Data Protection Authority Imposes Highest Post-GDPR Fine

Published date: 06 July 2020
Subject Matter: Privacy, Data Protection
Law Firm: Schoenherr Attorneys at Law
Author: Mr Dániel Gera and Dorottya Gindl

The Hungarian National Authority for Data Protection and Freedom of Information (the "Authority" or "NAIH") recently imposed a fine of HUF 100m (approx. EUR 285,000) on one of the biggest electronic communication service providers, Digi Távközlési Szolgáltató Kft ("Digi"). This is the highest data protection fine imposed in Hungary since the entry into force of the GDPR and the highest ever fine levied in Hungary for a violation of data protection regulations.

An ethical hacker discovered a vulnerability affecting Digi's website, through which it was possible to access a "test database" that contained a significant amount of personal and sensitive data of Digi's subscribers (e.g. name data and place of birth, email address and password, bank account number, willingness to pay). The ethical hacker informed Digi of this vulnerability, and Digi took corrective action and submitted a breach notification to the Authority within 72 hours as prescribed by the GDPR.

In the mandatory investigation following the notification of the breach, the Authority examined all relevant circumstances of the case. Digi stated that the test database was created in connection with the correction of an earlier error that made subscribers' personal data inaccessible (Digi's webserver did not reach the database server). Digi did not encrypt the database because it believed that access restriction and provisioning provided sufficient protection of the personal data concerned. However, it turned out that the ethical hacker was able to access Digi's database and the user data of the system administrators.

The Authority found Digi to be in violation of the principle of purpose limitation by not deleting the...
