NAIH (Hungary) - NAIH-175-12/2022
Latest revision as of 08:55, 24 March 2022
| NAIH (Hungary) - NAIH-175-12/2022 | |
|---|---|
| Authority: | NAIH (Hungary) |
| Jurisdiction: | Hungary |
| Relevant Law: | Article 5(1)(b) GDPR, Article 5(1)(a) GDPR, Article 5(2) GDPR, Article 6(1)(a) GDPR, Article 9(1) GDPR, Article 9(2)(a) GDPR, Article 13 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 02.03.2022 |
| Published: | 16.03.2022 |
| Fine: | 6,000,000 HUF |
| Parties: | n/a |
| National Case Number/Name: | NAIH-175-12/2022 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Hungarian |
| Original Source: | naih.hu (in HU) |
| Initial Contributor: | kc |
The Hungarian DPA fined an organisation and its Chair approximately €8,000 each for failing to inform the signatories of a campaign about the processing of their personal data and several other GDPR violations.
English Summary
Facts
The controllers are an organisation and its Chair.
In October 2020, the Chair launched a signature campaign against the introduction of compulsory vaccination both online and on paper. In addition to the purpose of the petition, the signatories were given the option to give their consent to be informed and contacted about the political activities of the Chair, thus indicating their political sympathy. They collected nearly 58,000 supporting signatures.
Holding
The DPA fined both controllers approximately €8,000 (HUF 3,000,000) each. Moreover, the DPA ordered the controllers to obtain valid consent from the data subjects and, failing that, to delete the respective personal data. It also prohibited the controllers from managing the data in the same way in the future. The decision is based on several violations of the GDPR.
First, the controllers processed the personal data without valid consent and therefore without a legal basis. The requirements for consent pursuant to Article 6(1)(a) GDPR were not fulfilled. Also, since personal data revealing one's political opinions constitutes a special category of personal data under Article 9(1) GDPR, explicit consent (Article 9(2)(a) GDPR) would have been necessary for part of the processing operations. In addition, the controllers had not used two-factor authentication and the privacy policy was misleading. The DPA found that the data subject had not been able to express their will, making the consent invalid.
Second, the DPA found a violation of the principle of data minimisation, Article 5(1)(b) GDPR. It found that the controllers had in reality intended to build a sympathy mass database.
Third, the controllers violated the principles of fairness, lawfulness and transparency pursuant to Article 5(1)(a) GDPR by misleading the data subjects about the purposes of data processing and the identity of the controller. In addition, Article 13 GDPR was violated because the controllers did not provide the data subjects with all the necessary information.
Fourth, the DPA found an infringement of the principle of accountability, Article 5(2) GDPR, because the controllers could not prove their compliance with Article 5(1) GDPR. In particular, the controllers did not carry out the data processing in such a way that they could prove at any time their compliance with the GDPR.
Finally, the DPA criticised the general conduct of the controllers in the proceedings. The controllers had not cooperated with the DPA.
When deciding on the fine, the DPA took into consideration the significance of the infringements since they concerned a current social issue, the large number of data subjects concerned, and the duration of the infringement.
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
Case number: NAIH-175-12/2022.
Subject: Decision
History: NAIH-4769/2021.
Authority contact: 1055 Budapest, Falk Miksa utca 9-11.; Tel.: +36 1 391-1400; Fax: +36 1 391-1410; ugyfelszolgalat@naih.hu; www.naih.hu
DECISION
The National Authority for Data Protection and Freedom of Information (hereinafter: the Authority), in the ex officio data protection proceedings concerning the Cooperative Communities Association for the Living World (formerly: Common Denominator 2018 party; current seat: 4463 Tiszanagyfalu, Széchenyi utca 47.; represented by: Zsolt Ladó, managing director; former headquarters: 1077 Budapest, Izabella u. 30.; former representative of the organization: dr. György Gődény; hereinafter: Client1) and dr. György Gődény (address: […]; hereinafter: Client2) in connection with the national signature collection "I agree that no one should be required to be vaccinated and no one shall be punished or restricted in his absence." (hereinafter: the signature collection), takes the following decisions:
1. The Authority finds that Client1 and Client2, by processing the personal data of the data subjects without a legal basis in connection with the signature collection "I agree that no one should be required to be vaccinated and that no one shall be punished or restricted in his absence." at https://alairasgyujtes.online, infringed Article 6 (1) and Article 9 (1) of the regulation on the protection of natural persons with regard to personal data and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR).
2. The Authority finds that Client1 and Client2, by not clearly defining the purpose of the data processing, breached the principle of purpose limitation set out in Article 5 (1) (b) of the General Data Protection Regulation.
3. The Authority finds that Client1 and Client2, by failing to provide data subjects with clear, relevant and factual information on all relevant circumstances of the processing carried out in connection with the collection of signatures on paper and at https://alairasgyujtes.online, breached the principle of transparency referred to in Article 5 (1) (a) and Article 13 (1) to (2) of the General Data Protection Regulation.
4. The Authority finds that Client1 and Client2, by leaving their status as data controllers unclear and misleading data subjects about the data controller and the purpose of the processing, breached the principle of fairness in accordance with Article 5 (1) (a) of the General Data Protection Regulation.
5. The Authority finds that Client1 and Client2, by failing to prove to the Authority the lawfulness and transparency of the data processing, violated the accountability requirement of Article 5 (2) of the General Data Protection Regulation.
6. Pursuant to Article 58 (2) (g) of the General Data Protection Regulation, the Authority orders Client1 and Client2 to delete, in a documented manner, within 30 days of this decision becoming final, all personal data of the data subjects collected online via the https://alairasgyujtes.online page in the course of the signature collection, both for the purpose of the initiative and for communication purposes.
7. Pursuant to Article 58 (2) (d) and (g) of the General Data Protection Regulation, the Authority orders Client1 and Client2, within 30 days of this decision becoming final, (i) to request, at the same time as providing full information on the processing, a confirmatory statement of consent from the data subjects who previously provided their personal data on paper-based sheets in connection with the collection of signatures, and/or (ii) in the absence of the consent of the data subject, to delete all personal data collected from data subjects on paper, both for the purpose of the initiative and for outreach purposes, in the context of the national signature collection "I agree that no one should be required to be vaccinated and no one should be punished for failing to do so or restrict.".
8. Pursuant to Article 58 (2) (f) of the General Data Protection Regulation, the Authority prohibits the continuation of the data management in this manner in connection with the collection of signatures, such that Client1 and Client2 must immediately cease the collection of personal data in connection with the collection of signatures both on paper and online.
9. The Authority obliges
a) Client1 to pay a data protection fine of HUF 3,000,000, i.e. three million forints;
b) Client2 to pay a data protection fine of HUF 3,000,000, i.e. three million forints.
The data protection fines must be paid within 30 days of this decision becoming final to the Authority's centralized revenue collection special purpose forint account (10032000-01040425-00000000 Centralized direct debit account IBAN: HU83 1003 2000 0104 0425 0000 0000). When transferring the amount, the number NAIH-175/2022. JUDGE. should be referred to.
If Client1 and Client2 fail to meet their obligation to pay the fine within the time limit, they are required to pay a late payment allowance. The rate of the late payment allowance is the statutory interest, which is equal to the central bank base rate valid on the first day of the calendar half-year affected by the delay.
Client1 and Client2 must certify to the Authority the fulfilment of the obligations provided for in points 6, 7 and 8, together with the submission of supporting evidence, within 30 (thirty) days of the decision becoming final. In the event of non-compliance with the obligations, the Authority shall order enforcement of the decision.
The Authority draws the attention of Client1 and Client2 to the fact that, until the expiry of the time limit for bringing an action against the decision or, in the case of an administrative action, until the final decision of the court, the data affected by the disputed data processing may not be deleted or destroyed.
No procedural costs were incurred in the proceedings.
There is no administrative remedy against this decision, but it can be challenged in an administrative lawsuit by an application addressed to the Metropolitan Court within 30 days of notification. The application must be submitted to the Authority electronically, which forwards it to the court together with the case documents. A request for a hearing must be indicated in the application. For those who do not benefit from full personal exemption, the fee for the administrative action is HUF 30,000; the lawsuit is subject to the right to record material taxes. In the proceedings before the Metropolitan Court, legal representation is mandatory.
The Authority shall publish this decision on the website of the Authority with the identification of the clients (name).
STATEMENT OF REASONS
I. Procedure and clarification of the facts
I.1. Subject-matter of the proceedings
On October 13, 2020, Client2 provided information on his Facebook page called “Doctor Gödény” about the https://alairasgyujtes.online website for the collection of signatures (hereinafter: the website), stating that “Today we will launch an important initiative […]”.
The collection of signatures therefore started on 13 October 2020 and was still ongoing during the procedure. The national signature collection examined can be supported online at https://alairasgyujtes.online and, according to the information available on the website, the signature collection is also paper-based, meaning it is possible to support the initiative online and on paper, by downloading the signature collection form and sending it to the designated mailbox.
I.1.1. To support the online signature collection, name, zip code, city, name of public space, house number, floor / door and e-mail address are required; telephone number is optional. When submitting online support for the initiative, the checkbox in front of the text “I have read and taken note of the Privacy Notice” must be selected. Information on data management is available only here, via a hyperlink embedded in the text.
According to the data management information, the data controller is Client1. The designated purpose of data management is, on the one hand, in general, support for the national signature collection and, on the other hand, the organization's liaising with the sympathizer, providing information on the organization's activities and events, and sending invitations to join the organization's campaigns. The legal basis for data processing, as set out in the notice, is, “in the case of regular contact with the data subject”, activity with appropriate guarantees [Article 9 (2) (d) GDPR], while “in the case of non-regular contact” it is the express consent declaration of the data subject prior to the recording of the data [Article 9 (2) (a) GDPR] or, in the event of its withdrawal, name, address of residence / place of residence, telephone number and statement of consent (details of the blacklist) are processed as necessary to protect the legal needs of Client1 [Article 9 (2) (f) GDPR].
The number of supporting signatures is displayed on the website as continuously available information, which reaches approximately 58,000.
I.1.2. When supporting the collection of signatures on paper, it is possible to provide name, address (postcode, town, public space, house number / house / door), e-mail contact, telephone number and signature; however, there is no specific indication of whether providing the data is mandatory or optional. In the signature collection form, without reference to the data controller, the logo with the abbreviated name of Client1 is displayed. The sheet also indicates the signature collection website's availability, a separate group and page for collecting signatures on the social networking site (Facebook), impressions and an email address. The form contains a mailbox address (4405 Nyíregyháza, Pf.: 37.) to which the completed signature sheets must be sent, brief information on the data processing, and a statement.
I.1.3. Article 9 of the General Data Protection Regulation defines special categories of personal data. The regulation prohibits, as a general rule, the processing of special categories of personal data, including data referring to political opinion, or makes it subject to strict conditions. However, personal data provided to support the initiative of a political organization do not constitute a special category of personal data. If, however, in addition to the purpose of the petition, the data subject also gives consent to data processing specifically so that the political organization may later inform him or her, as a sympathizer, about its activity and get in touch with him or her in connection with its political activity, the personal data provided by the data subject that are necessary for this further contact are, as data indicating party sympathy, special category (political) personal data.
I.2. History: investigation procedure
In accordance with Article 57 (1) (h) of the General Data Protection Regulation and Section 38 (3) (a) of Act CXII of 2011 on the right to self-determination and freedom of information (hereinafter: the Information Act), the Authority launched ex officio an investigation under case number NAIH-7613/2020 to examine the lawfulness of Client1's data processing during the signature collection "I agree that no one should be vaccinated and no one shall be punished or restricted in his absence.".
Client1's previous name: Common Denominator 2018, organization type association, form party. Client1 most often presented itself to the public as a party.
In the request sent to Client1's registered office, the Authority informed Client1 of the initiation of the procedure concerning the processing, in order to clarify the facts; however, the Authority's request was returned on 10 November 2020 marked “not sought”. Subsequently, on 12 November 2020, the Authority resent its request to the registered office of Client1 and to the address of dr. György Gődény, and also mailed it to the mailbox address listed on the signature collection form. Request for residence 2020. Request sent to the mailbox address indicated on the signature collection form on 16 November 2020. was received on 30 November. The request sent to Client1's registered office, however, was returned on 2 December 2020 with a “not sought” mark.
Client1 responded to the Authority's request for information in its reply dated 14 December 2020.
Given that Client1's responses did not fully include the information necessary for the investigation, and that the Authority needed further information on questions raised during the investigation, it contacted Client1 again. The Authority's request, mailed to all three addresses (the registered office of Client1, the address of Client1's legal representative, dr. György Gődény, and the mailbox address indicated on the signature collection form), was returned on February 1, 2021, marked “not sought”.
In view of the fact that the facts could not be established during the investigation, the Authority, pursuant to Section 55 (1) (a) (b) of the Information Act (Infotv.), closed the investigation and on 10 May 2021 initiated ex officio data protection proceedings.
I.3. The official procedure
With regard to the data management under investigation, the Authority also considered György Gődény, as an individual, to be a client and continued the official proceedings against him, given that, on the basis of the information disclosed during the investigation procedure, it was found that Client1 is not actually operating, and is not Client1 or not the Client1 is the data controller in respect of the collection of signatures.
In its order no. NAIH-4769-1/2021, the Authority notified Client2, as an individual, of the initiation of the official data protection procedure and called on him for a statement in order to clarify the facts; in its order no. NAIH-4769-2/2021, it gave notice of the initiation of the official data protection proceedings at the official headquarters and also called for a statement.
In view of the fact that, in respect of the questions contained in the Authority's orders no. NAIH-4769-1/2021 and NAIH-4769-2/2021, the obligation to cooperate provided for in the General Data Protection Regulation was violated, the Authority, in its order no. NAIH-4769-6/2021, ordered Client1 to pay a procedural fine of HUF 100,000, i.e. one hundred thousand forints, pursuant to Section 77 (3) of the Ákr., and repeatedly called on Client1 to provide the information needed to clarify the facts.
The Authority tried to deliver its order no. NAIH-4769-6/2021, addressed to Client1, to Client1's electronic mailbox (company gateway); however, according to the confirmation, service of the document failed, as the recipient did not accept it. The Authority then tried again to deliver the order imposing the procedural fine and calling for clarification of the facts by post, to Client1's address at 1077 Budapest, Izabella utca 30 and to the address of the registered representative of Client1, i.e. Client2.
Taking into account that Client1 failed to pay the procedural fine imposed by order no. NAIH-4769-6/2021, the Authority ordered the enforcement of the procedural fine.
In its order no. NAIH-4769-4/2021, the Authority also contacted […] Kft., requesting information on the identity of the person operating the http://kozosnevezo.hu/ website and the contact details of the data controller of the designated website.
In its order no. NAIH-4769-5/2021, the Authority also repeatedly called on Client2 to make a statement in order to fully clarify the facts; Client2 made a statement on the matters covered by the order in a letter dated 15 July 2021.
The data of Client1 registered in the court register changed with the entry made on September 28, 2021; the change affected the name, the registered office and the person of the representative of the organization.
In its order no. NAIH-4769-11/2021, the Authority repeatedly addressed questions to Client1 in order to clarify the facts, and attempted to deliver the order by post to its new registered office, entered in the court register of non-governmental organizations on 28 September 2021. The Authority's order was returned from the registered office of Client1 with the indication “not sought”.
In its order no. NAIH-4769-12/2021, the Authority requested documents from the court that registers Client1. The Authority received the tribunal's reply on 21 November 2021.
In its orders no. NAIH-4769-15/2021, NAIH-4769-16/2021, NAIH-4769-17/2021 and NAIH-4769-18/2021, the Authority summoned for a personal hearing on 6 January 2022 Client2, […], the current newly registered representative of Client1, and […] and […] as members of Client1.
In its order no. NAIH-4769-19/2021, the Authority approached the National Investigation Bureau of the Standby Police, requesting information and documents.
Of the persons summoned by the Authority for a personal hearing on 6 January 2022, only […] appeared before the Authority. In its orders no. NAIH-175-5/2022, NAIH-175-6/2022 and NAIH-175/2022, the Authority ordered the three persons who did not appear at the personal hearing to pay a procedural fine.
On January 6, 2022, the Authority examined the https://alairasgyujtes.online signature collection page by providing test data.
I.4. Facts revealed
I.4.1. According to the statement of […] Kft., the registration of the domain name kozosnevezo.hu was carried out on January 10, 2018, at the request of dr. György Gődény.
I.4.2. On behalf of Client1, the legal representative of the party, dr. György Gődény, stated the following in relation to the questions raised by the Authority in the investigation procedure.
During the collection of signatures, the names, addresses, e-mail addresses, telephone numbers and signatures of the persons concerned are collected as personal data, which data subjects provide voluntarily through both online and paper-based signature collection. The collection of signatures is done in accordance with the law for the “construction of a database of parties”, as described in the privacy statement available at https://alairasgyujtes.online.
On the https://alairasgyujtes.online website, data management is completely electronic, while the sheets received at the mailbox are, according to his statement, taken over by dr. György Gődény and then passed on for processing to the “operator’s data controller”.
Signatories may send the completed forms by post to 4405 Nyíregyháza, Pf.: 37, after which the summary sheet is passed to the data controller. The name of the specific data controller is not included in the signature collection form; only the logo containing the abbreviated name of Client1 is indicated on the sheet.
During paper-based collection, the data subjects are informed about the data management in the collection form, and from the Internet address for collecting signatures, as follows: “By providing the information included in the collection form and signing the signature collection form, I consent to the processing of my information, pursuant to Section 5 (1) (a) of Act CXII of 2011 on the right to information self-determination and freedom of information, for the purpose of further communication, consultation and information, until the withdrawal of the consent. I take note of the information that I may request information from the data controller in connection with the processing of my personal data. I may initiate the correction, deletion or blocking of personal data with the data controller at any time by my statement. The data controller declares that the communicated personal data will not be passed on to third parties and will not be disclosed!”
The data provided by the signatories is not used “for the time being”, is not available to anyone and is not public.
Regarding the legal bases for data processing given in the data management information, “in case of regular contact with you […]” and “in the case of non-regular contact with you […]”, he stated that regular contact means more frequent contact by telephone or e-mail, while non-regular means that contact is made infrequently or not at all, or only if there is a specific request, reference or stipulation.
In relation to the storage of data and the database, they do not have them in the format requested by the Authority and do not have a structure, because “the operator arranges and manages these online techniques.”
The period of data retention is as described in the privacy statement; usually the consent data from the blacklist shall be kept for a period of 5 years from the withdrawal of the consent due to possible legal problems.
The records of the data management activity are kept by the data controller; “we” do not have any information or records about this.
Regarding the use of data processors during the collection of signatures, he stated that “it is handled by the data controller, about which we have no information.”
Regarding the duration of the collection of signatures, he stated that it is not tied to a deadline yet.
“The administration of the signatories' requests is handled by the operator or the controller; we do not have a related document.”
I.4.3. In order to further clarify the facts, the Authority sent another request (mailed to the registered office of Client1, to the address of dr. György Gődény as the legal representative of the Client1 party, and to the mailbox address indicated on the signature collection form), asking, inter alia, who was meant by the “data controller” and “operator's data controller” referred to in the previous reply, as these terms refer to a person or organization other than Client1. The Authority also requested information on who was meant by the “operator” of the database. The Authority's request to all addresses was returned marked “not sought”.
I.4.4. Client2 answered the questions included in the Authority's requests within the framework of the data protection authority procedure as a person independent of Client1; his own name and address were also indicated as the sender of the reply letter, as opposed to the reply sent during the investigation procedure, in which Client1 was indicated as the sender. In this response letter, Client2 stated that Client1 is inoperable, that he had previously resigned from the management of Client1, and that he does not perform duties related to the questions raised by the Authority. Therefore, he provides no information on the questions asked by the Authority, except that the address of the Nyíregyháza mailbox may be linked to Client1, as it was opened for it. Client2 stated that he did not collect signatures, carried out no activity related to the collection of signatures and therefore does not store anything related to it.
I.4.5. Client2, already as a person independent of Client1 and indicating his own name and address as “consignor” on the envelope of the reply letter, further submitted in his reply of 15 July 2021 that Client1 is also inoperable because the Eastern Budapest Tax and Customs Directorate of the National Tax and Customs Administration decided, in its decision with case number 5339328442 dated 18 November 2019, to cancel its tax number.
Client2 attached to his reply the first page of the decision of the tax authority referred to, and a copy of the resignation dated 27 April 2018, in which he resigns as executive director of Common Denominator 2018 and requests the membership of the organization to appoint a successor and to convene a quorate meeting for that purpose as soon as possible. In his reply to the Authority dated 15 July 2021, Client2 stated that, since a quorum was only recently convened, his resignation has now also formally taken place, but he has no control over when the court will enter the change.
Regarding the collection of signatures, he stated that it was done and organized by volunteers, the membership did not actively participate in it, and only the name of the organization was added to give it more serious weight. No decisions were made regarding the collection of signatures, they did not collect or store data, and they were not involved in anything other than opening the mailbox. Access to the mailbox is presumably with the person who has the key, but he has no information about that person.
He stated that he could not say anything else to the Authority's questions as he had no information, and “I did not collect any signatures and did not carry out any specific activity, so if they ask their questions again, I can't say anything else compared to the previous ones.”
I.4.6. Given that Client1, named as data controller in the privacy statement relating to the collection of signatures, did not respond to the Authority's requests, and that the Authority found that the data of Client1 registered in the court register (organization name, registered office, representative) had changed, the Authority considered further clarification of the facts necessary for taking a decision and therefore, in its order no. NAIH-4769-11/2021, contacted Client1 with questions on the basis of the changed data. The above-numbered order sent to the new registered office of Client1 on November 11, 2021 was returned to the Authority marked “not sought”.
At the same time, in its order no. NAIH-4769-12/2021, the Authority contacted the court keeping the register of Client1, asking it to send to the Authority a copy of all documents submitted or attached during the change registration procedure underlying the changes registered for Client1 on 28 September 2021, and a copy of Client1's reports for 2019 and 2020.
As an annex to its order of 21 November 2021, the Metropolitan Court sent the documents on which the change registration procedure was based, and informed the Authority that no report submitted by Client1 for either 2019 or 2020 can be found in the public register.
I.4.7. Given that neither Client2 nor Client1 answered the questions in the Authority's previous orders fully, or at all, the Authority considered it necessary to clarify the facts through a personal hearing. The Authority therefore summoned Client2, […] as members of Client1, and […], Client1's current representative, to a personal hearing on 6 January 2022. At the personal hearing before the Authority on 6 January 2022, […], a member of Client1, appeared. During the hearing, he stated that he was no longer a member of Client1, having resigned in the fall of 2021. To certify this, on 19 January 2022 he sent the Authority a copy of the declaration dated 9 October 2021, in which he resigns from membership in Client1 for personal reasons. According to his statement, Client1 gathered communities of supporters but no longer carries out any activity. According to him, the Client1 party ran in the 2018 elections, and its activity consisted of trying to reach people with political messages on a daily basis. After the 2018 parliamentary elections, Client1 was no longer an active party in the years that followed. The Client1 party has a Facebook group with approx. 40,000 members, which is still operating, but Client1 no longer performs significant activities. They currently engage in activities related to the coronavirus that are not specifically political in nature; the circle of sympathizers has changed and is running under a different name, but it can be linked to the name of Client2 in the same way.
[…] said he was the founder and chief executive of Client1 and handed over its management to Client2 in about January 2018; thereafter Client2 became the party's executive and chief financial officer and handled its administration. […] stated in connection with the collection of signatures that he did not even know about it and does not know whether it was launched. He said he had previously indicated to supporters that the question asked in the signature collection is inappropriate from an electoral point of view. Communication between members and the community of supporters takes place in Facebook groups linked to the name of Client2, and he expressed his opposition to the question in these groups. He stated that he did not know the signature collection sheets, did not take part in the signature collection, and was not in any way aware of it. He learned from the Authority's summons that a signature collection is in progress. As to how the collection of signatures was conducted and whether volunteers participated, Client2 can probably give an account. To the best of his knowledge, Client1 does not operate, and he has no information as to why it was renamed the Common Denominator 2018 Association, while the actual activities have been taking place behind the Party of Normal Life. He has no information about the address marked as a return address on the signature collection form, nor about whether anything arrived on paper at that address. He has no information on how the data are handled, how the collected data are used, or who has access to them. Client2 may have information about which persons, accountants or administrators are involved in the collection of signatures, who operates the servers, and who takes part in providing the IT background.
At the time of its establishment, the mailing address and registered office of Client1 was the address of […], and the documents related to the establishment of Client1 (official documents, documents related to its operation) were kept at this address. According to […]'s statement, these documents were later handed over to Client2 together with the management of the organization, after which Client2 or his accountant took care of matters. He said that Client1's current registered office is probably the domicile of […], but that […] has no role in the activities of Client1. […] said that the question “I agree that no one should be required to be vaccinated and that its should not be punished or restricted” had earlier been proposed for a referendum and submitted to the National Electoral Commission. On the website of the National Electoral Office, the Authority found a referendum initiative on the same question as the one indicated (initiated by the Civil Movement Association, registered office: 1144 Budapest, Füredi utca 60-62. fsz./6.); the National Electoral Commission, by its Decision No 52/2020 of 21 September 2020, rejected the authentication of the question put to referendum.
I.4.8. Given that […], […] and Client2 did not accept the Authority's summons despite two attempts at service and did not appear at the personal hearing, the Authority imposed procedural fines. In its orders No. 175-5/2022, NAIH-175-6/2022 and NAIH-175-7/2022, the Authority ordered Client2 to pay a procedural fine of HUF 200,000 (two hundred thousand forints); […], Client1's representative, a procedural fine of HUF 100,000 (one hundred thousand forints); and […], a member of Client1, a procedural fine of HUF 50,000 (fifty thousand forints).
I.4.9.
The Authority learned from press reports that the National Investigation Bureau of the Standby Police (hereinafter: KRNNI) had conducted a house search at Client2's premises on suspicion of scaremongering, during which Client2's computer was seized. In view of this, the Authority, in its order No. 19/2021, contacted the KRNNI to ask whether the computer seized during the house search at Client2's premises, or the other seized materials, contained any materials related to the collection of signatures, and whether the KRNNI had seized a database or documents containing information on the collection of signatures. According to the information provided by the KRNNI in response, during the analysis of the seized items they were looking for data that could be used to prove the offence of scaremongering, so they do not know whether there are materials related to the data processing under investigation, but they were able to send one document that can be linked to Client2's signature collection activity. The document contained three questions asked during the signature collection activity, including the signature collection question examined in the present proceedings.
I.4.10. As part of the clarification of the facts, on 6 January 2022 the Authority examined the signature collection page https://alairasgyujtes.online by entering test data. In doing so, the Authority found the following: the mandatory data for supporting the online signature collection are name, postal code, settlement, name of public area, house number, floor/door and e-mail address, while the phone number is optional. To support the initiative, the user must tick the “I have read and taken note of the Privacy Policy” checkbox and complete the reCAPTCHA test. The privacy statement available on the site still designates Client1 as the data controller, and a logo containing the abbreviated name of Client1 is displayed on the downloadable, paper-based signature collection form.
According to the privacy notice, “In this area, the Common Denominator accepts consent to the processing of personal data only in the following forms: (a) […] (b) electronically, where the statement of consent is made by sending a message to the e-mail address provided, and the intention to consent is then confirmed in a reply to the confirmation message.” In contrast, no confirmation email was received at the address provided when supporting the initiative.
I.4.11. On the basis of the information available, the Authority examined the https://alairasgyujtes.online website in its proceedings in order to identify the operator behind it. In doing so, it found the following: users reach the website through the servers of Cloudflare, a content delivery provider (hereinafter: the Service Provider). The website operator uses not only the Service Provider's faster-access service but also other technical services, whose combined effect is that anyone who looks up the website's URL in a free IP database does not get the IP address of the server that originally hosts the website, but only the IP addresses associated with the Service Provider's servers. This keeps the website operator hidden. The identity of the data controller could not be established on the basis of the website.
II. Applicable legal requirements
Recital 39 of the General Data Protection Regulation: The principle of transparency requires that any information and communication relating to the processing of personal data be easily accessible and easy to understand, and that clear and plain language be used.
This principle concerns, in particular, information to data subjects on the identity of the controller and the purposes of the processing, and further information to ensure fair and transparent processing of the data subject's personal data, as well as the data subjects' right to obtain confirmation of and information about the data processed about them.
Pursuant to Article 2(1) of the General Data Protection Regulation, the Regulation applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. Pursuant to Section 2(2) of the Infotv., the General Data Protection Regulation shall apply to data processing covered by it with the additions indicated therein.
Pursuant to Article 2(2) of the General Data Protection Regulation, the Regulation does not apply to the processing of personal data:
(a) in the course of an activity which falls outside the scope of Union law;
(b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
(c) by a natural person in the course of a purely personal or household activity;
(d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
According to Article 4(1) of the General Data Protection Regulation, “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
According to point 2 of the same article, “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
According to Article 4(7) of the General Data Protection Regulation, “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
According to Article 4(11) of the General Data Protection Regulation, “consent of the data subject” means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
According to Article 5(1) of the General Data Protection Regulation, personal data shall be:
(a) processed lawfully, fairly and in a manner which is transparent to the data subject (“lawfulness, fairness and transparency”);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered incompatible with the initial purposes (“purpose limitation”);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods only insofar as they will be processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of data subjects (“storage limitation”);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (“integrity and confidentiality”).
Pursuant to paragraph 2, the controller shall be responsible for, and must be able to demonstrate, compliance with paragraph 1 (“accountability”).
Pursuant to Article 6 of the General Data Protection Regulation, the processing of personal data is lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
According to Article 9(1) of the General Data Protection Regulation, the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation is prohibited.
According to paragraph (2)(a) of the same article, paragraph (1) does not apply where the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provides that the prohibition referred to in paragraph 1 may not be lifted with the consent of the data subject.
Article 13(1) and (2) of the General Data Protection Regulation sets out the information that must be made available to the data subject at the time the personal data are obtained, where the personal data are collected from the data subject. In accordance with paragraph 1, the controller shall provide the data subject with all of the following information:
(a) the identity and contact details of the controller and, if any, of the controller's representative;
(b) the contact details of the data protection officer, if any;
(c) the purposes of the intended processing of the personal data and the legal basis for the processing;
(d) in the case of processing based on Article 6(1)(f), the legitimate interests of the controller or of a third party;
(e) where applicable, the recipients or categories of recipients of the personal data, if any;
(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organization, and the existence or absence of a Commission adequacy decision, or, in the case of a transfer referred to in Article 46, Article 47 or the second subparagraph of Article 49(1), the appropriate and suitable safeguards and the means by which copies of them may be obtained, or a reference to their availability.
Pursuant to paragraph 2, the controller shall provide the data subject with the following additional information at the time the personal data are obtained:
(a) the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;
(b) the data subject's right to request from the controller access to and rectification or erasure of personal data concerning him or her or restriction of their processing, and to object to the processing of such personal data, as well as the data subject's right to data portability;
(c) in the case of processing based on Article 6(1)(a) or Article 9(2)(a), the right to withdraw consent at any time, which does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal;
(d) the right to lodge a complaint with the supervisory authority;
(e) whether the provision of personal data is based on a statutory or contractual obligation or is a precondition for concluding a contract, whether the data subject is obliged to provide the personal data, and the possible consequences of failure to provide the data;
(f) the fact of automated decision-making referred to in Article 22(1) and (4), including profiling, and, at least in those cases, meaningful information about the logic used, as well as the significance of such processing and its expected consequences for the data subject.
Pursuant to Section 60(1) of the Infotv., in order to enforce the right to the protection of personal data, the Authority may initiate data protection authority proceedings ex officio.
Pursuant to Section 61(1)(a) of the Infotv., in its decision taken in data protection authority proceedings, the Authority may apply the legal consequences defined in the General Data Protection Regulation in connection with the data processing operations specified in Section 2(2).
Pursuant to Section 61(2) of the Infotv., the Authority may order the publication of its decision, including the identification data of the controller or processor, if the decision affects a wide range of persons, if it was taken in connection with the activities of a body performing public tasks, or if the gravity of the infringement justifies publication.
Section 75/A of the Infotv.: The Authority shall exercise its powers set out in Article 83(2) to (6) of the General Data Protection Regulation in accordance with the principle of proportionality, in particular by acting, in the event of a first breach of the rules on the processing of personal data laid down in legislation or in a binding legal act of the European Union, by warning the controller or processor in accordance with Article 58 of the General Data Protection Regulation.
Article 58(2)(b), (d), (i), (f) and (g) GDPR: Acting within its corrective powers, the supervisory authority:
(b) issues a reprimand to the controller or the processor where its processing operations have infringed the provisions of this Regulation;
(d) orders the controller or processor to bring its processing operations into compliance with the provisions of this Regulation, where applicable in a specified manner and within a specified period;
(i) imposes an administrative fine in accordance with Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the circumstances of the case;
(f) imposes a temporary or permanent restriction on processing, including a ban on processing;
(g) orders the rectification or erasure of personal data or the restriction of processing in accordance with Articles 16, 17 and 18, and the notification of such actions to the recipients to whom the personal data have been disclosed, in accordance with Article 17(2) and Article 19.
Pursuant to Article 83(1) of the General Data Protection Regulation, each supervisory authority shall ensure that the administrative fines imposed pursuant to this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 are effective, proportionate and dissuasive in each individual case.
Pursuant to Article 83(2) of the General Data Protection Regulation, administrative fines shall, depending on the circumstances of the case, be imposed in addition to or instead of the measures referred to in points (a) to (h) and (j) of Article 58(2) of the General Data Protection Regulation.
When deciding whether it is necessary to impose an administrative fine, and on the amount of the administrative fine, due account shall be taken in each case of the following:
(a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question, as well as the number of data subjects affected by the infringement and the extent of the damage they have suffered;
(b) the intentional or negligent nature of the infringement;
(c) any measures taken by the controller or the processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor, taking into account the technical and organizational measures taken pursuant to Articles 25 and 32 of the General Data Protection Regulation;
(e) relevant infringements previously committed by the controller or processor;
(f) the degree of cooperation with the supervisory authority to remedy the infringement and to mitigate its possible negative effects;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the supervisory authority became aware of the infringement, in particular whether the controller or processor reported the infringement and, if so, in what detail;
(i) where one of the measures referred to in Article 58(2) of the General Data Protection Regulation has previously been ordered against the controller or processor concerned in the same subject matter, compliance with that measure;
(j) whether the controller or processor has adhered to codes of conduct approved in accordance with Article 40 of the General Data Protection Regulation or to certification mechanisms approved in accordance with Article 42 of the Regulation; and
(k) other aggravating or mitigating factors relevant to the circumstances of the case, for example the financial gain obtained, or loss avoided, as a direct or indirect consequence of the infringement.
Pursuant to Article 83(5) of the General Data Protection Regulation, infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines of up to EUR 20,000,000 or, in the case of undertakings, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever amount is higher:
(a) the principles of data processing, including the conditions for consent, in accordance with Articles 5, 6, 7 and 9 of the General Data Protection Regulation;
(b) the rights of data subjects in accordance with Articles 12 to 22 of the General Data Protection Regulation;
(c) the transfer of personal data to a recipient in a third country or to an international organization, in accordance with Articles 44 to 49 of the General Data Protection Regulation;
(d) obligations under the law of the Member States adopted pursuant to Chapter IX of the General Data Protection Regulation;
(e) non-compliance with an order of the supervisory authority under Article 58(2) of the General Data Protection Regulation, with a temporary or permanent restriction of data processing or with a request for suspension of data flows, or failure to grant access in breach of Article 58(1) of the General Data Protection Regulation.
III. Decision of the Authority
III.1. Data controller status
III.1.1. Data controller status of Client1
According to the information provided to data subjects, including the privacy statement available on the website, the national signature collection was initiated by Client1 and “the controller of all recorded data is the Common Denominator”. The privacy notice therefore clearly names Client1 as data controller.
The purposes indicated in the privacy notice for processing the personal data collected in connection with the collection of signatures include the collection of signatures and, specifically, keeping in contact with the organization's sympathizers, informing them about the organization's activities and events, and calling on them to join the organization's campaigns. The paper-based signature collection sheet also shows Client1, or the logo containing its abbreviated name, as information referring to the data controller. Beyond this, however, there is no documented decision of the association that can be linked to the collection of signatures or shows that any body of Client1 dealt with the collection of signatures.
The information revealed during the Authority's proceedings shows that Client1 does not function as a party in the classic sense, and the lawfulness of its operation is questionable. This is supported, inter alia, by the facts that the letters the Authority sent to Client1's registered office during the proceedings were all returned marked “not sought”; that the Tax and Customs Directorate of NAV-Budapest cancelled Client1's tax number by its decision dated 18 November 2019; that the http://kozosnevezo.hu website has also become unavailable; and that, according to the statements of […], the party member, and of the founder, and according to Client2, Client1, which has since been renamed, no longer carries out significant activities, was no longer active after the 2018 parliamentary elections, and the actual activities now take place behind an organization called the Party of Normal Life.
In the replies sent to the Authority's inquiries, Client2 refers in several places to a person or organization other than Client1 or Client2, which he does not name and whose existence is not supported by any other data or evidence.
In contrast, neither the statements of the persons involved in the proceedings nor the documentary evidence obtained by the Authority identified any other participant in the data processing operations who decided on the data processing or defined its purpose or means. No such person was named by the parties who were heard and made statements, nor could one be inferred from the extensive documentary evidence obtained by the Authority.
Given that Client1 lent its name to the signature collection, that Client1 is indicated on the online signature collection interface and on the paper-based signature collection sheet, and that Client1 is also explicitly designated as data controller in the privacy notice, Client1 must consequently be considered a data controller in this respect, even though, according to the available information, Client1 is no longer operational in practice.
III.1.2. Data controller status of Client2
The Authority addressed its first inquiries to Client1 to Client2 as Chair of Client1, and then involved him in the proceedings as a client in his capacity as an individual. Based on the evidence available to the Authority, Client1 operates only on paper: it does not actually operate lawfully and does not hold regular members' meetings. There is no documented decision demonstrating that Client1 made any decision in connection with the signature collection, even though the signature collection used Client1's name.
In his reply to the Authority dated 31 May 2021, Client2, no longer on behalf of Client1 but as an independent person, stated that he had previously resigned from the management, so he is not in a position to answer the questions raised by the Authority and has no information about them; he is not the one collecting the signatures, has not carried out any activity in the collection of signatures, and does not store anything related to it. According to his statement, he performed no activity in the collection of signatures and only performs or performed tasks as a favor, which, however, are not related to the questions asked by the Authority. However, several statements made by Client2 on social media, uncovered during the Authority's fact-finding in the proceedings, contradict these claims.
Client2's performance of data processing is supported by the following: according to the statement in his reply dated 14 December 2020, he receives the sheets arriving at the mailbox indicated as the return address on the signature collection sheet. The mailbox address marked as the return address on the signature collection form has remained unchanged notwithstanding the change in Client1's registered data (name of organization, registered office, representative), so the sheets returned by post, and thus the personal data provided by the data subjects, continue to come into the possession of Client2 according to his earlier statement.
Beyond his performance of data processing, Client2's status as data controller is supported by the following:
i. Items mailed to Client1's previous registered office were not collected, and there was no person at the indicated registered office who would have been entitled to receive them.
Under the chairmanship of Client2, the registered office of Client1 was registered at the address of […], who is only a member of the association and does not hold a senior position. The Authority also sent its inquiries and orders to the address of Client2, where Client2 received the Authority's inquiries three times. Client1 could only be contacted through Client2, which likewise does not indicate that the organization operates properly; that is, Client2, as a person separate from Client1, had a significant influence on the affairs of Client1 and on the collection of signatures, in that behind the name of Client1 there is in fact Client2. Consequently, the decision-making on the data processing and on its purpose can clearly be linked to Client2.
ii. In his statement dated 27 April 2018, Client2 resigned as executive of the Common Denominator 2018 (‘administrator resignation’; “resignation statement 1”). The deed does not bear the signatures of witnesses, and no evidence emerged in the proceedings that Client2 had delivered “resignation statement 1” to Client1 or had submitted it through a legal representative in a change registration procedure; in the absence of these, “resignation statement 1” was not capable of producing the intended legal effect. In a statement dated 17 June 2021 (“resignation statement 2”), when Client2 was already aware of the data protection authority procedure, he again resigned from the position of managing director of Client1, from which it can be concluded that he himself did not consider “resignation statement 1” capable of producing legal effect and therefore considered it appropriate to resign again. Furthermore, in the meantime the signature collection had started under the name of Client1.
The data processing activity must obviously be carried out by someone other than an organization operating only on paper, which also proves that the activity of Client2 continued despite his previous resignation from the management. ‘Resignation statement 2’ was submitted in the change registration procedure on 02.08.2021. The Metropolitan Court deleted Client2, as the senior official of Client1, from the register of NGOs.
iii. Client2 has repeatedly promoted the signature collection, e.g. in a "Doctor Stork" Facebook post posted on October 13, 2020: “Today we are launching an important national initiative [Ezért] That is why the Common Denominator movement (http://kozosnevezo.hu) due to its public nature and opportunities A NATIONAL COLLECTION OF SIGNATURES is organized by social pressure IN THE PURPOSE OF THE SPEECH OF THE PEOPLE AND THE VALIDITY OF THE PEOPLE! About this here you can find out everything: https://alairasgyujtes.online”, and then in several of his posts he encourages people to support this initiative. He uses the plural throughout his posts, thus naming himself as an initiator or stating that he himself took part in launching the collection of signatures.
iv. According to an article published on 20 October 2020 (https://444.hu/2020/10/20/godeny-probaljuk-a-tomegbazist-), Client2 stated, in response to the questions asked of him during the interview, that he and Client1 - of which he was the 28 September 2021 - were behind the collection of signatures, and said that one of the main aims of the collection of signatures was to try to ‘gather a mass base’. The journalist wrote in the article that “After I called György Gődény, he answered a bunch of questions. […] Stork did not hide for a moment that one of their main goals with the whole was to try to ‘gather a mass base’.”
Client2 therefore stated that he and Client1 are behind the collection of signatures, i.e. behind the data processing examined in this case. Moreover, Client2 did not refer to himself as the chairman of Client1 but mentioned himself in addition to, and separately from, Client1, thus acknowledging that he is a data controller as an individual.
It can also be seen from the interview and the statements made during it that Client2 was able to answer the substantive questions related to the collection of signatures, and that he appeared as a competent person with regard to the collection of signatures. Client2 apparently also appears in the public mind as someone who has had and continues to have a decisive, influential role in the signature collection. It can therefore be concluded that the information relevant to the collection of signatures, such as how and for how long the signatures are collected, is available to Client2, so the individual decisions related to the collection of signatures can also be linked to Client2.
v. Even in June 2021, Client2 published posts promoting and encouraging the collection of signatures on his social networking sites identified above; Client1 was no longer referred to in his posts. Client2 made the entries in his own name. For example, in his post of 10 June 2021, he called for a motion before a parliament on 20 June and encouraged his followers to collect signatures. In his entry of 11 June 2021, he also called for support for the initiative, highlighting the availability of a website to support the initiative.
vi. […], a member of Client1, testified before the Authority and provided the information that Client1 has a Facebook group with approx. 40,000 members, which is still operating, although the association no longer has significant activity, or rather Client1 no longer carries out any activity; there are no longer members, but there are supporters, some of whom are connected in Facebook groups.
Within the group, and in relation to Client1 in general, the circle of sympathizers has changed compared to its initial composition, and the current activity is associated with the coronavirus. According to the witness, both the former and the current activity can be linked to the name of Client2, and he would be able to give meaningful answers to the questions of the Authority. The testimony also confirms that Client2 is the key player in the collection of signatures: the face of the signature collection and the organizer and central person of the campaign on the issue.
III.1.3. Summarizing the above, the Authority has established that the signature collection is conducted in the name of Client1 and that one of its purposes is further contact with, and the provision of information to, the sympathizers of the Client1 organization. Accordingly, Client1 is indicated on the website of the signature collection and on the paper-based signature collection form, and the data processing information available on the website also specifically names Client1 as the data controller. Consequently, Client1 is named as the data controller and the purpose of the data processing can be linked to Client1; therefore the Authority considered Client1 to be a data controller in this respect.
In addition to the above, the Authority found that Client2 played a prominent role in providing the technical background for the collection of signatures and in carrying it out, promoted the collection of signatures in his own name as an activist, and acted as its key figure. These clearly support that Client2 was a decisive factor in the collection of signatures and in the data processing connected with it, and that this role had to extend to the key data processing decisions, i.e. the decisions were made by Client2.
This role means not just participation in the collection of signatures and the performance of certain data processing operations, but also Client2's status as a data controller as an individual and the corresponding responsibilities. This data controller liability is supported in particular by the fact that Client2 had a decisive influence on the decisions on the data processing and on determining its purpose, that he had access to the mailbox address indicated during the signature collection, and that he himself declared that he was behind the collection of signatures, as also evidenced by the testimony of the witness. Therefore, the Authority also establishes Client2's status as a data controller with regard to the data processing examined.
III.1.4. In the Authority's view, an organization that does not actually operate cannot be used, nor can its name, in such a way that the actual data processing is disguised and the personal relationships are unclear.[1] As emphasized by the Authority in Part I of its recommendation to political parties, it is not an acceptable situation that no one is held responsible for data processing, especially during a national collection of signatures that is also ongoing online, and that those involved try to avoid liability by claiming that the organization is not operating, that they know nothing about the data processing and that they are doing nothing. Those statements are contradicted in particular by the fact that the collection of signatures is still ongoing. According to the Authority, it is not permissible for data controllers to be relieved of their responsibilities in this way and to collect and use personal data irresponsibly and without consequences.
Furthermore, the fact that Client1 is referred to as a “movement” does not mean that, by presenting a legal person as a “movement”, the liability of the legal person and of the “movement”, and compliance with the legislation, could be dispensed with on account of the indeterminacy of the participants.
Based on the above, the Authority considers both Client1 and Client2 to be data controllers. The Authority also examined, in accordance with Article 26 of the General Data Protection Regulation, whether they are joint controllers or parallel controllers. As a result of this examination, the Authority concluded that Client1 and Client2 are to be considered joint controllers, because the data processing examined does not involve two separate data processing operations or separate data processing purposes; rather, their status and responsibilities as data controllers exist in an atypical way, yet are inextricably linked in the data controller construct examined in the present case. In the light of the procedural difficulties and the lack of cooperation, the roles of the two data controllers cannot be separated more precisely than is done in this Decision. Accordingly, the Authority considered Client1 and Client2 to be joint controllers and on this basis established the liability of both of them, despite the fact that Client2 did not acknowledge his status as a data controller.
Furthermore, with regard to the legal classification of the violations committed in the case and the legal consequences established, it is irrelevant whether the Clients are considered parallel controllers or joint controllers.
III.2. Legality of information on data processing
It is closely linked to the validity of consent that it be preceded by appropriate information; this is necessary in order for the data subjects to be aware of what specifically they are agreeing to, to know the details of the data processing, and to be able to exercise their right to withdraw their consent.
In possession of the relevant information, the data subject can make a decision on whether to consent to the processing of personal data concerning him or her. Failing this, the consent, i.e. the legal basis for the data processing, will be invalid.
[1] The Authority's Recommendation on certain data protection requirements relating to the data management of political parties and organizations (19 February 2021): “According to the experience of the Authority, one of the biggest shortcomings is the lack of clear clarification of the data controllers before the start of data processing. In the Authority's view, it is no longer the obligation to provide prior information or nor is it acceptable for a series of data processing operations not to have so that, especially if an infringement is suspected in the course of data processing, it should be clarified roles.”
Article 5 (1) (a) and (b) of the GDPR and, in this context, Recital 39 state that it must be transparent to natural persons how personal data concerning them are collected, used, consulted or otherwise processed, and to what extent the personal data are or will be processed. The principle of transparency also applies to informing data subjects about the purposes of the data processing. The specific purposes of the processing of personal data must be explicit and legitimate, and must already be specified at the time the personal data are collected.
Article 13 of the GDPR defines what information must be provided to data subjects at the time the data are obtained.
III.2.1. In the Authority's view, the website does not inform data subjects about the purposes of the data processing in a sufficiently transparent, clear and unambiguous manner. One of the purposes of the data processing, the expression of an opinion (“I agree that no one should be required to be vaccinated and that no one may be penalized or restricted.”), is highlighted only on the data collection interface; the data processing information refers to it only as “support for national signature collection”, while the information that the data will also be processed for a purpose other than the original one (contact) is provided only by opening and reading the privacy statement.
The fairness and lawfulness of the processing of data subjects' personal data may be established, inter alia, if the data subject has been duly informed that personal data are collected for two different data processing purposes, with those purposes specifically named. On the basis of the above, the adequacy and clarity of the information on the purposes of the data processing cannot be established.
The legal basis indicated in the data protection prospectus is Article 9 (2) (a) or (d) of the GDPR. Article 9 of the GDPR provides for special categories of personal data, the processing of which the Regulation prohibits as a general rule or makes subject to strict conditions. Special categories of personal data may be processed, inter alia, if the data subject has given his or her express consent to their processing for one or more specific purposes.
The privacy statement also contains no specific information on the duration of the data collection, nor on how long the data provided in this context will be stored and used. According to the information on the https://alairasgyujtes.online website, as established by the Authority, the collection of signatures is still ongoing, and Client2 stated at the request of the Authority that the data collection is not time-bound.
In the privacy statement, data subjects are informed that the data and statements of consent obtained in the course of non-automated data processing, received on a signature collection form, are digitized and recorded by the database manager of Client1 within 30 days of receipt, and the original documents are handed over or presented as a petition, or destroyed. There is no information on what will happen, after a collection of signatures lasting for an indefinite period, to the signature collection sheets and to the personal data included in them or collected online.
III.2.2. In the Authority's view, the signature collection sheet should provide data subjects with the key information on the planned data processing set out in Article 13 of the GDPR. With regard to the prospectus on the signature collection form, the Authority notes that the data subjects have not been properly informed, inter alia, of the legal basis and the purposes of the data processing: the wording refers, on the one hand, to consent based on the Information Act and, on the other hand, mentions only the purpose of contact, consultation and information. The prospectus does not specify which organization is responsible for the data processing. The signature collection form does not specifically mention the data controller; only an emblem with Client1's abbreviated name is shown on the sheet. Information on the duration of storage of the personal data collected is also not included in the text on the sheet.
III.2.3.
Based on the above, the Authority concludes that the controllers do not provide the data subjects with clear, adequate and truthful information on all relevant circumstances of the data processing, neither in connection with the paper-based collection of signatures nor in connection with the collection of signatures through the website, and do not clearly define the purpose of the processing, thereby violating Article 5 (1) (a) and (b) and Article 13 (1) to (2) of the General Data Protection Regulation.
III.3. Online data collection
III.3.1. Legal basis for online data collection
In addition to paper-based data collection, the signature collection also takes place on the website available at https://alairasgyujtes.online. To support the initiative online, the following personal data of the data subjects are collected: name, postcode, town, name of public area, house number, floor / door, e-mail address, phone number. Of these, entering the phone number is optional, which is also indicated separately in the fill-in interface, while the other data are mandatory.
Successfully supporting the initiative online, that is, submitting it to the system, is conditional on the checkbox in front of the text "I have read and accepted the Privacy Notice." The privacy statement is available through a hyperlink embedded in this text.
Despite the Authority's request, Client2 did not specify the legal basis of the data processing; according to the statement he made as a representative of Client1, the persons concerned provide their personal data voluntarily in the collection of signatures.
According to the data protection prospectus, the legal basis for the data processing is, on the one hand, that the data processing takes place with appropriate guarantees in connection with regular contact with the data subject. In addition, the prospectus indicated Article 9 (2) (d) of the GDPR.
Furthermore, where there is no regular contact with the data subject, the legal basis for the data processing is the data subject's declaration of express consent made prior to the recording of the data, i.e. Article 9 (2) (a) of the GDPR. As detailed in the Privacy Notice, Client1 confirms the making of the statement of consent with a message sent to the e-mail address provided by the data subject, and the data subject must then confirm his or her intention to consent in a reply to the confirmation message.
The Authority emphasizes that during the testing of https://alairasgyujtes.online, it found that, contrary to what is stated in the privacy statement, when the collection of signatures is supported online the data controller does not send to the e-mail address provided an e-mail offering the opportunity to confirm the consent.
According to the Privacy Notice, therefore, the personal data collected from data subjects as described above are treated as special categories of personal data.
Pursuant to Article 6 (1) (a) of the GDPR, the processing of personal data is lawful if the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes. However, personal data provided to support the initiative of a political organization do not constitute a special category of personal data. If, however, in addition to the purpose of the petition, the data subject also specifically consents to data processing for the purpose of the political organization later informing him or her, as a sympathizer, about its activity and contacting him or her in connection with its political activity, the personal data provided by the data subject and necessary for this further contact also constitute special categories of personal data, as data indicating party sympathy.
According to the data protection information sheet, the purposes of the data processing are support for the collection of signatures and Client1's contact with the data subject as a sympathizer, informing the data subject about its activities and events, and sending invitations to join Client1's campaigns. Personal data processed for the purpose of political contact are therefore information referring to the political views of the data subjects and, as such, are considered special categories of personal data within the meaning of Article 9 (1) of the General Data Protection Regulation.
The processing of special categories of personal data is, as a general rule, prohibited by the Regulation, or subject to strict conditions. In accordance with Article 9 (2) of the GDPR, these special categories of personal data may be processed, inter alia, if the data subject has given express consent to their processing for one or more specific purposes.
In order for the controller to be able to legitimately invoke the legal basis of consent, all conceptual elements of the consent must meet the requirements that apply to it.
Guidelines 5/2020 on consent of the European Data Protection Board and Guideline WP259 on consent of the Data Protection Working Party established pursuant to Article 29 of the Data Protection Directive also confirm that a statement or act unequivocally expressing confirmation is a precondition for lawful consent.
The guidelines state that "explicit consent" is required in certain situations where there is a serious data protection risk. According to the General Data Protection Regulation, "express consent" plays an important role in Article 9 on the processing of special categories of personal data, and thus also in the case of personal data processed for political contact purposes. The word “express” in this case indicates the way in which the data subject expresses his or her consent.
It means that the data subject must make a statement of specific consent. An obvious way to make sure that consent is "explicit" would be to confirm the consent expressly in a written statement.
As also explained in Annex II of the Authority's Recommendation to Political Parties, the Authority regards as good practice the method of two-step verification of consent set out in Guidelines 5/2020 of the European Data Protection Board and in Guideline WP259 on consent of the Working Party on Data Protection established pursuant to Article 29 of the Data Protection Directive, according to which the data controller obtains confirmation by sending a letter to the electronic contact address provided by the data subject, notifying him or her that it intends to process the data subject's personal data and requesting confirmation of the consent in a reply.
According to the privacy statement, the data controller applies the two-step verification method described above to confirm consent; in practice, however, this method of confirming consent was not used.
In order for the data subject to be able to express his or her will in concrete terms, it is therefore necessary that the data controller clearly separate the information related to obtaining consent for data processing activities from information on other issues.
Recital 42 of the General Data Protection Regulation also states that a statement of consent pre-formulated by the controller must be provided in an intelligible and easily accessible form, its language must be clear and plain, and it must not contain unfair terms.
In the Authority's view, the provision of personal data on the online interface is, on the one hand, consent to the use of the personal data; on the other hand, it is not consent to the processing of the personal data for contact purposes in addition to the original purpose of the data processing.
Recital 32 of the GDPR states that data processing can only take place if the data subject gives voluntary, specific, informed and unambiguous consent to the processing of personal data concerning him or her by a clear affirmative action, such as in writing, including by electronic means. If the data processing serves more than one purpose at a time, consent must be given separately for every data processing purpose. If the data controller does not attempt to ask for consent separately for each purpose, there is a lack of freedom of decision.
In the Authority's view, the lawfulness of the processing of the data subjects' personal data can be established if the data subject was able to consent separately to the processing for each data processing purpose.
As explained above, the consent given is not a clear and specific expression of the data subject's will, so it is not considered a valid legal basis for the data processing.
The Authority notes that the data controllers process the personal data of data subjects without a valid legal basis, in breach of Article 6 (1) of the General Data Protection Regulation. As these data, being data for political contact, are also special categories of personal data, whose processing is possible, inter alia, if the data subject has given his or her express consent, the data processing also infringes Article 9 (1) of the General Data Protection Regulation.
III.3.2. Purposefulness of data collection
Article 5 (1) (b) of the GDPR provides for the principle of purpose limitation, according to which personal data may only be collected for specified, explicit and legitimate purposes, and may not be processed in a way incompatible with those purposes.
According to the prospectus, the purpose of the data processing is, on the one hand, to support the national collection of signatures and, on the other hand, Client1's contact with the data subject as a sympathizer, informing the data subject about Client1's activities and events, and sending invitations to join Client1's campaigns; i.e., as also appears in several press statements by Client2, a further purpose of collecting signatures is to try to “gather a mass base”.
The privacy statement refers only in general terms to the “national collection of signatures”; however, the prospectus does not specify which collection of signatures it applies to. In this connection, the Authority notes that, through the website, Client1 also refers to another ongoing signature collection and navigates via a hyperlink to a page that has a similar content structure; the data protection information sheet referenced on that page likewise contains general information, with the same content, referring to the national collection of signatures.
In the course of the procedure, the Authority found that the specific content of the data processing purpose referred to in the data protection notice as "support for the collection of national signatures" is indicated only by the text on the interface for supporting the initiative, “I agree that no one should be vaccinated no one shall be subjected to any form of restraint or punishment.”; the data protection notice does not indicate this specific purpose, while the other purpose of the data processing, namely that the data are also collected for subsequent contact purposes, is not revealed by the interface for collecting data and supporting the initiative. The Authority considers that this is misleading for supporters of the initiative.
In a way that is deceptive for the signatories, the controller communicates only the primary purpose of the initiative on the data collection interface, while the signatory's attention is not drawn to the fact that all personal data (the telephone number being optional) will also be processed by the data controller for contact purposes, about which information is provided only in the privacy statement accessible via the hyperlink.
Compliance with the purpose limitation principle requires, inter alia, that the purpose be specifically defined before the start of the data processing and be communicated to data subjects in an understandable, unambiguous and non-misleading manner. On the basis of the information available, the Authority noted that the purpose of collecting personal data is in fact not the collection of signatures, that is, support for the petition, but the collection of those interested in the subject, of sympathizers, and of their personal data.
This is borne out, among other things, by the fact that a question literally identical to the question of the signature collection was earlier (27 August 2020) submitted to the National Electoral Commission as a proposed referendum question by the initiator of the Civil Movement Association. For the referendum However, the National Electoral Committee (IX.21.) NVB in its decision, however, the reference or information in the privacy statement for the collection of signatures that the signature collection sheets are intended to be handed over or presented as a petition is misleading. This is also indicated by the statement of Client2, given in answer to a question asked during the interview in the article published on October 20, 2020 (https://444.hu/2020/10/20/godeny-probaljuk-a-tomegbazist-): “If you succeed in collecting more than 200 thousand signatures, a referendum initiative could be considered, the pharmacist.”
So the collection of signatures, and with it the data collection, is still in progress on an issue on which a referendum is not possible, and the stated purpose of the petition is clearly no longer feasible. The real purpose of the data processing is, in the Authority's view, the collection of personal data to build a sympathy database, to create a mass base, but it is not clear whose, because Client1 exists only on paper. This establishes that the data processing purpose is unclear and unrealistic, so the data controllers violate the principle of purpose limitation under Article 5 (1) (b) of the General Data Protection Regulation.
III.3.3. Infringement of the principle of due process
Article 5 (1) (a) of the General Data Protection Regulation provides for the principle of fair procedure, according to which personal data must be processed fairly.
In the course of the procedure, the Authority found that during the collection of signatures, as detailed in point III.1, the identity of the data controller is not sufficiently clarified; the data subjects are misleadingly informed about the data controller, and an entity that is not actually operating is named as data controller.
Information about the purpose of the data processing is also misleading. As explained in point III.3.2, it is misleading, on the one hand, because the signatories are not informed of it on the data collection interface and, on the other hand, because the controller indicates the collection of signatures as the purpose, which is a manifestly impossible purpose, as it is a well-known fact that the issue is not suitable for a referendum: the National Electoral Commission earlier rejected its authentication for several reasons.
Based on the above, it can be concluded that the data processing is unfair, thus the data controllers breach the principle of fair procedure under Article 5 (1) (a) of the General Data Protection Regulation.
III.4.
Paper-based signature collection
During the collection of signatures, according to the signature collection form that can be downloaded from the website, the following personal data of the data subjects are collected: name, address (postcode, town, name of public place, house number / floor / door), e-mail contact, telephone number and signature. A privacy notice is also available on the website; however, the signature collection form contains no reference to it. An ID number is assigned to the data subject's data, by which the consent to the data processing can be documented. The signature collection sheet does not specify, for each item of data collected, whether it is mandatory or optional.
The following information, which can be assessed as information on the legal basis of the data processing, can be found on the signature collection form: “By providing the information on the summary form and signing the signature collection form I consent to the disclosure of my data on the right to self-determination of information and the CXII. pursuant to Section 5 (1) (a) of the Act, further contact, for the purpose of requesting an opinion and providing information, the statement of consent to the until the end of the year.”
Until 25 May 2018, the main rules on data protection in Hungary were contained in the Infotv. From that date, the GDPR is mandatory and directly applicable; however, the short information text on the signature collection form refers to the legal basis of consent indicated in Section 5 (1) a) of the Infotv.
According to the statement of Client2, the data subjects provided their personal data voluntarily during both the online and the paper-based collection of signatures, on this basis.
The pre-worded statement on the signature collection form refers only to consent “for the purpose of additional communication, consultation and information”.
However, the purpose of collecting signatures is not only further contact and the related database building, but also support for the initiative, to which only the main title of the signature sheet, "I agree that no one should be required to be vaccinated and that no one shall be punished or restricted.", refers.
An important conceptual element of consent is that the request for consent is preceded by appropriate information. Article 5 (1) (a) and (b) of the GDPR and, in this context, Recital 39 state that it must be transparent to natural persons how personal data concerning them are collected, used, consulted or otherwise processed, and to what extent the personal data are or will be processed. The principle of transparency also applies to informing data subjects about the purposes of the data processing. The specific purposes of the processing of personal data must be explicit and legitimate, and must already be specified at the time the personal data are collected.
It can therefore be concluded that, by completing the signature collection form, data subjects give their consent to the processing of their personal data for the purposes of "support for the initiative" and "contact, consultation and information", i.e. the legal basis for the processing of the personal data is the consent of the data subjects.
The Authority has determined that the information on the signature sheet, on which the statement of consent is based, is inadequate: as detailed in point III.2.2, it is not exhaustive, and therefore the consent cannot be considered informed. However, despite the deficient information, the Authority does not consider the data subjects' consent to the data processing to be invalid if the data controllers, providing appropriate information, obtain a statement from the data subjects confirming their consent.
III.5.
Infringement of the principle of accountability The Authority points out that, in accordance with Article 5 (2) of the General Data Protection essentially the objective responsibility and enhanced diligence of the controller Due to the fundamental requirement of accountability formulating the obligation to prove that the conditions for the lawfulness of data processing - data processing from the beginning - they persist. To the data controller from the planning of data management from the start of data processing to the deletion of all personal data processed you must carry out the data processing operation in such a way that you can prove at any time that how you complied with data protection regulations. Based on the principle of accountability, the data controller must implement the data management throughout the data processing process operations in order to be able to demonstrate compliance with data protection rules. The the principle of accountability can therefore be interpreted not only in general, at the process level, but in all specific data processing activity, the processing of personal data of a specific data subject also applies to The Authority states that data controllers do not guarantee the lawfulness and transparency of data processing certified to the Authority, did not declare that the personal data collected how and what it is used for, where the data is stored, and what the real purpose of data management is. Based on the above, it can be concluded that the data controllers by not approaching the Authority lawfulness of the data processing, breach of Article 5 of the General Data Protection Regulation. principle of accountability set out in Article 2 (2). III.6. Other findings The Authority will, on the basis of the facts set out above, in the course of the data protection authority proceedings found that the Client1 was operating in an illegal manner, or inoperability. 
Customer1 was not available at its registered office, this is still not ensured, and it was not possible to deliver the items to the gatekeeper either. Furthermore, in most cases Client1 was not available through its court-registered representative either. According to the registered data, there was a change in the data of the organization registered in the court register (change of registered office and registered representative); however, the availability of Customer1 was not ensured even after the change was recorded. The previous registered office of Client1 was reported at the address of a person who is not a representative of the organization, only a member; thus receipt of the items mailed to the registered office of Customer1 was not guaranteed either.

The Authority found that Client1 did not fulfill its obligation to publish the report or the public benefit annex at all.

For all these reasons, the Authority initiated before the Metropolitan Court a lawfulness review procedure in accordance with Sections 71/A-71/I of Act CLXXXI of 2011 on the court registration of non-governmental organizations and the related procedural rules.

III.7. Legal consequences

III.7.1. In accordance with Article 58 (2) (b) of the General Data Protection Regulation, the Authority finds that Customer1 and Customer2 infringed Article 6 (1) and Article 9 (1) of the General Data Protection Regulation by collecting the personal data of data subjects through the website, in the context of the collection of signatures, without a legal basis.

In accordance with Article 58 (2) (b) of the General Data Protection Regulation, the Authority finds that Customer1 and Customer2 infringed Article 5 (1) (b) of the General Data Protection Regulation by not clearly specifying the purpose of the data processing.
In accordance with Article 58 (2) (b) of the General Data Protection Regulation, the Authority finds that Customer1 and Customer2 infringed Article 5 (1) (a) and Article 13 of the General Data Protection Regulation by not providing data subjects, on paper and on the website, with clear, appropriate and real information on all relevant circumstances of the data processing in connection with the collection of signatures.

In accordance with Article 58 (2) (b) of the General Data Protection Regulation, the Authority finds that Customer1 and Customer2, by their unclear status as data controllers, misled data subjects as to the identity of the controller and the purpose of the processing, in breach of the principle of fair procedure within the meaning of Article 5 (1) (a) of the General Data Protection Regulation.

In accordance with Article 58 (2) (b) of the General Data Protection Regulation, the Authority finds that Customer1 and Customer2 infringed the accountability requirement of Article 5 (2) of the General Data Protection Regulation by not demonstrating the lawfulness of the data processing to the Authority.

Taking into account that the data processing involves the processing of a special category of personal data (party sympathy), that there is no specific information on the use of the personal data collected, while the stated purpose of the data collection is unrealistic, and that Client1 and Client2 did not cooperate with the Authority during the procedure, the Authority instructs Client1 and Client2, pursuant to Article 58 (2) (g) of the General Data Protection Regulation, to delete, in a documented manner, all personal data collected online from data subjects through the signature collection website.

Pursuant to Article 58 (2) (d) and (g) of the General Data Protection Regulation, the Authority orders Client1 and Client2 to obtain, with full information on the data processing, a statement from the data subjects who gave their consent on the paper-based signature collection form confirming that consent, failing which they shall delete, in a documented manner, the data subjects' personal data processed both for supporting the initiative and for contact purposes.

Pursuant to Article 58 (2) (f) of the General Data Protection Regulation, the Authority prohibits the continuation of the data processing in connection with the collection of signatures, so that Customer1 and Customer2 must immediately cease the collection of personal data in connection with the collection of signatures both on paper and online, as its purpose is unclear and not real: data collection is underway on an issue on which a referendum cannot be held, and the stated purpose of the petition is no longer achievable. The real purpose of the data processing is building a sympathy database and creating a mass base, while Customer1 in practice does not operate, only on paper, and the actual activities take place under the organization name Normal Life Party.

III.7.2. The Authority has examined whether the imposition of a data protection fine on Client1 and Client2 is justified. In this context, the Authority, in accordance with Article 83 (2) of the General Data Protection Regulation and Section 75/A of the Infotv., considered all the circumstances of the case and found that, in the case of the infringements detected in the present proceedings, a warning is neither a proportionate nor a dissuasive sanction; it is therefore necessary to impose a fine.

In setting the amount of the fine, the Authority took into account, in particular, that the infringements by Customer1 and Customer2 constitute infringements falling within the higher category of fines under Article 83 (5) (a) of the General Data Protection Regulation [Article 83 (2) (a) GDPR].

In determining the amount of the data protection fine for both Client1 and Client2, the Authority took into account that they have not previously been found in breach of the General Data Protection Regulation [Article 83 (2) (e) GDPR].

A) As aggravating circumstances in imposing a fine on Client1, the Authority took into account that:

- the nature of the infringements is serious: it concerns a current social issue and therefore involved the processing of the personal data of a significant, large number of data subjects (nearly 58,000 supporting signatures according to https://alairasgyujtes.online) [Article 83 (2) (a) GDPR];
- Customer1 has infringed several provisions of the General Data Protection Regulation [Article 83 (2) (a) GDPR];
- the infringement has lasted a long time (the collection of signatures started on 13 October 2020 and data collection is still ongoing during the proceedings) [Article 83 (2) (a) GDPR];
- according to the Authority, actors in public and political life are increasingly expected to act in accordance with the provisions of the General Data Protection Regulation when collecting personal data [Article 83 (2) (a) GDPR];
- the unlawful data processing was caused by Customer1's grossly negligent conduct and data processing practice [Article 83 (2) (b) GDPR];
- as a political actor, and given the category of personal data collected, Customer1 would have been expected to take all technical and organizational measures to ensure the adequacy of the data processing [Article 83 (2) (d) GDPR];
- the personal data collected are also special categories of personal data [Article 83 (2) (g) GDPR];
- the conduct of Client1 during the proceedings: its unavailability greatly impeded the clarification of the facts [Article 83 (2) (f) GDPR].

In imposing a fine on Client1, the Authority did not consider the circumstances under Article 83 (2) (c), (h), (i), (j) and (k) of the General Data Protection Regulation relevant, as they cannot be interpreted in this case.

B) As aggravating circumstances in imposing a fine on Client2, the Authority took into account that:

- the nature of the infringements is serious: it concerns a current social issue and therefore involves the processing of the personal data of a significant, large number of data subjects [Article 83 (2) (a) GDPR];
- Customer2 has infringed several provisions of the General Data Protection Regulation [Article 83 (2) (a) GDPR];
- the infringement has existed for a long time and data collection is still ongoing (started on 13 October 2020 and still in progress) [Article 83 (2) (a) GDPR];
- Client2, as a person who is currently actively involved in political life, is increasingly expected to comply with the requirements of the General Data Protection Regulation in data processing [Article 83 (2) (a) GDPR];
- Client2, on the one hand as the party's manager, i.e. as Client1's legal representative, also had an influence on the data processing, and on the other hand, as an individual data controller, is a key player in the case [Article 83 (2) (a) GDPR];
- the unlawful data processing was caused by Customer2's grossly negligent conduct and data processing practice [Article 83 (2) (b) GDPR];
- the personal data collected are also special categories of personal data [Article 83 (2) (g) GDPR];
- the conduct and unavailability of Client2 during the proceedings, and his disregard of the questions raised in the Authority's requests, greatly impeded the clarification of the facts [Article 83 (2) (f) GDPR].

As a mitigating circumstance in imposing a fine on Client2, the Authority took into account that Client2 is a natural person [Article 83 (2) (k) GDPR].

In imposing a fine on Client2, the Authority did not consider the circumstances under Article 83 (2) (c), (d), (h), (i) and (j) of the General Data Protection Regulation relevant, as they cannot be interpreted in this case.

On the basis of the above, the imposition of a fine is necessary for specific deterrence with regard to Client1 and Client2, and in setting the amount of the fine the Authority, in addition to the specific deterrence objective, also took into account the general preventive purpose to be achieved by the fine, with which, in addition to deterring Client1 and Customer2 from further infringement, the right to the protection of personal data signatures.

Since Client1 has not complied with its obligation to publish its report in recent years, the Authority has no specific information available on Client1's annual income. In the course of the proceedings, Client2 did not refer to any fact or circumstance that he would have considered necessary to take into account in the imposition of any fine.

The amount of the fine was determined by the Authority acting within its statutory discretion.

Based on the above, the Authority has decided in accordance with the operative part.

IV. Other issues

The powers of the Authority are defined by Section 38 (2) and (2a) of the Infotv.; its jurisdiction covers the whole country.

The decision is based on Sections 80-81 of the Ákr. and Section 61 (1) of the Infotv. Pursuant to Section 82 (1) of the Ákr., the decision becomes final with its communication. Pursuant to Section 112, Section 116 (1) and Section 114 (1) of the Ákr., the decision may be challenged by way of an administrative lawsuit.

* * *

The rules of administrative litigation are laid down in Act I of 2017 on the Procedure of Administrative Litigation (hereinafter: Kp.). Pursuant to Section 12 (2) (a) of the Kp., an administrative lawsuit against the decision of the Authority falls within the jurisdiction of the tribunal, and pursuant to Section 13 (11) the Metropolitan Court has exclusive jurisdiction. Pursuant to Section 72 of Act CXXX of 2016 on Civil Procedure (hereinafter: Pp.), applicable pursuant to Section 26 (1) of the Kp., legal representation is obligatory in a lawsuit falling within the jurisdiction of the tribunal. Pursuant to Section 39 (6) of the Kp., unless otherwise provided by law, the application has no suspensory effect on the entry into force of the administrative act.

Pursuant to Section 29 (1) of the Kp. and, with regard to this, Section 604 of the Pp., and under Section 9 (1) (b) of Act CCXXII of 2015 on the general rules of electronic administration and trust services, the client's legal representative is required to communicate electronically.

The time and place of the submission of the application are governed by Section 39 (1). The amount of the fee for an administrative lawsuit is determined by Section 45/A (1) of Act XCIII of 1990 on Fees (hereinafter: Itv.). Section 59 (1) and Section 62 (1) (h) of the Itv. release the party instituting the proceedings from the advance payment of the fee.

If the Applicant does not duly prove the fulfillment of the required obligation, the Authority considers that it has failed to fulfill its obligations within the prescribed period. According to Section 132 of the Ákr., if the obligor has not complied with the obligation contained in the final decision of the authority, it shall be enforceable. Pursuant to Section 82 (1) of the Ákr., the Authority's decision becomes final with its communication. Pursuant to Section 133 of the Ákr., enforcement, unless otherwise provided by law or government decree, is ordered by the decision-making authority. Pursuant to Section 134 of the Ákr., enforcement is carried out by the state tax authority, unless a law, a government decree or, in the case of a municipal authority, a local government decree provides otherwise. Pursuant to Section 60 (7) of the Infotv., the enforcement of the decision with regard to an obligation contained in the Authority's decision to carry out a specific act, or to engage in, tolerate or cease specific conduct, is carried out by the Authority.

Budapest, March 2, 2022

Dr. Attila Péterfalvi
President
c. professor