimate interest balancing tests and their decision to choose an incorrect legal basis for processing data for claim management purposes.

In this case, an unknown fraudster used the personal data of the complainant in a telephone call to illegally conclude a subscription, but later failed to pay the service fees. As a result, the telco company refused to conclude a subscription contract with the complainant because its fraud prevention database indicated that the complainant had an outstanding debt.

The telco company had already sold and assigned the underlying claim to the claim management company. The complainant submitted a subject-access request to clarify the accuracy of the data held in the companies’ databases, since the complainant disputed having ever had a contract with the telco or owing it money. The investigation revealed the fraud.

The NAIH established the following general requirements, which every data controller must fulfil:

  • The legitimate interest balancing test must specify the potential fraud and its repeated attempts, how the processing of personal data serves its prevention, and why the data are necessary and relevant for this purpose. Furthermore, the test should weigh the data controller’s interest against the rights and interests of the data subject. The data controller must suspend all data processing until it has prepared a proper test.
  • In case of data processing in connection with the assignment of claims, the appropriate legal basis is typically the legitimate interest of the assignee to enforce the claim.
  • In case of fraud, the data controller must provide the complainant with a copy of the call recording with the fraudster, but it should make the personal data of the people mentioned in the call unrecognisable.

Companies should review their legitimate interest balancing tests and subject access request procedures and make sure they are in line with NAIH’s findings in this case, particularly regarding fraud prevention and the management of assigned claims.

If you have any questions on the above decisions of NAIH, please contact one of our local CMS experts: