Data protection is a cornerstone of the digital era, underpinning trust and security. The 2024 annual report of the National Authority for Data Protection and Freedom of Information (NAIH) illustrates how the Hungarian authority safeguards individuals’ rights, taking stringent action against violations. A total of HUF 335,383 million in fines was imposed, emphasizing the critical importance of data protection. This article provides a detailed analysis of the report’s most significant cases resulting in fines, offering insights and practical recommendations for businesses, public institutions, and individuals.
1. Artificial Intelligence (AI) and Data Protection: Banking Sector Investigation [NAIH-13860/2024]
Background
The NAIH conducted a targeted investigation into AI-based data processing in the Hungarian banking sector, focusing on the handling of customer data and the transparency of decision-making algorithms. The investigation was driven by the EU Artificial Intelligence Regulation (2024/1689) and the work of the European Data Protection Board (EDPB) on AI-related issues.
NAIH Findings
– Several banks’ AI systems failed to ensure transparency, particularly in automated decision-making (GDPR Article 22).
– Affected individuals were not adequately informed about the operation of AI algorithms or the logic behind decisions.
– The NAIH emphasized the importance of data minimization and proportionality when handling sensitive data, such as financial information.
– Fine: While the specific fine for this case was not detailed, the banking sector investigations resulted in fines totaling tens of millions of HUF for breaches of transparency and information obligations.
Lessons and Recommendations
– Organizations using AI must clearly communicate how algorithms function and ensure the possibility of human review.
– A Data Protection Impact Assessment (DPIA) is required for high-risk AI systems.
– Lack of transparency can lead to fines, so seeking expert support is advisable.
2. Data Breach: Lack of Access Controls
Background
A data controller suffered a data breach due to inadequate access controls, such as the absence of two-factor authentication. Sensitive customer data was accessed by unauthorized parties, posing significant risks. The NAIH investigated the adequacy of data security measures.
NAIH Findings
– The data controller violated GDPR Article 32 by failing to implement appropriate technical and organizational measures.
– The absence of two-factor authentication increased the risk of the breach, which could have been prevented with appropriate access controls.
– The NAIH highlighted the need for regular system reviews and vulnerability assessments.
– Fine: The data controller was ordered to pay a HUF 20 million fine for security deficiencies and the high-risk breach.
Lessons and Recommendations
– Implement robust security measures, such as two-factor authentication.
– Conduct regular vulnerability assessments and maintain logs for breach traceability.
– Develop an incident response protocol to enable swift action.
3. Workplace Surveillance: Unlawful Data Processing
Background
An employer operated surveillance cameras without informing employees, recording areas where monitoring was unjustified, such as changing rooms. The NAIH investigated the lawfulness of the surveillance following a complaint.
NAIH Findings
– The employer breached GDPR transparency and lawfulness principles (Article 5) by failing to inform employees.
– Camera placement was disproportionate, capturing areas where privacy should be protected.
– Workplace surveillance may only be based on legitimate interest (GDPR Article 6(1)(f)), subject to strict conditions.
– Fine: The employer was fined HUF 15 million for failing to meet information obligations and engaging in disproportionate data processing.
Lessons and Recommendations
– Employees must be informed about camera use, specifying locations and purposes.
– Avoid monitoring privacy-sensitive areas.
– Conduct a DPIA before deploying surveillance systems.
4. Healthcare Data Processing: Denial of Access Rights
Background
A private healthcare provider denied a patient access to their medical records, claiming the data was only available via the Electronic Healthcare Service Space (EESZT). The patient was unable to use EESZT and received no alternative access. The NAIH investigated the violation of access rights (GDPR Article 15).
NAIH Findings
– The provider breached GDPR Article 15 by failing to provide access and violated information obligations (GDPR Articles 13-14).
– Relying solely on EESZT does not exempt providers from ensuring direct access.
– The provider’s data processing notice was inadequate.
– Fine: The provider was fined HUF 10 million for denying access rights and failing to provide proper information.
Lessons and Recommendations
– Prepare a clear data processing notice detailing data subjects’ rights and access methods.
– Ensure direct access, especially for those unable to use EESZT.
– Regular staff training is recommended to prevent violations.
5. Failure to Comply with Central Public Data Registry Obligations
Background
A budgetary institution failed to meet its data submission obligations to the Central Public Data Registry, which ensures transparency of public funds. The NAIH initiated proceedings under Infotv. Section 30(2a).
NAIH Findings
– The institution violated Infotv. transparency requirements by not publishing financial data.
– Transparency of public funds is a fundamental societal interest, and failure to comply is a serious breach.
– The institution could not justify the non-disclosure.
– Fine: The NAIH imposed a HUF 50 million fine, the maximum for transparency violations.
Lessons and Recommendations
– Public entities must proactively publish financial data.
– Designate a responsible person and establish internal policies for data submission.
– Expert support can help ensure compliance.
6. Unlawful Processing of Detainee Data
Background
In a correctional facility, staff unlawfully shared a detainee’s personal data with a third party without legal basis during document checks. The NAIH investigated the processing under Infotv.
NAIH Findings
– The facility breached Infotv. and GDPR Article 5 principles of lawfulness and purpose limitation, as the data sharing was unnecessary.
– No adequate internal policies existed, and staff lacked data protection training.
– The detainee was not informed, violating transparency.
– Fine: The facility was fined HUF 8 million for unlawful processing and failure to inform.
Lessons and Recommendations
– Strict policies are required for handling sensitive data.
– Staff data protection training is essential.
– Data sharing must be based on legal authorization.
7. Covert Audio Recordings: Public Education Institution Case
Background
A parent covertly recorded a teacher during a parent-teacher meeting, intending to use it as evidence. The NAIH examined the recording’s GDPR compliance.
NAIH Findings
– A person’s voice is personal data, and recording it constitutes processing (GDPR Article 4).
– The “household exemption” did not apply, because the recording was made to be used as evidence; the processing therefore fell within the scope of the GDPR.
– The recording violated transparency and lawfulness principles (GDPR Article 5).
– Fine: No fine was imposed in this case, but similar cases involving unlawful public disclosure resulted in HUF 5-10 million fines.
Lessons and Recommendations
– Covert recordings are risky and lawful only with a valid legal basis.
– Schools should establish policies for such situations.
– Legal advice can help avoid fines.
Conclusion and Recommendation
The NAIH 2024 report underscores the severe consequences of data protection violations, evidenced by the HUF 335,383 million total fines and individual penalties ranging from HUF 8-50 million. Cases involving AI-based processing, data breaches, workplace surveillance, healthcare data, public data transparency, and detainee data highlight the necessity of compliance. The NAIH’s strict enforcement serves as a reminder for organizations to proactively address data protection obligations.
Recommendation: To avoid NAIH fines, engaging expert assistance is advisable. A law firm specializing in data protection, with extensive experience in GDPR and Infotv. compliance, incident management, and impact assessments, can provide support. For inquiries, the firm’s contact details are available to help ensure secure and lawful data practices.
Dr. Miklós Péter, GDPR lawyer