Deichmann Cipőkereskedelmi Korlátolt Felelősségű Társaság – €50,000 Fine (Hungary, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Deichmann was fined €50,000 for not handling customer requests to view surveillance footage properly. The company wrongly told a customer that only police could access the footage, which violated GDPR rules. Businesses should ensure they have clear processes for handling data requests.
What happened
Deichmann failed to provide a customer access to surveillance footage, claiming it was only accessible to police.
Who was affected
The affected individuals were customers who requested access to surveillance footage of themselves.
What the authority found
The authority found that Deichmann violated GDPR by not allowing customers to access surveillance footage and by not properly handling data requests.
Why this matters
This fine highlights the importance of businesses having clear procedures for customer data access requests, including surveillance footage. Companies should ensure they comply with GDPR requirements for transparency and access.
GDPR Articles Cited
A customer of the Deichmann company claimed that after an in-store purchase he did not receive the correct amount of money back from the cashier. The customer initially did not notice that he paid with a larger bill, and only later noticed and informed Deichmann. Since the facts were disputed, the customer asked the company to view the video recording in which the customer appeared as he was paying. Deichmann informed the customer that the recording can only be accessed by the police following an official request. The customer filed a police report, but the camera recording was no longer available by the time of the request. Following this situation, the NAIH conducted an ex officio investigation into the company and found that Deichmann was operating cameras extensively throughout the country, with cameras in all 129 of its stores. The DPA found that the controller had breached multiple GDPR provisions in connection to data subject access requests. Amongst these, the company did not keep separate records of the data subject requests that it had been receiving. Did the data controller fulfill its obligations under the GDPR in connection with data subject access requests? The DPA first held that the request to access the camera images does fall within the scope of Article 15(1) GDPR. Furthermore, the NAIH emphasised that the controller's claims were incorrect with regards to the footage only being accessible to the police. Apart from Article 15(3), the DPA held that the data controller must also give data subjects access to the part of the recording in which that person appears. The NAIH also pointed to the importance of Article 12(4) and offering data subjects adequate explanations on the reasons for a controller's refusal to act on a data subject's request. Regarding the deletion of the recording, the DPA held that Deichmann breached Article 18(1)(c). The controller should have kept the data following the data subject's request, until his legal claim was set
Related Enforcement Actions (0)
No other enforcement actions found for Deichmann Cipőkereskedelmi Korlátolt Felelősségű Társaság in HU
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
3 September 2020
Authority
Nemzeti Adatvédelmi és Információszabadság Hatóság
Fine Amount
€50,000
20,000,000 HUF
GDPRhub ID
gdprhub-2870About this data
Cite as: Cookie Fines. Deichmann Cipőkereskedelmi Korlátolt Felelősségű Társaság - Hungary (2020). Retrieved from cookiefines.eu
Last updated: