Stiffer GDPR fines from the Hungarian data protection authorities are becoming more common
A new era of data protection began in the EU when the General Data Protection Regulation of the European Parliament and of the Council, commonly known as the GDPR, entered into force. More than two and a half years later, it seems that the national authorities have had enough time to set up an effective control mechanism for the regulation.
The GDPR entrusts the imposition of effective, proportionate and dissuasive penalties for breaches of the GDPR to the national authorities; in Hungary, this is the National Authority for Data Protection and Freedom of Information (NAIH). The authority's fining practice has changed since the initial, milder phase. Nothing proves this better than the 100 million HUF (280 000 EUR) fine imposed by NAIH in 2020 against the domestic subsidiary of a global telecommunications company. This was the highest domestic fine in Hungary to date. It is important to know that not only dominant economic operators can expect large fines for breaches of the GDPR. NAIH also keeps tabs on the data protection activities of micro, small and medium-sized enterprises. As a concrete example, in the case of a medium-sized enterprise, the authority imposed a fine of 8 million HUF (23 000 EUR) for a breach of data management obligations.
Companies dissatisfied with the decision imposing a fine can appeal through an administrative lawsuit. In practice, in most cases the courts find the authority’s procedure and the amount of fine imposed to be rightful and legitimate. Therefore, if the appeal is unsuccessful, the court will order the appellant to pay not only the fines imposed but also the legal costs incurred.
The growing number of higher fines is not limited to Hungary: the practice is noticeable throughout the EU. For example, the German data protection authority fined a fashion company 35 million EUR for recording the personal data of its employees illegally.
In summary, with the end of the initial, milder transitional period, the authorities are monitoring GDPR compliance more strictly across the whole of the EU. Accordingly, companies must also be more careful when it comes to data protection.
In order to avoid fines, whatever the amount, it is necessary to act consciously, both as a private individual and as a company. It is more cost-effective to bear the cost of setting up a GDPR operation and preparing the necessary documentation than to pay millions in fines!
Source: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Text with EEA relevance)