
Data Protection Authority Imposes Highest Post-GDPR Fine


The Hungarian National Authority for Data Protection and Freedom of Information (the "Authority" or "NAIH") recently imposed a fine of HUF 100m (approx. EUR 285,000) on one of the biggest electronic communication service providers, Digi Távközlési Szolgáltató Kft. ("Digi"). This is the highest data protection fine imposed in Hungary since the entry into force of the GDPR and the highest ever fine levied in Hungary for a violation of data protection regulations.

An ethical hacker discovered a vulnerability affecting Digi's website, through which it was possible to access a "test database" that contained a significant amount of personal and sensitive data of Digi's subscribers (e.g. name, date and place of birth, email address and password, bank account number, willingness to pay). The ethical hacker informed Digi of this vulnerability, and Digi took corrective action and submitted a breach notification to the Authority within 72 hours as prescribed by the GDPR.

In the mandatory investigation following the notification of the breach, the Authority examined all relevant circumstances of the case. Digi stated that the test database was created in connection with the correction of an earlier error that made subscribers' personal data inaccessible (Digi's webserver did not reach the database server). Digi did not encrypt the database because it believed that access restriction and provisioning provided sufficient protection of the personal data concerned. However, it turned out that the ethical hacker was able to access Digi's database and the user data of the system administrators.

The Authority found Digi to be in violation of the principle of purpose limitation by not deleting the test database after the troubleshooting process and the correction of system errors. As soon as Digi solved the problem, the purpose of the data processing ceased to exist and the test database should have been deleted. Digi thereby also violated the principle of storage limitation.

In addition, the Authority established that the cause of the data breach was the lack of appropriate data security. According to an IT expert, the system vulnerability uncovered by the ethical hacker could easily have been detected by an automated vulnerability-scanning application that was available on the market. The lack of encryption not only increased the risk of a data breach, but also made a substantial amount of personal and sensitive data accessible to unauthorised persons, which could result in identity theft. The involvement of system administrators' user data further increased the severity of the data breach, as it made it possible to gain access to the website's administration interface.

The case has not only highlighted the importance of IT security and the prevention of unauthorised access to personal data as the core part of data protection, but also showed the importance of implementing systems that apply the principles of the GDPR in practice.

By Dorottya Gindl, Attorney at Law, and Daniel Gera, Counsel, Schoenherr
