Denied data subject access request: first GDPR fine in Hungary

Share on facebook
Share on twitter
Share on linkedin

Denied data subject access request: first GDPR fine in Hungary

The Hungarian National Authority for Data Protection and Freedom of Information (the ‘NAIH’) recently issued a decision dealing with breaches of data protection rules set by the European General Data Protection Regulation (the ‘GDPR’), namely Article 15 of the GDPR on the right of access of the individual.

For the first time since the effectivity of the new regulation, the Authority also imposed a fine on the data controller, amounting to 1,000,000 HUF (approx. EUR 3,100).

The facts

An individual visited the data controller’s office in person and asked to inspect certain documents related to a dispute. The company refused the request, and the individual requested a copy of relevant CCTV recordings as evidence in the litigation regarding its claim. The company refused the request, arguing that the recordings did not support the individual’s claims, but only proved that he was present in a given place at a given time, as the cameras did not record sound. As it turned out, the company even deleted the recording afterwards. The individual then turned to the Authority and launched a data protection proceeding against the infringing company.

The decision

After reviewing this case, NAIH found that the company infringed the individual’s right of access, and set forth the following principled regarding access requests:

  1. the data controller cannot request any justification from an individual making a data request;
  2. the data controller is not in a position to determine whether the required data would be necessary for the individual’s litigation purposes.
The fine that was imposed by the Hungarian supervisory authority represents 6.5 % of the data processor’s annual net sales revenue. The NAIH considered the following circumstances when determining the amount of the fine:
  1. the nature of the breach;
  2. the fact that the deleted recordings could not be recovered;
  3. the fact that this was the company’s first infringement under the GDPR;
  4. the net sales revenue of the company in the preceding year was HUF 15.3
    million (EUR 48,000).

The bottom line

A key takeaway from this new decision is that companies in Hungary and around Europe should update their procedures and policies regarding SARs (Subject Access Requests). The supervisory authorities around Europe are ramping up their actions against companies infringing the rights of individuals, as evidenced by the recent decision of the Information Commissioners Office.

Take action now with our Business solution, which makes it super simple to handle subject access requests at scale, while also showcasing transparency and trust to your clients!

Shopping Basket