Hungary's data protection authority levies two EUR 3100 fines for privacy violations
The Hungarian data protection authority (NAIH) imposed fines against a financial institution and a local government office for the improper processing of the data of private citizens.
In the first case, the NAIH levied a fine of EUR 3100 against an unnamed financial institution for unlawfully rejecting a customer’s request to have his phone number erased after arguing that it was in the company's legitimate interest to process this data in order to enforce a debt claim against the customer. As per the law, the assessed fine was based on 0.025% of the company's annual net revenue.
Phone numbers and balancing tests
In its decision, the NAIH emphasised that the customer’s phone number is not necessary for the purpose of debt collection because the creditor can also communicate with the debtor by post. Consequently, keeping the phone number of the debtor was against the principles of data minimisation and purpose limitation.
In its proceedings, the NAIH also reviewed the legitimate interest-balancing test prepared by the financial institution, which was the first time that the NAIH had looked into the details of such a test. As a result, companies are advised to review their balancing tests and modify them according to the NAIH’s following findings:
- Separate data processing purposes require separate balancing tests. The financial institution in the proceedings documented the balancing test only for processing the customer’s phone number for customer service development, but not for claims enforcement.
- Pure economic interests or convenience cannot override the interests of the customer. According to the NAIH, customers react and make decisions immediately in the case of phone calls. Therefore, phoning is a larger intrusion into their privacy than receiving posted mail.
- The balancing test must properly identify the interests of customers. The financial institution misleadingly stated that other contact methods incur more costs for both it and the customer.
- The test must not contain additional reasons for data processing. It was excessive when the financial institution also indicated that the purpose of the phone calls was for an assessment of claim enforcement.
- A general description of safeguards or mere references to or recommendations about applicable policies are not in a customer's legitimate interest.
Tax IDs cannot be used as client identifiers
According to the NAIH, companies cannot use an individual's tax ID for identification because processing it is a violation of the GDPR's data minimisation principle. In its ruling, the NAIH emphasised that private entities can only process tax IDs with the prior written consent of the client or to fulfil their data provision obligations to the tax authority.
Based on this NAIH decision, Hungarian companies should check their client identification procedures and make changes if this routine involves tax ID numbers.
In the second case involving whistleblowing, the NAIH imposed a fine of EUR 3,100 on a local government after an employee of an organisation that it supervised reported a public interest complaint directly to it against his employer. After the organisation learned of the complaint, it requested details in order to investigate, and the local government accidentally revealed the complainant's name. The NAIH considered it an aggravating factor that as a result of the data breach, the organisation fired the person who made the report.
For more information on these decisions and data protection regulations in Hungary, please contact one of the following local CMS experts: Dora Petranyi, Katalin Horvath and Marton Domokos.