Hungary: What Can We Learn from the Annual Report of the Hungarian DPA (NAIH)

Hungary: What Can We Learn from the Annual Report of the Hungarian DPA (NAIH)

  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

The Hungarian National Authority for Data Protection and Freedom of Information (NAIH) recently published its annual report for 2021, which contains some useful information for data controllers.

In 2021, NAIH opened a total of 56 ex officio investigations and official proceedings in relation to the GDPR and 2,161 new investigations and official proceedings in response to complaints (of which 184 were related to a data breach). This shows that the overwhelming majority of procedures are initiated by request. This may be due to the limited capacity of the NAIH and to the fact that, due to growing awareness of privacy rights and concerns, more and more individuals are turning to the NAIH for help with alleged or actual breaches of their personal data.

In view of this trend, data controllers are well advised to pay increased attention to data protection compliance. Compliance with the GDPR is becoming an increasingly important factor in processing the personal data of data subjects (e.g. employees, customers) and includes the need to comply with the prior information obligation, to clarify the purposes and legal bases of the data processing and the scope of the data, to properly document consents and to prepare the test for balancing the interests of controllers and data subjects required by the GDPR. In relation to the latter, it should be stressed that the NAIH analyses the content of the balancing tests in detail particularly often. A balancing test must be carried out in all cases where the legal basis for the processing is the legitimate interest of the data controller or a third party (Article 6(1)(f) GDPR). The  authorities have a great deal of experience in preparing balancing tests, and knowledge of such tests is necessary for a thorough and appropriate assessment of the interests involved. The NAIH critically examines when the controller carried out the balancing test (whether the test precedes the start of data processing) and whether the data controller has properly weighed the various aspects (relevance of its legitimate interest, rights and freedoms of the data subject, necessity and proportionality and other principles of the GDPR). 

In its 2021 report, the NAIH underlines that drawing up a document (e.g. the balancing test) does not in itself constitute compliance with the obligations. For example, in the description of the most significant Hungarian case to date (250 million HUF) involving the use of artificial intelligence by a bank, the NAIH emphasised that the content of the documentation did not meet the requirements. The bank only documented that the data processing was necessary to pursue its interest but did not actually examine proportionality and the data subjects’ interests, while trivialising the significant risks to fundamental rights.

The NAIH also mentions the shortcomings of a test of balancing of interests in its description of another significant case (concerning an investigation into the fundraising activities of a foundation). Here, the NAIH describes how the balancing test failed to consider the rights and freedoms of data subjects and to include an analysis of the impact of the processing on data subjects and a justification of why the interests of the foundation prevailed over these. 

The NAIH's report also shows that in many cases, data controllers do not carry out a proper risk assessment in the event of a personal data breach (incident). In a number of cases, data controllers classified a higher-risk incident as risk-free and thus failed to notify the data subject, i.e. failed to comply with the obligations imposed by the GDPR in relation to high-risk incidents. In many cases, the NAIH was only notified of high-risk incidents via a public interest notification, as in many cases the data controllers themselves were not even aware of the incident or had not identified the incident as a personal data breach. It should be kept in mind that the NAIH will assess the failure to notify the personal data breach as an aggravating factor in its proceedings.

A number of recommendations and guidelines have been produced in the context of incident classification and related risk assessment. At the initiative of the NAIH, the European Data Protection Board (EDPB), developed its Guideline 1/2021, which contains a practical description of typical data breaches.

By Emese Simon, Senior Associate, and Edina Czegledy, Counsel, Noerr