02
Fri, May
36 New Articles

Recent Trends in Data Protection Enforcement in Hungary

Recent Trends in Data Protection Enforcement in Hungary

Hungary
Tools
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

The Hungarian Data Protection and Freedom of Information Authority (NAIH) released its annual report on March 31, 2020, regarding the Agency’s activities in 2019, including detailed enforcement statistics.

Despite the unprecedented workflow fluctuation in 2018 and 2019 at NAIH, its resources in budget and staff have grown in the past year and as a result, it handled more cases in 2019 than in previous years. We expect that this trend will continue in the coming years despite the current COVID-19 pandemic and that data protection fines will increase.

In 2019 the NAIH initiated 11,619 new cases involving data protection, freedom of information, and other consultation topics. The number of data protection investigation cases (1,738) has more than doubled, the number of administrative audit cases (568) has increased by 250%, and the number of data protection administrative procedures has more than quadrupled (276) since the previous year. The number of data protection consultation cases, however, has slightly decreased, from 2,409 to 2,053 (a 20% decrease), which is likely due to the NAIH’s “no response” policy, effective since October 2018, under which the NAIH will not respond to data protection consultation requests unless the case is significant. Data controllers made a total of 506 data protection incident reports to the NAIH, which resulted in 52 data protection administrative procedures in 2019.

The NAIH’s investigations focused mainly on secret surveillance and illegal CCTV monitoring; illegal employee e-mail searches in the corporate mailbox; the processing of trademark union membership data; call recording; illegal photography; data retention issues; transparency and communications; privacy compliance in debt collection activities; missing incident management measures or notifications to the NAIH; compliance with data subject rights and requests; and the illegal use of national identifiers. It seems that the NAIH’s activities focus heavily on debt collection agencies and insurance and financial service providers. For instance, the NAIH concluded that Hungarian debt collection agencies are not able to rely on a contractual legal basis to continue to process data following a voluntary assignment and contractual subrogation of debt. This also means that debtors can object against the processing of data if debt collectors use the debtors’ personal data for their debt collection activities, and that debt collectors must conduct and document detailed legitimate interest tests if they process debtors’ personal data. Cases against financial institutions mostly involved data subject complaints related to: (i) the identification of data subjects; (ii) timely responses to data subject requests; and (iii) transparency regarding data retention issues.

The NAIH’s activity report shows that most of the cases handled by the NAIH fell within the scope of GDPR enforcement. The NAIH imposed and collected HUF 113 million (approximately EUR 312,000) in data protection fines in 2019 – almost three times higher than the previous year. The fines are expected to increase again in 2020, because the NAIH announced that it will increase its staff from 104 to 117 and its budget will increase from 3.5 million to 4.5 million euros in 2020. Thus, we expect that the NAIH will be more active regarding the prosecution of data protection violations.
The number of data-protection-related court cases remains low, as in 2019 the NAIH obtained a final decision only in five cases. It is remarkable that that, since the NAIH’s establishment in 2012, it has never once failed to prevail on the merits (i.e., data-protection-substantive-law issues) before courts.

Summarizing the activity report of NAIH, the Hungarian agency has significantly increased its enforcement activities and imposed higher fines since the GDPR became applicable and this trend may continue in 2020. In addition, in 2019 businesses became more and more aware of their data protection obligations, as the NAIH also actively held and sponsored various data protection courses and conferences. However, it has become increasingly difficult to obtain a reliable standpoint on data protection matters or to establish regular working contacts with the NAIH, as the authority’s strict “no response” policy regarding inquiries from businesses remains in effect.

By Adam Liber, Partner, and Tamas Bereczki, Partner, Provaris

Hungary Knowledge Partner

DLA Piper is a global law firm with lawyers located in more than 40 countries throughout the Americas, Europe, the Middle East, Africa, and Asia Pacific. This positions us to help clients with their legal needs around the world.

With more than 60 lawyers, including 14 partners, and a staff of over 140, DLA Piper Hungary is one of the largest international law firms operating in Hungary. What makes us stand out is that we offer not only legal services but also tax and business advisory support in a fully integrated manner. We maximize synergies between legal, tax, and business advisory services to offer a unique service for our clients, particularly in regulated industries such as energy, infrastructure, life sciences, banking, and telecommunications.

We are a true full-service firm, providing our private and public sector clients with advice on all aspects of their business. This includes transaction-related advice, people and employment, commercial dealings, litigation, information technology, media and communications, intellectual property, insurance, tax, real estate, and restructuring plans.

DLA Piper Hungary has received numerous professional awards and is consistently ranked among the top law firms in Hungary by international rankings. We are ranked #1 by Mergermarket among the law firms active in Hungary based on the volume of M&A deals handled between 2005 and 2024.

Firm's website.

Our Latest Issue