Hungarian DPA fined Forbes for failing to carry out a legitimate interest assessment in relation to two of their publications and to inform data subjects in advance about the results.
The Hungarian DPA came to a decision this July, to fine Forbes for violating various articles of the GDPR with regard to two of the company’s publications. The EDPB recently reported that in relation to both printed and online versions of the Forbes publication in September 2019 and in January 2020, one containing the largest family undertakings, and the other, the 50 richest Hungarians, the Publisher violated the GDPR. In addition, the Authority accused Forbes of failing to provide adequate information to the Complainants about all the essential circumstances of data processing, and of their rights to object to the processing of their personal data.
The company infringed on several sections of the GDPR in releasing those publications.
In both of the DPA’s decisions, No. NAIH/2020/1154/9 of 23 July 2020, and No. NAIH/2020/838/2 of 23 July 2020, Forbes was found to have been in infringement of Article 6(1)(f) of the GDPR. This article states that “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
In failing to inform the Complainants of their option to exercise their rights, Forbes infringed on Articles 5(1)(a), 5(2), 12(1) and 12(4), as well as Articles 14, 15 and 21(4) of the GDPR. The relevant sections of Article 5 of the GDPR calls for personal data to be processed lawfully, fairly and in a transparent manner, and that the controller is in fact responsible for, and must be able to demonstrate compliance with the aforementioned requirements. Article 12 outlines the fact that the controller must take appropriate measures to provide any relevant information to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language. It also mentions that if the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay of the reasons why, within no more than one month of receipt of the data subject’s request. Articles 14 and 15 speak to the right of the data subject, to obtain from the controller, confirmation as to whether or not their personal data is being processed and to obtain access to information on the personal data being processed, and also clear information on where this data has been obtained, together with other relevant elements around the processing. In this instance, Forbes also denied the data subjects the right to object to the publishing of this personal data, by neglecting to inform them and gain their consent, which violates Article 21.
The Hungarian DPA fined Forbes and gave the company several orders for corrective action.
The Hungarian DPA imposed a fine of 5,600 € for one of the infringements and 7,000 € for the other. The company was also ordered to undertake several corrective actions. Forbes was ordered to meet its obligation to provide information to the Complainants in relation to the data processing, including information concerning the interests of the Publisher, as well as of Complainants considered in the course of interest assessment and the result of the interest assessment, the information on the right to object and the information concerning possibilities of the enforcement of rights. The company will also need to modify its practices related to providing information in advance in accordance with the legal regulations in force and the provisions of these decisions, and to carry out the interest assessment including the second
individual interest assessment following the objection in accordance with the legal regulations
and these decisions, if in the course of data processing envisaged in the future, the Publisher intends to use legitimate interest as the legal basis.
The Authority is not opposed to “rich lists” but maintains that they must be done in accordance with the GDPR and preferably with minimal information released on data subjects.
When the Hungarian DPA arrived at its position on the matter, it also did not decide that lists of businessmen and companies should never be made in this form of Fashion. Forbes may compile lists, on the basis of business data that is accessible to the public, however the publication of those lists is subject to the requirements of the GDPR, and the publisher as controller has to comply with these stringent requirements. The general practice in the Hungarian market, of which the authority approves is that the various rich lists or publications listing the richest Hungarians, did not in all cases include the name of the data subject, but rather initials and minimal information instead of presenting the activities of the data subject. The publishing of this personal data should follow the well grounded objection by the data subject.
