First GDPR violation fine imposed in Hungary

The Hungarian National Authority for Data Protection and Freedom of Information (NAIH) has issued a penalty fine for the violation of GDPR for the first time. According to Dániel Ódor, Head of Taylor Wessing Budapest’s Data Protection team, the decision, although far from revolutionary, does shed some light on the Authority’s evolving approach and market players are well advised to take the necessary steps to avoid a similar fine.

The first case

The HUF 1 million fine was imposed by NAIH after the applicant filed a complaint claiming that his rights to access his personal data were infringed. The applicant submitted a request to the company to view and obtain a copy of a security camera recording showing him at the company’s reception. He asked the company not to delete the recording for five years claiming that he needed it in unrelated legal disputes.

The company denied the request, arguing that they had no legal obligation to comply as the applicant failed to verify a legal interest that could have compelled them to comply based on Hungarian statutory law.

NAIH agreed with the complaint that the applicant filed following the incident and imposed a fine. The experts of Taylor Wessing Budapest’s Data Protection team believe that the decision is not only important as it is the first NAIH fine imposed following the entering into force of GDPR but also because it is an indicator of what attitude to expect from the authority in the coming years.

What does this decision mean?

In its decision, NAIH confirmed that even though the relevant Hungarian statute requires the user to verify its legal interest when making such requests (i.e. connected to CCTV recordings), GDPR, which does not impose such a burden on the person whose data are concerned, is directly applicable here and the relevant Hungarian statute cannot form the basis for denying the request.