Hungarian political party
GDPR enforcement action by Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) on 2019-04-05.
Case details
- Authority: Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
- Date: 2019-04-05
- Controller / Processor: Hungarian political party
- Sector: Public Sector and Education
- Quoted Articles: Art. 33 (1) GDPR, Art. 33 (5) GDPR, Art. 34 (1) GDPR
- Type of violation: Insufficient fulfilment of data breach notification obligations
Summary
NAIH imposed a fine of HUF 11,000,000 (EUR 34,375) on an undisclosed Hungarian political party for failing to notify the NAIH and relevant individuals about a data breach, and failing to document the breach according to Art. 33 (5) GDPR. As mandated by law, the fine was based on 4% of the party's annual turnover and 2.65% of its anticipated turnover for the coming year.
The breach was the result of a cyber attack by an anonymous hacker who accessed and disclosed information on the vulnerability of the organisation’s system – a database of more than 6,000 individuals – and the command used for the attack. The system was vulnerable to attack because of a redirection problem with the organisation's webpage. After the attacker published the command, even people with little IT knowledge were able to retrieve information from the database.