Hungarian DPA’s 2015 Annual Report Published

The Hungarian Data Protection and Freedom of Information Agency recently released its 2015 annual report, including enforcement statistics. The report shows a significant increase in the number of cases handled by the DPA again in 2015. This trend is expected to continue in 2016, given the DPA’s stated 2016 enforcement priorities, summarized below. It also shows an immediate interest in national BCR approval requests, which have been possible in Hungary only since 1 October 2015. As the DPA’s activity increases, the amount of data protection fines is likely to become higher.

The DPA received 7594 new cases – including data protection, freedom of information and other consultation issues – and 2655 complaints. The number of DPA audits also significantly increased. The DPA conducted data protection investigations in 1902 cases and established illegal data processing in 288 data protection cases. Also, it launched 30 new administrative procedures based on illegal data processing.

The report shows that the majority of the cases handled by the DPA fell within the scope of the DPA’s published enforcement priorities for 2015, which were to focus on (i) the data processing activities of debt collection agencies, (ii) product presentation events, and (iii) data processing for telemarketing purposes. This demonstrates that market participants can rely on the DPA’s enforcement priorities to guide the DPA’s likely resource allocation relative to enforcement actions.

The report states that the DPA handled 144 international cases and that 54 DPA investigations had an international dimension.

The total amount of data protection fines imposed by the DPA in 2015 was HUF 94 million (ca. EUR 300,000). This is more than the double the amount of the fines issued in 2014 (HUF 45 million) and four times the amount of fines imposed in 2013 (HUF 23 million). Since October 2015, the maximum DPA fine amount was increased from HUF 10 million to HUF 20 million and the trend of increasing fines is expected to continue in 2016.

In 2015, the DPA was involved in 11 administrative lawsuits against DPA decisions. The majority of those cases were filed against the DPA in the previous years.

The Hungary DPA received three national BCR approval requests in 2015. We expect that more such requests will be filed in 2016, given the EU Court decision concerning the invalidation of the Safe Harbor.

The DPA received 12 554 notifications to the Data Protection Register, including 9,965 electronic and 2,589 hard copy filings. This indicates a significant growth in the number of DPA notifications compared to the previous year’s figure. (In 2014, 9,950 filings were made with the DPA, compared to 11 686 in 2013 and 12,166 in 2012.) The DPA announced in 2016 that it would soon change its current registration system, to permit only electronic filings. The exact timetable for that change, however, has not yet been determined.

The DPA released four recommendations in 2015, on (i) data subject notice requirements; (ii) data processing concerning class reunions; (iii) the fate of online data after death; and (iv) on the burden of costs relating to access to health records.

We expect that in 2016, the Hungary DPA will become more active in reviewing privacy notices and auditing the activities of employment agencies, given that its 2016 enforcement priorities focus on (i) data processing relating to anonymous job advertisements and (ii) compliance with data subject notice requirements.