The Hungarian Data Protection and Freedom of Information Authority (NAIH) released its annual report on March 31, 2020, regarding the Agency’s activities in 2019, including detailed enforcement statistics.
Despite the unprecedented workflow fluctuation in 2018 and 2019 at NAIH, its resources in budget and staff have grown in the past year and as a result, it handled more cases in 2019 than in previous years. We expect that this trend will continue in the coming years despite the current COVID-19 pandemic and that data protection fines will increase.
In 2019 the NAIH initiated 11,619 new cases involving data protection, freedom of information, and other consultation topics. The number of data protection investigation cases (1,738) has more than doubled, the number of administrative audit cases (568) has increased by 250%, and the number of data protection administrative procedures has more than quadrupled (276) since the previous year. The number of data protection consultation cases, however, has slightly decreased, from 2,409 to 2,053 (a 20% decrease), which is likely due to the NAIH’s “no response” policy, effective since October 2018, under which the NAIH will not respond to data protection consultation requests unless the case is significant. Data controllers made a total of 506 data protection incident reports to the NAIH, which resulted in 52 data protection administrative procedures in 2019.
The NAIH’s investigations focused mainly on secret surveillance and illegal CCTV monitoring; illegal employee e-mail searches in the corporate mailbox; the processing of trademark union membership data; call recording; illegal photography; data retention issues; transparency and communications; privacy compliance in debt collection activities; missing incident management measures or notifications to the NAIH; compliance with data subject rights and requests; and the illegal use of national identifiers. It seems that the NAIH’s activities focus heavily on debt collection agencies and insurance and financial service providers. For instance, the NAIH concluded that Hungarian debt collection agencies are not able to rely on a contractual legal basis to continue to process data following a voluntary assignment and contractual subrogation of debt. This also means that debtors can object against the processing of data if debt collectors use the debtors’ personal data for their debt collection activities, and that debt collectors must conduct and document detailed legitimate interest tests if they process debtors’ personal data. Cases against financial institutions mostly involved data subject complaints related to: (i) the identification of data subjects; (ii) timely responses to data subject requests; and (iii) transparency regarding data retention issues.
The NAIH’s activity report shows that most of the cases handled by the NAIH fell within the scope of GDPR enforcement. The NAIH imposed and collected HUF 113 million (approximately EUR 312,000) in data protection fines in 2019 – almost three times higher than the previous year. The fines are expected to increase again in 2020, because the NAIH announced that it will increase its staff from 104 to 117 and its budget will increase from 3.5 million to 4.5 million euros in 2020. Thus, we expect that the NAIH will be more active regarding the prosecution of data protection violations.
The number of data-protection-related court cases remains low, as in 2019 the NAIH obtained a final decision only in five cases. It is remarkable that that, since the NAIH’s establishment in 2012, it has never once failed to prevail on the merits (i.e., data-protection-substantive-law issues) before courts.
Summarizing the activity report of NAIH, the Hungarian agency has significantly increased its enforcement activities and imposed higher fines since the GDPR became applicable and this trend may continue in 2020. In addition, in 2019 businesses became more and more aware of their data protection obligations, as the NAIH also actively held and sponsored various data protection courses and conferences. However, it has become increasingly difficult to obtain a reliable standpoint on data protection matters or to establish regular working contacts with the NAIH, as the authority’s strict “no response” policy regarding inquiries from businesses remains in effect.
By Adam Liber, Partner, and Tamas Bereczki, Partner, Provaris
