NAIH (Hungary) - NAIH-3932-5/2024
From GDPRhub
| NAIH - NAIH-3932-5/2024 | |
|---|---|
 | |
| Authority: | NAIH (Hungary) |
| Jurisdiction: | Hungary |
| Relevant Law: | Article 5(1)(a) GDPR Article 5(1)(c) GDPR Article 12(1) GDPR Article 13 GDPR Article 32 GDPR 16/A. § 1997. évi CLV. törvény a fogyasztóvédelemről |
| Type: | Complaint |
| Outcome: | Partly Upheld |
| Started: | |
| Decided: | 02.07.2024 |
| Published: | |
| Fine: | 80,000,000 HUF |
| Parties: | ALDI MAGYARORSZÁG ÉLELMISZER Élelmiszer Kereskedelmi Betéti Társaság |
| National Case Number/Name: | NAIH-3932-5/2024 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Hungarian |
| Original Source: | NAIH (in HU) |
| Initial Contributor: | fb |
The DPA fined Aldi HUF 80,000,000 (€204,000) in connection to its age verification practices when selling alcohol. It found that data subjects could not easily access information and that they could not be asked for an ID when there was no doubt they were over 18.
English Summary
Facts
The controller, a supermarket company, conducted verifications about the age of customers wanting to buy alcoholic beverages. In addition to asking for an ID card, in some shops the controller also recorded the date of birth of the data subjects, while in other shops it did not.
Moreover, another complaint concerned the fact that the controller asked elderly data subjects for an ID, even though it was evident that they were not under 18.
Finally, according to the data subjects, no information under Article 13 GDPR was not provided to them. Therefore, they could not know which was the legal basis and the duration of the processing.
For these reasons, several data subjects filed a complaint with the DPA.
Holding
First, the DPA found that the data subjects were not able to have sufficient information about the processing at hand, since no sign was put in the controller’s shops. Moreover, the staff were not able to provide more information or to inform the data subjects where to find more information about the data processing. Furthermore, the DPA noted that the practices varied between the stores.
Therefore, the DPA held that the information provided by the controller was insufficient, not easily accessible and not transparent. As a consequence, it found a violation of Article 5(1)(a), 12(1), 13(1) and 13(2) GDPR.
Secondly, the DPA noted that Article 16/A(4) of the Consumer Protection Act of 1997 (1997. évi CLV. Törvény a fogyasztóvédelemről) requires alcohol sellers to ask for an ID card only when they are in doubt that the buyer could be under 18 years old. When this doubt does not exist, like in the case of a 70-year-old man, this obligation does not apply. Therefore, the controller could not rely on Article 6(1)(c) GDPR.
As a consequence, the DPA found a violation of Article 6(1) GDPR.
Thirdly, the DPA found that recording the date of birth in the cash register system violated Article 5(1)(c) GDPR. Indeed, the DPA considered that there was a method of achieving the objective which was appropriate but less harmful to the data subjects and involved fewer processing operations.
Finally, the DPA held that the controller did not implement adequate measures to protect the personal data of data subjects in its stores since, for example, data subjects were required to state their date of birth aloud and other customers could hear it.
On these grounds, the DPA issued a fine of HUF 95,000,000 (€242,000), then lowered to HUF 80,000,000 (€204,000).
Moreover, it ordered the controller to display in each of its shops, in a prominent place and in a readily accessible format for data subjects, its current privacy notice, drawn up in accordance with Article 13 GDPR.
Comment
This decision is issued after an appeal by the controller before the Metropolitan Court of Justice (Fővárosi Törvényszéknek). The court found that the recording of date of birth did not constitute processing of personal data since this only piece of information cannot allow to identify a person. It confirmed the remainder.
The DPA took this judgement into account and lowered the amount of the fine from HUF 95,000,000 (approx. €242,0000) to HUF 80,000,000 (approx. €203,000).
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
Case number: NAIH-3932-5/2024 Subject: decision
H A T A R O Z A T
By the National Data Protection and Freedom of Information Authority (hereinafter: the Authority)
ALDI HUNGARY FOOD Food Trade Deposit Company
(head office: 2051 Biatorbágy, Mészárosok útja 2., company registration number: 13-06-058506; the
hereinafter: Mandatory) in connection with the purchase of alcoholic beverages established in the summer of 2022 and
thereafter, in the period until the decision with case number NAIH-3227-3/2023 becomes final
the personal data of natural persons of the implemented data management practices
regarding its protection and the free flow of such data, as well as a
in Regulation 2016/679 (EU) repealing Directive 95/46/EC (the
hereinafter: the general data protection regulation) compliance with the regulations
in the official data protection procedure (main case) NAIH-3227-3/2023
annulling point 3 of the decision made in the case number (hereinafter: Decision) and a
105.K.701.548/2023/11 obligates the authority to a new procedure in this regard. on November 7, 2023
judgment of the Budapest court, delivered on 7 December 2023, and communicated to the Authority on 7 December 2023 (
hereinafter: Judgment) initiated ex officio under case number NAIH-3932/2024,
in its repeated official data protection procedure, the Authority makes the following decisions:
1. Established in point 1 of the Resolution and upheld by the Metropolitan Court
based on legal violations, taking into account the provisions of the Judgment; the Obliged Authority
obligates ex officio within 30 days of this decision becoming final
HUF 80,000,000, i.e. eighty million HUF
to pay a data protection fine.
2. The Authority on information self-determination and freedom of information
CXII of 2011 Act (hereinafter: Infotv.) based on point a) of § 61, paragraph (2).
ex officio orders the identification data of the Obligor in its final decision
disclosure by publication
a) on the website of the Authority, furthermore
b) on the opening page of the Obligor's website, clearly visible and easily accessible
place, within 30 days of the decision becoming final, and there
be available for at least 30 days.
The Obligor is obliged to fulfill the obligation prescribed in point 2, sub-point b) of this decision
must be in writing within 30 days of its becoming final - the supporting evidence
along with its submission - certify it to the Authority.
In case of non-fulfilment of the obligation prescribed in sub-point b) of point 2, the Authority shall order a
implementation of the decision.
No procedural costs were incurred in the procedure.
There is no place for administrative appeal against this decision, but from the announcement
within 30 days from the date of issue, with a letter of claim addressed to the Capital Tribunal
can be challenged in a lawsuit. The claim must be submitted electronically to the Authority, which
1 The NAIH_K01 form is used to initiate an administrative lawsuit: NAIH_K01 form (16.09.2019) The
form can be filled out using the general form filling program (ÁNYK program).
.………………………………………………………………………………………………………………………………………… ……………………..
1055 Budapest Tel.: +36 1 391-1400 naih.hu/adatkezelesi-tajekoztatok
Falk Miksa utca 9-11 KR ID: 429616918 ugyfelszolgalat@naih.hu 2
forwards it to the court together with the case documents. The request for the holding of the trial is submitted by the
must be indicated in the application. For those who do not receive full personal tax exemption
the fee for the judicial review procedure is HUF 30,000, the lawsuit is subject to the right to record fees. THE
Legal representation is mandatory in proceedings before the Metropolitan Court.
I N D O C O L A S
I. History, basic case
(1) The Authority has received several notifications regarding the compulsory purchase of alcoholic beverages
regarding the new data management practice established in connection with In submissions
they complained about significantly different data management practices in individual stores. THE
according to the whistleblowers, they did not hand over data management information even upon request
to those concerned, and neither did the cashiers, so the date of birth
in connection with its recording, the legal basis and duration of the data management was not known. Whistleblowers
based on his information, the Obligee's stores in several settlements also contain alcohol
in the case of buying drinks - based on notification at the cash desk, according to other complaints
by way of obligation to hand over an identity card - recorded the customer's birth certificate
his time. According to another complaint, the cashier did not know the purpose of data recording and
to provide information regarding its legal basis, and the regional manager indicated that
to the store manager that the data of the identity card cannot be recorded
necessary in the event that the buyer's legal age can be established in another way,
customers were not informed of this fact. A whistleblower complained that he
you are apparently over 70 years old, but you still had to prove your age.
(2) Based on the above, on August 19, 2022, the Authority ex officio data protection authority
initiated a procedure in order to check that the Obliger's alcohol content
whether the data management practices established in connection with the purchase of drinks are adequate
requirements contained in the general data protection regulation.
(3) During the procedure, the Authority invited the Obligee to make a statement several times
in order to clarify the facts; as well as on general administrative regulations
2016 CL. Act (hereinafter: Act), on-site without prior notice
conducted inspections in two randomly selected stores of the Obligor.
(4) March 30, 2023, adopted in the official data protection procedure initiated ex officio.
In point 1 of the Decision dated
offended him
a) point a) of Article 5 (1) of the General Data Protection Regulation;
b) point c) of Article 5 (1) of the General Data Protection Regulation;
c) Article 6 (1) of the General Data Protection Regulation;
d) Article 12 (1) of the General Data Protection Regulation;
e) Paragraphs (1) and (2) of Article 13 of the General Data Protection Regulation;
f) paragraphs (1) and (4) of Article 32 of the General Data Protection Regulation.
(5) Transparency contained in Article 5 (1) point a) of the General Data Protection Regulation
violation of the principle of
on-site) was not available for those interested in purchasing alcoholic beverages
the related data management established by the Obligor is transparent; it is essential
those involved did not have the opportunity to learn about its circumstances, because it was not posted
https://www.naih.hu/kozig-hatarozat-birosagi-felulvizsgalata 3
appropriate, containing essential information related to the actual data management
data management information; and at the request of the stakeholders and representatives of the Authority a
Obliged employees could not even verbally provide information on the related matter
about the online availability of the data management information sheet or the data management is essential
on its circumstances [see: Paragraph (129) of the Decision's justification].
(6) The principle of transparency was also violated by the fact that in the Obligor's stores, as well as
the alcoholic beverages at the cash registers were also significantly different within each store
actual related to verifying the age of persons intending to buy
data management practice, accordingly, it was not transparent for those concerned
data management concerning them [see: paragraph (134) of the justification of the Decision].
(7) Obliged by Art. Order on notification according to § 76 [NAIH-6989-16/2022
order no.] violated Article 5 (1) of the General Data Protection Regulation
the principle of transparency according to paragraph a) of the data management realized by logging
also by not ensuring the transparency of data management for those concerned
for, since he did not provide information in the period between August 4 and 11, 2022
for those concerned in relation to data management; August 12 and 31, 2022
in the period between
to those concerned on the Website (https://www.aldi.hu/hu/homepage.html) and the Ákr. 68-69. §
during the inspection in his stores about the fact that all keys of the cash register
is struck (and therefore, in the case of purchasing an alcoholic drink, the customers' date of birth
is) was logged, and that these log files are for 180 days after recording
were also stored, and for them the data processor used by the Obligor
also has access; finally, that from September 1, 2022, the Ákr. according to § 76
up to the date of the order on notification, it has not been modified by the relevant Obligor
data management information, and therefore still did not inform the data subjects above
explained [see: paragraph (141) of the reasoning of the Decision].
(8) "easy
"accessible" criterion was violated by the fact that the Obligor did not provide adequate
measures in order to provide data management to the data subjects
related information in an easily accessible manner in each store and
make it available in the form [see: Paragraph (148) of the Decision's justification].
(9) The obligee violated paragraphs (1) and (2) of Article 13 of the General Data Protection Regulation,
considering that the Obligor at the time of obtaining the personal data
was not made available to the data subjects by Article 13 of the General Data Protection Regulation
The information specified in paragraphs (1) – (2) is the data processing affected by the procedure
in connection with [see: paragraph (157) of the justification of the Decision].
(10) The Obligor is the period between August 4, 2022 and August 31, 2022
Article 6 (1) of the General Data Protection Regulation has not been verified
for processing the data of data subjects who have 18.
in connection with reaching their age, the CLV of 1997 on consumer protection. law (a
hereinafter: Fgytv.) 16/A. "doubt" as defined in paragraph (4) of Sec
about whom - clearly visible to anyone given his old age -
it was clear that they had reached the age of eighteen. Since e
in connection with personnel, the Authority was also unable to identify the Obligee ex officio
a legal position or individual decision concerning data management
would create a relevant legal obligation, so the Obligor violated the general
Article 6 (1) of the Data Protection Regulation [see: (165) of the reasons for the Decision
paragraph]. 4
(11) Article 6 (1) of the General Data Protection Regulation was also violated by the fact that a
The obligee wrongly imposes a legal burden on him in general, covering all customers
identified this legal place and the legal norms governing it as an obligation - thus
in particular, the general data protection decree and the Fgytv. - not properly
applied, the applicability of the legal obligation applicable to it has been over-extended
by entering personal data into the cash register system in the log files
when recording, as Fgytv. 16/A. Paragraph (4) of § only the age credit
it is awaiting proper proof, so it did not have an adequate legal basis for the recording.
[see: paragraph (166) of the reasoning of the Decision]
(12) The Fgytv. 16/A. Doubt in the case of purchasing an alcoholic beverage based on § (4).
in this case, the customer must be asked to provide creditable proof of age (i.e. in
in the event that it cannot be clearly established that the alcoholic beverage is to be purchased
whether the intending person has reached the age of eighteen or not). The Obliged
however, in the period between August 4, 2022 and August 31, 2022, Fgytv. 16/A.
The phrase "in case of doubt" defined in paragraph (4) of §, statutory
exceeding the provision, in addition to it in a general manner, in the Obligor's own words
he prescribed "the development of its systematic use" in the position of shop assistant
to buy each alcoholic beverage for its employees
mandatory verification of the age of the intending person. By doing so, he offended the general
also the principle of data saving contained in Article 5 (1) point c) of the data protection decree
– which, regardless of the legal basis, must be taken into account during all data processing
to the data controller - as it is in the case of customers who have obviously reached the age of 18
handled and recorded data not relevant to the purposes of data management
in its system [see: paragraph (169) of the justification of the Decision].
(13) The general data protection regulation during the sales process of alcoholic beverages
Based on the definition of Article 4, point 2, both to prove age
inspection of a suitable identity card, both suitable for proof of age
date of birth read from the ID or date of birth provided by the customer
entering it into the cash register system, recording it and keeping it in its log files for 180 days
its storage can be considered a data management operation. Over-view operations in general
however, its mandatory provision was not absolutely necessary for the purpose that those concerned
Must establish the age of 18. The Obligor thereby violated the
contained in Article 5 (1) point c) of the General Data Protection Regulation
the principle of data saving, because there is a suitable one to achieve the goal, however, the affected parties
a method that is less harmful for him and involves fewer data management operations, so a
processing of personal data was not limited to the necessary extent [see: the Decision
paragraph (174) of its justification].
(14) Contained in paragraphs (1) and (4) of Article 32 of the General Data Protection Regulation
data security requirements are violated by the fact that the Obligor's stores, as well as
the stakeholders did not develop appropriate measures within some stores
to protect your personal data; the procedure prescribed by the Obligor was not applied;
as well as certain stakeholders in the case of the purchase of alcoholic beverages, the cashiers
at his express request, he had to announce his birth clearly for others as well
their date [see: paragraph (181) of the reasoning of the Decision].
(15) Due to the violations established in point 1 of the Resolution, the Authority shall amend Resolution 2.
in point obliged the Obligor to
a) aimed at verifying age in the case of purchasing alcoholic beverages
its data management practices are brought into line with the general data protection regulation
with its provisions, as well as Fgytv. 16/A. with paragraphs (1) and (4) of § 5
only when in doubt check the age of the buyers and during
do not record data at the log file level either, and change the relevant
data management information;
b) display the data processing carried out there in each store
according to Article 13 of the General Data Protection Regulation
its effective data management information for those concerned
in a clearly visible place, in an easily accessible form.
(16) Based on the violations established in point 1 of the Decision, the Authority, the data management
due to its illegality, in point 3 of the Decision, the Obligee was ex officio obliged to a
HUF 95,000,000 within 30 days of the decision becoming final, i.e.
to pay a HUF ninety-five million data protection fine.
(17) The Authority, in point 4 of the Decision, Infotv. On the basis of point a) of paragraph (2) of § 61
ex officio ordered the identification data of the Obligor in its final Decision
publicizing it by publishing it on the website of the Authority, and a
On the opening page of the mandatory website, in a clearly visible and easily accessible place, a
Within 30 days of the decision becoming final, and it should be available there at least
for 30 days.
(18) On April 26, 2023, the Obligor paid the Authority the amount of Decision 3.
HUF 95,000,000 data protection fine imposed in point [see: NAIH-3227-4/2023
document with case number].
(19) Obligor in his statement received by the Authority on April 28, 2023 (NAIH-3227-
declaration with case number 5/2023) submitted that he modified his practice, a
"On April 14, 2023, the person requesting to enter the age was deleted from the cash register software
software element". In his statement, the obligee also informed the Authority that
that the data processing carried out in stores has been modified and published
data management information on activities.
(20) In the action addressed to the Metropolitan Court, the Obligor (as plaintiff) the Decision
He requested the annulment of points 1, 3 and 4.
(21) In its judgment (case number NAIH-3932-1/2024), the Capital Court referred to Decision 3.
point, and the Authority (as a defendant) for a new procedure in this round
obliged. In addition to this, the Capital Court rejected the claim.
(22) According to paragraph [41] of the Justification of the Judgment, “[…] the court established that it is
the defendant's decision regarding the preservation of the date of birth in the diary file a
the legal basis of the violations established in point 1 of the provision, as well as the
regarding the provision imposing a fine of HUF 95,000,000 on the plaintiff (point 3)
illegal. In relation to point 3, the decision was made by Kp. Section 89, subsection (1) b)
annulled it by applying point 1 and sent the defendant to a new procedure in this round
obliged. In relation to the data management implemented with insight and input a
the plaintiff did not dispute points 1 a) and c)-f) of the operative part of the decision, thus
in this part, the court did not affect the decision, and the court referred to point 1 b)
the legal basis of the infringement established in accordance with sub-section, as well as the decision to the public
with regard to point 4 ordering the filing of the claim, the Kp. Section 88, paragraph (1), point a).
rejected based on Taking into account all of this, point 1 of the decision
annulment was not justified because the defendant is the plaintiff
evaluated its data management as a unit and established a violation, and with the insight
and in relation to data management implemented by input, 6 contained in point 1
a violation of provisions exists regardless of whether with respect to preservation
the same findings were not legal.".
(23) Based on paragraph [42] of the Justification of the Judgment, "In the repeated procedure,
the defendant must make his decision taking into account that the plaintiff a
did not commit during the preservation of the date of birth in the log file
infringement. Again, you have to decide whether it is implemented with insight or input
applicable due to violations established in connection with data management
on legal consequences, with the fact that in the event of a fine, the amount of the violation
it must be defined taking into account the narrower range of its scope; in the log file
circumstances related to preservation should not be taken into account during the consideration and
cannot be evaluated as an aggravating circumstance with the mandatory age verification (insight,
entry) the longer period of the violation established in connection. The amount of the fine
therefore, ignoring all these circumstances, it should be more proportionate.".
(24) In view of the above [see: paragraphs (1) – (23) of the reasons for this decision] – the
With the exception of point 3 of the Decision - the rest of the Decision became final.
II. Repeated data protection official procedure
(25) Based on the Judgment, the data protection authority repeated on December 7, 2023
proceedings have been initiated.
(26) Neither the Authority nor the Obligor submitted any objections to the Judgment
request for revision (see file number NAIH-3932-2/2024).
(27) The Art. Officially known by the authority and public knowledge based on Section 62 (3).
facts do not need to be proven. In view of this, in the case number NAIH-3227/2023, as well as the
Document material created under case number NAIH-6989/2022 was officially approved by the Authority
is considered a known fact.
(28) In the order of the Authority, case number NAIH-3932-3/2024, sent through Cégkapu
notified the Obligee about the repeated data protection official procedure; as well as
informed the Obligor that, within the scope determined by the Judgment, the repeated
can make a statement in the subject of official data protection proceedings. The Authority's order was issued by
Mandatory Downloaded on March 5, 2024.
(29) Mandatory declaration for order number NAIH-3932-3/2024 March 11, 2024.
was received by the Authority in e-Paper (case number NAIH-3932-4/2024
statement). In his statement, the Obligor submitted that case number NAIH-3932-3/2024
in accordance with the provisions of the order, the Obligor did not submit a review request either
against the Judgment, "for his part, he also sees that the case can be definitively closed as soon as possible
kept in front of”. Based on the contents of the declaration, the Obligee "the main case is administrative and
in the court stage, he presented the statements that the Fővárosi
The Tribunal took into account, still unchanged, when reaching the Judgment
maintains".
(30) In its statement with case number NAIH-3932-4/2024, the Obligor requested that the present
a decision to be made in a repeated data protection official procedure a
The Authority shall form it in accordance with the provisions of the Justification of the Judgment (see: the Judgment
Paragraphs [41] and [42] of his reasoning). The Obligor also requested that a
Authority “when determining the amount of the fine, please take into account that
since according to the Judgment, keeping the date of birth in a diary file does not qualify
of data management, the duration of illegal behavior is also a fraction of the originally 7
established". The obligee also requested that the Authority from the reasons for the decision
omit the "exact sum indication" of the Obligor's annual transaction number.
(31) During this repeated data protection official procedure, the Authority in the Judgment
he did not conduct a new evidentiary procedure beyond those specified, as well as new evidence
were not used either.
III. Applied legal sources
(32) Based on Article 2 (1) of the General Data Protection Regulation according to the present case
the general data protection regulation shall be applied to data management.
(33) On the basis of Article 4, point 1 of the General Data Protection Regulation, personal data is identified
or any information relating to an identifiable natural person (“data subject”);
the natural person who directly or indirectly, in particular, can be identified
an identifier such as a name, number, location data, online identifier or a
physical, physiological, genetic, intellectual, economic, cultural or natural person
can be identified based on one or more factors related to his social identity.
(34) Based on Article 4, point 2 of the General Data Protection Regulation, data management is personal
conducted on data or data files in an automated or non-automated manner
any operation or set of operations, such as collecting, recording, organizing,
segmentation, storage, transformation or change, query, insight, use,
communication by means of transmission, distribution or otherwise making it available,
alignment or linking, restriction, deletion or destruction.
(35) According to Article 4, point 7 of the General Data Protection Regulation, a data controller is a natural person
or legal person, public authority, agency or any other body that a
purposes and means of processing personal data independently or together with others
defines; if the purposes and means of data management are EU or member state law
determine, the data controller or the particulars regarding the designation of the data controller
aspects can also be determined by EU or member state law.
(36) Pursuant to Article 31 of the General Data Protection Regulation, the data controller and
data processor, as well as - if any - the data manager or the data processor
during the execution of the tasks of its representative with the supervisory authority - its inquiry
based on - cooperates.
(37) Pursuant to Article 58, Paragraphs (1) – (2) of the General Data Protection Regulation:
"(1) The supervisory authority, acting in its investigative capacity:
a) instructs the data manager and the data processor, or, where applicable, the data manager
or the representative of the data processor to perform its tasks
provides necessary information;
b) conducts investigations in the form of data protection audits;
c) perform the certificates issued in accordance with Article 42 (7).
review;
d) notifies the data manager or the data processor assumed by this regulation
of violation;
e) receives access to its tasks from the data controller or data processor
for all personal data and all information necessary for its performance; and
f) the data controller is given access in accordance with EU or member state procedural law
or to any premises of the data processor, including all data processing
used equipment and tools. 8
(2) Acting within the supervisory authority's corrective powers:
a) warns the data manager or the data processor that some planned
its data management activities are likely to violate the provisions of this regulation;
b) condemns the data manager or the data processor if its data management activities
violated the provisions of this regulation;
c) instructs the data controller or the data processor to fulfill e
your request regarding the exercise of your rights according to the regulation;
d) instructs the data manager or the data processor that its data management operations - given
in a specified manner and within a specified time - harmonize e
with the provisions of the decree;
e) instructs the data controller to inform the data subject about the data protection incident;
f) temporarily or permanently restricts data management, including data management
also its prohibition;
g) in accordance with Articles 16, 17 and 18, orders the personal
correcting or deleting data, or restricting data management, as well as a
In accordance with Article 17, paragraph (2) and Article 19, it is ordered by the addressees
notification of this to whom or to whom the personal data has been disclosed;
h) revokes the certificate or instructs the certification body to comply with Articles 42 and 43
to revoke a properly issued certificate, or is instructed by the certifier
organization not to issue the certificate if the conditions for certification are no longer met
are not fulfilled;
i) imposes an administrative fine in accordance with Article 83, the given case
depending on your circumstances, you are beyond the measures mentioned in this paragraph
instead of them; and
j) orders directed to a recipient in a third country or an international organization
suspension of data flow."
(38) Pursuant to Article 83 (1) – (5) of the General Data Protection Regulation:
"(1) All supervisory authorities ensure that (4), (5), (6) of this decree
due to the violation referred to in paragraph 1, the administrative penalty imposed under this article
fines should be effective, proportionate and dissuasive in each case.
(2) The administrative fines, depending on the circumstances of the given case, are subject to Article 58 (2)
in addition to or instead of the measures mentioned in points a)-h) and j) of paragraph
impose. When deciding whether it is necessary to impose an administrative fine,
and when determining the amount of the administrative fine in each case
due consideration shall be given to:
a) the nature, severity and duration of the infringement, taking into account the one in question
the nature, scope or purpose of data management, as well as the number of data subjects whom the
affected by the infringement, as well as the extent of the damage suffered by them;
b) the intentional or negligent nature of the infringement;
c) damage suffered by data subjects on the part of the data controller or data processor
any measures taken to mitigate;
d) the degree of responsibility of the data manager or data processor, taking into account the
technical and organizational measures undertaken by him on the basis of Articles 25 and 32
measures;
e) relevant violations previously committed by the data controller or data processor;
f) remedying the violation with the supervisory authority and the possible negative nature of the violation
extent of cooperation to mitigate its effects;
g) categories of personal data affected by the infringement;
h) the manner in which the supervisory authority became aware of the violation is special
taking into account whether the data manager or the data processor announced the
infringement and, if so, in what detail; 9
i) if against the concerned data controller or data processor earlier - in the same
in the subject - the measures referred to in Article 58 (2) were ordered
one of them, compliance with the measures in question;
j) whether the data manager or the data processor has complied with Article 40
to approved codes of conduct or approved certification under Article 42
for mechanisms; as well as
k) other aggravating or mitigating factors relevant to the circumstances of the case
factors, such as acquired as a direct or indirect consequence of the infringement
financial gain or avoided loss.
(3) If a data manager or data processor is the same data management operation
with respect to related data management operations - you are intentional
due to negligence - violates several provisions of this regulation, the full amount of the fine
may not exceed the amount determined in the case of the most serious violation.
(4) Violation of the following provisions - in accordance with paragraph (2) - at most
with an administrative fine of EUR 10,000,000, or in the case of businesses
with an amount of no more than 2% of the total annual world market turnover of the previous financial year
vulnerable; of the two, the higher amount must be imposed:
a) in terms of the data manager and the data processor, Articles 8, 11, 25-39, 42 and 43
obligations defined in Article;
b) as defined in Articles 42 and 43 with regard to the certification body
obligations;
c) as defined in Article 41, Paragraph 4, with regard to the control organization
liabilities;
(5) Violation of the following provisions - in accordance with paragraph (2) - at most
with an administrative fine of EUR 20,000,000, or in the case of businesses
with an amount not exceeding 4% of the total annual world market turnover of the previous financial year
should be punished, with the higher amount of the two being imposed:
a) the principles of data management - including the conditions of consent - of Articles 5, 6, 7 and 9
properly;
b) the rights of the data subjects 12-22. in accordance with Article;
c) third country recipient or international organization for personal data
44-49. in accordance with Article;
d) IX. obligations according to the law of the Member States adopted on the basis of chapter;
e) the instruction of the supervisory authority according to Article 58 (2), or
temporary or permanent limitation of data processing or data flow
non-compliance with its suspension notice or Article 58 (1)
failure to provide access in violation of paragraph
(39) Infotv. Pursuant to Section 2 (2) of the General Data Protection Regulation, there
shall be applied with the additions contained in the specified provisions. It's common
data processing not covered by Article 2 (1) of the Data Protection Regulation
regarding Infotv. With regard to paragraph (4) of § 2: "Personal data referred to in (2)
and (3) for treatment not covered by paragraph
a) in Article 4, II-VI, and VIII-IX of the general data protection regulation. chapter,
as well as
b) Sections III-V of this Act. and VI/A. In its chapter, in addition to § 3., 3., 4., 6., 11., 12., 13., 16.,
17., 21., 23–24. point, paragraph (5) of § 4, § 5 (3)–(5), (7) and (8)
paragraph, paragraph (2) of § 13, § 23, § 25, § 25/G. § (3),
in paragraphs (4) and (6), 25/H. in paragraph (2) of § 25/M. § (2),
the 25/N. § 51/A. (1) of § § 52–54. §, § 55 (1) and (2)
in paragraph 56–60. in §, 60/A. (1)–(3) and (6) of § § 61 (1)
in points a) and c) of paragraph 61, paragraphs (2) and (3) of § 61, paragraph (4) b) 10
and paragraphs (6)–(10), and 61/A–61/D. § 62-71. §-in,
in Section 72, Sections (1)–(5) of Section 75 and Section 75/A. § and in Annex 1
certain provisions shall apply."
(40) Infotv. Based on paragraphs (2) – (2a) of § 38:
"(2) The Authority's task is to protect personal data, as well as the public interest and
control of the enforcement of the right to access public data in the public interest
and promotion, as well as the free flow of personal data within the European Union
facilitating.
(2a) Established for the supervisory authority in the general data protection regulation
tasks and powers of legal entities under the jurisdiction of Hungary
as defined in the general data protection regulation and this law
is exercised by the Authority."
(41) Infotv. According to § 60, paragraph (1), the right to the protection of personal data
in order to enforce it, the Authority, at the request of the person concerned, data protection
initiates official proceedings and can initiate official data protection proceedings ex officio. The
for official data protection procedure, Art. rules must be applied in Infotv
with specified additions and according to the general data protection regulation
with differences.
(42) Infotv. 60/A. § (1) in the official data protection procedure
administrative deadline of one hundred and fifty days, which does not include the facts
from the invitation to provide the data necessary for its clarification until its fulfillment
spreading time. The Akr. Pursuant to § 103, paragraph (3), in ex officio proceedings, the
only the duration of the suspension of the procedure is not included in the administrative deadline. The
for the application of procedural deadlines, in other § 52 shall be applied.
(43) Infotv. Based on § 61, paragraph (1):
"(1) In the decision made in the official data protection procedure, the Authority
a) with the data management operations specified in paragraphs (2) and (4) of § 2
in connection with the general data protection regulation
may apply legal consequences, especially upon request or ex officio
may order unlawfully processed personal data in the manner determined by it
to be executed, or temporarily or permanently in other ways
can limit data processing,
b) with the data management operations defined in § 2, paragraph (3).
in context
ba) can establish the fact of unlawful processing of personal data,
bb) can order the correction of personal data that does not correspond to reality,
bc) may order the blocking or deletion of unlawfully processed personal data or
destruction,
bd) may prohibit the unlawful handling of personal data,
be) may prohibit the transmission or transfer of personal data abroad,
bf) may order the information of the data subject, if the data controller does so unlawfully
omitted or denied, and
bg) can impose fines,
c) defined in Article 41 (1) of the General Data Protection Regulation
general data protection against an organization performing control activities
legal consequences defined in Article 41 (5) of the Decree
can apply." 11
(44) Infotv. According to § 61, paragraph (2):
"(2) The Authority may order in its decision - the data controller or the data processor
disclosure by publishing your identification data, if
a) the decision affects a wide range of persons,
b) it was brought in connection with the activities of a body performing a public task, or
c) the severity of the infringement justifies disclosure."
(45) Infotv. Warning in the Authority's procedure based on Section 61 (3).
its application is excluded if the Authority imposes a fine based on the regulations applicable to its consideration
establishes the necessity of its imposition.
(46) Infotv. Pursuant to § 61, paragraph (7), the implementation of the Authority's decision is a
included in a decision, to carry out a specific act, defined
in relation to an obligation to conduct, tolerate or cease a
It is undertaken by an authority. In case of a final or administrative lawsuit, the Authority a
illegal as determined in a final decision by an administrative court
data affected by data management - the court, prosecutor's office or other authority is different
in the absence of this provision - these data cannot be deleted or destroyed
in the case of criminal proceedings or other official or judicial proceedings, the criminal proceedings
from the start date of the criminal proceedings or with a final decision of the court
until its completion by a non-final order, or by the prosecution
or the investigative authority terminates proceedings that cannot be challenged with further legal remedies
until its decision is made, and in the case of other official or judicial proceedings, this
from the start date until the final or legally binding end.
(47) Infotv. On the basis of § 71, paragraph (1), during the Authority's procedure - the
to the extent and for the time necessary to conduct it - you can manage it all personally
data, as well as secrets protected by law and secrets bound to the exercise of a profession
qualified data that are related to the procedure and that are managed
necessary for the successful completion of the procedure.
(48) Infotv. According to § 71, paragraph (2), the Authority shall act lawfully during its procedures
obtained document, data or other means of proof in other proceedings
you can use it.
(49) The Art. Based on Section 5 (1), the client can make a statement at any time during the procedure,
you can comment.
(50) The Art. Based on § 6, all participants in the procedure are obliged to act in good faith and
to cooperate with other participants. No one's behavior can be directed by the authorities
to deceive or to unjustifiably delay decision-making or execution.
The good faith of the client and other participants in the procedure must be assumed in the procedure.
The authority bears the burden of proving bad faith.
(51) The Art. Based on paragraphs (1) - (2) of § 13, if the law does not require that the customer is personal
proceedings, instead of his legal representative, or by him or his legal representative
a person authorized by, and the client and his representative can also act together. Yogi
the procedure of a person's legal representative is considered a personal procedure.
(52) The Art. On the basis of § 14, the authorized representative has the right to represent - if it is a
disposal register does not include - must certify. The power of attorney
must be included in a public document or a private document with full evidential force or in a protocol
must be said. If nothing else appears from the power of attorney, it is covered by procedure 12
for all related statements and actions. If the right of representation
due to revocation, termination or the death of the client or authorized representative
ceases, the termination of reporting to the authority against the authority, a
it is effective against other customers from the moment it is communicated to them.
(53) The Art. 27, the authority is the client and other participants in the procedure
natural personal identification data and the type of business necessary for identification
personal data specified in the regulatory law, and - if the law
does not provide otherwise - essential for the successful conduct of the procedure
processes other personal data as necessary. The authority ensures that the law
secret protected by and other data protected by law (hereinafter together: protected data)
should not be made public, should not come to the knowledge of an unauthorized person, and is protected
the protection of data defined by law must also be ensured in the procedure of the authority.
The authority in the course of its procedure to conduct it - defined by law
manner and scope – manages the protected data that are related to its procedure,
and the handling of which is necessary for the successful completion of the procedure.
(54) The Art. Based on § 33, paragraph (1), the client at any stage of the procedure and its
you can consult the document created during the procedure even after its completion.
(55) The Art. On the basis of § 33, paragraph (4), during the inspection of the documents, the copy entitled to it,
you can prepare an extract or - against the reimbursement of costs specified in a government decree
- you can request a copy, which the authority will certify upon request.
(56) The Art. Pursuant to § 34, it is not possible to inspect the draft decision. Unrecognizable
and the document or a part of the document from which a conclusion can be drawn
to protected data or to personal data that can be known by law
specified conditions are not met, unless the data - not including the classified
data - the lack of knowledge of it would prevent the person entitled to inspect the document from e
in the exercise of his rights guaranteed by law. Based on the request, the authority is
provides access to documents - even after the end of the procedure - or in an order
rejects.
(57) The Art. According to § 62, paragraph (3), it is officially known by the authority and is public knowledge
facts do not need to be proven.
(58) The Art. Based on the provisions of paragraphs (1) - (2) of § 77, the person whose obligation
violates it through his own fault, the authority obliges him to reimburse the additional costs caused,
and may be subject to procedural fines. The minimum amount of the procedural fine in each case
ten thousand forints, the maximum amount - unless the law provides otherwise -
five hundred thousand HUF in the case of a natural person, legal entity or other organization
one million forints.
(59) The Art. On the basis of § 103, paragraph (1), in ex officio proceedings, the Ákr. upon request
the provisions relating to initiated procedures in the Acr. VII. with the deviations included in chapter
must be applied.
(60) The Art. On the basis of § 104, paragraph (1) point b), the authority in its area of competence
initiates the procedure ex officio if ordered to do so by a court.
(61) The Fgytv. 16/A. § (1) is prohibited under the age of eighteen
for a person - with the exception of medicines that can only be issued on medical prescription -
to sell or serve alcoholic beverages. 13
(62) The Fgytv. 16/A. According to paragraph (4) of § defined in paragraphs (1)–(3).
in order to enforce the restriction, the company or its representative in case of doubt
invites the consumer to provide creditable proof of age. Age is appropriate
in the absence of proof, the sale or service of the product must be refused.
ARC. Judgment
(63) In its judgement, the Metropolitan Court of Appeal considered point 3 of the Decision
Act I of 2017 on the Code of Procedure (hereinafter: Law) § 89 (1) paragraph b)
annulled it on the basis of point and obliged the Authority to proceed with a new procedure in this regard. This
moreover, the Metropolitan Court rejected the claim.
(64) The Metropolitan Court explained in paragraph [27] of the Justification of the Judgment that the
"the court found that after the purchase, in the given cash register, the entry
as a result of a keystroke in the form of a string of numbers in the format "NNHHYYYYYY".
a recorded and stored date of birth was not considered personal data because the data subject
identification was no longer possible. The date of birth is all in this form
together with keystrokes, any other data that can be associated with the data subject
without, it was stored solely for the purpose of troubleshooting and not for the identification of the data subject.
The number line of the date of birth recorded by keystroke during storage is not the customer,
as a natural person, but made it possible to identify the purchase [...] From all this
therefore, the preservation of the date of birth in the log file for 180 days was not implemented
and data management".
(65) Pursuant to paragraph [42] of the Justification of the Judgment, this repeated data protection
in an official procedure, the Authority must make its decision taking into account that
the Obligor "did not commit in the field of keeping the date of birth in the diary file
infringement".
(66) In its judgment, the Metropolitan Court also emphasized that (see: the Judgment
Paragraph [41] of its justification), that the annulment of point 1 of the Decision is for that reason
was not justified, because in that the Authority handled the Obligor's data as a unit
evaluated and established a violation; and realized with insight and input
with regard to data management, the provisions contained in point 1 of the Decision
its violation exists regardless of whether the same with regard to preservation
findings, according to the Metropolitan Court, "were not legal".
(67) Pursuant to the above [see paragraphs (63) – (66) of the reasons for this decision]
therefore, in view of all the circumstances of the case, the Metropolitan Court in its Judgment so
decided that, contrary to the provisions of the Decision, "the date of birth in the diary file
By keeping it for 180 days, the Obligee did not carry out data management".
V. Legal Consequences
V.1. Data protection fine
(68) Pursuant to paragraph [42] of the Justification of the Judgment, the Authority should "Repeatedly decide
is required in connection with the data management implemented with insight or input
on the legal consequence applicable due to established violations, with the fact that
in the case of imposing a fine, its amount is a narrower scope of the scope of the violation
must be determined taking into account; related to retention in the log file
circumstances should not be taken into account during the consideration and cannot be assessed as aggravating
as a circumstance in connection with the mandatory age verification (inspection, entry) 14
a longer period of established infringement. The amount of the fine is therefore all this
disregarding circumstances, it should be proportionally less.".
(69) The Authority pursuant to Article 58(2)(i) and Article 83 of the General Data Protection Regulation
(2) also imposes a data protection fine instead of or in addition to the other measures
can impose.
(70) In the matter of whether, in this repeated data protection official procedure, it is justified
e the imposition of a data protection fine, the Authority has discretion based on the law
decided acting in his authority, taking into account Infotv. § 61. Paragraph (1) point a), that is
Infotv. 75/A. §, as well as Article 83 (2) of the General Data Protection Regulation
and Article 58 (2) of the General Data Protection Regulation. The Authority considered it
all the circumstances of the case, paying special attention to the provisions of the Judgment and
established that in the present repeated data protection official procedure a
warning and conviction are neither proportionate nor dissuasive in themselves
would be a sanction, therefore the imposition of the fine is necessary in view of the Obligee's market
situation, the general and national nature of the practice it introduced and the significant
to the person concerned. In this case, the protection of personal data - which is the Authority
task - no, based on the totality of the fine imposition circumstances detailed below
is available without imposing a data protection fine. The imposition of fines is both special and
it also serves general prevention, according to which the decision not only
On the Authority's website, but on the opening page of the Obligor's website, clearly and easily
is also published in an accessible place.
(71) When determining the amount of the fine, the Authority took into account, above all,
that the Metropolitan Court decided in its Judgment that “the date of birth
keeping it in a log file for 180 days did not implement data management" (see: az
Paragraph [27] of the Justification of the Judgment); the Obligee “the date of birth in the log file
he did not commit a violation of the law during the preservation of the
paragraph [42]). However, the Authority cannot dispense with the fact that in the Decision
established additional, fundamental violations of the general data protection regulation
Belonging to the category of fines with a higher amount according to Article 83, paragraph (5), point a).
are considered violations of the law, based on this the maximum fine that can be imposed is EUR 20,000,000,
and in the case of enterprises, the total annual world market turnover of the previous financial year
an amount of up to 4%, the higher of the two must be imposed.
(72) When determining the amount of the fine (95,000,000 HUF) imposed by the Authority in the Decision
took into account the data for 2021, on the basis of which the Obligor's sales
its net sales revenue in 2021 was HUF 315,282,601,000. At the same time, the Authority also
took into account that, in comparison, the taxable profit of the Obligor is HUF 8,504,878,000
was this year [see paragraph (184) of the Decision's justification].
(73) During the determination of the fine in this repeated data protection official procedure
in view of the period of existence of the violations, the Authority is the Obliger's 2021
business year taken into account.
(74) Based on the 2021 data, it must be taken into account by the Authority
Based on HUF 315,282,601,000, the legal maximum of the fine is
in the case HUF 12,611,304,040. Compared to this, the HUF 80,000,000 included in this decision
HUF data protection fine 0.025% of the net sales of the debtor's sales, i.e
significantly below the maximum fine amount. 15
(75) When determining the amount of the data protection fine, the Authority uses the following mitigating factor
circumstances were taken into account:
- September 2022 employees employed as a mandatory store salesperson
From day 1, customers will only be called in case of doubt about their age loan
proof of eligibility in case of purchase of alcoholic beverages; what the Judgment
Paragraph [39] of its justification also contains [Article 83 of the General Data Protection Regulation
(2) point a)];
- The violation affected a narrow range of categories of personal data of the persons concerned, a
recording was limited to the customers' date of birth [General Data Protection Regulation
Article 83(2)(g)];
- The Authority assessed that the primary purpose of the measure introduced by the Obliger
protection of persons under the age of eighteen (which the Judgment
Paragraph [35] of its justification is also confirmed), the consumer protection law
compliance with the regulations as fully as possible, there was no question about that
information that the other was aimed at obtaining an unlawful advantage [general
Article 83 (2) point k) of the Data Protection Regulation].
(76) When determining the amount of the data protection fine, the Authority takes into account the Judgment
Also for paragraph [42] of his reasoning - he took the following aggravating circumstances
taking into account:
- Obliged - on the basis of paragraph [39] of the Justification of the Judgment, which is not contested by him -
committed several legal violations and violated other fundamental provisions, therefore the Authority
considered the nature of the violations to be of medium seriousness, to which it belongs
evaluation based on paragraph [39] of the Reasoning of the Judgment not even like that
it is unreasonable that the Obligor's practice of keeping it in the log file is "no
was unlawful" [General Data Protection Regulation Article 83 (2) point a)];
- The number of those involved was significant, as stated in the Justification of the Judgment [33]
also confirmed [Article 83 (2) of the General Data Protection Regulation
point a)];
- The violations existed at the national level [see: (38) and
Paragraphs (120)], were not ad hoc in that August 4, 2022 and
In the period between August 31, 2022, the Obligor prescribed it in a general manner
for the age of each person intending to buy alcoholic beverages
mandatory inspection; as well as paragraphs [33] and [38] of the Justification of the Judgment
confirmed [General Data Protection Regulation Article 83 (2) point a)];
- Data management operations are opaque for a longer period of time to those concerned
were due to the fact that the information on data management was not easily accessible,
incomplete information was provided to those concerned in several aspects; this is it
Paragraph [32] of the Justification of the judgment also confirmed [general data protection
Regulation Article 83 (2) point a)];
- As a result of the data management, certain data subjects who have reached the age of 18 are Obliged
hindered in their right to contract (see: case number NAIH-6989-5/2022
minutes page 6; minutes of case number NAIH-6989-6/2022, page 6); what it is
Paragraph [37] of the Justification of the judgment also confirms [general data protection decree
Article 83(2)(a)];
- Based on several reports received against the Obligor, the Authority detected a
The probability of the unlawful nature of the mandatory data management practices, which
resulted in the ex officio proceeding under case number NAIH-6989/2022; this Judgment 16
It was also confirmed by paragraph [34] of its justification [general data protection decree 83.
Article (2) point h)].
(77) When determining the amount of the data protection fine, the following circumstances – a
As stated in paragraph (187) of the justification of the decision - the fine
their extent was neither aggravated nor alleviated, they had a neutral effect:
- After completing the proof procedure, the obligee put it on his website
Effective from January 17, 2023, the investigated data management operations and
fully describing the recipients - however, the mandatory age check
is still unclear regarding - modified data management
information, however, the date of the committed violation (August 4, 2022 -
31.), it is no longer possible to assess the mitigation of the damage
of a measure taken in order to [general data protection regulation Article 83 (2)
point c)];
- Mandatory after completion of the proof procedure on January 16 and 17, 2023
in the context of personal education, the revised data protection was introduced in the meantime
documents with the regional managers, who were then given the task of
to be replaced in all stores by January 31, 2023 at the latest
data protection documents, however, the date of the breach (2022)
in view of the period that has passed since August 4 - 31), the mitigating factor can no longer be evaluated
as circumstances [General Data Protection Regulation Article 83 (2) point c];
- To establish a data protection violation by the Obligor, the general data protection
due to violation of the regulation, it has already taken place twice, however, these
infringements were evaluated by the Authority in this official data protection procedure
did not consider it relevant in terms of data management [NAIH-987/2021
case number (previous case number: NAIH/2020/8690) and case number NAIH-1044/2021
(previous case number: NAIH/2020/2255) data protection investigation procedure] [general
Article 83 (2) point (e) of the Data Protection Regulation];
- The Obligee cooperated with the Authority during the procedure, but this is a matter for the judge
practice and legal obligation based on the practice of the Authority, its absence
could be an aggravating circumstance. This is also stated in paragraph [36] of the Justification of the Judgment
confirmed [General Data Protection Regulation Article 83 (2) point f)].
(78) The Authority, when determining the amount of the data protection fine, in the Decision
originally 4 relievers; It took into account 6 aggravating and 4 neutral circumstances [see:
paragraphs (185) – (187) of the justification of the Decision]. Reasoning for Judgment [42]
Pursuant to paragraph
no longer evaluated the longer duration of the infringement as an aggravating circumstance (which
The justification for the decision was found in the 3rd indent of paragraph (186).
in addition to the additional circumstances according to which the violations are on a national level
existed, they were not random). Paragraph [42] of the Justification of the Judgment stated
also that the Authority is “related to the preservation in the log file
circumstances should not be taken into account during the consideration". In view of this, however, the
during this repeated data protection authority procedure, the Authority is the data protection fine
when determining its extent, it no longer took into account as a mitigating circumstance the
It was evaluated in the 2nd indent of paragraph (185) of the justification of the decision
circumstance on the basis of which, according to the Obligor's statement, the personal data
in relation to the log files containing the protection measures proportionate to the risks
applied [general data protection regulation Article 83 (2) point d)]. 17
(79) Considering paragraphs [30], [31] and [42] of the Justification of the Judgment, the Authority
during the imposition of a fine in a repeated data protection official procedure a
the amount of the fine, taking into account the narrower range of the scope of the violation
determined; circumstances related to retention in the log file a
did not take it into account during consideration; and did not assess it as an aggravating circumstance
in connection with the mandatory age verification (inspection, input).
a longer period of established infringement. However, the Authority cannot waive it
from the fact that the Obligor - based on paragraph [39] of the Reasoning of the Judgment, neither by him
disputed - committed several violations; violated several fundamental provisions; furthermore
the number of those affected was significant; and the violations existed at the national level,
they were not random.
(80) The above [see: paragraphs (68) – (79) of the reasons for this decision] and the case
based on all its circumstances, the Authority originally considered 6 in the Decision
due to aggravating circumstances during the present repeated data protection official procedure 1
circumstance (longer duration of the violation) was no longer assessed as aggravating
as a circumstance, so - even though not every violation can be of the same weight
consider - the fine originally imposed by the Authority in the Decision (HUF 95,000,000)
reducing its amount by roughly 1/6 (HUF 15,000,000) and
thus decided to impose a data protection fine of HUF 80,000,000 in total. The present
the amount of the data protection fine imposed in the decision - the Reasoning of the Judgment [42]
taking into account the provisions of paragraph - it became proportionately less than a
Fine originally imposed in a decision.
(81) Based on the above and all the circumstances of the case, the Authority is the deciding party
considered the imposition of a data protection fine in the amount of proportional and dissuasive
effective both in terms of special and general prevention, which
amount is still significantly below the maximum fine; at the same time a
is proportional to the severity of violations, it is the sales data for 2021
in comparison, it cannot represent a disproportionate financial burden for the Obligor.
In other cases, this amount may be significantly different based on individual circumstances,
does not bind the Authority in other matters.
(82) On April 26, 2023, the obligee paid to the Authority in point 3 of the Decision
imposed a HUF 95,000,000 data protection fine [see: file number NAIH-3227-4/2023].
In view of this, the Authority acts ex officio in the Decision and in this decision
payment of the difference in the data protection fine to the Obligor
repayment.
(83) In view of the period of existence of the violations, as well as the fact that the Authority has a
When making a decision, you did not have to apply the European Data Protection Act
Administrative fines for the board according to the general data protection regulation
04/2022 on its calculation. guidelines no. (hereinafter: Guidelines), thus
the Authority also omits it during the current repeated data protection official procedure
the use of reserved items. At the same time, the Authority notes that the Guidelines
if applied in the present case, the amount of the data protection fine is significant
would exceed the amount of the fine contained in both the Decision and this Decision.
V.2. Publication of the decision
(84) Pursuant to paragraph [42] of the Reasoning of the Judgment, the Authority "Repeatedly decides
is necessary in connection with the data management implemented with insight or input
on the legal consequence applicable due to established violations". 18
(85) Infotv. Pursuant to § 61, paragraph (2): "The Authority may order in its decision - that
by publishing the identification data of the data manager or the data processor -
disclosure if
a) the decision affects a wide range of persons,
b) it was brought in connection with the activities of a body performing a public task, or
c) the seriousness of the infringement justifies disclosure."
(86) In point 4 of the Decision, the Authority referred to Infotv. On the basis of point a) of paragraph (2) of § 61
ex officio ordered the identification data of the Obligor in its final Decision
publicizing it by publishing it on the website of the Authority, and a
On the opening page of the mandatory website, in a clearly visible and easily accessible place, a
It must be available at least within 30 days of the decision becoming final
for 30 days.
(87) Based on the provisions of paragraph [40] of the Justification of the Judgment, the final Decision –
Obligatory and on the website of the Authority
in connection with its order, the Capital Court established that the Authority e
specifically provided by Infotv. It was founded on point a) of paragraph (2) of § 61, which
was clearly stated in point 4 of the operative part of the Decision and the Decision
also in paragraph (194) of its justification. The Authority is the disclosure
not by the weight of the infringement, but by the fact that the Decision
affected a wide range of people. With attention to the fact that the Obligor a
objectionable data management practices on a general basis, nationally, for all stores
comprehensively ordered, i.e. the challenged practice during the investigation period, all
he ordered it to be used in the case of a person buying an alcoholic drink, without a doubt
it can be established that the Decision affected a wide range of persons. In itself e
due to circumstances, the Authority is Infotv. could order it on the basis of point a) of paragraph (2) of § 61
publication of the Decision.
(88) On the basis of the above, the Metropolitan Court made the Decision public
with regard to point 4 of the order, the Obligor's claim is submitted to Kp. Section 88, paragraph (1), point a).
rejected based on (see paragraph [41] of the Justification of the Judgment).
(89) Considering that the Obligor - based on paragraph [39] of the Justification of the Judgment
not even disputed by him - he committed several violations of law, several principled provisions as well
violated, the Authority considered the nature of the violations to be moderately serious, which
its assessment as such was not even based on paragraph [39] of the Justification of the Judgment
it is unreasonable that the Obligor's practice of keeping it in the log file "was not
illegal". The number of people involved was significant, the violations are all the Obliger
they existed on a national level covering his business and were not of an ad hoc nature, and a
a wide range of natural persons were affected.
(90) Since the decision made in this repeated data protection official procedure
is closely related to the Decision, to be evaluated together with the above
considering [see: paragraphs (84) – (89) of the justification of this decision] – a
Similar to the decision - the Authority is Infotv. On the basis of point a) of paragraph (2) of § 61
ordered ex officio in the present repeated data protection official procedure
final decision by publishing the Obligor's identification data
not only on the Authority's own website, but also on the Obligor's website
on the opening page of its website, in a clearly visible and easily accessible place, the present
for at least 30 days from the decision becoming final
in duration. 19
VI. Other questions
(91) The competence of the Authority is defined by Infotv. It is defined by paragraphs (2) and (2a) of § 38,
its jurisdiction covers the entire territory of the country.
(92) This decision of the Authority is based on Art. §§ 80-81 and Infotv. It is based on paragraph (1) of § 61.
The decision of the Ákr. Based on § 82, paragraph (1), it becomes final upon its publication. The Akr. 112.
against the decision based on § a, § 114, paragraph (1), and § 116, paragraph (1)
there is room for legal redress through an administrative lawsuit.
(93) The rules of administrative proceedings are set out in Kp. determine. The Kp. Based on § 12, paragraph (1).
the administrative lawsuit against the Authority's decision falls within the competence of the courts, a
sued by Kp. On the basis of § 13. paragraph (3) point a) point aa) the Metropolitan Court
exclusively competent. The Kp. According to § 27, subsection (1), point b) in a legal dispute,
in which the court has exclusive jurisdiction, legal representation is mandatory. The Kp. Section 39
According to paragraph (6), the submission of the claim is an administrative act
does not have the effect of postponing its entry into force.
(94) The Kp. Paragraph (1) of § 29 and, in view of this, the 2016 Code of Civil Procedure
CXXX. is applicable according to § 604 of the Act, electronic administration and confidential
CCXXII of 2015 on the general rules of services. Act § 9 paragraph (1).
b), the client's legal representative is obliged to maintain electronic contact.
(95) The time and place of filing a claim against the Authority's decision is set out in Kp. Section 39
(1) is defined. About the possibility of a request to hold the hearing
information from Kp. It is based on paragraphs (1) – (2) of § 77. The fee for the administrative lawsuit
XCIII of 1990 on the levy. Act (hereinafter: Itv.) 45/A. § (1)
is determined by paragraph From the advance payment of the tax, the Itv. Section 59 (1)
paragraph and point h) of § 62 paragraph (1) exempt the person who initiated the procedure.
(96) If the Obligor does not adequately certify the fulfillment of the prescribed obligation, a
The authority considers that the obligation was not fulfilled within the deadline. The Akr. § 132.
according to, if the obligee did not comply with the obligation contained in the final decision of the authority
enough, it is enforceable. The Akr. Pursuant to § 133, paragraph (1), the execution – if
unless otherwise provided by law or government decree - the decision-making authority
orders. The Akr. Pursuant to paragraph (1) of § 134, enforcement - if it is a law,
government decree or local government decree in the case of municipal authorities
does not provide otherwise - it is undertaken by the state tax authority. Infotv. Section 61 (7)
based on paragraph 1, the implementation of the Authority's decision was included in the decision,
to carry out a specific act, to perform a specific behavior, to tolerate or
in relation to the obligation to stop, the Authority undertakes.
Budapest, according to the electronic signature and time stamp
Dr. Habil. Attila Péterfalvi
president, c. university teacher
