Digi Távközlési és Szolgáltató Kft. – CJEU Judgment (Hungary, 2022)
CJEU judgment — not a DPA enforcement action
This is a Court of Justice ruling, not an enforcement action by a data protection authority. It is not included in cookie statistics or the Risk Calculator.
The Court of Justice of the European Union reviewed a case where a Hungarian internet and TV provider, Digi, copied customer data into a test database without proper safeguards. An ethical hacker discovered this security flaw and reported it. The court's decision highlights the importance of data protection and proper data management practices.
What happened
Digi copied personal data of one-third of its customers into a test database, which was later accessed by an ethical hacker due to a security flaw.
Who was affected
The affected individuals were 320,000 customers whose personal data was copied into the test database.
What the authority found
The Court of Justice examined whether Digi's actions complied with GDPR principles, focusing on data retention and security obligations.
Why this matters
This case underscores the need for companies to ensure data is securely managed and deleted when no longer needed. It serves as a reminder to regularly audit and secure test environments to prevent unauthorized access.
GDPR Articles Cited
This case concerned a Hungarian provider of internet and television services (the controller) and the Hungarian DPA. A technical error caused problems for the functioning of the controller's server. After this, the controller created a database for testing (the test database), to which the personal data of one third of its customers was copied. This personal data was originally kept in another database (the original database), which was coupled with the controller's website. The original database contained personal data of subscribers to the controller's newsletter, held for the purpose of direct marketing. It also contained data of system administrators who provided access to the interface of the website.
On 23 September 2019, the controller learned that an ethical hacker had managed to get access to the test database, which contained the data of 320,000 data subjects. The hacker notified the controller and provided a line of code from the test database as proof of the security issue. The controller fixed the issue, signed a non-disclosure agreement (NDA) with the hacker and gave him a reward. The controller also deleted the test database.
The controller notified the DPA on 25 September 2019, and the DPA started an investigation into the controller. In its decision of 18 May 2020, the DPA held that the controller violated Articles 5(1)(b) GDPR and 5(1)(e) GDPR by not deleting the test database after conducting the necessary tests and fixing the errors. By not deleting this database, the controller kept the personal data of data subjects without any purpose for almost one and a half years. The DPA ordered the controller to investigate all its databases and also imposed a fine of 100,000,000 Forint (€248,000) on the controller.
The controller appealed this decision at the Fővárosi Törvényszék (Judge for the agglomeration of Budapest), which asked the following preliminary questions to the Court of Justice of the European Union (CJEU). 1) Should the purpose limitati
Outcome
CJEU Judgment
A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.
Details
Judgment Date
20 October 2022
Authority
Court of Justice of the European Union
GDPRhub ID
gdprhub-cjeu-5368
Cite as: Cookie Fines. Digi Távközlési és Szolgáltató Kft. - Hungary (2022). Retrieved from cookiefines.eu