NAIH (Hungary) - NAIH-8303-2/2023

From GDPRhub
Revision as of 15:17, 10 June 2024

Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 28(1) GDPR, Article 44 GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided:
Published: 29.05.2024
Fine: n/a
Parties: 24.hu
National Case Number/Name: NAIH-8303-2/2023
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Hungarian
Original Source: NAIH (in HU)
Initial Contributor: lm

The DPA found that personal data had been transferred to the US without a legal basis in 2020 but, since such transfers to the US are now covered by the EU-US Data Privacy Framework, held that the circumstances giving rise to the complaint no longer exist and terminated the inquiry.

English Summary

Facts

In August 2020, a data subject visited the news website 24.hu while logged into their Facebook account. Because the website embedded Facebook code (Facebook Connect, later Facebook Login), the controller processed the data subject's personal data (at least the IP address and cookie settings) and, according to the data subject, transferred at least some of it to Facebook, Inc., i.e. to the United States (US). Represented by noyb (the European Center for Digital Rights), the data subject filed a complaint with the Hungarian DPA (NAIH), claiming that the controller unlawfully transferred their data to a third country.

The data subject argued that the transfer of personal data to the US breached Chapter V GDPR, since the CJEU's Schrems II judgment (C-311/18) had invalidated the adequacy decision underlying the EU-US Privacy Shield. Following paragraph 95 of Schrems I (C-362/14), the transfer could not be based on the standard data protection clauses under Article 46(2)(c) and (d) GDPR either. Because the controller was therefore unable to adequately guarantee the protection of the transferred data, the data subject argued, it should be legally obliged to stop the transfer to the US. Nonetheless, almost one month after the Schrems II judgment, the controller had not taken any action to stop the transfer. The data subject requested a full investigation by the DPA pursuant to Article 58(1) GDPR, the suspension of the transfer pursuant to Article 58(2)(d), (f) and (j) GDPR, and a fine under Article 83(5)(c) GDPR.

The NAIH launched an inquiry. It established that the data subject's IP address, a unique user cookie ID and the context of the visit (URL) were processed. It also noted that the Facebook Data Processing Terms and Privacy Shield Terms governing the controller's use of Facebook's services continued to refer to the EU-US Privacy Shield despite its invalidation, and that the controller's specific privacy policy did not mention the recipients of the personal data it processed.

In a reply dated 7 January 2021, the controller stated that Facebook Connect had not yet featured on the website at the time the inquiry was opened and that it was not aware of personal data processed by external organisations such as Facebook. It acknowledged that several of its cookies (linked to Google and AWS) transferred data to the US, but maintained that the cookie related to Facebook Connect transferred data to Ireland rather than to a third country. It stated that consent was its legal basis for processing.

Holding

Relying on Fashion ID (C-40/17), the NAIH treated 24.hu as controller for the processing triggered by the embedded Facebook Login service. Under the Facebook Business Tools Terms and Data Processing Terms in force at the time, Facebook Ireland Ltd. acted as the controller's processor for user-ID matching and Facebook Inc. as its sub-processor. Since those terms relied on the EU-US Privacy Shield, which had already been invalidated on 12 August 2020, the NAIH concluded that the transfer to the US had no legal basis under Article 44 GDPR. It also considered that the controller had violated Article 28(1) GDPR, because a processor whose terms involved a transfer to the US without a valid transfer mechanism could not provide sufficient guarantees of GDPR compliance.

However, the NAIH also took into account new circumstances that arose during the proceedings: the Meta Business Tools Terms and Meta Data Processing Terms of 25 April 2023, the Meta European Data Transfer Addendum of 7 September 2023, and the EU-US Data Privacy Framework adequacy decision, in force since 10 July 2023. The NAIH verified that Meta Platforms, Inc. appears on the US Department of Commerce's list of participating organisations and concluded that the transfers now take place lawfully. It also noted that a fine cannot be imposed in an inquiry under Section 52 of Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Infotv.). It therefore terminated the inquiry under Section 53(5)(b) Infotv., as the circumstances giving rise to it no longer existed.

Comment

In this case, the NAIH acknowledged that the controller had violated Articles 28 and 44 GDPR because it lacked a legal basis for the transfer. In the same breath, however, it terminated the complaint because the circumstances giving rise to the inquiry no longer existed, and it stressed that the right to lodge a complaint under Article 77(1) GDPR gives the complainant no right to demand a fine, which cannot be imposed in an inquiry under Section 52 Infotv. in any event.

It should be noted that, as a general matter, violations do not need to be ongoing to face repercussions under the GDPR. The correction of wrongdoing does not erase the harm.


English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

Courtesy translation

Precedent: NAIH/2020/7604.

Central Media Group Ltd.
Montevideo u. 9

Subject: Termination of the inquiry

Dear Central Media Group Zrt.,

XXX, represented by NOYB-European Center for Digital Rights (resident: XXX; hereinafter referred to as: Notifier), filed a notification with the National Authority for Data Protection and Freedom of Information (hereinafter: Authority) that 24.hu (registered office: 1037 Budapest Montevideo u. 9.; hereinafter referred to as: Data Controller) transfers personal data unlawfully to the United States of America. According to the notification, the Notifier visited the website https://24.hu/ (hereinafter: Website) at 11:33:00 on 12 August 2020, while being logged in to the Facebook profile assigned to the Notifier's Gmail address. According to the Notifier, because the Data Controller has used the HTML code of Facebook Services, including Facebook Connect, the Data Controller processed the Notifier's personal data (at least the IP address and cookie settings). In the Notifier's experience, at least some of his/her personal data were transferred to Facebook Inc., i.e., to the United States of America.

According to the Notifier, the transfer of personal data to the United States of America is unlawful, in breach of the rules set out in Chapter V of the GDPR [1], given that the Court of Justice of the European Union, in its judgment in Case C-311/18 (hereinafter: the Schrems-II judgment) of 16 July 2020, had declared the Commission Implementing Decision (EU) on the adequacy of the EU-US Privacy Shield invalid. The Notifier argued that, on the basis of the reasoning set out in paragraph 95 of the judgment of the Court of Justice of the European Union in Case C-362/14 (Schrems-I judgment), the transfer could not legitimately be based on the standard data protection clauses. The Data Controller was unable to adequately guarantee the protection of the personal data transferred to Facebook Inc., and therefore it should be legally obliged to stop the transfer of personal data to the United States of America. Almost 1 month after the Schrems-II judgment, the Data Controller had not taken any action to stop the data transfer, according to the Notifier.

The Notifier also referred to the Facebook Data Processing Terms, Privacy Shield Terms, and New Facebook Data Processing Terms. The Notifier drew the Authority's attention to the fact that those documents continue to refer to the EU-US Privacy Shield even though it had been declared invalid. The Notifier considered the Authority competent under the General Data Protection Regulation to act against both the Data Controller and the sub-processor Facebook Inc., and therefore requested the Authority to act against both of them.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

The Notifier requested the Authority to investigate the notification in accordance with Article 58(1) GDPR and establish

    (i)     which personal data were transferred to the United States, to another third country or to an international organisation;
    (ii)    which transfer mechanism under Article 44 GDPR et seq. the data transfers were based upon;
    (iii)   whether the applied Facebook Business Tools Terms and the Facebook Data Processing Terms (versions in force at the time of the request and the version in force from 31 August 2020) comply with the requirements of Article 28 of the GDPR with regard to the transfer of personal data to a third country.

The Notifier also requested that the Authority immediately prohibit or order the suspension of the transfer of data from the Data Controller and/or Facebook Ireland to Facebook Inc. pursuant to Article 58(2)(d), (f) and (j) GDPR and order the return of such data to the EU/EEA or to a country that provides an adequate level of protection.

The notification also contains a request to impose an effective, proportionate and dissuasive fine on the Data Controller, Facebook Ireland and Facebook Inc. on the basis of Article 83(5)(c) GDPR, taking into account the fact that the Notifier is only one of thousands of users and that no steps had been taken to bring the data processing in line with the GDPR during the more than one month that elapsed between the Schrems-II judgment and the notification.

In line with Article 77(1) of the GDPR and Section 52(1) of the Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereinafter: Infotv.), the Authority launched an inquiry.

1.   Facts established by the Authority

1.1. The Authority concluded, on the basis of the imprint of the website https://24.hu, that the
     publisher is Central Media Group Zrt. (registered office: 1037 Budapest Montevideo u. 9.;
     registered No.: 01-10-048280), therefore, during the procedure, the Authority identified
     this company as the Data Controller in the notification.


1.2. At the request of the Authority, by letter dated 7 January 2021, the Data Controller stated that at the time of the initiation of the inquiry, Facebook Connect had not yet featured on the Website. At the same time, the codes used on the Website did transfer personal data, among others, to "Facebook"; however, the Data Controller did not indicate exactly whether it meant the legal entity Facebook Ireland Ltd. or Facebook Inc. Based on the Data Controller's reply, the following personal data were processed: IP address, unique user ID (cookie) per organisation and context of visit (URL). However, the Data Controller was not aware of personal data processed by external organisations, such as "Facebook". The Data Controller declared that consent is the legal basis for its processing of personal data.

1.3. According to the Data Controller's statement, the relationship between external organisations and the Data Controller is governed by the General Terms and Conditions of the external organisations, while with "Facebook" they are not joint controllers, nor joint processors, nor do they have a controller-processor relationship. In its statement, the Data Controller could identify where the data processing takes place only on the basis of assumptions. According to that, "service providers use their regional data centres which are geographically closest to their visitors for faster service".

1.4. On the basis of the Specific Privacy Policy submitted by the Data Controller to the Authority, Facebook Ireland Ltd. (registered office: Ireland, Dublin 2, 4 Grand Canal Square, Grand Canal Harbour) transfers personal data to the Data Controller, and "Facebook" and the Data Controller are independent controllers. The personal data transmitted to the Data Controller from Facebook Ireland Ltd. are as follows: name, e-mail address, Facebook ID. According to the Specific Privacy Policy, the Facebook Connect service assists with the StartLogin registration related to the Website, and if the data subject breaks the connection after entering a password, the Data Controller deletes the social ID (Facebook ID). However, the Notifier did not base the notification on the use of Facebook Connect, but claimed that, merely because the Facebook Connect service was embedded in the Website, certain personal data were transferred to the United States of America as a result of prior logging into a Facebook profile.

1.5. Recipients of personal data processed by the Data Controller are not mentioned in the Specific Privacy Policy. According to the General Data Processing Policy submitted by the Data Controller, the Data Controller and the external service providers, including "Facebook", are independent data controllers. Section XIII of the General Data Management Policy deals with data management related to the activities of external service providers. This point mentions Facebook Inc., but not Facebook Ireland Ltd., among the providers of applications facilitating registration and entry (as interpreted by the Authority, the Facebook Connect feature included in the notification is also considered as such). The Data Controller's General Data Processing Policy and Specific Privacy Policy, available on 21 September 2023, are consistent with the Policies attached to the statement of the Data Controller to the Authority dated 7 January 2021 with regard to the information on data processing related to Facebook Connect.


1.6. On the basis of a statement by the Data Controller, several cookies that it uses transfer
     data to the United States of America. These cookies are linked to Google, AWS
     CloudFront and AWS. However, according to the Data Controller’s statement, the cookie
     related to the Facebook Connect service transfers data to Ireland rather than to a third
     country. According to the statement, the purpose of the built-in Facebook services is to
     integrate Facebook appearances (‘follow’, ‘like’).


1.7. In its notification, the Notifier objected to the data transfer related to the Facebook Connect service and initiated the Authority's proceedings against Facebook Inc. in addition to the Data Controller. Based on the content of the notification, the Authority extended the inquiry to Facebook Login, which replaced Facebook Connect [2], and to Meta Platforms Inc. as the successor [3] to Facebook Inc. In view of the fact that during the Authority's inquiry Facebook Login featured on the Website, but it could not be established beyond reasonable doubt from which point in time this had been the case, the Authority accepted the Notifier's statement concerning the transmission of data on 12 August 2020.

1.8. According to the documents submitted by the Notifier, the use of the Facebook Login service was subject to the terms and conditions of the Facebook Business Tools Terms and Conditions, as well as the Data Processing Terms, at the time of the event on which the notification was based. Based on the Authority's inquiry, Facebook Login has been subject to the terms of use of Meta Business Tools [4] since 25 April 2023.

[2] https://developers.facebook.com/docs/facebook-login/overview
[3] https://www.nasdaq.com/market-activity/stocks/meta

2.   Legal assessment of the data processing activity under inquiry

2.1. According to Article 4(1) GDPR, "personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. According to Article 2(1) of the GDPR, that Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

2.2. As indicated in the notification, the Website also processed the IP address of the Notifier. The latter is personal data according to established European Union legal practice, as confirmed by the case law of the Court of Justice of the European Union. In the course of the processing under inquiry, the Data Controller itself acknowledged that it collects personal data from users visiting the Website using cookies.

2.3. According to Article 3(1) of the GDPR, that Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. In accordance with Article 55(1), each supervisory authority shall be competent on the territory of its own Member State to carry out the tasks and exercise the powers conferred on it in accordance with the GDPR. Pursuant to Article 56(1), without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60. In view of the fact that the Data Controller has its registered office and its head office in Hungary, in the present inquiry, the Authority has established its competence in relation to the Data Controller's processing activities concerning personal data.

2.4. The Website publishes news available in Hungarian, most of which is of interest to Hungarian readers. The English version of the Website [5] is not covered by the notification. Therefore, it can be concluded that cross-border processing within the meaning of Article 4(23) GDPR is not carried out, or only to a negligible extent, so the Authority is the only competent supervisory authority for the processing under consideration.

2.5. In the course of its proceedings, the Authority examined the processing of data related to the data transfer to the United States of America included in the notification. It is undisputed that, as a result of the posting of the Facebook Login service on the Website, certain personal data of the users of the Website were collected by the Data Controller and shared with Facebook Ireland Ltd. According to the judgment of the Court of Justice of the European Union in Case C-40/17 ("Fashion ID"), a website operator who places on the website a social module enabling the browser of a website visitor to access the content provided by the provider of the social module and forwarding the visitor's personal data to that service provider may be regarded as a data controller. Therefore, the Data Controller is considered to be a data controller for the processing under inquiry.

[4] https://www.facebook.com/legal/businesstech?paipv=0&eav=AfZH5nJ8tW8SmAOvZgtsv4pnCcn6v_c-9gDHUcgvVbiWkOv4qFTDv2iwp6MAddpjwag&_rdr
[5] https://24.hu/same-in-english/

2.6. The Data Controller claims that the General Terms and Conditions of Facebook Ireland Ltd. apply to the processing under consideration. According to the Data Controller, the Controller and Facebook Ireland Ltd. are independent data controllers. However, according to point 4 of the Facebook Business Tools Terms, which also applies to the use of Facebook Login, provided by the Notifier to the Authority and applicable at the time of the transfer of data, the Data Controller is considered to be the data controller for the services listed in points 2.a.i and 2.a.ii and Facebook Ireland Ltd. is a data processor. These services include linking the data provided by website visitors to Facebook (matching of user IDs), which, according to the Authority's interpretation, may arise precisely in the case of the use of the Facebook Login service. The Data Processing Terms document in force at the same time expressly provides that data controllers established in the European Union authorise Facebook Ireland Ltd. to use Facebook Inc. as a sub-processor. The Authority therefore concluded that, at the time of the processing on which the notification was based, Facebook Ireland Ltd. was a data processor and Facebook Inc. was a sub-processor of the Data Controller.

2.7. Pursuant to Article 44 GDPR, any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of the GDPR, the conditions laid down in Chapter V of the GDPR are complied with by the controller and the processor.

2.8. Given that the documents referred to in point 2.6 referred to the EU-US Privacy Shield as the legal basis for the transfer of personal data to a third country, which, however, was invalid at the time under consideration (12 August 2020), the Authority concluded that the transfer of personal data to a third country had no legal basis.

2.9. Pursuant to Article 28(1) GDPR, the controller shall only use processors that provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of data subjects. Therefore, the Data Controller could not lawfully use Facebook Login, as it involved the transfer of personal data to the United States.


2.10. The activities of Facebook Inc., which is a sub-processor for the processing under consideration, were not investigated by the Authority, given that pursuant to Article 5(2) GDPR, the controller is responsible for compliance with the principles governing the processing of personal data, and pursuant to Articles 28(1) and 29, (sub-)processors carry out the processing on behalf of the controller and in accordance with the instructions of the controller. During the proceedings, there was no indication that Article 28(10) would have been applicable.

2.11. The Authority also examined the new circumstances that arose during the procedure, in so far as they were applicable to the personal data processing operations related to the posting of Facebook Login on the Website. In this context, the Authority took into account the Meta Business Tools Terms in force since 25 April 2023, the Meta Data Processing Terms in force since 25 April 2023, the Meta European Data Transfer Addendum in force since 7 September 2023, and Commission Implementing Decision (EU) 2023/1795 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework [6], which entered into force on 10 July 2023 ("the EU-US Data Privacy Framework").

2.12. In accordance with point 5a of the Meta Business Tools Terms effective from 25 April 2023, the Data Controller shall continue to be the data controller and Meta Platforms Ireland Limited shall continue to be a data processor for the purposes of matching user IDs. Pursuant to Article 10 of the Meta Data Processing Terms, effective from 25 April 2023, the processor may use sub-processors, which may also be established in the United States. The Meta European Data Transfer Addendum, effective from 7 September 2023, identifies this sub-processor as Meta Platforms, Inc.; paragraph 2 of the same document states that Meta Platforms, Inc. has "certified its participation in the EU-US data protection framework".


2.13. Pursuant to Article 1 of the EU-US Data Privacy Framework, the United States ensures an adequate level of protection for personal data transferred to organisations included in the list of organisations participating in the data protection framework, which is maintained and made publicly available by the U.S. Department of Commerce. The Authority's query confirmed that Meta Platforms Inc. is included in this list. Therefore, the Authority concluded that following a visit to the Website, personal data are lawfully transferred by the Controller and its processors to the United States of America.

2.14. The right to lodge a complaint under Article 77(1) of the GDPR does not imply the right
    of the Notifier to request an administrative fine, and as a result of an inquiry pursuant to
    Article 52 of the Infotv., imposing a fine is not possible.


2.15. On the basis of the facts established in the course of the inquiry, the Authority terminated the inquiry in accordance with Section 53(5)(b) of the Infotv., as the circumstances giving rise to the inquiry no longer exist.

Budapest, according to electronic signature and time stamp




                                                          Dr. habil. Attila Péterfalvi
President

[6] OJ L 231 of 20 September 2023, p. 118.