This year the National Authority for Data Protection and Freedom of Information (hereinafter: NAIH, or the Authority) celebrates the 10th anniversary of its establishment and has published its 2021 Activity Report (“The National Authority for Data Protection and Freedom of Information’s Activity Report for 2021”, the full report is available here). In this article, we briefly review the 9 major data protection cases covered by the Authority in the report and summarise the key lessons and our observations.
1. Application of artificial intelligence to the analysis of customer service voice recordings (NAIH-7350/2021., NAIH-85/2022.)
At a bank, a customer service phone line was recorded, and voice analytics software was used to automatically analyse the speaker’s emotional state, mood and use of certain keywords in the audio of the calls using speech signal processing based on artificial intelligence. Based on the analysed parameters, the voice analysis software compiled a list of recorded conversations according to specific criteria. The bank stated the purpose of data processing in quality control and complaint prevention, and the legal basis of data processing in the legitimate interest of retaining customers and increasing the efficiency of its internal operations, and did not inform customers about voice analysis, and thus profiling and automated decision-making, in its data processing notice, thus excluding the right of data subjects to object to data processing and violating the requirement of informing data subjects under the GDPR. Furthermore, the bank did not carry out a proper balancing of interest test, it only determined that the processing was necessary to pursue its legitimate interest and did not actually examine proportionality or the data subject’s side. The Authority also imposed a sanction of a 250 million HUF data protection fine on the bank.
Observations and lessons learned from the case:
Due to the fact that AI typically does not require human intervention or requires very limited human intervention, it poses specific data protection risks, and it is therefore essential that data controllers consult the designated Data Protection Officer (DPO) or the Authority before implementing AI-based processing. In the context of the legitimate interest legal ground, it is important to stress that it is not intended to allow a controller to process personal data for any reason in the absence of other legal grounds for not doing so.
2. The lawfulness of data processing in the context of fundraising activities of NGOs: possible legal bases, information obligations (NAIH-3211/2021.)
One foundation was looking for people to fundraise for it, who could potentially donate. The legal basis for the processing was Article 6(1)(e) of the GDPR, which states that the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, and Government Regulation No. 350/2011 (XII. 30.) on certain issues of management, fundraising and public benefit of non-governmental organisations. The Foundation sent a new letter of information by post to donors 3 months after the cheque was paid, in case they had not previously requested the deletion of their personal data. The legal basis for the processing of data for the purpose of recruiting funders was the legal basis under Article 6(1)(e) of the GDPR, and the Foundation underlined that it had a legitimate interest in the processing. In its privacy notice, the Foundation indicated the legal basis for processing as the consent of the data subjects. However, the Foundation did not identify any legal provision requiring it to perform a public task, as the legislation it cites does not provide for such a task, nor did the Foundation justify the consent of the data subjects to the processing. The Authority found that the Foundation had processed the personal data of its donors without a valid legal basis in order to contact the data subjects after the donation, as the consent lacked the necessary content to be valid.
Observations and lessons learned from the case:
The lawfulness of processing can be established if the controller has a valid legal basis for processing the personal data for all processing purposes and if the data subject has been given adequate information and choice as to the purposes for which the personal data will be processed. The principle of accountability for obtaining the data subject’s consent applies, i.e. the controller must be able to demonstrate that the data subject’s consent has been obtained properly and validly.
3. Customer satisfaction survey based on legitimate interest (NAIH-2857/2021)
After the requesting party had his vehicle inspected/serviced by the defendant as a professional service, he provided the requested party with his e-mail address. To this e-mail address, he received an e-mail from the requested party to measure his satisfaction, on the basis of which he expressed his opinion. He subsequently received an unsolicited e-mail to this e-mail address requesting him to complete a satisfaction questionnaire in relation to the above, followed by another e-mail requesting him to complete the questionnaire again due to his lack of response. The emails did not come from the requested party, but from a third-party sender who could not be identified by the requesting party. The requesting party’s consent to the transfer was not sought and was not informed. According to the facts revealed during the NAIH’s investigation, the e-mails in question were sent by the importer, who had a contractual relationship with the requesting party, through a data processor, and therefore the data controller for the e-mail in question was not the requested party but the importer. The importer could not substantiate how the data it was processing were related to the stated purposes of satisfaction measurement and complaint handling. A data protection fine of 5 million HUF was imposed in the case.
Observations and lessons learned from the case:
The processing of personal data of an unnecessary nature and in excessive amounts for the purposes of the processing infringes the principle of data minimisation, and the lawfulness of the processing and the legitimate interest of the controller under Article 6(1)(f) of the GDPR as the legal basis for the processing cannot be established, since the processing of personal data that are unnecessary, excessive, not necessary for the purpose of the processing and not adequate for that purpose constitutes a disproportionate intrusion into the rights and freedoms of data subjects and a risk to their privacy. The processing of personal data which is not necessary for the purposes for which the processing is carried out and which is not based on a legitimate interest of the controller which is not duly substantiated and justified may constitute an infringement of the law and may lead to the imposition of a data protection fine.
4. Data processing in relation to the condominium camera system (NAIH-5896/2021., previous case numbers: NAIH/2019/3200., NAIH/2020/1000.)
An important finding of the decision concerns the legal basis for the processing of data. The condominium cited Section 25 of the Condominium Act – the number of votes required to decide on the installation of cameras – as the legal basis for the processing of data in connection with the camera system. However, the Authority disagreed with this, as it considered that the legal basis for the processing could be that of a legitimate interest within the meaning of Article 6(1)(f) of the GDPR. This is because the interest of the condominium as data controller and of the owner with at least two thirds of the total ownership may, in certain circumstances, override the right to the protection of personal data of the owners who did not vote in favour of the camera system, taking into account the result of the vote. Moreover, given that in the case under investigation, some of the condominium’s cameras also monitored public areas and the condominium did not use any solutions to block public areas, the Authority concluded that the condominium operated public area surveillance cameras without legal basis. The Authority censured the condominium for the infringements and ordered it to continue its data processing in relation to the camera surveillance if it wishes to do so lawfully, on the basis of an appropriate legal basis, after carrying out the necessary balancing of interests, in compliance with the legal basis requirements under Article 6(1)(f) of the GDPR, and not to operate public surveillance cameras, i.e. to cease data processing in relation to these cameras or to change the angle of view of the cameras.
Observations and lessons learned from the case:
The data controller is entitled to extend the camera surveillance to the immediate vicinity of the area owned by the data subject, subject to appropriate technical or organisational measures, such as the use of a cordon to cover an area not relevant for the purpose of the surveillance. However, in the case of a controller who does not use public area masking solutions or who operates a camera system specifically targeting public areas, the controller must apply all the provisions of the GDPR for data controllers, must base its processing on an appropriate legal basis.
5. Unlawful disclosure of a sound recording – unlawful processing of personal and special personal data of a minor data subject (NAIH-1743/2021)
In a kindergarten, a recording of a conversation was secretly made without the consent of the parent of the child named in the audio recording, and then posted on a Facebook group, in which information was given about the personal and specific health condition of a child in the kindergarten class. The recording was removed from the Messenger group but sent to three other people by email. According to the person who made the recording, the reason for making the recording was that it included professional information that was difficult to recall later, and the purpose of posting the recording was to inform other parents that a child with a medical condition was attending their group and that this information was in the child’s best interest. However, in its decision, the Authority found that the purpose of the sharing of the recording as stated by the respondent could not be considered a legitimate purpose under the GDPR and that the processing of the data by sharing the recording was without legal basis. The Authority issued a warning to the recorder for the infringements.
Observations and lessons learned from the case:
The GDPR provides enhanced protection for special categories of personal data, including the personal data of children as data subjects. When processing such personal data, data controllers should therefore exercise increased care. In addition, the making of an audio recording and its disclosure without the consent of the data subject, without prior information, is unlawful in principle where it does not serve the public interest or the protection of vital interests.
6. Display of personal and special personal data of minors in the media (NAIH-68/2021., Previous case number: NAIH-6450/2020.)
The applicant, through the legal representative of a minor child, contacted the Authority in relation to a report on a national commercial television channel. This news report described the street, the house, its burnt roof structure, detailed that the injured young person was in a life-threatening condition and gave the boy’s first name. The Authority concluded in the procedure that the report, taken together with all the information given, was sufficient and in its entirety to enable some viewers to identify the person concerned. However, the controller had neither a proper purpose nor a legal basis for disclosing health data about the identifiable data subject. The Authority imposed a data protection fine of five million HUF and ordered the deletion of the data.
Observations and lessons learned from the case:
The processing described in the case did not have a lawful legal basis because the reference to journalism as an activity in the public interest invoked by the controller cannot generally be accepted as a legal basis for processing in the Authority’s view, and several court judgments have confirmed that the legal basis for such processing is the legitimate interest of the controller.
7. Content of the data subject’s right of access to data generated during forensic investigations (NAIH-7689/2020; Previous case number: 2658/2021)
The complainant took part in a forensic examination, after which he asked the expert to provide him with copies of all the data he had provided during the examination and copies of the expert’s professional data relating to the evaluation of the tests. After analysing the GDPR, the law on experts, the Constitution and the professional rules applicable to experts, the Authority concluded that the right of access to these data could not be exercised due to the independence of the expert, the interests of other parties to the procedure concerned by the secondment and the exclusion of other data subjects’ rights (rectification, erasure) on the data to be accessed. In addition to the data provided by the data subject and the content of the expert opinion, the data subject is not entitled to access any indicators, markings or other technical material not indicated in the expert opinion and generated in the course of the expert’s professional work, and the Authority has therefore not ordered the disclosure of copies of such data.
Observations and lessons learned from the case:
It is incompatible with the principles and ideology of the GDPR and the applicable national legislation for the data subject to submit a request for access in circumvention of the legal requirements in order to review the work of the expert, even to influence the outcome of a subsequent expert opinion..
8. Access to health data concerning the psychiatric treatment of minors, limitations on the right of access (NAIH-1612/2020; Previous case number: NAIH-103/2021)
A mother, acting as the child’s legal representative, wanted to know the complete records of the psychiatric treatment of a minor child. The health care provider refused to provide a copy, citing Article 193 of Act CLIV of 1997 on Health Care, which provides that “in the case of a psychiatric patient, the patient’s right to access to medical records may be exceptionally restricted if there are reasonable grounds to believe that access to the medical records would seriously jeopardise the patient’s recovery or violate the personal rights of another person”. The Authority has required the controller to verify in detail, for each document held on the child, whether the conditions for disclosure are met.
Observations and lessons learned from the case:
The use of a legal authorisation to refuse to comply with the right of access must not be without purpose and does not allow for the imposition of a restriction of the right of access to the entire file without a detailed examination. The controller is not entitled to restrict the right of access of the applicant/represented person in general without examining the justification in detail.
9. Handling of contact telephone numbers during the information campaign on the COVID-19 pandemic (NAIH-1366-1/2022.; previous case number: NAIH/2020/3082.)
The Authority received more than a hundred complaints about the data processing practices of the Jobbik Hungary Movement (hereinafter: Jobbik) in its telephone information campaign on the COVID-19 pandemic. According to the complainants, the telephone calls were made to telephone numbers which they had previously declared that they did not wish to receive telephone contact for advertising purposes, and they were not informed during the call of the purposes for which their personal data were processed or the source of the data. In the course of its investigation procedure, the Authority found, inter alia, that it considered the legal basis under Article 6(1)(f) of the GDPR to be acceptable for public telephone numbers, whereas Jobbik did not have a legal basis for the telephone numbers for which the data subjects did not consent to being contacted for direct marketing, information, public opinion polls or market research or expressly objected to such contact by means of a statement, and therefore infringed Article 6 of the GDPR with regard to this processing. In view of this, the Authority has requested Jobbik to stop collecting, among other things, telephone numbers for which the subscriber has declared that he or she does not wish to be contacted for the purposes of direct marketing, information, opinion polling, market research or economic advertising. As Jobbik complied with the Authority’s request, the NAIH decided not to open an administrative procedure, but published its request on its website.
Observations and lessons learned from the case:
It is necessary to identify the appropriate legal basis for each processing operation separately, and it is not acceptable to combine and treat each processing operation as one processing operation on the basis of a single legal basis. In addition, the explicit and voluntary consent of the data subject must be lawfully obtained by the controller in all cases where no other legal basis is applicable and acceptable in the circumstances of the processing.
If you need help from a GDPR lawyer, please contact us at one of our contact details:
Phone: +36 30 648 5521
E-mail: dmp@dmp.hu
