National Health Insurance Fund of Hungary – €1,200 Fine (Hungary, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Hungary's National Health Insurance Fund was fined for not responding to a person's request about their COVID-19 vaccine registration data. The delay and lack of information violated GDPR rules on timely responses and transparency. This case highlights the importance of responding promptly to data requests, especially during high-demand periods.
What happened
The National Health Insurance Fund of Hungary delayed responding to a person's request about their vaccine registration data.
Who was affected
Individuals who registered for the COVID-19 vaccine and whose data was accessible via the Fund's website.
What the authority found
The authority found that the Fund violated GDPR by not providing timely and complete responses to data access requests.
Why this matters
This case underscores the need for organizations to manage data requests efficiently, even during busy times. It serves as a reminder that high demand does not exempt companies from GDPR compliance.
GDPR Articles Cited
On 25 March 2021, the data subject noticed that the National Health Insurance Fund Manager (NEAK) “published” information on its website that the data subject registered for the COVID-19 vaccine. By entering their social security number and date of birth, anyone who knew these pieces of personal information, could check the validity of a person’s registration. The data subject e-mailed the controller on the same day, objecting to the processing of his personal data on the website. On 6 April 2021, the data subject sent another e-mail to the controller, this time invoking their right of access under Article 15 GDPR. They also requested the controller to send the date and IP address from which the data subject requested the vaccination registration. As they did not receive any answer from the controller, the data subject turned to the DPA on 11 May 2021. The controller neither responded to the DPA's request for clarification, nor did it inform the DPA of the reason for the delay and when the data subject could expect a substantive response. Therefore, the DPA carried out an on-site visit at the premises of the controller on 24 November 2021. During the visit, the DPA found that the controller logged all the data requests in accordance with the requirements of its privacy policy and had the data subject’s request as well. The controller responded to the data subject only after the visit of the DPA, on 26 November 2021, and even then not in substance, saying: “As reasoning for the delay, we would like to mention that (...) NEAK has received nearly 70,000 requests for vaccine registration.” The controller also claimed to process and respond to thousands of inquiries per day, using the same number of human resources employees it had before the COVID-19 pandemic. The DPA found that the controller's reply did not contain any information on the right to lodge a complaint or to seek redress. Therefore, the DPA declared an infringement of Article 12(3) GDPR and Article 12
Related Enforcement Actions (0)
No other enforcement actions found for National Health Insurance Fund of Hungary in HU
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
9 August 2022
Authority
Nemzeti Adatvédelmi és Információszabadság Hatóság
Fine Amount
€1,200
GDPRhub ID
gdprhub-5322About this data
Cite as: Cookie Fines. National Health Insurance Fund of Hungary - Hungary (2022). Retrieved from cookiefines.eu
Last updated: