Tue, Jul
55 New Articles

Data Protection Authority Imposes Highest Post-GDPR Fine

Data Protection Authority Imposes Highest Post-GDPR Fine

  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

The Hungarian National Authority for Data Protection and Freedom of Information (the "Authority" or "NAIH") recently imposed a fine of HUF 100m (approx. EUR 285,000) on one of the biggest electronic communication service providers Digi Távközlési Szolgáltató Kft. ("Digi"). This is the highest data protection fine imposed in Hungary since the entry into force of the GDPR and the highest ever fine levied in Hungary for a violation of data protection regulations.

An ethical hacker discovered a vulnerability affecting Digi's website, based on which it was possible to access a "test database" that contained a significant amount of personal and sensitive data of Digi's subscribers (e.g. name, data and place of birth, email address and password, bank account number, willingness to pay). The ethical hacker informed Digi of this vulnerability and Digi took corrective action and submitted a breach notification to the Authority within 72 hours as prescribed by the GDPR.

In the mandatory investigation following the notification of the breach, the Authority examined all relevant circumstances of the case. Digi stated that the test database was created in connection with the correction of an earlier error that made subscribers' personal data inaccessible (Digi's webserver did not reach the database server). Digi did not encrypt the database because it believed that access restriction and provisioning provided sufficient protection of the personal data concerned. However, it turned out that the ethical hacker was able to access Digi's database and the user data of the system administrators.

The Authority found Digi to be in violation of the principle of purpose limitation by not deleting the test database after the troubleshooting process and the correction of system errors. As soon as Digi solved the problem, the purpose of the data processing was eliminated and the test database should have been deleted. Thereby, Digi also violated the storage limitation.

In addition, the Authority established that the cause of the data breach was the lack of appropriate data security. According to an IT expert, the system vulnerability uncovered by the ethical hacker could have easily been filtered out by an application which scrutinises the vulnerability by automatism, which was available on the market. The lack of encryption not only increased the risk of a data breach, but made a substantial amount of personal and sensitive data accessible to unauthorised persons, which could result in identity theft. The involvement of system administrators' user data further increased the severity of the data breach, making it possible to give access to the administration board of the website.

The case has not only highlighted the importance of IT security and the prevention of unauthorised access to personal data as the core part of data protection, but also showed the importance of implementing systems that apply the principles of the GDPR in practice.

By Dorottya Gindl, Attorney at Law, and Daniel Gera, Counsel, Schoenherr

Hungary Knowledge Partner

Nagy és Trócsányi was founded in 1991, turned into limited professional partnership (in Hungarian: ügyvédi iroda) in 1992, with the aim of offering sophisticated legal services. The firm continues to seek excellence in a comprehensive and modern practice, which spans international commercial and business law. 

The firm’s lawyers provide clients with advice and representation in an active, thoughtful and ethical manner, with a real understanding of clients‘ business needs and the markets in which they operate.

The firm is one of the largest home-grown independent law firms in Hungary. Currently Nagy és Trócsányi has 26 lawyers out of which there are 8 active partners. All partners are equity partners.

Nagy és Trócsányi is a legal entity and registered with the Budapest Bar Association. All lawyers of the Budapest office are either members of, or registered as clerks with, the Budapest Bar Association. Several of the firm’s lawyers are admitted attorneys or registered as legal consultants in New York.

The firm advises a broad range of clients, including numerous multinational corporations. 

Our activity focuses on the following practice areas: M&A, company law, litigation and dispute resolution, real estate law, banking and finance, project financing, insolvency and restructuring, venture capital investment, taxation, competition, utilities, energy, media and telecommunication.

Nagy és Trócsányi is the exclusive member firm in Hungary for Lex Mundi – the world’s leading network of independent law firms with in-depth experience in 100+countries worldwide.

The firm advises a broad range of clients, including numerous multinational corporations. Among our key clients are: OTP Bank, Sberbank, Erste Bank, Scania, KS ORKA, Mannvit, DAF Trucks, Booking.com, Museum of Fine Arts of Budapest, Hungarian Post Pte Ltd, Hiventures, Strabag, CPI Hungary, Givaudan, Marks & Spencer, CBA.

Firm's website.

Our Latest Issue