Magyar
Deutsch
Decesion examines the data management affecting the personal data of employees and customers
On February 6, 2023, the National Data Protection Authority (NAIH) imposed a fine of HUF 30,000,000 on a beauty center in Budapest for continuously recording work and monitoring guests, violating Article 5(1)(a) and (b) and Article 6(1) of GDPR.
This decision provides explanations on data collection practices, data management, defining data processing purposes, and the use of camera surveillance systems. It also examines the data management affecting the personal data of employees and customers in the beauty center.
The NAIH received several complaints about the company’s operations, including the use of cameras in every room on the premises and the alleged listening in on employees and customers in the manager’s office. The investigation showed that the company had installed and operated 32 cameras throughout the beauty center, including the entrance, corridors, reception area, offices, and treatment and diagnostic rooms. The company also collected and processed a significant amount of personal data, including sensitive information, violating several provisions of GDPR and the Data Protection Act.
The company failed to provide adequate information and descriptions required by GDPR, and no proper impact assessment was conducted. The NAIH also discovered that the company engaged in a referral practice asking customers to provide the names and contact details of acquaintances to offer them free treatments.
The decision of the National Data Protection Authority to impose a fine of HUF 30,000,000 on the beauty salon was based on several violations of data protection rules, such as failing to provide a legal basis for the use of CCTV cameras in different places, collecting personal data without the consent of the data subjects, and failing to inform properly. The Authority’s decision also banned camera data management at the beauty center.
The decision contains important findings about how businesses use camera and surveillance systems in the workplace and in providing their services. It is worth noting that even before the decision was made, the NAIH fined the company twice, in the amounts of 500,000 HUF and 600,000 HUF, for not fulfilling its obligation to provide information, and for sending its responses to NAIH’s questions late and incompletely. Therefore, it is important to take NAIH’s requests on data management seriously and be prepared to respond appropriately.
The decision also shows how the fine was calculated based on certain criteria and the mitigating and aggravating circumstances. It also makes clear that with proper preparation, such a high fine could have been avoided.
Many entrepreneurs view data protection as an unnecessary burden. However, this decision shows that it is important to take it seriously because data management laws are strict on data collection, informing affected parties of their rights, documenting data management, and managing data properly. It is worth investing energy into preventing NAIH investigations. We suggest that you have your current data management practices examined by an expert to continue your business activities with as little risk as possible.
The budlegal team can help you continue your business activities with appropriate data management processes.
The full decision of the NAIH can be found here: https://www.naih.hu/hatarozatok-vegzesek/file/647-szepsegszalonban-vegzett-kameras-megfigyeles-es-marketing-celu-adatkezeles