First GDPR violation fine imposed in Hungary

The Hungarian National Authority for Data Protection and Freedom of Information (NAIH) has issued a penalty fine for the violation of GDPR for the first time. According to Dániel Ódor, Head of Taylor Wessing Budapest’s Data Protection team, the decision, although far from revolutionary, does shed some light on the Authority’s evolving approach and market players are well advised to take the necessary steps to avoid a similar fine.

The first case

The HUF 1 million fine was imposed by NAIH after the applicant filed a complaint claiming that his rights to access his personal data were infringed. The applicant submitted a request to the company to view and obtain a copy of a security camera recording showing him at the company’s reception. He asked the company not to delete the recording for five years claiming that he needed it in unrelated legal disputes.

The company denied the request, arguing that they had no legal obligation to comply as the applicant failed to verify a legal interest that could have compelled them to comply based on Hungarian statutory law.

NAIH agreed with the complaint that the applicant filed following the incident and imposed a fine. The experts of Taylor Wessing Budapest’s Data Protection team believe that the decision is not only important as it is the first NAIH fine imposed following the entering into force of GDPR but also because it is an indicator of what attitude to expect from the authority in the coming years.

What does this decision mean?

In its decision, NAIH confirmed that even though the relevant Hungarian statute requires the user to verify its legal interest when making such requests (i.e. connected to CCTV recordings), GDPR, which does not impose such a burden on the person whose data are concerned, is directly applicable here and the relevant Hungarian statute cannot form the basis for denying the request.

GDPR overrules national law

The correctness of the legal argument underlying NAIH’s decision is hard to deny. Part of GDPR’s importance is exactly the fact that it is directly applicable, and – unless expressly enabled by the regulation – national laws may not undermine the protection it grants to data subjects all around the EU.

Market players are, however, hard-pressed to comply with GDPR when national legislation is not in full harmony with its provisions, as is many times the case in Hungary.

“NAIH’s recent decision is especially important because it firmly confirms the primacy of GDPR over national legislation, providing data subjects, controllers, and processors alike with a much-needed guidance on how to behave when the GDPR and national legislation seems to be in contradiction with one another. Although a bill recently submitted to Parliament aims to reduce the number of such contradictions, some will likely remain, and NAIH seems unhesitant to apply GDPR’s harsher rules. As such, companies who so far refrained from changing their practices on the assumption that Hungarian law provides them some cover, should act decisively now, before it becomes too late,” warned dr. Dániel Ódor, Head of Taylor Wessing Budapest’s Data Protection team.

Source: Taylor Wessing