Hungarian DPA Fines Forbes

Sep 7, 2020

Source: European Data Protection Board

The Nemzeti Adatvédelmi és Információszabadság Hatóság (Hungarian National Authority for Data Protection and Freedom of Information, hereinafter: Authority) imposed a total of 4.5 million forints in data protection fines on Mediarey Hungary Services Zrt. (hereinafter: Publisher), the publisher of the Hungarian Forbes magazine in two cases.

NAIH/2020/1154

The Authority established in its decision No. NAIH/2020/1154/9 of 23 July 2020 that by not carrying out proper interest assessment in relation to the printed and the on-line versions of the Forbes publication containing the largest family undertakings published in September 2019 and the printed and the on-line versions of the Forbes publication containing the 50 richest Hungarians published in January 2020, and by failing to inform the Complainants (the data subjects) in advance about the results of comparing the legitimate interests of its own and of a third party (the public) and of the Complainants, the Publisher infringed Article 6(1)(f) of the General Data Protection Regulation. 

Furthermore, the Authority established that by not providing adequate information to the Complainants about all the essential circumstances of data processing and of the right of the Complainants to object to the processing of their personal data, and by failing to provide information on the possibilities of the Complainants to enforce their rights in its response to the requests of Complainants to exercise their rights as data subjects , the Publisher infringed Article 5(1)(a), Article 5(2), Article 12(1) and (4), Article 14, Article 15 and Article 21(4) of the General Data Protection Regulation.

NAIH/2020/838

The Authority established in its decision No. NAIH/2020/838/2 of 23 July 2020 that by not carrying out proper interest assessment in relation to the printed and the on-line versions of the Forbes publication containing the largest family undertakings published in January 2019 and the printed and the on-line versions of the Forbes publication containing the 50 richest Hungarians published in September 2019 and by failing to inform the Complainants (the data subjects) of the results of comparing the legitimate interests of its own and of a third party (the public) and of the Complainants, the Publisher infringed Article 6(1)(f) of the General Data Protection Regulation.

Furthermore, the Authority established that by not providing adequate information on all the essential circumstances of processing to the Complainants and about the Complainants rights to object to the processing of their personal data and in spite of the information it learned it failed to demonstrate after the objection that the data processing was justified by legitimate reasons of compelling force overriding the interests, rights and freedoms of the Complainants and in its responses to the Complainants’ requests aimed at exercising their rights as data subjects, the Publisher infringed Article 5(1)(a), Article 5(2), Article 12(1) and (4), Article 14 and Article 21(1) and (4) of the General Data Protection Regulation.

Because of the infringements established, the Authority reprimanded the Publisher in both cases and at the same time ordered it 
–    to meet its obligation to provide information to the Complainants in relation to the data processing, including information concerning the interests of the Publisher, as well as of Complainants considered in the course of interest assessment and the result of the interest assessment, the information on the right to object and the information concerning possibilities of the enforcement of rights;
–    to carry out the interest assessment including the second individual interest assessment following the objection in accordance with the legal regulations and these decisions, if in the course of data processing envisaged in the future, the Publisher intends to use legitimate interest as the legal basis;
–    to modify its practices related to providing information in advance in accordance with the legal regulations in force and the provisions of these decisions.

Because of the established infringements, the Authority imposed a data protection fine of 2 million forints in its decision NAIH/2020/1154/9 and 2.5 million forints in its decision NAIH/2020/838/2 on the Publisher.

The reason for the difference in the amounts of the fines is that despite the fact that the Publisher was aware of the specific circumstances of the Complainants in the case constituting the subject matter of decision NAIH/2020/838/2, the Publisher failed to carry out an individual interest assessment, the result of which would have demonstrated that data processing was justified by legitimate reasons of compelling force overriding the interests, rights and freedoms of the Complainants even after the objection by the Complainants.

The Authority did not arrive at a position that it was not at all possible to make lists of businessmen and companies and reports on them in this form. Forbes may compile lists on the basis of business data accessible to the public, but the publication of the lists is subject to the stringent requirements of the General Data Protection Regulation and the Publisher as controller must comply with these requirements.

The Authority supports the practice present also in the Hungarian market, according to which the various rich lists or publications listing the richest Hungarians do not in all cases include the name of the data subject and/or an entry on the data subject provided that it has sufficiently grounded reasons, and they display a single letter instead of the full name, and minimal information instead of the entry presenting the activities of the data subject (e.g. the name of the given industry, the magnitude of the assets associated with the data subject) following the well-grounded objection by the data subject.

A petition for review was submitted to the Fővárosi Törvényszék (Budapest Tribunal) by the Publisher against decision NAIH/2020/838/2 and by both parties against decision NAIH/2020/1154/9.

You can read the origional press release on the Hungarian DPA website here.

For more information, please contact the Huganian DPA here: privacy@naih.hu

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA’s website or other channels of communication, the news item is only available in English or in the Member State’s official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

Recent news

January plenary – adopted documents

During its January plenary, the EDPB adopted: Coordinated Enforcement Action, Designation and Position of Data Protection Officers 17 January 2024 Publication Type: Other Topics: GDPR enforcement Cooperation between authorities Members: EDPB English Download file 1...

read more