
The Privacy Advisor | Hungarian DPA Cracks Down on Fortune Telling Company's Direct Marketing, Here's What You Need To Know


The Hungarian Data Protection Authority (DPA) imposed a fine of HUF 750,000 (approximately 2,500 euros) on a direct marketing company. It also ordered the company to revise its privacy policies and to obtain fresh consent from its users.

The company’s website enabled people to send fortune telling, virtual blessings and horoscopes to their friends. In return, the senders had to consent to receiving direct marketing messages from the company and its partners. The DPA launched its investigation after a complaint from a user who had exercised the statutory right to unsubscribe from the direct marketing letters but kept receiving advertisements anyway.

It is worth noting that the complainant turned to the DPA only about the unsolicited e-mail and raised no concerns about the company's other privacy practices. The DPA nevertheless reviewed the entire data processing operation, including the underlying documentation (privacy policies, processing agreements, server logs and the actual data transfers).

In the end, the DPA found a number of unlawful practices that would have stayed under its radar had there been no complaint about the unsolicited e-mail. Another lesson for companies: even the smallest noncompliance may trigger a full-scale audit by the regulator.

During the investigation it turned out that the company is not the only one in the fortune-telling business: the DPA requested extensive internal records and information on the data processing that the applicable law does not expressly require, but whose availability the DPA evidently considered reasonable to expect.

This regulatory approach may bring accountability, at this stage only a future requirement under the draft EU data protection regulation, into the day-to-day operations of Hungarian companies. It is therefore advisable for all companies to review their own practices, internal processes, newsletters, advertisements and privacy policies in light of the DPA’s findings.

Here is a checklist for revising data processing practices on the basis of the DPA’s findings:

  • Internal data transfer registry: Keeping this registry is mandatory, but in practice still only a few companies comply, even though it is the first document the DPA asks for whenever it conducts an audit. In this particular case, the DPA also requested the documents setting out the selection criteria the company uses to decide who receives the users’ data, together with the protocol for each specific data transfer.
  • Internal direct marketing transfer registry: This specific registry is required by the sectoral laws on advertising. In practice, keeping double records of data transfers may be unnecessarily burdensome: a single register that flags DM transfers separately may provide greater transparency. Another factor to consider: DPA audits of direct marketing practices typically start from a specific marketing campaign, so it may be better to keep a separate registry for each campaign. This means more administration, but it can keep the investigation from spreading to data processing practices that were not originally in the DPA’s sights.
  • Expressly dividing the tasks and responsibilities between the controller and the data transferees in the relevant contracts: This matters not least because in the current case the DPA specifically analysed whether the company and its partners are joint controllers, with joint and several liability.
  • Keeping accurate database and employee information: The DPA also requested detailed information from the company on its databases (number, type, contents, copies, versions, recipients) and to name the IT professionals (employees, service providers) who were authorised to send out direct marketing messages.
  • Access rights and data security: The DPA also asked the company to provide (i) its policy governing the fulfilment of data access and erasure requests, including how the user exercising such a right is identified; and (ii) additional information on how the company ensures data security when data are transported physically. It may be useful to add rules on both points to the internal and external privacy policies.
  • Internal instructions: The DPA expects internal policies and organisational measures to set out in sufficient detail how the employees and contractors who carry out data processing duties and access databases are to comply with the applicable laws and regulations.
  • Revision of external privacy policies: The DPA also commented on the company’s external privacy policy and found it important to (i) specify the actual data transfers and avoid references to “potential” data processing (e.g. use “will transfer data” instead of “may transfer data”); (ii) indicate whether each transferee is a controller or a processor; (iii) align the terms and definitions with those used by the law; (iv) identify all data processors; and (v) detail the data processing purposes and the rights and remedies of the persons concerned.
  • Checkbox already filled in? Unlawful: The DPA also pointed out that consent to data processing is neither free nor express if the “yes” checkbox is ticked in advance by default and requires no action from the user beyond proceeding with the registration.
  • Separate consent to different data transfers: According to the DPA, where there are multiple data transfers with different processing purposes (e.g. direct marketing messages from transferees in different industries), users must consent to each type of transfer separately. This expectation can cause a number of practical difficulties. Neither the law nor regulatory practice has required this so far, and it is unclear how to determine whether a processing has a sufficiently different purpose to need separate consent. To minimise their risk, companies are advised to identify the purposes of data transfers in as much detail as possible, including links to the transferees’ privacy policies, together with an explanation of how each transfer relates to the original data processing purpose.

Other remarkable points in the DPA’s resolution

  • Subsequent remedies: It is a novelty in the DPA’s practice that in this case it advised the company to seek fresh consent from its existing users, in line with the privacy policy as amended in light of the DPA’s findings. The company must delete the data of users who do not renew their consent. Such a process may significantly hinder the company’s business: how many users will consent again after being told that this is necessary because of former unlawful data processing practices?
  • Determining the fine: The law sets out only the criteria for imposing a data protection fine, without mentioning any factor that would mitigate its amount. In this case, the DPA emphasised that it can be a mitigating factor if the company appropriately amends its privacy policy already in the course of the investigation. When determining the amount of the fine, the DPA considered the company's market position and the income shown in its annual financial statements. This, too, goes beyond the general sanctioning criteria outlined in the law.
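
The three consent points above (no pre-ticked boxes, a separate consent for each transfer purpose, and fresh consent tied to the amended policy with erasure of users who do not renew it) translate fairly directly into code. The following Python sketch is an added illustration, not code from the company or the DPA; the purpose names, the `consent_*` form-field convention, the policy version strings and the sample HTML are all hypothetical and constructed for the example. It lints a form template for consent boxes rendered with a `checked` attribute, records each purpose's consent separately against the policy version the user actually saw, and lists the users who must re-consent (or be erased) once the policy changes.

```python
"""Consent ledger sketch (added example; all names and inputs are hypothetical)."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Hypothetical transfer purposes; the DPA expects a separate consent for each one.
PURPOSES = ("dm_company", "dm_partner_finance", "dm_partner_retail")

# <input ...> tags whose name starts with "consent_" (our hypothetical naming convention).
CONSENT_INPUT = re.compile(r'<input\b[^>]*\bname="(consent_[^"]+)"[^>]*>', re.IGNORECASE)


def find_prechecked(html: str) -> list:
    """Return the names of consent checkboxes rendered with a `checked` attribute.

    A box ticked by default is the "pre-filled checkbox" the DPA called unlawful;
    running this over the templates in CI catches it before the form is deployed."""
    return [m.group(1) for m in CONSENT_INPUT.finditer(html)
            if re.search(r"\bchecked\b", m.group(0), re.IGNORECASE)]


class ConsentError(ValueError):
    """Raised when a consent value did not come from an explicit user action."""


@dataclass(frozen=True)
class ConsentRecord:
    user_id: str
    purpose: str
    policy_version: str   # the privacy policy text the user actually agreed to
    given_at: datetime
    evidence: str         # form field name, kept for the transfer registry


def record_consents(ledger: list, user_id: str, form: dict, policy_version: str,
                    now: Optional[datetime] = None) -> list:
    """Validate a submitted registration form and append one record per purpose consented to.

    Browsers omit unticked checkboxes from the request, so a missing key means "no
    consent": merely proceeding with registration grants nothing. Values that are not
    strings (e.g. a True injected by server-side code) are rejected, so a default in the
    application can never stand in for the user's own tick."""
    now = now or datetime.now(timezone.utc)
    granted = []
    for purpose in PURPOSES:
        key = f"consent_{purpose}"
        if key not in form:
            continue
        value = form[key]
        if not isinstance(value, str) or value.strip().lower() not in ("on", "yes", "true", "1"):
            raise ConsentError(f"{key}: expected an explicit affirmative form value, got {value!r}")
        ledger.append(ConsentRecord(user_id, purpose, policy_version, now, key))
        granted.append(purpose)
    return granted


def may_transfer(ledger: list, user_id: str, purpose: str, current_policy_version: str) -> bool:
    """A transfer for `purpose` is allowed only with consent given under the current policy."""
    return any(r.user_id == user_id and r.purpose == purpose
               and r.policy_version == current_policy_version for r in ledger)


def reconsent_sweep(ledger: list, current_policy_version: str, users: list) -> list:
    """Users with no consent under the amended policy: ask them again, erase those who decline."""
    covered = {r.user_id for r in ledger if r.policy_version == current_policy_version}
    return sorted(u for u in users if u not in covered)


# Constructed sample inputs (not taken from the page).
PRECHECKED_FORM = '<input type="checkbox" name="consent_dm_company" checked> Send me offers'
COMPLIANT_FORM = '<input type="checkbox" name="consent_dm_company"> Send me offers'

if __name__ == "__main__":
    print("pre-ticked boxes:", find_prechecked(PRECHECKED_FORM))
    ledger = []
    # The user ticked only the company's own marketing box, none of the partner boxes.
    print("granted:", record_consents(ledger, "u1",
                                      {"consent_dm_company": "on", "email": "a@example.com"}, "v1"))
    print("partner transfer allowed?", may_transfer(ledger, "u1", "dm_partner_finance", "v1"))
    # Policy amended after the DPA's findings: everyone must consent again under "v2".
    print("must re-consent:", reconsent_sweep(ledger, "v2", ["u1", "u2"]))
```

Because the ledger stores the policy version alongside each consent, a policy amendment automatically invalidates every transfer until the user has consented again, which is exactly the position the company was put in by the DPA's resolution; the `evidence` field gives the transfer registry something to point at when the regulator asks which form, and which tick, a given transfer rests on.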