NAIH (Hungary) - NAIH-180-16/2022: Difference between revisions
Latest revision as of 16:35, 27 April 2022
NAIH (Hungary) - NAIH-180-16/2022 | |
---|---|
Authority: | NAIH (Hungary) |
Jurisdiction: | Hungary |
Relevant Law: | Article 5(2) GDPR; Article 6(1) GDPR; Article 12(2) GDPR; Article 84(2) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 15.06.2021 |
Decided: | 02.03.2022 |
Published: | 04.04.2022 |
Fine: | 5000000 HUF |
Parties: | n/a |
National Case Number/Name: | NAIH-180-16/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Hungarian |
Original Source: | NAIH (in HU) |
Initial Contributor: | n/a |
The Hungarian DPA issued a fine of €13,000 against an online directory operated by a telecom operator (including customers' names, addresses and mobile numbers) for breaching the accountability principle and processing data without a valid legal basis, in violation of Articles 5(2) and 6(1) GDPR.
English Summary
Facts
A data subject found that his data (name, address, mobile number) were included in a public online directory operated by a telecom operator (controller). The data was obtained by the operator in 2015, when the data subject first contracted with the company, but was only disclosed in 2018, when the data subject renewed his subscription via telephone. He first requested the deletion of his data via an online form, but later found that the request had been ignored. He then requested the deletion via telephone as well. This once again proved unsuccessful, in spite of the promises he received on the phone. He subsequently filed a complaint with the Hungarian DPA to enforce the deletion of his data. In the meantime, the controller deleted the data from the registry.
Holding
The Hungarian DPA (NAIH) found that the data subject's request for deletion was already fulfilled, and that therefore there was no need for the controller to act on this aspect of the complaint. However, the NAIH started an own-volition investigation into the controller's data processing practices with particular regard to data subject requests.
Subsequently, the NAIH found that the controller was in breach of the accountability principle under Article 5(2) GDPR, since it could not prove that it had received valid consent for the processing of the data subject's personal data. Moreover, it also found that since the controller had not even asked the data subject for valid consent, it had no legal grounds for processing under Article 6(1) GDPR. Finally, the NAIH held that the controller was in breach of Article 12(2) GDPR for mis-registering the data subject's request for the deletion of his data as a complaint about the service.
The NAIH decided to subsequently impose a fine on the controller. It argued that a simple reprimand would not be proportionate or dissuasive, for multiple reasons. As aggravating circumstances, the NAIH took into account the fact that the data subject had to request deletion multiple times and that the data was included in the database for more than 3 years without a valid legal ground (Article 83(2)(a)); that the controller committed multiple infringements (Article 83(2)(d)) including gross negligence in handling the case (Article 83(2)(b)); as well as that the NAIH had already warned the controller about its processing activities previously (Article 83(2)(b)).
However, the NAIH took into account as mitigating factors that the controller offered a small compensation to the data subject (Article 83(2)(c)); that it conducted the requested deletion in the meantime (Article 83(2)(f)); as well as the fact that the NAIH missed some of its deadlines when investigating the case (Article 83(2)(k)). Subsequently, the NAIH decided to fine the controller 5,000,000 HUF (~€13,000). Given that the controller's annual turnover was more than €752,000,000, this fine is very far from the maximum threshold allowed by the GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
Case number: NAIH-180-16 / 2022. Subject: Infringement and application (NAIH-5378/2021) DECISION The National Data Protection and Freedom of Information Authority (hereinafter referred to as the Authority) […] (place and date of birth: […]; address: […]; hereinafter: Applicant) to the Authority in 2021. received at the request on 4 June 2006, registered in […] (registered office: […]; hereinafter referred to as the “Requested”) in the data protection official proceedings initiated against makes the following decisions: 1. The Authority shall grant the applicant's application in part and shall condemn the applicant because he did not delete his personal data from his online inquiry at the request of the Applicant, in breach of the rules governing the processing of personal data by natural persons the free movement of such data and Directive 95/46 / EC Regulation (EU) 2016/679 repealing Regulation (EU) No Article 17 (1) (b) of the Data Protection Regulation). 2. The Authority will ex officio condemn the Applicant for its general data protection not in breach of the accountability requirement of Article 5 (2) of this Regulation proved that the Applicant had indeed consented to the personal data of the Applicant to publish it in its online directory. 3. The Authority will ex officio condemn the Applicant for its general data protection in breach of Article 6 (1) of the Regulation, was disclosed by the Applicant without legal basis personal information in your online directory. 4. The Authority will ex officio condemn the Applicant for failing to facilitate a Deletion of the Applicant's personal data by the Applicant classifying it as a complaint in breach of Article 12 (2) of the General Data Protection Regulation. paragraph. 5. Ex officio HUF 5,000,000, ie HUF 5 million data protection fine order the Applicant to pay. 6. 
The Authority shall reject the application in so far as it requires the Authority to: Applicant for the immediate deletion of the Applicant's personal data in a verified manner from the public inquiry, as the application has become devoid of purpose in this part. * * * Within 30 days of the final adoption of this decision, the data protection fine shall be imposed by a Authority's centralized revenue collection special purpose forint account (10032000-01040425-00000000 Centralized direct debit IBAN: HU83 1003 2000 0104 0425 0000 0000). When transferring the amount, NAIH-5378/2021. JUDGE. for should be referred to. If the Applicant fails to meet the obligation to pay the fine within the time limit, the above is required to pay a late payment surcharge on the account number. The amount of the late payment allowance is legal interest that is valid on the first day of the calendar half-year affected by the delay equal to the basic interest rate. In the event of non-payment of the data protection fine and the late payment allowance, the Authority shall order a implementation of this Decision. There is no administrative remedy against this decision, but from the date of notification within 30 days of the application lodged with the Metropolitan Court can be challenged in a lawsuit. The application shall be submitted to the Authority, electronically, which shall: it forwards it to the court together with the case file. The request for a hearing shall be made by: must be indicated in the application. 
For those who do not benefit from full personal exemption the fee for the court review procedure is HUF 30,000, the lawsuit is subject to the right to record the material fee. THE Legal representation is mandatory in proceedings before the Metropolitan Court. EXPLANATORY STATEMENT I. Procedure In the letter received by the Applicant on June 4, 2021, it is a data protection official procedure He applied to the Authority to initiate proceedings against personal data - name, address, telephone number - are nevertheless publicly available at He requested from his public inquiry ([…]) that he had not consented to their disclosure. The Applicant indicated all this and his request for cancellation on 2 May 2021 telephone customer service, which was recorded by the Applicant as a complaint under number […]. THE The Applicant promised the Applicant a period of thirty days to remove his personal data, however, by the date of their request for data protection authority proceedings, 2021. until 3 June - were still publicly available and from the Applicant on this has not received any feedback by. The Applicant has requested the Authority to request the Applicant to provide proof of personal data immediately deleted from the public directory. II. Clarification of the facts 1. On 15 June 2021, the Authority issued NAIH-5378-3 / 2021. case number clarifies the facts issued an order in which the Applicant was notified of the data protection authority proceedings and called for a statement. 2. The Applicant - the Authority, dated 20 July 2021, NAIH-5378-7 / 2021. case number for re-clarification - sent its replies on 3 and 16 August 2021 to the Authority. The Authority also has three audio recordings in which the Applicant is the Applicant telephone conversations with their administrators can be heard., 3 3. The Applicant is May 2021. Sound recording recorded on day 2 (13 minutes 29 seconds) sent to the Authority. 
Accordingly, the Applicant indicated to the Applicant's Administrator that your personal data can still be seen in the public directory on the […] website, that the Applicant on the Applicant's online interface approximately two weeks prior to the telephone call initiated their deletion. The Applicant's clerk informed the Applicant that he was despite searching the Applicant's personal data in the directory, he or she will not see a hit name and phone number. As no progress was made in resolving the problem, the Applicant his clerk consulted an employee of another department who was given a name hits, not phone numbers. A staff member from another department suggested that the Applicant's problem should be recorded in the complaint. Employee of another department during the subsequent check, he already received a hit for a phone number, so he repeated it advised the clerk to record in his complaint that, although it was done according to the system deleting the Applicant's personal data from the inquiry office, but in practice this is the case however, it is not fulfilled because the system also matches the name and phone number. After consultation with an employee of another department, the Applicant an administrator on a conversation with an employee of another department and a informed the Applicant about the registration as a complaint, and also about the fact that the the time to investigate a complaint is officially 30 days, but the administrator says it won’t take that much time take advantage of the process. Based on the information of the Applicant's administrator by e-mail will inform the Applicant of the outcome of the investigation of the complaint. The Applicant will record two audio recordings (1: May 2, 2021, 9 minutes: 46 seconds; 2: June 25, 2021, 20 minutes 23 seconds). 
The first recording is the same as With an audio recording sent by the Applicant, provided that the Applicant does not hear it coordination between the administrator and the staff member of the other department. On the second recording, the Applicant was contacted by telephone on June 25, 2021 inquired in May 2021. On the 2nd day, he made a complaint based on his number […] and requested a copy of the telephone call of 2 May 2021 and 25 June 2021 sending. The Applicant's Administrator informed the Applicant that the May 2021 Your complaint of 2 was not properly recorded due to an operator error Requested internal and the complaint was unduly closed and the application was therefore closed as no further investigation or measure was connected to the closed complaint. Given that the personal data of the Applicant recorded as a complaint under the number […] of the Applicant online the request to delete it from his inquiry was not complied with, the complaint has been locked, which cannot be changed due to the system, so it is new again the problem was recorded as […] as a complaint. The Applicant is dated May 2, 2021 and June 2021 Request for a copy of the audio recordings of the telephone conversation on 25 also recorded separately. 4. Statements by the Applicant and by him and the Applicant by the Authority On the basis of the sound recordings made available to him by the Applicant on May 2021. On the 2nd day during the initiated telephone administration indicated to the Applicant that his / her personal data they can be seen in the public inquiry office on the […] website, even though Applicant on the Applicant's online interface approximately two weeks prior to the telephone call initiated their deletion. 
Based on the data of the Applicant's internal records, although a The Applicant's request for cancellation has been processed by the Applicant and the steps required for cancellation performed, due to a technical error, the actual deletion of personal data did not take place, they they remained available on the public inquiry interface. This telephone call of the Applicant was recorded as a complaint under the number […] of the Applicant, and the The requested administrator informed him that the case was officially open for thirty days at the disposal of the Applicant., 4 In the absence of a reply, the Applicant will also be contacted by telephone on 25 June 2021 inquired about the action taken on his complaint under […] and requested also send a copy of the phone call of 2 May and 25 June 2021. The Requested The Administrator informed the Applicant that his complaint of 2 May 2021 was a one-off, managerial was not properly recorded in the Applicant 's internal records due to an error, and complaint has been unduly closed, so there is more to the report as a closed complaint investigation, measure was no longer related. Given that the Applicant […] number personal data recorded as a complaint from the Applicant's online directory your request for cancellation has not been complied with, the complaint has been closed, which cannot be modified due to the system operated by the Applicant, therefore again, the problem was recorded as a new complaint, number […]. The Applicant dated 2 May and 2021 To issue copies of audio recordings of a telephone conversation on June 25, 2021 his application was also recorded separately under number […]. 5. The Applicant's request for cancellation was finally repeated by the Applicant on 25 June 2021 on the basis of the application, on 5 July 2021 - informing the Applicant of the error which was also sent to the Authority on 19 July 2021. 
Confirmed back to the Applicant by letter dated […] dated your personal data is no longer available in the Applicant's online directory. In addition, the Applicant sent the Requested to the Applicant on August 2, 2021 sound recordings. The Applicant also offered a gross compensation of HUF 5,000 to the Applicant for it to alleviate the inconvenience. 6. Thus, as acknowledged by the Applicant, the Applicant's cancellation claims in May 2021 - the 2021. approximately 2 weeks prior to the telephone administration initiated on May 2; a 2021. Application filed as a complaint on May 2 - due to technical and administrative errors materialized. First, the Applicant's online cancellation request is made by the Applicant processed and took the necessary steps to delete due to a technical error however, personal data has not actually been deleted and is still available remained on the public inquiry interface. Subsequently, the Applicant's complaint of 2 May 2021 the Requested internal was not properly recorded due to a one-time operator error and the complaint has been unduly closed. According to the Applicant's statement, the statements related to data processing, including to modify inclusion in the online directory for customers through multiple channels they also have the opportunity to. The statement of the Applicant and the statement sent by him, a according to the process description for changing the listing The change initiated on the interface automatically runs through the systems of the Requested, which the data will be updated in the Applicant's own directory within 48 hours. In force according to current processes, the change will also be sent to the domestic inquiry within 48 hours, however, the national database is only updated every two weeks. 
Given that the objection In this case, the automatic delete did not run properly, a technical problem occurred related subscribers in order to investigate and subsequently meet the subscriber demand notifications were recorded as complaints in the Applicant's internal records. 7. It was also sent between the Applicant and the Applicant on 30 April 2015 a copy of the subscription contract for the prepaid service provided, according to which the Applicant did not consent to the fact that the Applicant is publish the name, permanent address and telephone number of the subscriber by the Applicant reserved and in the national directory. According to the Applicant 's statement, on the basis of the data recorded in its register, the Due to the failure of the applicant to reconcile the annual data, the electronic communications, 5 according to the declaration of Section 134 of Act C of 2003 on Services (hereinafter: Eht.) (1a), in fact under paragraph 10a (d), the Applicant was obliged to contact the Applicant terminate the subscriber contract with immediate effect. Given that the annual due to the failure to reconcile the data, the termination has taken place, the Applicant will only he was able to keep his number after the contract, so he was re-contracted on June 12, 2018 with the Applicant, in which case the statements made by him were also amended. According to the Claimant's statement, the re-contract was made by telephone ([…]) when also in accordance with the valid process, only the reconciliation of the data, and requesting consents - including the processing of the Applicant's personal data in the directory consent to such publication. The Applicant's administrator is the Applicant based on their responses, the data reconciliation required by the re-contract process was required make or request the statements and then reactivate the number for. 
In the re-contract process, no contract was posted and signed by the parties subject to the fact that the subscription contract is governed by Eht. in a way made possible by it was created by the process by which the subscriber submits a contractual statement to the SIM by activating the card and using the service as an implied behavior me. At the time of the re-contract, the telephone directory consent was also given to the Applicant on behalf of. The Claimant's statement is in effect at the time of the re-contract, however currently repealed, electronic communications subscriber contracts are special 2/2015 on the rules of (III. 30.) of the NMHH, the Applicant voice recordings of telephone customer service calls from the time of recording for 2 years, so the sound recording concerning the Applicant's re-contract has been canceled therefore, the Applicant sent the re-contract to support the consent a screenshot of the registered system data. III. Applicable legal provisions Pursuant to Article 2 (1) of the General Data Protection Regulation, this is the case here the general data protection regulation applies to data processing. Act CXII of 2011 on the right to information self-determination and freedom of information. Pursuant to Section 2 (2) of the Act (hereinafter: the Information Act), the General Data Protection Act This Regulation shall apply with the additions set out in that Regulation. Infotv. Pursuant to Section 60 (1), the enforcement of the right to the protection of personal data the Authority shall, upon request, initiate an official data protection procedure and of its own motion initiate proceedings against the data protection authority. The data protection authority procedure is general CL of 2016 on administrative order. (hereinafter: Ákr.) apply with the additions specified in the Infotv. and the general data protection with derogations under this Regulation. Infotv. 
Pursuant to Section 60 (2): “To initiate official data protection proceedings Article 77 (1) and Article 22 (b) of the General Data Protection Regulation may be submitted in the case specified in Under Article 77 (1) of the General Data Protection Regulation: without prejudice to administrative or judicial remedies, all persons concerned shall have the right to: make a complaint to a supervisory authority, in particular where you have your habitual residence, in the Member State of employment or of the alleged infringement, if any considers that the processing of personal data concerning him or her infringes this Regulation. ", 6 According to Article 6 (1) of the General Data Protection Regulation: “Processing of personal data lawful only if and to the extent that at least one of the following is met: (a) the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes treatment; (b) processing is necessary for the performance of a contract to which the data subject is party at the request of the party concerned or before the conclusion of the contract necessary to do so; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) processing is in the vital interests of the data subject or of another natural person necessary for its protection; (e) the processing is in the public interest or a public authority vested in the controller necessary for the performance of the task (f) processing for the legitimate interests of the controller or of a third party necessary, unless those interests take precedence over such interests interests or fundamental rights and freedoms that protect personal data especially if the child concerned. 
Point (f) of the first subparagraph shall not apply to the performance of their duties by public authorities processing of personal data during the Under Article 7 (3) of the General Data Protection Regulation: “The data subject shall have the right to to withdraw his consent at any time. Withdrawal of consent shall not affect the the lawfulness of consent-based data processing prior to withdrawal. The consent the data subject shall be informed before Withdrawal of consent is the same should be made possible in a simpler way than giving it. " Under Article 12 (1) to (6) of the General Data Protection Regulation: '1. The controller take appropriate measures to provide the data subject with personal data all the information referred to in Articles 13 and 14 and Each information pursuant to Article 34 shall be concise, transparent, comprehensible and easily accessible in a clear and comprehensible manner, in particular for children for any information to which it is addressed. The information shall be provided in writing or otherwise - including where appropriate, the electronic route. Oral information at the request of the data subject provided that the identity of the data subject has been otherwise established. 2. The controller shall facilitate the processing of the data subject in accordance with Articles 15 to 22. exercise of their rights under this Article. Article 11 In the cases referred to in paragraph 2, the controller shall rights under Article may not refuse to comply with your request for the exercise of the right to exercise his that the data subject cannot be identified. (3) The data controller shall, without undue delay, but in any case upon request within one month of receipt of the information. in accordance with Article on the action taken on the request. If necessary, taking into account the application complexity and number of applications, this deadline may be extended by a further two months. 
On the extension of the time limit, the controller shall indicate the reasons for the delay a inform the data subject within one month of receipt of the request. If concerned submitted the application electronically, the information preferably by electronic means unless otherwise requested by the data subject. 4. If the controller does not act on the data subject's request without delay, but shall inform the data subject no later than one month after receipt of the request the reasons for not taking action and the possibility for the person concerned to lodge a complaint before a supervisory authority and may exercise its right of judicial review 5. The information referred to in Articles 13 and 14 and Articles 15 to 22 and 34 the measure shall be provided free of charge. If the data subject's request is clearly unfounded or, in particular because of its repetitive nature, excessive, the data controller, subject to the information requested or the administrative nature of providing the information or taking the requested action costs: (a) charge a reasonable fee, or, (b) refuse to act on the application. Demonstration of the clearly unfounded or excessive nature of the request to the controller burden. 6. Without prejudice to Article 11, where the controller has reasonable doubts as to the application of Articles 15 to 21, the identity of the natural person submitting the application under Article may request the information necessary to confirm his identity. " According to Article 17 of the General Data Protection Regulation: “1. 
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) the data subject withdraws the consent on which the processing is based according to Article 6 (1) (a) or Article 9 (2) (a), and there is no other legal basis for the processing; (c) the data subject objects to the processing pursuant to Article 21 (1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2); (d) the personal data have been unlawfully processed; (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; (f) the personal data have been collected in relation to the offer of information society services referred to in Article 8 (1).

2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

3.
Paragraphs 1 and 2 shall not apply to the extent that processing is necessary: (a) for exercising the right of freedom of expression and information; (b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (c) for reasons of public interest in the area of public health in accordance with Article 9 (2) (h) and (i) and Article 9 (3); (d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1), in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair such processing; or (e) for the establishment, exercise or defense of legal claims.”

According to Article 24 of the General Data Protection Regulation: “1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.

3. Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.”

Under Article 25 of the General Data Protection Regulation: “1.
Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymisation, which are designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

2. The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.

3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.”

According to Article 58 (2) of the General Data Protection Regulation: “Each supervisory authority shall have all of the following corrective powers: (a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation; (b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation; (c) to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation; (d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period; (e) to order the controller to communicate a personal data breach to the data subject; (f) to impose a temporary or definitive limitation including a ban on processing; (g) to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17 (2) and Article 19; (h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met; (i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of, measures referred to in this paragraph, depending on the circumstances of each individual case; and (j) to order the suspension of data flows to a recipient in a third country or to an international organization.”

Under Article 83 (2) and (5) of the General Data Protection Regulation: “2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58 (2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case, due regard shall be given to the following: (a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them; (b) the intentional or negligent character of the infringement; (c) any action taken by the controller or processor to mitigate the damage suffered by data subjects; (d) the degree of responsibility of the controller or processor, taking into account technical and organizational measures implemented by them pursuant to Articles 25 and 32; (e) any relevant previous infringements by the controller or processor; (f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement; (g) the categories of personal data affected by the infringement; (h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement; (i) where measures referred to in Article 58 (2) have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures; (j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and (k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

[…]

5.
Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines of up to EUR 20 000 000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher: (a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9; (b) the data subjects' rights pursuant to Articles 12 to 22; (c) the transfers of personal data to a recipient in a third country or an international organization pursuant to Articles 44 to 49; (d) any obligations pursuant to Member State law adopted under Chapter IX; (e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58 (2), or failure to provide access in violation of Article 58 (1).”

Section 75/A of the Infotv.: “The Authority shall exercise its powers under Article 83 (2) to (6) of the General Data Protection Regulation in accordance with the principle of proportionality, in particular by taking action, where the requirements for the processing of personal data laid down in law or in a binding legal act of the European Union are breached, in particular by warning the controller or processor, in accordance with Article 58 of the General Data Protection Regulation, in order to remedy the breach.”

According to Section 134 (10a) (d) of the Eht.: “The subscriber contract also terminates by mutual agreement of the parties, subject to Section 127 (4), provided that a subscriber contract concluded by implied conduct may be terminated by the parties by implied conduct or by an oral or written statement, a subscriber contract concluded orally by an express oral or written statement, and a subscriber contract concluded in writing by a statement expressly made in writing.”

Pursuant to Section 25 (1) of NMHH Decree 2/2015 (III. 30.) on special rules for electronic communications subscriber contracts: “The service provider is obliged to make a sound recording of subscriber complaints and error reports received by the telephone customer service and to keep it in a retrievable manner, except in the case provided for in Section 22 (7), for a period of 2 years from the date of the notification.”

IV. Decision

IV. 1. Requests for deletion of the Applicant's personal data

1. The Applicant requested the Respondent several times to delete his personal data (name, address, telephone number) from its online directory. He first initiated the deletion in mid-April 2021 in the Respondent's online application; due to a technical issue this did not result in deletion, because the automatic deletion process affecting all of the Respondent's systems did not run properly, so the Applicant's personal data were not deleted from the directory. Subsequently, on 2 May 2021, the Applicant initiated the deletion, which was recorded as a complaint; however, due to a one-time operator error, the complaint was not duly recorded in the Respondent's internal records and was unjustifiably closed, so the Applicant's personal data remained available in the online directory.
On June 25, 2021, the Applicant initiated the deletion of his personal data from the online directory for the third time, given that he had not received a response to his request of May 2, 2021 and his personal data were still available. Following this third request, which was also treated as a complaint, the Respondent deleted the Applicant's personal data from the online directory on 5 July 2021.

2. According to the Respondent's statement and the process description it sent on inclusion in the directory and on the modification of directory data, the display of personal data in the directory can be controlled by the data subject, and disclosure is based on the data subject's consent. This is also supported by points 35-36 of the Data Protection Information in Annex 3 to the General Terms and Conditions available on the Respondent's website. The Respondent therefore, as it acknowledges, bases the display and disclosure of personal data in the online directory on consent.

Consent, as defined in the General Data Protection Regulation, must be informed, voluntary and specific, and must be expressed by a statement or by an act unequivocally expressing confirmation. In the case of consent-based data processing, the data subject is entitled to withdraw consent at any time.

On the basis of the statements and documents available to the Authority, under the subscriber contract for the top-up card service concluded between the Applicant and the Respondent on 30 April 2015, the Applicant did not consent to the Respondent publishing his subscriber name, permanent address and telephone number in the directory maintained by the Respondent and in the national directory.
However, in the case of the re-contract entered into on 12 June 2018, according to the Respondent's statement, the declarations given by the Applicant were modified: according to the records, the Applicant also gave consent for the telephone directory, and the Applicant's personal data were therefore included in the directory. 1 […]

However, in the Authority's view, the information provided by the Respondent and the screenshot of the system data recorded on the re-contract do not support that this consent was given voluntarily and that the Applicant indicated, by a statement or by an act unequivocally expressing confirmation, that he consented to the processing of the personal data concerning him. They merely certify that, in the system data in the part of the records concerning the Applicant, the field allowing his personal data to appear in the online directory was checked.

Under Article 7 (1) of the General Data Protection Regulation, where processing is based on consent, the controller must be able to demonstrate that the data subject has consented to the processing of his or her personal data. However, the screenshot of the system data recorded on the re-contract, sent by the Respondent, does not prove, in the absence of a contract signed by the parties, that the consent was given by the Applicant himself.

Under the principle of accountability in Article 5 (2) of the General Data Protection Regulation, the data controller is responsible for complying with the data protection principles and must be able to demonstrate such compliance. On this basis, the data controller is obliged to document and record the data processing in such a way that its lawfulness can be demonstrated ex post.
In view of the above, since it cannot be proved that the display of the Applicant's personal data in the online directory was marked in the Respondent's system data as a result of a voluntary declaration originating from the Applicant or of an act unequivocally expressing confirmation, the Authority finds that the Respondent is unable to demonstrate compliance with the data protection principles and therefore infringed the principle of accountability under Article 5 (2) of the General Data Protection Regulation.

Consequently, since it has not been established that the Applicant actually consented to the disclosure of his personal data in the Respondent's online directory, that is, that the Respondent had an appropriate legal basis for the disclosure, the Authority finds that the Respondent, in breach of Article 6 (1) of the General Data Protection Regulation, disclosed the Applicant's personal data in its online directory without a legal basis.

3. The Respondent classified the Applicant's requests recorded by telephone as complaints; in the Authority's opinion, they were requests to exercise data subject rights, namely for the deletion of the Applicant's personal data, as they specifically requested the deletion of his personal data from the Respondent's online directory. The Authority accordingly examined them under the rules on the erasure of personal data. The General Data Protection Regulation regulates the right to erasure among the rights of data subjects.
On this basis, given that the Respondent, in its statement and in point 35 of the data processing information in Annex 3 to the General Terms and Conditions, indicated consent under Article 6 (1) (a) of the General Data Protection Regulation as the legal basis for processing the personal data available in the online directory, under Article 17 (1) (b) of the General Data Protection Regulation the data subject has the right to have the controller delete the personal data concerning him without undue delay at his request, and the controller is obliged to delete the data subject's personal data without undue delay, if the data subject withdraws the consent on which the processing is based pursuant to Article 6 (1) (a) and there is no other legal basis for the processing.

In the present case, even without examining whether the individual conceptual elements of consent were met, it can be stated that the Respondent, according to its statement and its records system, processed and published the Applicant's personal data in its online directory on the basis of consent after the re-contract dated 12 June 2018. As described above, the Authority found that it had not been demonstrated that the Applicant had in fact consented to the disclosure of his personal data in the Respondent's online directory; however, this fact was only revealed in the present proceedings. When the Applicant submitted his requests for the deletion of his personal data, the Respondent understood that it had disclosed the personal data with the Applicant's consent and that the Applicant was requesting the withdrawal of this consent. The Respondent was therefore obliged, pursuant to Article 17 (1) (b) of the General Data Protection Regulation, to delete the Applicant's personal data from the directory.

The controller's obligations regarding the provision of information on the deletion of personal data are detailed in Article 12 of the General Data Protection Regulation.
It can be stated that the Applicant first withdrew his consent to the processing of his personal data and initiated their deletion in April 2021, which the Respondent, due to technical or administrative errors, carried out in the online directory only on July 5, 2021, after becoming aware of the data protection authority procedure. About two weeks before his telephone inquiry of 2 May 2021, the Applicant had initiated the deletion of his personal data from the online directory electronically. On the basis of this information, it can be concluded that the Respondent deleted the Applicant's personal data in excess of the deadline, more than two months later, without having extended the deadline and without having provided information on the measures taken on the basis of the request. Had the Applicant not raised his problem by telephone on two further occasions, the Respondent would not have taken action to comply with the data subject's request.

Consequently, the Authority finds that the Respondent did not comply with the Applicant's request for the deletion of his personal data, in violation of Article 17 (1) (b) of the General Data Protection Regulation. A technical error or an error by its administrators does not relieve the Respondent of its responsibility as data controller.

4. In addition, having regard to the finding in point 3 above that, although the Respondent classified the Applicant's requests recorded by telephone as complaints, they were requests for the deletion of the Applicant's personal data, the Authority also examined compliance with Article 12 (2) of the General Data Protection Regulation, the provision requiring the controller to facilitate the exercise of data subject rights, in the present case a request for the deletion of personal data. Under that provision, the data controller is obliged to facilitate the exercise of the data subject's rights.
The Respondent's practice in the present case, whereby it treated the Applicant's requests aimed at the deletion of his personal data as complaints, is contrary to this. It had to be clear to the Respondent that it must act in accordance with the General Data Protection Regulation in relation to the Applicant's requests, as the Applicant clearly stated that he was requesting the deletion of his personal data from the online directory, which had been preceded by an electronic deletion process initiated by the Applicant himself on the Respondent's online interface, and that he was not making a complaint about the service provided by the Respondent.

On the basis of the above, the Authority finds of its own motion that the Respondent infringed Article 12 (2) of the General Data Protection Regulation, as it did not facilitate the deletion of the Applicant's personal data.

IV. 2. Partial rejection of the application

On July 5, 2021, the Respondent deleted the Applicant's personal data from the online directory. The deletion of personal data was also sent to the Authority by the Applicant in 2021. Confirmed to the Applicant by letter dated 19 July 2006 […]. The Authority, having reviewed the directory page, found that the Applicant's personal data are indeed no longer available in the public directory. Consequently, although the Applicant requested the Authority to order the Respondent to delete his personal data from the public directory immediately and in a verifiable manner, the Authority rejects the application in this respect, as it has become unfounded.

V. Legal consequences

In its decision, the Authority, at the Applicant's request, condemned the Respondent pursuant to Article 58 (2) (b) of the General Data Protection Regulation because it did not delete the Applicant's personal data from its online directory at his request, in violation of Article 17 (1) (b) of the General Data Protection Regulation.
Acting ex officio, the Authority also condemned the Respondent pursuant to Article 58 (2) (b) of the General Data Protection Regulation because, in breach of the accountability requirement under Article 5 (2) of the General Data Protection Regulation, it did not demonstrate that the Applicant had actually consented to the publication of his personal data in the Respondent's online directory. The Authority therefore also condemned the Respondent ex officio because, in breach of Article 6 (1) of the General Data Protection Regulation, it disclosed the Applicant's personal data in its online directory without a legal basis.

Acting ex officio, the Authority reprimanded the Respondent pursuant to Article 58 (2) (b) of the General Data Protection Regulation because, by recording the Applicant's telephone requests as complaints, it infringed Article 12 (2) of the General Data Protection Regulation, as it did not facilitate the deletion of the Applicant's personal data.

The Authority examined whether the imposition of a data protection fine on the Respondent was justified. In this context, the Authority considered all the circumstances of the case on the basis of Article 83 (2) and (3) of the General Data Protection Regulation and Section 75/A of the Infotv. and found that, in the case of the infringements detected in the present proceedings, a warning is neither a proportionate nor a dissuasive sanction; it is therefore necessary to impose a fine.

In setting the amount of the fine, the Authority took into account, in particular, that the infringement committed by the Respondent counts as an infringement falling within the higher category of fines under Article 83 (5) (b) of the General Data Protection Regulation.
In setting the amount of the data protection fine, the Authority took into account as aggravating circumstances that:
- the personal data were deleted from the online directory after the Applicant's active involvement, following a total of three requests [Article 83 (2) (a) of the General Data Protection Regulation];
- the personal data of the Applicant were available in the online directory without a legal basis for a long time, from 12 June 2018 to 2021 [Article 83 (2) (a) of the General Data Protection Regulation];
- the personal data of the Applicant became public [Article 83 (2) (g) of the General Data Protection Regulation];
- the Respondent committed several infringements [Article 83 (2) (d) of the General Data Protection Regulation];
- the infringements committed by the Respondent are due to technical negligence and administrative errors [Article 83 (2) (b) of the General Data Protection Regulation];
- the Authority has on one occasion already condemned the Respondent for a data protection infringement, namely infringement of the data subject's right of rectification under Article 16 of the General Data Protection Regulation (Decision No […]) [Article 83 (2) (e) of the General Data Protection Regulation].

In setting the amount of the data protection fine, the Authority took into account as mitigating circumstances that:
- the Respondent offered the Applicant gross compensation of HUF 5,000 to alleviate the inconvenience caused to him [Article 83 (2) (c) of the General Data Protection Regulation];
- as a result of the data protection authority procedure, the Respondent deleted the Applicant's data from its online directory [Article 83 (2) (f) of the General Data Protection Regulation];
- the Authority exceeded the administrative deadline [Article 83 (2) (k) of the General Data Protection Regulation].
In imposing the data protection fine on the Respondent, the Authority did not consider Article 83 (2) (h), (i) and (j) of the General Data Protection Regulation relevant, as they cannot be interpreted in the context of the specific case.

The net sales revenue of the Respondent in 2020 was in the order of HUF 284,000.00 million, so the fine imposed is far from the maximum fine that could be imposed.

VI. Other issues

The powers of the Authority are defined by Section 38 (2) and (2a) of the Infotv.; its jurisdiction covers the whole country.

The present decision of the Authority is based on Sections 80-81 of the Ákr. and Section 61 (1) of the Infotv. Pursuant to Section 82 (1) of the Ákr., the decision becomes final upon its communication. Pursuant to Section 112, Section 116 (1) and (4) (d) and Section 114 (1) of the Ákr., an administrative remedy is available against the decision.

* * *

Pursuant to Section 135 of the Ákr., the debtor is obliged to pay a late payment surcharge at a rate corresponding to the statutory interest if he fails to meet his payment obligation on time. Pursuant to Section 6:48 (1) of Act V of 2013 on the Civil Code, in the case of a monetary debt, the debtor shall pay, from the date of default, default interest equal to the central bank base rate valid on the first day of the calendar half-year affected by the delay.

The rules of administrative litigation are laid down in Act I of 2017 on the Procedure of Administrative Litigation (hereinafter: Kp.). Pursuant to Section 12 (1) of the Kp., an administrative lawsuit against the decision of the Authority falls within the jurisdiction of the tribunal, and pursuant to Section 13 (3) (a) (aa) of the Kp., the Metropolitan Court has exclusive jurisdiction. Pursuant to Section 27 (1) (b) of the Kp., legal representation is mandatory in a dispute in which the tribunal has exclusive jurisdiction. Pursuant to Section 39 (6) of the Kp., the submission of the application has no suspensory effect on the entry into force of the administrative act.

Pursuant to Section 29 (1) of the Kp. and, in this regard, Section 604 of Act CXXX of 2016 on Civil Procedure, as applicable, and Section 9 (1) (b) of Act CCXXII of 2015 on the general rules of electronic administration and trust services, the client's legal representative is obliged to communicate electronically.

The time and place of the submission of the application are determined by Section 39 (1) of the Kp. The information on the possibility of requesting a hearing is based on Section 77 (1)-(2) of the Kp. The amount of the fee for an administrative lawsuit is determined by Section 45/A (1) of Act XCIII of 1990 on Fees (hereinafter: Itv.). Section 59 (1) and Section 62 (1) (h) of the Itv. exempt the party initiating the proceedings from the advance payment of the fee.

If the Respondent does not meet the required payment obligation in an appropriate manner, the Authority considers that it has not complied with the obligation within the time limit. According to Section 132 of the Ákr., if the Respondent fails to fulfill the obligation contained in the final decision of the Authority, it is enforceable. Pursuant to Section 82 (1) of the Ákr., the decision of the Authority becomes final upon communication. Pursuant to Section 133 of the Ákr., enforcement, unless otherwise provided by law or government decree, is ordered by the decision-making authority. Pursuant to Section 134 of the Ákr., enforcement, unless otherwise provided by law, government decree or, in a municipal authority matter, local government decree, is carried out by the state tax authority.

In the course of the procedure, the Authority exceeded the one hundred and fifty day administrative deadline under Section 60/A (1) of the Infotv.; therefore, pursuant to Section 51 b) of the Ákr., it pays ten thousand forints to the Applicant, at his choice, by bank transfer or postal order.

Date: Budapest, March 2, 2022

Dr. Attila Péterfalvi
President
c. professor