Hungary

Main takeaways


  • Fines can be imposed on authorities and public entities, but with reduced amounts.
  • GDPR fines by DPA are comparatively low.
  • The decisions resulting in the highest fines to date have been appealed – and quite successfully too.
  • Clear criteria for the publishing of fines.
  • Fines > Damages: Fines appear to be significantly more important than damages, possibly due to the cost of, and time involved in, litigation, as well as a certain lack of established judicial practice and visibility as regards data protection cases.

Fining practice

Trend: to date, have the national data protection authorities in Hungary focused on certain types of non-compliance with data protection law, or have the authorities stated that they will investigate certain types of non-compliance more closely in future? Do you see a focus on certain industries/sectors? If so, which ones?

It cannot be clearly stated that there is a tendency of singling out specific personal data processing scenarios. In general, employment-related issues, CCTV, the processing of health data, data processing by banks, insurance companies and debt enforcement organisations, voice recording by customer services, as well as the right to access and withdrawal of consent are the most frequent cases. In terms of types of violation, it can be observed that inappropriate legal bases and a lack of transparency are the leading causes for fines being imposed. Many violations relate to non-compliance with general principles of data processing, especially purpose limitation and data minimisation, and insufficient data security measures. It appears that fines tend to be higher when data protection violations occur in connection with a data breach.

The fines imposed so far do not show any targeted sectors/companies, but are balanced across multiple sectors, including finance, healthcare, telecommunication, education, debt management companies or administrations.

In future, it is expected that the Hungarian Authority for Data Protection and Freedom of Information ("Nemzeti Adatvédelmi és Információszabadság Hatóság", "NAIH") will remain active in investigating complaints and reported or detected data breaches. The NAIH has indicated that in the future it will monitor more closely the processing of data related to the online presence of companies (in particular, the use of cookies).

Overall, what was the most significant fine in Hungary to date (please specify the recipient, the amount, the type of violation, the sector, and provide a brief summary)? Has the fine been challenged in court? If it has: was this successful, or what is the status of the proceedings?

The highest fine for GDPR violation in Hungary was imposed on Budapest Bank on 8 February 2022 in an amount of approx. EUR 653,000 (HUF 250,000,000) due to unlawful AI analysis of customer calls which included assessing the emotional state and other characteristics of the speaker.

The NAIH found that the bank used AI-based speech-signal processing technology to automatically analyse a list of keywords and the emotional state of the customer. The results of the detected keywords and emotions were also stored along with the call, and the calls could be replayed within the voice analytics software for up to 45 days. The software ranked the calls and provided recommendations according to priority of the customers to be contacted.

The NAIH found that the bank’s customer service privacy notice did not contain any substantive information on voice analysis; it only mentioned quality assurance and complaint prevention as the purposes of the voice recording. Further, the bank based the voice analytics on its legitimate interest in retaining customers and improving the efficiency of its internal operations, yet the different data processing operations related to these interests were not separated either in the privacy notice or in the balancing of interest test ("LIA").

The bank's data protection impact assessment ("DPIA") concluded that this processing is high-risk for several reasons. However, the DPIA did not examine the proportionality of the data processing and its effects on data subjects nor provide substantive solutions to address these risks.

The NAIH did not find the use of AI per se to be unlawful. However, the NAIH concluded that Budapest Bank failed to carry out its obligations as a data controller to perform an adequate DPIA and a LIA; therefore, it could neither rely on Article 6(1)(f) nor an alternative legal basis under Article 6(1) of the GDPR, thus leading to a violation of Articles 5(1)(a), 6(1) and 6(4) of the GDPR.

Organisation of authorities, procedure and publicising of fine proceedings

How is the data protection authority organised in Hungary? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?


  • The NAIH is responsible for the enforcement of the GDPR and the Hungarian Act 2011/CXII on Informational Self-determination and Freedom of Information (Infotv.).
  • The NAIH is an autonomous administrative authority with its own legal personality. It does not report to any specific ministry.
  • The NAIH consists of the Cabinets of the President and Vice-President and 9 main departments. The authority’s work is further organised into subgroups, expert subgroups, and taskforces.
  • The NAIH has 108 staff members, including the President and all employees.
  • The annual budget is set out as appropriation in the annual budget law. It is approximately EUR 4.2 million (HUF 1.62 billion) for 2023 as per Act 2022/XXV on the General Budget of Hungary for 2023.

How does a fine procedure work in Hungary? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?


  • NAIH may impose fines directly as part of its administrative proceedings.
  • Administrative proceedings are governed by national law, namely the Act 2016/CL. on the General Law on Administrative Law (Ákr.) and Act 2011/CXII on Informational Self-determination and Freedom of Information (Infotv.).
  • The authority shall initiate proceedings at the request of any individual (data subject) or may initiate proceedings of its own motion. The NAIH has 150 days in which to act. If the facts of the case need further clarification, the NAIH may request that the parties provide more proof/information. The respective data controller or data processor is able to provide a response on both factual and legal aspects of the case, and it must also answer the specific questions asked by the NAIH. The NAIH carefully considers these before reaching its decision, which may, inter alia, involve the imposing of an administrative fine for one or more data protection violations.
  • In specific cases, the NAIH may suspend its official proceedings if it raises an issue which falls within the competence of another body or person or should the NAIH be unable to reasonably decide without another decision or procedure undertaken by the NAIH which is closely related to the given case.
  • To reflect the practicalities raised in recent administrative proceedings, the law now authorises the NAIH to order the erasure of unlawfully processed personal data in a manner specified by the NAIH, or temporarily or permanently restrict the processing of the data.
  • Beyond its powers under the GDPR, the NAIH may oblige hosting providers and intermediary service providers to temporarily remove personal data if the delay in the protection of personal data would cause unavoidable and serious harm to a child, special personal data categories or criminal personal data.
  • Data controllers and data processors may appeal against administrative fines with the competent courts within 30 days of the notification.

When fines are imposed by the data protection authority: Where does the money go? (e.g., the state treasury, the authority's budget)?


  • Data controllers and data processors shall pay the fine to the centralised collection account belonging to the NAIH (the respective decisions contain the precise account information).
  • The fines imposed and collected by the NAIH are transferred to the central government budget in their entirety.

Is there a common, official calculation methodology of fines in Hungary (such as the fining models in the Netherlands or Germany)?


  • There is no publicly available common calculation methodology. The NAIH refers to the Art. 29 Working Party’s WP 253 Guidelines on the application and setting of administrative fines.

Can public authorities be fined in Hungary? If they can: Where does this money go?


  • Yes, the NAIH’s mandate encompasses imposing fines on public authorities for data protection violations, up to a limited amount, as outlined in § 61 (1), (3) of the Hungarian Act 2011/CXII. on Informational Self-determination and Freedom of Information. Concerning budgetary authorities, the fine’s amount may range between approximately EUR 250 – EUR 5,100 (HUF 100,000 – 20,000,000).

In Hungary, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?


  • NAIH may order the publication of its decision in an individual fine case, including the identification of the controller or processor, if: (a) the decision affects a wide range of persons, (b) it was made in the context of the activities of a public body, or (c) the seriousness of the infringement justifies disclosure.
  • NAIH may publish its decisions in other individual fine cases too, by anonymising the identification of the controller or processor and the identifiable circumstances / trade secrets. (In the course of any given proceedings, controllers and processors may provide information in their submissions which they consider to be trade secrets and NAIH should mask these if it decides to publish the underlying decision).
  • NAIH provides information on the commencement of an investigation or procedural steps only in very exceptional cases, usually when investigating a case where the circumstances (such as a potential data breach) became public via the media, and the media suggests that a statement from the NAIH would be welcome.

If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines? What were the annual figures from 2019?


  • In addition to publishing information on individual fine cases, the NAIH also provides aggregated information on the total number of cases and the total amount of fines in its annual reports.
  • In 2021, 1960 initial investigation procedures were in progress with the NAIH (compared to 2400 procedures in 2020 and 738 procedures in 2019). As a result of these initial investigation procedures, the NAIH initiated an official proceeding in 630 cases (compared to 690 cases in 2020 and 568 cases in 2019).
  • The total fines imposed by the NAIH in 2021 were approx. EUR 193,000 (HUF 74,364,000), which is substantially lower than the 2020 amount (approx. EUR 641,027 - HUF 256,411,000).

Other legal consequences of non-compliance

Does Hungary have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?


  • For class actions, the general rules of Act CXXX of 2016 on the Hungarian Code of Civil Procedure apply. According to Section 37 of the above Act, more than one claimant may bring actions, if (i) the judgment would have a material effect on them even if they did not take part in the action, (ii) the claims arise from the same legal relationship, or (iii) the claims arise from a similar factual and legal basis and the jurisdiction of the same court may be established against all the defendants.
  • Up to this point there are no available model declaratory proceedings or class actions under Hungarian data protection law.

What is more relevant in Hungary: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?


  • Court proceedings in the enforcement of GDPR violations are less relevant, overall. The possible reasons for this are litigation costs, longer proceedings, lack of established judicial practice and a lack of visibility as regards data protection cases.
  • The fines imposed by the NAIH are considerably stronger tools, mostly due to the gravity of the fines, their general preventive effect and their visibility.
  • Based on how actively the NAIH pursues data protection infringements, it can be assumed that its role in enforcing the GDPR is going to remain crucial in the foreseeable future.

Key contacts

Dóra Petrányi
Partner
CEE Managing Director, Co-Head of the Technology, Media and Communications Group
Budapest
T +36 1 483 4820

Márton Domokos
Co-ordinator of the CEE Data Protection Practice, CMNO
Budapest
T +36 1 483 4824

Katalin Horváth
Senior Counsel
Budapest
T +36 1 483 4897