Hungarian authority fines data controller EUR 7,500 data breach and rules free online services not suitable for high-risk processing

In the latest decision of the National Authority for Data Protection and Freedom of Information (NAIH), a data controller for a political party, responsible for a data breach where six Excel files were made publicly available through a file-sharing site, must pay a fine of HUF 3 million (EUR 7,500) for infringing data-security provisions of the EU's General Data Protection Regulation (GDPR) and failing to cooperate with the Authority. The breached Files contained a list of personal data (e.g. names, telephone numbers, email addresses, addresses, ID card numbers) of political party members and the party’s operational data. In total, the breach affected approximately 2,000 data subjects.

In the present case, the Authority found that the personal data of members, supporters and activists associated with the political party constituted high-risk processing, according to recital 75 of the GDPR, which states that processing data inked to political opinion should be considered inherently risky. In this context, the GDPR also considers it a risk if the processing could lead to discrimination or if the processing involves a large number of data subjects. The processing that could give rise to identity theft or misuse is also considered to be a risk under the GDPR.

The range of data in the Files made it possible to identify those who are sympathetic to a political party and perform different tasks in its operation. The way the Files were processed resulted in high-risk for the privacy of the data subjects, since membership of a political organisation, even past membership, reflects the political opinions of the individual. Data concerning political opinions fall into a special category of personal data under Article 9(1) of the GDPR and are subject to stricter rules. The data controller in this case gave senior party officials and activists access to the Files through a link. As a result, thousands of data subjects were able to access the Files online at the same time without restrictions. The Authority found in this context that free online services that allow users to create and edit files online while interacting with other users in real time do not meet a level of data security proportionate to the risks posed by high-risk processing since files from these online services can be easily exported and saved to the personal computers of users without any access control.

Despite repeated requests for information, the data controller failed to demonstrate to the Authority exactly what measures were taken to ensure that the controller's data processing complied with the relevant provisions of the GDPR for handling a data breach.

Aggravating and mitigating circumstances

In the imposition of fines, the Authority assessed the following as aggravating circumstances:

• the data breaches concerned personal data of a large number of data subjects;
• the data security weaknesses arose in relation to data processing where special categories of personal data on political opinions were processed together with contact details;
• the data breaches were considered a systemic problem as the incident was not the result of a single security breach; and
• the data controller failed to cooperate with the Authority during the investigation.

Mitigating circumstances included:

• the Authority was not aware of any information in the course of the procedure indicating that the data subjects had suffered any specific harm or damage as a result of the infringement; and
• the NAIH also considered that the controller had no history of previous infringements in the processing of personal data.

The fact that the Authority was made aware of the breach through an incident report was not explicitly taken into account as a mitigating circumstance.

What can data controllers do to avoid fines?

In terms of precautions to avoid possible fines, data controllers should consider the following measures:

• files should be processed and stored in an internal system (e.g. dedicated server) or in a reputable, safe cloud service with state-of-the-art encryption and traceable access controls (e.g. password protection with access control and internal logging);
• public word-processing applications should be avoided for sensitive data;
• always cooperate with the Authority following the notification of a data breach;
• the negative impact of the incident should be minimised as much as possible.

For more information on data protection regulations in Hungary, contact your CMS client partner or local CMS experts.

The article was co-authored by Daniella Huszár.