NAIH (Hungary) - NAIH-2727-2/2022.
Latest revision as of 16:08, 22 June 2022
NAIH - NAIH-2727-2/2022. | |
---|---|
Authority: | NAIH (Hungary) |
Jurisdiction: | Hungary |
Relevant Law: | Article 5(1)(b) GDPR; Article 5(1)(a) GDPR; Article 5(2) GDPR; Article 12(1) GDPR; Article 12(4) GDPR; Article 13 GDPR; Article 15(3) GDPR; Act CCXXXVII of 2013 on Credit Institutions and Financial Enterprises (Hpt.); Act V of 2013 on the Civil Code (Ptk.) |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | 14.06.2021 |
Decided: | 11.02.2022 |
Published: | 11.02.2022 |
Fine: | 10000000 HUF |
Parties: | n/a |
National Case Number/Name: | NAIH-2727-2/2022. |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Hungarian |
Original Source: | Hungarian DPA (in HU) |
Initial Contributor: | Abel Kaszian |
The Hungarian DPA imposed a fine of approximately €25,000 on a debt management company which, among other violations, breached Article 12(1) GDPR by failing to accept a verbal request for erasure.
English Summary
Facts
The controller (a debt management company) sought to collect a debt from an heir of a person who died in 2013.
Following a notice received on 23 June 2021, the data subject (the heir) called to inform the controller that in his view, the claim was not justifiable. Based on the Hungarian Act V of 2013 on the Civil Code, a claim expires after 5 years, and also, heirs are liable only up to the amount of the inherited estate. The data subject also asked the controller to erase all personal data relating to this case. As no measures were taken by the controller, the data subject called a second time on 15 July 2021, when he requested the controller to send him the audio recording of his previous call. The phone operator of the controller could not find any reference to the first phone conversation and informed the data subject that the request for erasure had to be submitted in writing.
After the controller received an inquiry by the DPA, it claimed that it had initiated the proceedings against the data subject based on an administrative error. It was determined in an internal review that the data subject's verbal request for erasure was fully justified and the controller's phone operator failed to register it as a complaint.
As a result, the controller notified the data subject that it irretrievably deleted the relevant personal data from its records, while retaining a copy of the order of the public notary about the estate (including name, date and place of birth of the data subject, as well as his mother's name) based on its legal obligation to keep records under Act CCXXXVII of 2013 on Credit Institutions and Financial Enterprises and also on the basis of Article 6(1)(c) GDPR.
Holding
First, the DPA considered the processing of personal data for the purpose of debt collection. It was clear from the probate order obtained in 2016 that the amount of debts exceeded the amount of the active assets and hence the controller's claim was unjustified. Nevertheless, after receipt of the order, the data subject was still sent payment notices by the controller to settle the debt. The DPA consequently held that the controller unlawfully processed the personal data of the data subject for the purposes of debt collection, in violation of Article 5(1)(b) GDPR and Article 6(1) GDPR. Regarding the copy of the order of the public notary that the controller retained, however, the DPA held that, pursuant to Article 17(3)(b) GDPR, a data subject's request for erasure cannot be complied with if the processing of personal data is required by law. The controller was lawfully processing the personal data included in the order of the public notary about the estate based on Article 6(1)(c) GDPR.
Second, the data subject was informed by the phone operator of the controller that the request for erasure had to be made in writing. Since the GDPR does not impose any formal requirements for the submission of a data subject request, the controller was not entitled to do so and, by refusing to accept the data subject request, it breached Article 12(1) GDPR.
Third, the DPA considered the inability of the controller to provide the data subject and the DPA with a copy of the initial erasure request. The DPA concluded that the controller, after becoming aware of the DPA’s proceedings, deleted the audio material, the retention of which would have been justified for the purposes of the proceedings, in particular based on the principle of accountability, and would therefore have had a legal basis under Article 6(1)(f) GDPR. The DPA further found that because the controller deleted the audio of the telephone conversation with the data subject and did so at a time that the proceedings were already pending, it violated Article 5(2) GDPR. In addition, because the requested audio file was not sent to the data subject when he requested it, despite the fact that data matching and identification took place and the telephone operator recorded the request, and because the controller did not give any reason for not providing access, the controller also violated Article 15(3) GDPR and Article 12(4) GDPR.
Lastly, because the controller's policy on backups and their management was not public to the data subjects, the DPA held that the controller breached the principle of transparency under Article 5(1)(a) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
Case number: NAIH-2727-2 / 2022.
Subject: Partial application decision and termination order
History: NAIH-5732/2021.
The National Data Protection and Freedom of Information Authority (hereinafter referred to as the Authority) […] at the request of the applicant (hereinafter referred to as the “Applicant”) (hereinafter referred to as the hereinafter referred to as the “Applicant”) data protection authorities take the following decisions in the procedure:
I.1. In its decision, the Authority shall issue the Applicant's application on 25 May 2018 in so far as it seeks to establish the unlawfulness of its subsequent processing gives place and
I.2. finds that the Applicant has violated
- the processing of personal data by natural persons the free movement of such data and repealing Directive 95/46 / EC Regulation (EU) No 2016/679 (hereinafter referred to as the GDPR or General Article 5 (1) (a) and (b) of the Data Protection Regulation,
- Article 5 (2) of the GDPR,
- Article 6 (1) of the GDPR,
- Article 12 (1) and (4) of the GDPR,
- Article 13 of the GDPR, and
- Article 15 (3) of the GDPR.
II. The Authority shall include in the Applicant's request a decision on the information CXII of 2011 on the right to self-determination and freedom of information Act (a hereinafter: Infotv.) pursuant to Section 61 (2) rejects.
III. Unlawful processing of the Applicant's personal data in its order the period prior to 25 May 2018 and the deletion of your personal data terminates.
IV. In its decision, the Authority shall inform the Applicant ex officio about the unlawful data processing carried out by it because of 10,000,000 HUF, i.e. ten million forints data protection fine obliges to pay.
* * *
The data protection fine governing the initiation of judicial review after the expiry of the time limit or, in the case of a review, 15 the settlement forint account of the collection of centralized revenues of the Authority within days (10032000-01040425-00000000 Centralized direct debit account IBAN: HU83 1003 2000 0104 0425 0000 0000). When transferring the amount, NAIH-5732/2021. JUDGE. number should be referred to.
If the Applicant fails to meet the obligation to pay the fine within the time limit, it shall be delayed must pay a supplement. The rate of the late payment interest is the statutory interest, which is in arrears equal to the central bank base rate valid on the first day of the calendar half-year concerned. The fine and the in the event of non-payment of the late payment allowance, the Authority shall order enforcement of the decision.
V. In view of the fact that the time limit has been exceeded, the Authority shall, by order, Payment of HUF 10,000, i.e. ten thousand forints, by the Authority to the Applicant - in writing by bank transfer or postal order.
* * *
I., II. and IV. Decision III. administrative appeal against the order it has no place, but it is addressed to the Metropolitan Court within 30 days of the communication may be challenged in an administrative action. The application shall be submitted to the Authority, electronically, which forwards it to the court together with the case file. Against the order in a lawsuit, the court acts in a simplified lawsuit. Not in full personal exemption for the beneficiaries, the fee of the administrative lawsuit is HUF 30,000, the lawsuit is subject to the right to record material fees. Legal representation is mandatory in proceedings before the Metropolitan Court.
EXPLANATORY STATEMENT
I. Procedure
I.1. At the request of the Applicant, the Infotv. Pursuant to Section 60 (1), on June 24, 2021 data protection authority proceedings have been initiated.
The application did not contain the sound recording referred to by the Applicant, which confirms that The applicant did not explain that the The form in which the Applicant (written or telephone) was rejected by the Applicant concerned nor did he substantiate his rejection The Applicant, and therefore the Authority, did not attach a court decision establishing the statute of limitations to his application and NAIH-5732-2 / 2021. In his order no. 5732-2 / 2021. in a document registered under number.
I.2. The Authority shall notify the Applicant in accordance with NAIH-5732-4 / 2021. notified the procedure in order no and called for a statement for the first time in order to clarify the facts, with reference to CL of 2016 on General Administrative Procedure. Act (a hereinafter: Ákr.), to which the Applicant's reply was received on 16 August 2021 to the Authority (NAIH-5732-5 / 2021).
On the basis of the Applicant's statement, the Authority considered that the clarification of the statement it is again necessary to invite the Applicant to make a statement in order to clarify the facts, and issues essential to the disclosure of the circumstances of the case In its reply, the Applicant did not detail the data management objected to by the Applicant operations and the examination of new circumstances has become warranted and will therefore be re-declared called for clarification of the facts in his order of 10 September 2021, to which the Applicant sent a letter to the Authority by letter dated 24 September 2021 (NAIH-5732-9 / 2021).
The Applicant in its response to the previous statements contradictory statements did not specify how the Applicant's personal data was deleted, therefore the Authority for the third time in its order of 14 October 2021, called on the Applicant. (NAIH-5732-10 / 2021.)
The deadline given by the Applicant for this call is the last one In a letter dated requested an extension of 15 days, but did not give reasons for its request.
The Authority granted the request for an extension in part, giving it 9 days allowed an extension of the deadline. However, the Applicant day, so 11 delayed the request by one day and argued that the order partially granting the application for an extension 10.11.2021. on the day of for delivery to the Applicant.
I.3. The Authority has issued NAIH-5732-15 / 2021. s. notified the Applicant in its file that the evidentiary procedure has been completed. The Authority shall issue an order to that effect as evidenced by the return receipt Applicant 25.11.2021. The deadline for submitting declarations was reached on 03.12.2021. day has passed. The Applicant did not send a statement to the Authority.
II. Clarification of the facts
II.1. In his application and rectification, the applicant stated the following:
II.1.1. In his application, the applicant requested:
- the investigation of the data processing of the Applicant,
- finding of unlawful data processing,
- erasure of unlawfully processed data, an instruction from the controller to bring its data processing operations into line with the data protection provisions,
- examine the data processing practices of the Requested, in particular the "real purpose" with regard to data management, and
- the decision made against the Applicant by Infotv. Pursuant to Section 61 (2) to the public.
II.1.2. The following documents / screenshots were attached to the application by the Applicant in copy:
- screenshot of an outgoing call (to […]),
- on 11.11.2021. letter of information and request for payment dated
- a letter from the Applicant [….] notifying the Applicant, to close the Applicant's case and to the Applicant as a trader deleted personal data will be deleted within 3 working days, at the same time the transferor keep a copy of the order due to the registration obligation required by law.
In addition to the above, the Applicant shall, in the framework of the rectification of deficiencies, on the day at 18:03 attached the audio of a telephone conversation. This sound recording was made by the Applicant, and in this requested the Applicant to send the previously recorded sound recording (23.06.2021) for you. The Applicant further referred in this audio recording to the former He also submitted a request for cancellation during the telephone call and asked to do so the reasons why your personal data will not be deleted, but the administrator will not do so found a reference in its records and argued that it should be in writing the applications concerned to submit. The Applicant's administrator was unable to provide information on the Applicant's question provide information on the legal or other provisions under which the data subject is not complying requests only if received in writing. At the beginning of the recording, the clerk a Applicant's personal information includes the mother's birth name, as well as the Applicant's birth name requested the provision of a place and time, which the Applicant later accused of as he questioned why this was necessary.
The audio recording testifies that in addition to the above, the Claimant and the Claimant are the claim he talked about its legitimacy and enforceability. The Applicant argued that the inheritance was not covers the debts of the testator, and the Applicant, as heir, is not obliged to settle the for the debts of the testator if the value of the inheritance exceeds the debts. According to the Applicant the Applicant, as a receivables management company, should be aware of this. The Applicant and also accused the Applicant of failing to enforce the claim and is now trying to recover it illegally.
II.1.3.
In its request to the Authority, the Applicant detailed the data processing complained of According to the following:
The Applicant stated that the Applicant had purchased a claim on 7 December 2015, which was It demands from the petitioner the title of “inheritance”. Received by the Applicant on 23.06.2021, a Following a summons registered with the applicant at case number […], at 11:58 a.m. by telephone informed the Applicant of the following facts of which the Applicant was aware:
- the original obligor died in 2013, with assets under HUF 100,000, over HUF 300,000 funeral expenses, and the heirs are liable only to the extent of the estate, and that, even if there had been a will (in excess of the debt), the claim is time-barred and therefore not enforceable in court,
- the Applicant does not intend to pay the claim out of court.
The Applicant also referred in its application that it had informed the Applicant that the his right to enforce his claim ceased and drew the Applicant's attention that the Applicant is aware of this (since the Applicant 's data are only available to the made it possible to obtain an inheritance order) and requested the deletion of the personal data of the data subject. According to the Applicant, the Applicant affected the Applicant's application without giving reasons he rejected. The Administrator of the Requested has stated that he will continue to handle the data and attempted to collect additional information about the Applicant.
The Petitioner also argued that the Claimant's claim was already time-barred and therefore outstanding personal data of the Applicant could no longer be processed with reference to a claim however, he did not attach a court decision to his application in this regard.
According to the Applicant, the Applicant is fully aware of the claim after the purchase was that he could not enforce the claim in court.
The Applicant is clearly not accidentally failed to enforce the claim in the 5 years since the assignment. The Applicant According to the The Applicant may harass the Applicant until the end of the time, as it is up to the Applicant to decide that he will not bring legal proceedings within the limitation period. The processing of the data requested by the applicant is therefore manifestly unlawful, since the purpose of the processing is legitimate interest) did not exist even before the limitation period. It follows directly from this that that derivative data processing related to the enforcement of a legitimate interest (contact for customer identification purposes) cannot be legal or fair.
The Applicant also referred to the fact that the conduct as the Applicant is handles the request on the basis of the testimony of the audio recording made on 15 July 2021 (i.e. more precisely, as it does not even record oral indications), obviously contrary to data protection provisions.
In his telephone call to the Applicant, the Applicant specifically referred to the fact that a Applicant with the infringed data management of the Applicant's mourning process in the wrong direction affected, for the Applicant's letter of formal notice upset him just as he was in mourning calmed down.
II.2. The Requested NAIH-5732-5 / 2021. According to the statement in the file:
The Applicant shall transfer the case from the date of assignment, at the request of the Authority reviewed and found that:
On 07 December 7, 2015, […] assigned the claim to the Applicant. The Applicant a Pursuant to [….], was registered as the legal heir of the Applicant on 20 September 2016. on the day.
The Applicant has initiated recovery proceedings against the Applicant due to an administrative error.
According to the requested probate procedure, if one is final the amount of the value of the estate indicated in the transfer order is less than costs related to the acquisition of the estate, the Applicant shall take immediate action against the closing the case. Unfortunately, the case was not closed in the Applicant's case.
Upon review of the case, it was found that the Applicant's oral complaint was fully substantiated and the staff member of the Requested Telephone Operator failed to when he did not accept the submissions made by the Applicant as an oral complaint, he instead requested it in writing send the objection. The Applicant did not contact the Applicant in writing.
Due to the above, the Applicant has closed the case and the Applicant, as a party to the transaction and has deleted his / her related personal data from his / her register in an irreversible manner. The Applicant has notified the Applicant that the case has been closed and that, as a party to the transaction all personal data will be deleted, this will be done within 3 working days, the order of transfer of the estate a copy of it shall, however, be retained by the Applicant with respect to that prescribed by law registration obligation. A copy of the notice sent to the Applicant and the cancellation The Applicant forwarded the screenshot to the Authority.
According to the Applicant, in the event of a statute of limitations, he shall proceed as follows:
Act V of 2013 on the Civil Code (hereinafter: the Civil Code) 6:23. § as provides that a time - barred claim may not be enforced in court this does not affect the existence of an obligation to provide the service. It's outdated claim, therefore, the Civil Code. rights, which are granted by the Applicant as the right holder may not be taken into account ex officio.
If it is at the request of the person concerned, the court shall examine all the circumstances of the enforcement of the claim in which case the Applicant shall terminate the processing and the data shall be processed deletes data.
II.3. The Requested NAIH-5732-9 / 2021. s. the following information in its declaration provided by:
Deletion of data of the Applicant's previously processed personal data in view of the fact that the Applicant is not in a position to provide accurate information, the Applicant can generally declare that the debtors are personally identifiable as well as contact manages your data.
The transfer order and the personal data contained therein (Applicant name, place and date of birth, name of mother) of the Applicant on credit institutions and financial CCXXXVII of 2013 on enterprises is a legal obligation with regard to Section 258 of the Act with reference to Article 6 (1) (c) of the GDPR.
The Applicant does not has the audio material of the conversation with the Applicant, as the Applicant is In addition to the personal data indicated in the transfer order, the Applicant is all has deleted his personal data as he has closed the transaction as referred to above.
The Applicant further substantiated by documentary evidence that the purchase of his claim, in which […] was entered in the Register of the Claimant as his legal heir the Applicant, has not expired until the detection of the administrative error in view of the fact that the old Civil Code. a written request for the performance of a claim shall be deemed to be an act interrupting the limitation period summons, as well as the recognition of the debtor's debt, the settlement of the claim by agreement amendment and judicial enforcement.
II.4. The Requested NAIH-5732-13 / 2021. s. In its statement registered in the document, the Applicant provided the following information:
The personal data of the Applicant was deleted on 11 August 2021.
The Authority stated to send telephone conversations with the Applicant a copy of his audio recording, given that they are covered by the Complaints Management Regulations (8/2020). (X.01.) 8.2. for 5 years, the Applicant replied as follows:
In its first reply to the Authority, the Applicant stated that the telephone operator A staff member failed to do so when the Applicant's oral objection was not presented orally instead, he asked the Applicant to send his complaint in writing. In view of the fact that no sound recording was found in the Applicant's register, which was recorded as an oral complaint in connection with the Applicant and in writing nor was it filed, the Applicant did not take care of the statutory retention of a complaint.
The Applicant has also stated that, as amended by the previous order, the Applicant is personal with regard to the processing of his data, that, as he has a legal obligation to make a backup copy of the registration system, therefore the personal data of the Applicant it is still stored as a backup. Access to this personal information limited and may not be used for purposes other than providing backup. The obligation to make a backup is the responsibility of financial institutions, insurers and reinsurers, as well as investment firms and commodity exchange service providers 42/2015 on the protection of the (III.12.) (Hereinafter: Government Decree) 5 / B. § d) for the Applicant.
The deadline for extending the deadline in the letter sent by the Applicant on the last day of the deadline for the call applied to the Authority for an extension of 15 days however, he did not substantiate his request. The Authority took into account that the Applicant not previously missed a deadline.
However, in the Authority’s view, the deadline The request for an extension was not duly substantiated as the Applicant did not indicate the the reasons for his request and the fact that he was at the time of the Authority's third call necessary because the Applicant did not respond fully to previous calls or in some places his statement was also contradictory.
In view of the above, the Authority considered the 15 - day extension to be excessive, as Applicant did not provide any reason that would have clearly prevented it from doing so 11/5/2020 comply with the order by the day. The Authority shall request an extension granted the request in part by granting an extension of 9 days. However, it was applied for on 15.11.2021. on the day before, so he complied with the request by 11 days, and argued that the Authority granted the request for an extension in part Order of 10/11/2017 was served on the Applicant on the day that the Authority provided that the deadline for submitting the declaration was 05.11.2021. until the day extended it.
II.5. The Authority consulted the data management information available on the Applicant's website, which reads as follows:
II.5.1. In connection with the recovery of a claim, the personal data of the Applicant shall be given priority referred to in Article 6 (1) (f) of the GDPR.
II.5.2. In connection with data management during voice recording, the following included
The Data Protection Information of the Applicant separates it in the field of debt collection data management (point 11) and in connection with lending activities telephone conversation (point 12).
In the context of debt collection, the following objectives have been set, inter alia: reconciliations, legal statements, requests related to receivables management (e.g. installment payment agreement), ensuring the accountability of the data controller, legal claims submission, protection, ensuring proof of enforcement related to both parties for.
The legal basis for data processing is Article 6 (1) (f) GDPR with recovery of claims context.
The duration of data processing is regulated by Act V of 2013 on the Civil Code. (the hereinafter referred to as the Civil Code) limitation period 6.21-6.25. Was determined on the basis of § limitation period 5 years).
The Applicant is the Hpt. For the retention of a complaint pursuant to Section 288 only with its lending activity telephone conversations.
III. Applicable legal provisions
The GDPR should be applied to personal data in a partially or fully automated manner non-automated processing of personal data which are part of a registration system or which are part of a intended to be part of a registration system.
For data processing covered by the GDPR, the Infotv. Pursuant to Section 2 (2), the GDPR shall apply with the additions indicated therein.
According to Article 5 (1) (a) and (b) of the GDPR: Personal information:
(a) be processed lawfully and fairly and in a manner which is transparent to the data subject ("legality, fairness and transparency");
(b) collected for specified, explicit and legitimate purposes and not processed in a way incompatible with those objectives; in accordance with Article 89 (1) does not constitute incompatibility with the original purpose for the purpose of archiving in the public interest, further processing for scientific and historical research or statistical purposes ("Purpose limitation");
Under Article 5 (2) of the GDPR, the controller is responsible for complying with paragraph 1 and be able to demonstrate such compliance (‘accountability’).
Article 6 (1) of the GDPR:
(c) the processing of personal data is lawful insofar as it relates to the controller necessary to fulfill a legal obligation.
(f) the processing of personal data is lawful if the processing is necessary for the legitimate interests of the controller or of a third party, unless those interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
Under Article 12 (1) to (6) of the GDPR:
1. The controller shall take appropriate measures to provide the data subject with all information on the processing of personal data referred to in Articles 13 and 14 and all communications under Articles 15 to 22 and Article 34 in a concise, transparent, comprehensible and easily accessible form, in a clear and comprehensible manner, in particular for any information addressed to children. The information shall be provided in writing or by other means, including, where applicable, by electronic means. At the request of the data subject, information may be provided orally, provided that the identity of the data subject has been otherwise established.
2. The controller shall facilitate the exercise of the data subject's rights under Articles 15 to 22. In the cases referred to in Article 11 (2), the controller may not refuse to comply with the data subject's request to exercise his or her rights under Articles 15 to 22 unless it proves that it is unable to identify the data subject.
3. The controller shall inform the data subject without undue delay, and in any case within one month of receipt of the request, of the measures taken on a request under Articles 15 to 22. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months. The controller shall inform the data subject of the extension of the deadline, indicating the reasons for the delay, within one month of receipt of the request.
If the data subject has submitted the request by electronic means, the information shall be provided, if possible, by electronic means, unless the data subject requests otherwise.
4. If the controller does not act on the data subject's request, it shall inform the data subject without delay, and no later than one month after receipt of the request, of the reasons for not taking action and of the fact that the data subject may lodge a complaint with a supervisory authority and may exercise the right of judicial review.
5. The information provided pursuant to Articles 13 and 14 and all information and action taken pursuant to Articles 15 to 22 and Article 34 shall be provided free of charge. If the data subject's request is manifestly unfounded or, in particular because of its repetitive nature, excessive, the data controller may: (a) charge a reasonable fee, taking into account the administrative costs of providing the requested information or taking the requested action, or (b) refuse to act on the request. The burden of proving that the request is manifestly unfounded or excessive is on the controller.
6. Without prejudice to Article 11, where the controller has reasonable doubts as to the identity of the natural person submitting a request under Articles 15 to 21, it may request the information necessary to confirm the data subject's identity.
Pursuant to Article 15 (3) of the GDPR, the controller shall provide the data subject with a copy of the personal data that are the subject of the processing. For additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. If the data subject submitted the request electronically, the information shall be provided in a widely used electronic format, unless otherwise requested by the data subject.
Pursuant to Article 17 (1) GDPR, the data subject has the right to request that the controller delete personal data concerning him or her without undue delay, and the data controller shall be required to delete the personal data of the data subject without undue delay if one of the following reasons exists: (a) the personal data are no longer required for the purpose for which they were collected or otherwise processed; (b) the data subject withdraws the consent to the processing provided for in Article 6 (1) (a) or Article 9 (2) (a), and there is no other legal basis for the processing; (c) the data subject objects to the processing pursuant to Article 21 (1) and there is no priority legitimate reason for the processing, or the data subject objects to the processing on the basis of Article 21 (2); (d) the personal data have been processed unlawfully; (e) the personal data must be deleted in order to fulfill an obligation under the law of the Union or Member State applicable to the controller; (f) the personal data were collected in connection with the provision of the information society services referred to in Article 8 (1).
Pursuant to Article 17 (3) of the GDPR, paragraphs 1 and 2 do not apply if the data management is required: (b) for compliance with an obligation under the Union or Member State law applicable to the controller governing the processing of personal data, or for a task carried out in the public interest or in the exercise of official authority vested in the controller.
Under Article 21 (1) of the GDPR, the data subject is entitled to object at any time, for reasons related to his or her own situation, to the processing of his or her personal data on the basis of Article 6 (1) (e) or (f), including profiling based on those provisions.
In this case the controller may no longer process the personal data unless the controller proves that the processing is justified by compelling legitimate reasons which take precedence over the interests, rights and freedoms of the data subject or which are related to the submission, enforcement or protection of legal claims.
Under Article 77 (1) GDPR, without prejudice to other administrative or judicial remedies, any data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of employment or place of the alleged infringement, if the data subject considers that the processing of personal data concerning him or her is in breach of this Regulation.
Under Article 58 (2) (b) GDPR, the supervisory authority, acting within its corrective powers: (b) reprimands the controller or the processor if its data processing activities have infringed the provisions of this Regulation; (i) imposes an administrative fine in accordance with Article 83, depending on the circumstances of the case, in addition to or instead of the measures referred to in this paragraph.
Under Section 17 of the Ákr., the authority shall examine its powers and competence ex officio at all stages of the proceedings. If it notices that either of them is lacking and the authority competent in the case can be established beyond doubt, it shall transfer the case, failing which it shall reject the application or terminate the proceedings.
Pursuant to Section 46 (1) of the Act, the authority shall reject the application if (a) a statutory condition for instituting proceedings is missing and this law does not attach any other legal consequence to it.
Pursuant to Section 47 (1) of the Act, the authority shall terminate the proceedings if (a) the application should have been rejected but the reason for it came to the attention of the authority after the procedure was initiated.
Infotv.
Pursuant to Section 38 (2b), the Authority's role under paragraph (2) with regard to personal data does not extend to the exercise of the powers under paragraph (3) in respect of data processing operations carried out by a court in litigious and non-litigious proceedings in accordance with the rules applicable to them.
Pursuant to Section 60 (1) of the Infotv., in order to enforce the right to the protection of personal data, the Authority shall, at the request of the data subject, initiate a data protection authority procedure and may initiate data protection authority proceedings ex officio.
Pursuant to Section 61 (1) of the Infotv., in its decision made in the data protection authority proceedings, the Authority a) may apply the legal consequences set out in the GDPR in connection with the data processing operations specified in Section 2 (2) and (4), b) in connection with the data processing operations specified in Section 2 (3), may (ba) establish the unlawful processing of personal data, (bb) order the correction of inaccurate personal data, (bc) order the blocking, erasure or destruction of personal data which have been unlawfully processed, (bd) prohibit the unlawful processing of personal data, […] (bg) impose a fine.
Pursuant to Section 71 (1) of the Infotv., during the proceedings of the Authority, to the extent and for the time necessary for the conduct thereof, it may process all personal data, as well as data covered by law by the obligation of secrecy and professional secrecy, which are required in order to ensure the efficient conduct of the proceedings.
Infotv. 75 / A.
§, the Authority shall exercise the powers set out in Article 83 (2) - (6) of the General Data Protection Regulation in accordance with the principle of proportionality, in particular by acting on breaches of the requirements on the processing of personal data laid down in law or in a binding act of the European Union, in accordance with Article 58 of the General Data Protection Regulation, in particular by alerting the controller or processor.
Pursuant to Section 61 (2) of the Infotv., the Authority may order the publication of its decision, including the identity of the data controller or the processor, if (a) the decision affects a wide range of persons, (b) it was made in the context of the activities of a public body, or (c) the gravity of the infringement justifies disclosure.
Pursuant to Section 61 (5) of the Infotv., in deciding whether the imposition of a fine pursuant to paragraph 1 (b) (bg) is justified, and in determining the amount of the fine, the Authority shall take account of all the circumstances of the case, in particular the size of the population involved in the infringement, the gravity of the infringement, the imputability of the conduct and whether an infringement relating to the processing of personal data has previously been established against the infringer.
Pursuant to Section 169 (1) - (2) of Act C of 2000 on Accounting (hereinafter: the Accounting Act): (1) An undertaking shall keep the accounts drawn up for the financial year and the report on them, the supporting inventory, valuation and general ledger extract, as well as the logbook or other records meeting the requirements of the law, for at least 8 years in a legible form. (2) The accounting documents directly and indirectly supporting the accounting accounts (including general ledger accounts, analytical and detailed records) shall be preserved for at least 8 years in a legible form, in a way that can be retrieved by reference to the accounting records.
Pursuant to Section 166 (1) of the Accounting Act, an accounting document is any document issued or made by the undertaking, or issued or made by a natural person or other economic operator in a business or other relationship with the undertaking (invoice, contract, agreement, statement, credit institution statement, bank statement, legal provision, other document which may be classified as such), whatever its printing or other method of production, which supports the accounting of the economic event.
Pursuant to Section 288 (1) of the Hpt., the financial institution and the independent intermediary shall ensure that the client can communicate his complaint about the conduct or activities of the financial institution and the independent intermediary orally (in person, by telephone) or in writing (in person or by a document delivered by another person, by post, facsimile, e-mail). The rules on complaint handling should also apply to a person who contacts the financial institution or the independent intermediary for the purpose of using a service but does not use the service.
Pursuant to Section 7 (1) of the Hpt., a financial institution is a credit institution and a financial undertaking.
Pursuant to Section 9 (1) of the Hpt., it is a financial enterprise a) a financial institution which, in accordance with Section 3 (1) (d) and (e) and Section 8 (2) one or more financial services, or operates a payment system, and
Under Section 3 (1) of the Hpt., financial services are the business-like performance of the following activities in HUF, foreign currency or currency: …. (l) receivables purchasing activity.
Pursuant to Section 67 / A. (1) of the Hpt., financial services and additional financial services may only be performed using an IT system which ensures the closure of system components and prevents unauthorized access to and unauthorized modification of the IT system. The IT system must also comply with the general information security confidentiality requirements.
To this end, the credit institution shall ensure, by administrative, physical and logical arrangements, compliance with the general information security confidentiality requirements.
Pursuant to Section 5 / B. d) of the Government Decree, the IT system complies with the requirements of Section 67 / A. (1) of the Hpt., Section 12 (12) - (14) of the Bszt., Section 12 / A. of the Fsztv. and Section 94 (4) - (6) of the Bit. concerning the closure of the system components, the prevention of unauthorized access to and unauthorized modification of the IT system, and the general information security confidentiality requirements, if the data backup and recovery policy of the live operation system ensures a secure restore of the system, and backup and restore have been tested with the frequency required by the relevant regulations and documented accordingly.
IV. Decision:
IV.1. Data management prior to May 25, 2018
On 7 December 2015, […] assigned the claim to the Applicant. The Applicant […], on the basis of a final transfer order (hereinafter: transfer order) […], was registered as the legal heir of the Applicant on 20 September 2016.
However, in spite of the above, the Authority examined the Applicant's data processing only after 25 May 2018, for the following reasons: In the present proceedings, the Authority deals only with the data processing of the Requested carried out after 25 May 2018, so, in accordance with Section 47 (1) (a) of the Ákr., the Authority terminated the procedure in the part of the request concerning the examination of data processing before 25 May 2018, as the request did not comply with Section 60 (2) of the Infotv., since the general data protection regulation was not yet applicable in this part of the data processing period, and thus the Authority may not initiate official data protection proceedings upon request.
IV.2.
The issue of limitation of a claim
According to the Applicant, the claim that the Applicant intends to collect against him has already expired; however, the Applicant disputed this and argued that, under Section 6:23 (4) of the Civil Code, limitation may not be taken into account ex officio in judicial or administrative proceedings. In the present proceedings, the Authority did not examine the limitation of the claim in respect of the data processing of the Requested, because, pursuant to Section 38 (2) - (2a) of the Infotv., judging it does not fall within the competence of the Authority. It is for the courts to decide this question.
The Applicant has registered a claim against the Applicant, in connection with which the Applicant did not attach a court decision finding that it did not exist; therefore, with regard to the claim registered by the Applicant, a legitimate interest in the data processing may in principle exist.
IV.3. Person of the data controller
According to the data of the company register, the main activity of the Applicant is a receivables management activity. The Authority has established, on the basis of the Applicant's statements, that in the case in question the purpose and means of the data processing under consideration, in connection with the above-mentioned activity, are determined independently by the Applicant, and therefore the Applicant is the data controller pursuant to Article 4 (7) of the GDPR in connection with the processing of the Applicant's personal data.
In the Authority's view, the reference to an administrative error does not exempt the Claimant from the responsibility of the controller, given that the Applicant qualifies as a data controller under Article 4 (7) of the GDPR. The Applicant is the one who organizes the process of data management and establishes its conditions.
The most important feature of a data controller is that it has substantive decision-making power and bears responsibility for fulfilling all the data management obligations set out in the General Data Protection Regulation. The Working Party on Data Protection set up under Article 29 of the Data Protection Directive (hereinafter: Working Party on Data Protection) also stated in its opinion 1/2010 on the concept of "controller" and "processor" that “Ultimately, the company or body needs to be held responsible for the processing of data and the obligations arising from data protection legislation, unless there are clear indications that a natural person is responsible. […] However, even in such cases where a specific natural person is appointed to ensure compliance with data protection principles or to process personal data, that person will not be a data controller but is acting on behalf of the legal entity (company or public body), which remains responsible in its capacity as data controller in the event of a breach of the principles.”
The Applicant also referred to an administrative error in connection with two independent proceedings in the case complained of. One of the administrative errors is related to the initiation of the recovery procedure against the Applicant; the other administrative error is the omission by the telephone operator, as a result of which the Applicant did not treat a telephone call as a complaint or a claim by a data subject.
The two independently realized "administrative errors" indicate a high degree of negligence, since if only the administrative error in the first case had occurred, it would have been expected that, following the Applicant's first indication, that is, his phone call on June 23, 2021, action would be taken to correct it; however, this was not done, and not even at the time of the Applicant's second telephone call (15 July 2021) was the Applicant instructed to investigate this case because of an administrative error in the conditions. The initiation of the recovery process is an internal decision; the initiation of such a process presupposes the performance of duties involving several persons and the preparation and sending of a letter, which is why this can be assessed as a high degree of negligence.
IV.4. Management of the Applicant's personal data
IV.4.1. Data management for receivables management purposes
The Applicant acknowledged that, in error and having regard to the regulations governing its claims management business processes, it handled the Applicant's personal data for claims management purposes, as the Applicant was registered as the heir, as a trader, as a debtor in its register, even though the estate did not cover the debts of the testator, and on this basis neither under the Civil Code nor, accordingly, under the Applicant's internal regulations may the heir be required to pay the debt.
On the basis of the assignment agreement, the Applicant became the holder of a claim against the debtor and his successors in title (his heirs), and in order to enforce the claim it had a legitimate interest in the processing of the personal data necessary for that purpose; in principle, the purpose of the data processing can be established on the basis of legal regulations and the purpose of data processing counts as lawful.
Article 5 (1) (b) of the GDPR states, among the principles of data processing, that personal data may be collected for lawful purposes and may not be processed in a manner incompatible with those purposes. From the disposition order acquired by the Applicant on 20.09.2016 from the local government competent according to the debtor's place of residence, in which the Applicant is named as heir, it is clear that the amount of debts exceeds the amount of active assets. Notwithstanding this, after receipt of the order it sent payment orders to the Applicant to settle the debt. Pursuant to Section 7: 96 (1) of the Civil Code, the heir is liable to the creditors for the debt of the estate with the objects of the estate and their benefits; therefore the Authority considers that the Applicant unlawfully processed the Applicant's personal data for the purpose of claim management and thereby infringed Article 5 (1) (b) of the GDPR from the entry into force of the GDPR, i.e. from 25 May 2018, to the date of deletion of the Applicant's personal data, i.e. until 21 August 2021.
According to the Applicant's statement, the Applicant deleted on 21 August 2021 the personal data processed for the purpose of claims management, after detecting that the case had not been closed due to an administrative error. However, the Authority concluded from the facts that it was not the Applicant that detected the administrative error, but the Applicant reported it to the Applicant in two telephone calls and also initiated data protection official proceedings before the Authority; therefore the Applicant's attention was drawn to the fact that, under the Civil Code, recovery proceedings may not be instituted in respect of that claim. However, the Applicant did not take action on this until after receiving the Authority's order to examine the data management, as the Applicant stated in a letter dated 11 August 2021 that “Our company, at the request of the T.
Authority, has reviewed the matter referred for assignment and found the following. […] On the basis of the review of the case, it was found that the Applicant's oral complaint was well-founded in full and an employee of our telephone operator failed to record the submissions made by the Applicant as an oral complaint, instead requesting a written objection. […] As a result of the above investigation, our Company has closed the case and deleted the Applicant as a transaction operator, and the related personal data, from its register in a non-retrievable manner.”
IV.4.2. The legal basis for the processing of the Applicant's personal data for claims management purposes
According to the Data Protection Information of the Applicant, the data processing for the purposes of receivables management is based on Article 6 (1) (f) of the GDPR, i.e. on a legitimate interest. Due to the provisions of point IV.4.1., the priority of the legitimate interest in the processing of the data over the rights and interests of the Applicant cannot be established, and the Applicant therefore could not rely on Article 6 (1) (f) of the GDPR in this case.
With regard to this purpose of data processing, the Applicant did not have the contractual legal basis referred to in Article 6 (1) of the GDPR (Article 6 (1) (b) GDPR) either, in view of the fact that, for the Applicant as assignee, only a legal basis under Article 6 (1) (f) of the GDPR can be accepted for the processing of personal data for claims management purposes. In the final judgment, upheld by judgment Kf.V.39.291 / 2020/5. of the Kúria of 14 September 2020, the Authority's position on the applicability of the contractual legal basis was shared. The Metropolitan Court, with reference to recommendation no. 2/2019 of the European Data Protection Board, considered that the performance of the contract as a legal basis should be interpreted narrowly and does not automatically cover data processing arising from non-compliance, and that only data processing relating to the sending of a reminder of payment or to the diversion of the contract back to its normal course may fall under the legal basis of the performance of the contract; however, this is not applicable to data processing for the purpose of receivables management after the termination of the original contract.
Of the additional legal bases set out in Article 6 (1) of the GDPR, point (a), consent, and point (c), due to a lack of legal obligation, are not applicable; Article 6 (1) (e) GDPR may not be invoked by the Applicant at all, given that it does not carry out an activity in the public interest and does not have a public authority license.
On the basis of the above, it can be concluded that, from the entry into force of the GDPR, i.e. from 25 May 2018, to the date of deletion of the Applicant's personal data, i.e. 21 August 2021, the Applicant processed personal data for the purposes of debt management in breach of Article 6 (1) of the GDPR.
IV.4.3. Retention obligation required by law
IV.4.3.1. Legacy transfer order
The Applicant keeps the transfer order and the personal data contained therein (Applicant name, place and date of birth, name of mother) with regard to Section 258 of Act CCXXXVII of 2013 on credit institutions and financial enterprises (hereinafter: Hpt.), with reference to Article 6 (1) (c) of the GDPR. Pursuant to Section 258 (1) of the Hpt., a financial institution shall keep records of its business-like activities in Hungarian, in accordance with the provisions of Hungarian accounting legislation, in a manner suitable for both supervisory and central bank control.
Pursuant to Section 166 (1) and Section 169 (1) - (2) of Act C of 2000 on Accounting (hereinafter: the Act), personal data shall be recorded and kept by the data controller for 8 years from the termination of the business relationship or from the execution of the transaction order. Pursuant to Article 17 (3) (b) GDPR, a request for erasure cannot be fulfilled if the processing of personal data is required by law. In view of the above, it can be concluded that the Applicant lawfully processes the transfer order (and the personal data of the Applicant contained in it) on the basis of Article 6 (1) (c). However, the law only imposes an obligation to store; the stored personal data cannot be used.
IV.4.3.2. Sound recording
According to the data management information of the Applicant, telephone conversations conducted with data subjects are recorded and preserved during the limitation period specified in the Civil Code. The Applicant argued that there was no such audio material available in connection with the Applicant. It can be accepted as a fact that the Applicant had a telephone conversation with the Applicant, as the Applicant stated in its statement on order No NAIH-5732-4 / 2021. that, at the request of the Authority, the case was reviewed and it was established that the Applicant's administrator made a mistake because he did not register the Applicant's oral complaint as a complaint. It can be concluded from this that, during the review carried out at the request of the Authority, the Applicant listened to the sound recording concerning the data subject and drew conclusions from it, so there was a sound recording of the conversation between Applicant and Applicant. This is also supported by the fact that, during a call on 15 July 2021, the Applicant's administrator remarked: “with us earlier, with your colleague, you will want to request this recording.
” In view of the above, it can be concluded that the Applicant, being aware of the present data protection authority proceedings, deleted the audio material, the preservation of which would have been justified for the procedure, in particular with regard to the principle of accountability, and would therefore also have had a legal basis under Article 6 (1) (f) GDPR. Maintaining it would also have been justified for another purpose, since if the review had established that a complaint was also made during the conversation, Section 288 of the Hpt. also provides for such a preservation obligation.
The failure to take care of preserving the audio material of the telephone conversation with the Applicant is also objectionable because the Applicant himself acknowledged that the Applicant also made a complaint during the first telephone conversation, which, due to the omission of the Applicant's employee, was not adjudicated. Such “complaints” of a data subject may be classified as a data subject request, taking into account different criteria. The Applicant stated that he had submitted a request to the Applicant; to establish this, it would also have been necessary to preserve the sound material in question, in order to prove at a later date whether the Applicant lawfully classified the complaint in question as not being a data subject request.
The failure to take care of preserving the audio of a telephone conversation actually amounts to erasure, as it is known from the data management information of the Requested that all telephone conversations initiated by data subjects with the Customer Service of the Applicant are automatically recorded (this is also indicated by the machine voice during the call), and therefore it also had to record the telephone conversations with the Applicant.
The Applicant did not preserve the audio material of the telephone conversation with the Applicant and did not examine whether it was obliged to retain it under Article 5 (2) of the GDPR, and at the time it was deleted the present data protection authority proceedings were already pending, so in any case the Applicant had to expect that it must be able to answer the Authority's calls. In view of the above, the Authority found that, by deleting the telephone conversations conducted with the Applicant and thus being unable to comply with the Authority's call, the Applicant infringed Article 5 (2) of the GDPR.
The Authority also mentions here that the Applicant, as a financial institution engaged in the purchase of receivables, is also obliged under Section 288 of the Hpt. to keep the complaints received in connection with the recovery of claims, so the Data Protection Information of the Requested is incorrect, as it refers only to the obligation to keep a complaint under Section 288 of the Hpt. The Authority cannot make any findings on non-compliance with the retention obligation prescribed in the Credit Institutions Act, because this is within the competence of the Magyar Nemzeti Bank, which also performs financial consumer protection tasks. However, with regard to the error in the Requested's data management information note, the Authority found that the Applicant also infringed Article 12 (1) of the GDPR and Article 13 of the GDPR.
IV.5. Data subject requests
Pursuant to Article 12 (1) of the GDPR, the controller must take appropriate measures in order to ensure that the information on the data subject's request is provided in a concise, transparent, comprehensible and easily accessible form and in a clear and comprehensible manner. The information shall be provided in writing or by other means, including, where appropriate, by electronic means.
IV.5.1. Requests can also be made orally
According to point 5.1. of the Data Management Document No 4/2020. (05.06.) entitled Procedures for Telephone Recovery Experts, sent by the Applicant to the Authority, if the data subject generally objects to the processing of all his data or to the existence of the claim, then it is primarily for the administrator to argue that the claim exists in the records and that the Applicant has an appropriate legal basis for the processing of personal data, and to inform the data subject on what legal basis it handles personal data. If the argument is unsuccessful, it is necessary to arrange for the erasure of everything that can be erased on the interface. With regard to the other data that cannot be erased on the interface, the data subject may be told that his complaint will be investigated and that he will be informed in writing about the processing of his request.
The GDPR does not rule out the possibility of providing oral information to the data subject upon request, as Article 12 (1) of the GDPR provides for this separately. Nevertheless, there are telephone calls of the Applicant during which the operators provided the information that the request for erasure had to be submitted in writing. As the GDPR does not prescribe a form for the submission of requests by data subjects, the Applicant is not entitled to do so either, and by not accepting, for that reason, a request made by a data subject by telephone during a recorded call, it acted in breach of Article 12 (1) of the GDPR.
IV.5.2. Deletion of personal data and request for access
Like the withdrawal of consent, the exercise by the data subject of the right to object under Article 21 of the GDPR also gives rise to an obligation to erase. In this case, the data controller may continue to process the personal data only on compelling legitimate grounds.
The Applicant alleges that during the telephone conversation he was informed of his application rejects the administrator and insists that the data subject submit his / her request in writing to the To the applicant. The Applicant did not make it available to the Authority with the Applicant telephone conversations, claiming that he does not store such conversations, but a Applicant with the Administrator of the Applicant 2021. 07.15. on the day of the call made a sound recording. This audio recording refers to the previous one, 20/20/2021. continued on a telephone conversation and a request made by the data subject in connection therewith, in connection with which the Applicant's Administrator shall inform the Applicant that the requests concerned must be made in writing to submit. However, this only applies to the cancellation request because the Applicant in this in the conversation on 20.06.2021. the audio of the conversation on the day asked for his release. The administrator, after reconciling the necessary data, informed that will be sent.

In view of the fact that the Authority referred to the made on due to the lack of audio material, the request for protest and cancellation referred to by the Applicant a was unable to examine its performance and did not make any findings in that regard.

However, the requested audio material was not sent to the Applicant, despite the fact that data reconciliation and identification took place and the telephone administrator recorded the request, thus Applicant has violated the Applicant's right of access under Article 15 (3) GDPR, as he did not reply at all and thus did not explain the reason for the Applicant the failure of the Applicant to comply with a request for access, including Article 12 (4) of the GDPR violated.

The Applicant stated that the Applicant's employee (telephone operator) committed an omission by failing to record the Applicant's complaint, instead requesting it in writing send the objection.
In the Authority's view, the following cannot be accepted as grounds for exemption human negligence, because the Requested as a data controller is responsible for his / her activities for the careful organization of workflows that include stakeholder applications receipt and response within the deadline.

IV.6. The principle of transparency

The Applicant acknowledged NAIH-5732-13 / 2021 during the data protection authority proceedings. number in his reply letter that he keeps a backup copy of the Applicant's personal data, however did not inform the Applicant in its letter dated 10.08.2021, only about the cancellation and on the custody of a transfer order.

A Hpt. 67 / A. § (1) with the IT systems used by financial service providers requirements for financial institutions to use IT Government Decree 5 / B. § explains in more detail, i.e determines how the requirements prescribed in the Credit Institutions Act must be complied with a financial undertakings. One such criterion is that the live system data backup and restore system to ensure a safe restore of the system, and this requires to back up the system. Backups, copies preparation is a prerequisite for the secure operation of the IT system as well as the Applicant continuing to purchase receivables, and therefore in backups The legal basis for the processing of personal data contained in Article 6 (1) of the GDPR obligation under paragraph 1 (c).

The policy of the Requested backups and their handling is not public stakeholders, including the Applicant. The Applicant did not inform the Applicant that your personal information is still included in the backup and in what cases backups may be used or when you permanently delete them backups to the Requested.
However, this is not acceptable because it is a complete data management process the transparency set out in Article 5 (1) (a) of the GDPR the data subject of the fact of the data processing and the important data processing related to it circumstances must be communicated in all cases. Due to the above, the Applicant violated Article 5 (1) (a) of the GDPR principle of transparency.

IV.7. Applicant's comments on the request for an extension of the deadline

The Authority emphasizes that Ákr. does not expressly provide for an application for an extension of time in the context of its assessment and thus does not provide for it in certain cases required. Given that the Applicant did not even explain why he was requesting a extension and could not, in principle, expect the Authority to grant his request, furthermore, the Applicant can only blame himself for the request for an extension of the time limit written on the last day of the deadline for completion of the call. In the opinion of the Authority if, due to any justifiable circumstance, the controller is unable to comply with the shall inform the Authority, stating the exact circumstances.

IV.8. Request for publication of the decision against the Applicant

The Authority rejected the Applicant by disclosing the decision against the Applicant application of this sanction is either a right of the Applicant or a legitimate one does not directly affect the interests of the Authority, such a decision of the Authority shall not confer any right or obligation on it consequently, this legal consequence, which falls within the scope of the public interest, With regard to the application of the Act, the Applicant does not qualify as a customer Pursuant to Section 10 (1), and since the Ákr. Does not comply with Section 35 (1), request in this regard this part of the application shall not be construed as an application.

IV.9. Legal consequences

IV.9.1.
The Authority granted the Applicant's request in part and Article 58 (2) GDPR (b) condemns the Applicant for violating:

- Article 5 (1) (a) and (b) of the GDPR,
- Article 5 (2) of the GDPR,
- Article 6 (1) of the GDPR,
- Article 12 (1) and (4) of the GDPR,
- Article 13 of the GDPR, and
- Article 15 (3) of the GDPR.

III.9.2.

As a result of the above infringements, it has become necessary to establish a legal consequence, which a Authority acting in accordance with a statutory discretion.

The Authority examined of its own motion whether the imposition of a data protection fine against the Applicant was justified. In this context, the Authority will comply with Article 83 (2) of the GDPR and Infotv.75 / A. § ex officio considered all the circumstances of the case and found that in the present proceedings in the case of an infringement detected, the warning is neither a disproportionate nor a dissuasive sanction, it is therefore necessary to impose a fine.

In imposing the fine, the Authority took the following factors as aggravating factors take into account:

1. The violation is serious because the Applicant has committed several violations of principles. (GDPR Article 83 (2) (a))

2. The infringement is serious as the Applicant's sphere of interest was significantly affected by the fact that the Applicant tried to collect a claim against him, for the fulfillment of which the Civil Code. 7:96. § Under paragraph 1. The gravity of the infringement is aggravated in particular by the fact that the applicant's mourning process in connection with the deceased relative was aggravated by the He applied that the Applicant had to deal with a case that he already had considered closed by law, considering the Civil Code. related provisions.
The Applicant a In his telephone call to the Applicant, he specifically referred to the Applicant the unlawful data processing affected the Applicant's mourning process in the wrong direction, for he was disturbed by the letter of summons of the Requested just when he was in mourning calmed down. For reasons attributable to the Applicant, the Applicant had to indicate several times to the Applicant that for the purpose referred to it (claim management) the Applicant you may not lawfully process your personal information. (GDPR Article 83 (2) (a))

3. Illegal data processing for a long time (25 May 2018 and 11 August 2021 until the deletion of the unlawfully processed personal data). (Article 83 (2) (a) GDPR)

4. The violation caused by unlawful data processing by the Requested is partly intentional because of its obligation under Article 5 (2) of the GDPR its fulfillment can not be traced back to the telephone operator's failure to act. (GDPR Article 83 (2) (b))

5. The Applicant canceled the telephone conversations with the Applicant, his employees relied on an error instead of accepting liability, for which reason it can be concluded that it did not cooperated with the Authority. (Article 83 (2) (f) GDPR)

6. The Authority has previously condemned the Applicant several times in the GDPR as follows:

- Article 12 (2) of the GDPR and Article 5 (1) of the GDPR NAIH / 2019/1841. Resolution No also for breach of Article 5 (1) (a) of the GDPR. 3957-1 / 2021 and NAIH / 2020/308 due to violation of Article 15 of the GDPR. and
- a violation of Article 6 (1) of the GDPR has already taken place in the Applicant NAIH / 2019/2566/8, NAIH / 2020/5552, NAIH / 2020/152/2. and NAIH-3957-1 / 2021. in decisions no data on the basis of an inappropriate legal basis.

The Authority emphasizes here that NAIH / 2019/1814.
laid down in Decision No The violation of Article 5 (1) (a) GDPR is equally a security breach the Authority has already done so condemned the Applicant earlier.

A NAIH / 2019/2566/8. and NAIH / 2020/5552. was not included in decisions no line of fines, while NAIH / 2020/152/2. HUF 1,000,000 in Resolution No. a data protection fine was imposed, and NAIH-3957-1 / 2021. number HUF 1,000,000 in the resolution, NAIH / 2019/1841. in Resolution No. 500,000 HUF, a NAIH / 2020/308. to pay a data protection fine of HUF 2,000,000 the Applicant was bound by the Authority. (GDPR Article 83 (2) (e) and (i))

In view of the fact that the Applicant has repeatedly applied the same provisions of the GDPR, Article 5 of the GDPR In the case of Article 1 (1) (a), it infringed more than one, quantified three cases as set out above, the Authority will therefore and the fact that in the present proceedings there has been an infringement of eight provisions of the GDPR It took particular account of the imposition of fines and, in that regard, the Significantly higher than the data protection fines previously imposed on the applicant decided to impose a fine of

According to the Applicant's 2020 report, the pre-tax profit was HUF […]. The imposed the data protection fine shall not exceed the maximum fine that may be imposed. (GDPR Article 83 (5) (a))

By imposing a fine, the Authority's specific preventive purpose is to encourage the Applicant to review your data management practices and ensure that personal information is provided in the future the right to data protection.

Infringements committed by the Applicant are punishable under Article 83 (5) (a) of the GDPR. higher category of fines. Nature of the infringements the maximum amount of the fine that may be imposed under Article 83 (5) (a) and (b) of the GDPR EUR 20 000 000 or up to 4% of the total worldwide turnover in the preceding business year.
With regard to the imposition of a fine, the Authority follows Article 83 (2) GDPR did not take into account the provisions of the Directive because they were not relevant in the present case: c), d), g), h), points j), k).

V. Other issues:

The powers of the Authority shall be exercised in accordance with Infotv. Section 38 (2) and (2a), its jurisdiction is covers the whole country.

The decision is based on Ákr. 80.-81. § and Infotv. It is based on Section 61 (1). The decision is based on Ákr. 82. § (1), it becomes final with its communication. The Ákr. Section 112 and Section 116 (1) and § 114 (1) by way of an administrative action against the decision there is room for redress.

* * *

The rules of administrative litigation are laid down in Act I of 2017 on the Procedure of Administrative Litigation (a hereinafter: Kp.). A Kp. Pursuant to Section 12 (2) (a), the Authority The administrative lawsuit against the decision of the Criminal Court falls within the jurisdiction of the court. Section 13 (11) The Metropolitan Court shall have exclusive jurisdiction pursuant to On civil procedure on the 2016 CXXX. Act (hereinafter: Pp.) - the Kp. Pursuant to Section 26 (1) applicable - legal representation in a lawsuit falling within the jurisdiction of the tribunal pursuant to § 72 obligatory. Kp. Pursuant to Section 39 (6), unless otherwise provided by law, the application has no suspensory effect on the entry into force of the administrative act.

A Kp. Section 29 (1) and with this regard Pp. Applicable in accordance with § 604, electronic CCXXII of 2015 on the general rules of public administration and trust services. Act (a hereinafter referred to as the Customer's legal representative pursuant to Section 9 (1) (b) of the E-Administration Act obliged to communicate electronically.

The time and place of the submission of the application is Section 39 (1). THE Information on the possibility of requesting a hearing is provided in the CM. Section 77 (1) - (2) based on.
The amount of the fee for an administrative lawsuit shall be determined in accordance with Act XCIII of 1990 on Fees. law (hereinafter: Itv.) 45 / A. § (1). From the advance payment of the fee is Itv. Section 59 (1) and Section 62 (1) (h) shall release the party instituting the proceedings.

If the Applicant does not duly prove the fulfillment of the required obligation, the Authority shall: it considers that it has failed to fulfill its obligations within the prescribed period. The Ákr. According to § 132, if a the obligor has not complied with the obligation contained in the final decision of the authority, it shall be enforceable. The decision of the Authority Pursuant to Section 82 (1), it becomes final with the communication. The Ákr. 133, unless otherwise provided by law or government decree - ordered by the decision-making authority. The Ákr. Pursuant to § 134 - enforcement if law, a government decree or, in the case of a municipal authority, a local government decree otherwise does not have - the state tax authority implements it.

In the course of the procedure, the Authority exceeded the Infotv. One hundred and fifty days according to Section 60 / A (1) administrative deadline, therefore Ákr. Pursuant to Section 51 b), it pays ten thousand forints to the Applicant.

Dated Budapest, February 11, 2022

Dr. Attila Péterfalvi
President
c. professor