Hungary’s National Authority for Data Protection and Freedom of Information (NAIH) imposed an administrative fine of HUF 80 million (approximately EUR 195,000), for violations of Articles 5, 6, 12 and 14 of the RODO. Data subjects received unsolicited correspondence sent to them by post, even though they had not given their prior consent.
The sender of the correspondence was unable to demonstrate that the data subjects had consented to the processing of their personal data. Recipients’ personal data were not collected for specific, explicit and legitimate purposes because the sender did not provide information confirming the purpose of the processing.
Information about the processing of personal data provided by the sender did not contain relevant information necessary to ensure transparent processing. Data subjects were not informed of the possibility to lodge a complaint with the supervisory authority.
The NAIH took the following aggravating factors into account when issuing its decision:
- the nature of the breaches is particularly serious;
- the breach mainly affected older persons who are less able to assess the lawfulness of the processing of their personal data; and
- the unwarranted processing is a serious omission caused by the practice of the mail sender.