By Bálint Halász
The Hungarian Data Protection Authority (DPA) has imposed a fine of HUF 10,000,000 (approximately €35,700) on an online real estate marketplace as a result of its unauthorised data processing activities. This is the first time the Hungarian regulator has imposed the maximum fine under Hungary’s new Privacy Act, which took effect on 1 January.
The National Authority for Data Protection and Freedom of Information (NAIH) has the power to impose fines between HUF 100,000 and HUF 10,000,000 (approximately €360 to €35,700). While the Privacy Act does not provide clear guidance on the rationale behind the calculation of fines, it sets out that the NAIH has to consider all the circumstances of the case, including the range of data subjects affected by the infringement, the significance of the infringement and whether it has been a recurring breach.
The data controller fined was Weltimmo s.r.o., a company established in Slovakia and having two Hungarian individuals as members. The controller had been operating on an online real estate marketplace for a few years, under domain names ingatlanbazar.com and ingatlandepo.com. These websites became infamous for misleading customers by initially offering free services but invoicing high fees after the expiry of a trial period. The controller refused to allow customers to opt out and refused to remove ads already expired if a customer did not pay their invoices. Furthermore, the controller also transferred customer data to external receivables management providers without consent or notification.
The decision imposing the fine was published on the NAIH’s website together with a press release (both in Hungarian). These set out that both the NAIH and the previous data protection commissioner’s office had been receiving numerous complaints from customers for several years. While the commissioner previously did not have the opportunity to impose a fine, the decisions made by him acknowledged that Weltimmo’s data processing practices did not comply with Hungarian law.
In its recent decision, the NAIH highlighted Weltimmo’s noncompliance with the currently applicable Privacy Act, setting out that the controller had failed to comply with several statutory provisions, including requirements regarding notification and purpose limitation. Further, the controller had also processed and transferred personal data with no legal basis. The decision is subject to appeal.
The NAIH imposed the maximum fine on the basis that the controller had engaged in non-compliant data processing activities for several years, and during this period certain Hungarian authorities, including the data protection commissioner’s office, the NAIH and the Hungarian Competition Authority, had received numerous complaints from customers and competitors. Further, the NAIH also considered that the controller had failed to respond to their enquiries. The NAIH also warned the controller that it may be entitled to impose multiple fines if it does not take steps to recover compliance.
It remains to be seen whether the NAIH will be able to collect the fine from the Slovak company. Provided that the decision becomes final, this case will be the first extraterritorial enforcement action carried out by the NAIH.
As mentioned above, the Hungarian Competition Authority had already investigated the operation of these websites and in December 2011 ruled that Weltimmo and its affiliated company, which was established in the Seychelles, violated the Act on Unfair Commercial Practices which implemented the EU Unfair Commercial Practices Directive (2005/29/EC). In the latter decision, the competition authority imposed a fine of HUF 1,100,000 (approximately €3,900) on Weltimmo and HUF 4,500,000 (approximately €16,000) on its affiliated company. Both entities appealed this decision, and the proceedings are currently pending before courts. It is also worth mentioning that the competition authority had also filed a class action with the Hungarian court, requesting the court to establish that the terms applied by the above companies were unfair, and that the court should therefore declare them invalid. In April, the first instance court agreed with the Hungarian Competition Authority and ruled that certain clauses of the terms applied by these entities were unfair so it also declared these clauses invalid. This court ruling is also subject to appeal.
Bálint Halász is an Associate in the Intellectual Property Group of Bird & Bird’s Budapest Team. His practice areas include IT and privacy and data protection law. He is a member of the Budapest Bar and of the Council of Copyright Experts, the Hungarian Group of AIPPI, the Hungarian Association for the Protection of Industrial Property and Copyright, the Hungarian Trademark Association and the Hungarian Copyright Forum Association.
If you want to comment on this post, you need to login.