Hungarian Data Protection Authority (HDPA) imposed a 15.000 EUR fine on Budapest Police Headquarters (BPH) because an employee lost a 4GB pendrive with personal data of the entire BPH staff including police officers’ birth name, date of birth, mother’s name, social security number, position. The pendrive contained data on a total of 1.733 people.
Author: Dr. Nándor Barta
Hennelné dr. Komor Ildikó Ügyvédi Iroda
Roosevelt Irodaház – House of Business – Tower “C”
H-1051 Budapest, Széchenyi István tér 7-8.
Phone: +36 30 345 0191 email: office@komorhennel.hu
The Case
On January 11, a BPH employee reported the loss of the pendrive to his principal, meaning that the principal had already learned of the incident that day. An internal investigation was then ordered to clarify the circumstances of the incident, which ended on 8 February. The investigation found that the incident could be considered high-risk because it affected more than publicly available data.
BPH filed its incident report with the HDPA on 25 February, which was received by the authority on 28 February.
HDPA’s reasoning
In its decision HDPA found that BPH had not complied with the regulations of the GDPR in connection with the data protection incident, as it failed to fulfil its obligation to report the incident without undue delay. The case should have been reported within 72 hours of becoming aware of it.
BPH had 72 hours under GDPR to weigh the risks posed by the incident and report it to the authority if their internal investigation found that the incident posed a risk to the rights and freedoms of those involved. In this case, 45 days passed between the accident and the notification, which is fifteen times the notification deadline required by the General Data Protection Regulation. Therefore, HDPA imposed a fine of 15.000 EUR on BPH.
HDPA also complained that the DPO was notified late, long after the incident was detected. Moreover, the BPH’s incident management did not comply only with the GDPR, but also with the data controller’s own internal incident management procedures.
Key takeaways
What’s interesting in this case is that later on BPH notified the authority that they found the missing pendrive, which was in the service car of the employee all along, so it did not fall into unauthorized hands. However, this fact did not make any difference in terms of the fine.
HDPA emphasized that notification is mandatory in principle and can only be ignored if it is likely that there is no risk to the rights and freedoms of those affected. However, in this case, even assessing the level of risk was difficult, which in itself indicates that notification was necessary.
The authority pointed out that if the data controller is not entirely sure about its risk assessment or does not yet have all the information to carry it out, but it can determine that a data protection incident has occurred, a phased notification is an acceptable solution.
The fine
The fine seems relatively small considering the volume and impact of the incident. It is important to indicate that the Hungarian Act on Data Protection allows for a limitation on the amount of fines when it comes to public authorities and government bodies. This means that unlike the fine limits set by GDPR, the imposed fine can only go up to 57.000 EUR in terms of Hungarian public authorities and government bodies.
Conclusion
Employees shall undergo a data protection training in order to handle incidents correctly and in line with the GDPR’s requirement. Internal procedures and data breach notification systems shall also be continuously maintained to provide effective protection and the ability to report privacy incidents on time.
Due to the short notification deadline set by the GDPR, this process must be smooth, with minimal disruptions to allow time for risk assessment.