Budapest Főváros Kormányhivatala XI. kerületi Hivatala – €25,000 Fine (Hungary, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Budapest Government Office's XI District shared sensitive patient data through an unprotected email, leading to a data breach. The Hungarian data protection authority fined them EUR 25,000 for not securing the data properly. This case highlights the importance of using secure methods when handling sensitive information.
What happened
The Budapest Government Office's XI District emailed an unprotected Excel sheet with patient data to general practitioners, causing a data breach.
Who was affected
Patients whose sensitive health data was shared with unauthorized general practitioners.
What the authority found
The Hungarian authority found that the District Office breached data protection rules by sharing patient data without proper security measures.
Why this matters
This case underscores the need for organizations to secure sensitive data, especially when sharing it electronically. It serves as a reminder to use encryption or passwords to protect personal information.
GDPR Articles Cited
A public interest disclosure was made to the Hungarian DPA (NAIH) detailing a personal data breach. In the given case, the XI. District Office of Budapest Government Office (in Hungarian: "Budapest Főváros Kormányhivatala XI. kerületi Hivatala"; hereinafter referred to as "District Office") transferred by email (in an Excel sheet attached to the email) the data of 1153 patients to general practitioners (physicians) in the XI, XII and XXII Districts of Budapest related to the COVID testing of patients. The Excel sheet was not protected by password or by other means.
A person (who was not even a general practitioner originally addressed by the District Office) forwarded the above-mentioned Excel sheet and the District Office's related email to the NAIH in the form of a public interest disclosure. The NAIH examined whether the transfer of patient data by the District Office constituted a personal data breach, the related risks to the rights and freedoms of natural persons, and the District Office's breach management.
It is worth noting that after receiving the NAIH's inquiry concerning the personal data breach, the District Office requested the opinion of the data protection officer of the Budapest Government Office. The data protection officer was of the opinion that the above transfer of patient data by email by the District Office constituted a personal data breach, but that the breach did not result in a risk to the rights and freedoms of natural persons since it was only received by general practitioners who are subject to professional secrecy.
The NAIH decided that the transfer of patient data by email by the District Office constituted a data breach, since the personal data (involving sensitive data) was forwarded to general practitioners who did not have the right to access such data. This also means that the District Office should have only sent the data of patients to the competent general practitioners in the given district with password p
Related Enforcement Actions (0)
No other enforcement actions found for Budapest Főváros Kormányhivatala XI. kerületi Hivatala in HU
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
14 March 2021
Authority
Nemzeti Adatvédelmi és Információszabadság Hatóság
Fine Amount
€25,000
10,000,000 HUF
GDPRhub ID
gdprhub-3466
Cite as: Cookie Fines. Budapest Főváros Kormányhivatala XI. kerületi Hivatala - Hungary (2021). Retrieved from cookiefines.eu