NAIH (Hungary) - NAIH-3561-4/2022: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Hungary |DPA-BG-Color=background-color:#7f0037; |DPAlogo=LogoHU.jpg |DPA_Abbrevation=NAIH |DPA_With_Country=NAIH (Hungary) |Case_Number_Name=N...")
 
(Initial edits)
Line 77: Line 77:
}}
}}


In one of noyb's cookie complaints, the Hungarian DPA ordered the operator of a weather forecasting website to stop transferring data to the US via Google ad services.
In one of ''noyb's'' "101 Cookie Complaints," the Hungarian DPA ordered the operator of a weather forecasting website to stop transferring data to the US via Google ad services.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
On 12 August 2020, the data subject visited a weather forecast website operated by the controller that used Google Analytics cookies. The data subject, represented by noyb, filed a complaint with the Hungarian DPA (Nemzeti Adatvédelmi és Információszabadság Hatóság - NAIH) alleging that the controller had processed her personal data, at least including her IP address, and sent it Google Ireland and ultimately Google LLC in the US. The data subject claimed that, following the Schrem-II judgment, the controller was obligated to stop transferring personal data to the US, as it could no longer base such a transfer on Articles 45 and 46 GDPR.  
On 12 August 2020, the data subject visited a weather forecast website operated by the controller that used Google Analytics cookies. The data subject, represented by ''noyb'', filed a complaint with the Hungarian DPA (''Nemzeti Adatvédelmi és Információszabadság Hatóság - NAIH'') alleging that the controller had transferred her personal data, including her IP address, to Google Ireland and ultimately Google LLC in the US. The data subject claimed that, following the Schrems-II judgment, the controller was obligated to stop transferring personal data to the US, as it could no longer base such a transfer on Articles 45 and 46 GDPR.
 
The data subject requested that the DPA investigate and establish:
The data subject requested that the DPA investigate and establish:
1. Which personal data were transferred by the controller to Google LLC, the US, or another third country or international organisation,
 
2. Which transfer mechanism under Articles 44, 45, and 46 GDPR the Controller based this transfer on, and
# Which personal data were transferred by the controller to Google LLC, the US, or another third country or international organisation,
3. Whether the applicable Google terms of service complied with [[Article 28 GDPR#3a|Article 28(3)(a) GDPR]].
# Which transfer mechanism under Articles 44, 45, and 46 GDPR the Controller based this transfer on, and
Additionally, the data subject requested that the DPA order the controller to suspend any data flows to Google LLC (pursuant to [[Article 58 GDPR#2j|Article 58(2)(j) GDPR]]). The data subject asked the DPA to impose an effective, proportionate, and dissuasive fine on the controller and Google (pursuant to [[Article 83 GDPR#5c|Article 83(5)(c) GDPR]]). The data subject emphasized that she was one of potentially thousands of affected users and that the controller had not acted to bring its data processing in line with the GDPR more than a month after the Schrems-II judgment.
# Whether the applicable Google terms of service complied with [[Article 28 GDPR#3a|Article 28(3)(a) GDPR]].
In its response to the DPA’s initial inquiry, the controller stated that it no longer used HTML codes or cookies from Google Analytics on its website, having removed them on 24 August 2020 after becoming aware of the possible consequences of the Schrems-II judgment. It claimed it no longer transferred personal data outside the EEA.
 
However, during a test conducted on 27 May 2022, the DPA found that controller’s website still used three cookies linked to Google’s ad service package that transmitted data to the US.
Additionally, the data subject requested that the DPA order the controller to suspend any data flows to Google LLC (pursuant to [[Article 58 GDPR#2j|Article 58(2)(j) GDPR]]). The data subject also asked the DPA to impose an effective, proportionate, and dissuasive fine on the controller and Google (pursuant to [[Article 83 GDPR#5c|Article 83(5)(c) GDPR]]). The data subject emphasized that she was one of potentially thousands of affected users and that the controller had not acted to bring its data processing in line with the GDPR more than a month after the Schrems-II judgment.
 
In its response to the DPA’s initial inquiry, the controller stated that it no longer used HTML codes or cookies from Google Analytics on its website, having removed them on 24 August 2020 after becoming aware of the possible consequences of the Schrems-II judgment.  
 
The controller claimed it no longer transferred personal data outside the EEA. However, during a test conducted on 27 May 2022, the DPA found that controller’s website still used three cookies linked to Google’s ad service package that transmitted data to the US.


=== Holding ===
=== Holding ===
The DPA stated that it was competent to assess the controller’s GDPR compliance because the controller was based solely in Hungary and therefore conducted no cross-board data processing. However, it was not competent to assess Google Ireland or Google LLC’s GDPR compliance because neither was based in Hungary.
The DPA stated that it was competent to assess the controller’s GDPR compliance because the controller was based solely in Hungary, offered services exclusively in Hungarian, and conducted no cross-board data processing. However, it was not competent to assess Google Ireland or Google LLC’s GDPR compliance because neither was based in Hungary.
The DPA noted that, according to well established EU interpretation, IP addresses are personal data. The DPA also confirmed that, because the controller independently decided on whether or not it would use services that required the installation of cookies, the controller’s status “data controller” was correct under [[Article 4 GDPR#7|Article 4(7) GDPR]]. [[Article 44 GDPR|Article 44 GDPR]] requires that the transfer of personal data to a third country or international organisation for processing may only take place subject to the provisions of Chapter V GDPR. Having found that the controller still transferred personal data to the US without a basis in one of these provisions, the DPA ordered the controller to discontinue the transfers.
 
With regard to the data subject’s request for an administrative fine, the DPA concluded that the right of a data subject to request a fine could not be inferred from their right to lodge a complaint under [[Article 77 GDPR#1|Article 77(1) GDPR]]. It was also not possible to impose a fine as a result of an investigation under Hungarian national law (Article 52 Infotv).
Addressing the complaint, the DPA noted that according to well established EU interpretation, IP addresses are personal data. The DPA also confirmed that, because the controller independently decided on whether or not it would use services that required the installation of cookies, the controller’s status as “data controller” was correct under [[Article 4 GDPR#7|Article 4(7) GDPR]].  
 
[[Article 44 GDPR]] requires that the transfer of personal data to a third country or international organisation for processing may only take place subject to the provisions of Chapter V GDPR. Having found that the controller still transferred personal data to the US without a basis in one of these provisions, the DPA ordered the controller to discontinue the transfers.
 
With regard to the data subject’s request for an administrative fine, the DPA concluded that the right of a data subject to request a fine could not be inferred from their right to lodge a complaint under [[Article 77 GDPR#1|Article 77(1) GDPR]]. It was also not possible to impose a fine as a result of an investigation under Hungarian national law ([https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwi0862ExZ37AhXJX_EDHT20AHYQFnoECBAQAQ&url=https%3A%2F%2Fwww.naih.hu%2Ffiles%2FPrivacy_Act-CXII-of-2011_EN_201310.pdf&usg=AOvVaw3qncsTyl44Mhh1FqnqsdP_ § 52 Infotv]).


== Comment ==
== Comment ==
Line 102: Line 111:
''Share blogs or news articles here!''
''Share blogs or news articles here!''


== English Machine Translation of the Decision ==
== Official English Text of the Decision ==
The decision below is a machine translation of the English original. Please refer to the English original for more details.
 
<pre>
<pre>
Act CXII of 2011
Act CXII of 2011

Revision as of 02:59, 8 November 2022

NAIH - NAIH-3561-4/2022
LogoHU.jpg
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 4(7) GDPR
Article 28(3)(a) GDPR
Article 44 GDPR
Article 45 GDPR
Article 46 GDPR
Article 58(2)(j) GDPR
Article 77(1) GDPR
Article 83(5)(c) GDPR
Section 52 Infotv
Type: Complaint
Outcome: Partly Upheld
Started: 12.08.2020
Decided:
Published:
Fine: n/a
Parties: Időkép Kft.
National Case Number/Name: NAIH-3561-4/2022
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): English
Original Source: NAIH (in EN)
Initial Contributor: MW

In one of noyb's "101 Cookie Complaints," the Hungarian DPA ordered the operator of a weather forecasting website to stop transferring data to the US via Google ad services.

English Summary

Facts

On 12 August 2020, the data subject visited a weather forecast website operated by the controller that used Google Analytics cookies. The data subject, represented by noyb, filed a complaint with the Hungarian DPA (Nemzeti Adatvédelmi és Információszabadság Hatóság - NAIH) alleging that the controller had transferred her personal data, including her IP address, to Google Ireland and ultimately Google LLC in the US. The data subject claimed that, following the Schrems-II judgment, the controller was obligated to stop transferring personal data to the US, as it could no longer base such a transfer on Articles 45 and 46 GDPR.

The data subject requested that the DPA investigate and establish:

  1. Which personal data were transferred by the controller to Google LLC, the US, or another third country or international organisation,
  2. Which transfer mechanism under Articles 44, 45, and 46 GDPR the Controller based this transfer on, and
  3. Whether the applicable Google terms of service complied with Article 28(3)(a) GDPR.

Additionally, the data subject requested that the DPA order the controller to suspend any data flows to Google LLC (pursuant to Article 58(2)(j) GDPR). The data subject also asked the DPA to impose an effective, proportionate, and dissuasive fine on the controller and Google (pursuant to Article 83(5)(c) GDPR). The data subject emphasized that she was one of potentially thousands of affected users and that the controller had not acted to bring its data processing in line with the GDPR more than a month after the Schrems-II judgment.

In its response to the DPA’s initial inquiry, the controller stated that it no longer used HTML codes or cookies from Google Analytics on its website, having removed them on 24 August 2020 after becoming aware of the possible consequences of the Schrems-II judgment.

The controller claimed it no longer transferred personal data outside the EEA. However, during a test conducted on 27 May 2022, the DPA found that controller’s website still used three cookies linked to Google’s ad service package that transmitted data to the US.

Holding

The DPA stated that it was competent to assess the controller’s GDPR compliance because the controller was based solely in Hungary, offered services exclusively in Hungarian, and conducted no cross-board data processing. However, it was not competent to assess Google Ireland or Google LLC’s GDPR compliance because neither was based in Hungary.

Addressing the complaint, the DPA noted that according to well established EU interpretation, IP addresses are personal data. The DPA also confirmed that, because the controller independently decided on whether or not it would use services that required the installation of cookies, the controller’s status as “data controller” was correct under Article 4(7) GDPR.

Article 44 GDPR requires that the transfer of personal data to a third country or international organisation for processing may only take place subject to the provisions of Chapter V GDPR. Having found that the controller still transferred personal data to the US without a basis in one of these provisions, the DPA ordered the controller to discontinue the transfers.

With regard to the data subject’s request for an administrative fine, the DPA concluded that the right of a data subject to request a fine could not be inferred from their right to lodge a complaint under Article 77(1) GDPR. It was also not possible to impose a fine as a result of an investigation under Hungarian national law (§ 52 Infotv).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

Official English Text of the Decision

Act CXII of 2011
on the Right of Informational Self-Determination and on Freedom of Information 1
In order to ensure the right of informational self-determination and the freedom of
information, and to facilitate the implementation of the Fundamental Law, pursuant to Article
VI of the Fundamental Law, the Parliament hereby adopts the following Act on the
fundamental rules applicable in connection with the protection of personal data and the
enforcement of the right to access and disseminate data of public interest and data public on
grounds of public interest, and on the authority empowered to monitor compliance with these
rules:
CHAPTER I
GENERAL PROVISIONS
1. Object of the Act
Section 1
The purpose of this Act is to lay down the fundamental rules for data processing activities
with a view to ensuring that the right to privacy of natural persons is respected by data
controllers , and to enforcing of rights to access and disseminate data of public interest and
data public on grounds of public interest.
2. Scope
Section 2
(1) This Act shall apply to all data control and data processing activities undertaken in
Hungary relating to the data of natural persons as well as data of public interest and data
public on grounds of public interest.
(2) The present Act shall apply to both data processing and data process, carried out wholly
or partly, by automated means as well as manually.
(3) Provisions set out in the present Act shall apply if the controller processing personal
data outside the territory of the European Union contracts a data processor with a seat, site,
branch or address or place of residence within the territory of Hungary to perform data
processing, except if this device serves data traffic exclusively within the territory of the
European Union. Such controllers are obliged to designate a representative in Hungary.
(4) Provisions set out in the present Act are not applicable to natural persons processing
data exclusively for their own personal purposes.
(5) Concerning further use of public sector information, provisions in derogation from this
Act may be established by another act concerning the procedures and conditions for the
disclosure of data, the consideration payable therefore, and as regards remedies.
3. Definitions
Section 3
1 Updated: 11-10-2013 by NAIH
For the purposes of this Act:
1. ‘data subject’ shall mean any natural person directly or indirectly identifiable by
reference to specific personal data;
2. ‘personal data’ shall mean data relating to the data subject, in particular by reference to
the name and identification number of the data subject or one or more factors specific to his
physical, physiological, mental, economic, cultural or social identity as well as conclusions
drawn from the data in regard to the data subject;
3. ‘special data’ shall mean:
a) personal data revealing racial origin or nationality, political opinions and any affiliation
with political parties, religious or philosophical beliefs or trade-union membership, and
personal data concerning sex life,
b) personal data concerning health, pathological addictions, or criminal record;
4. ‘criminal personal data’ shall mean personal data relating to the data subject or that
pertain to any prior criminal offense committed by the data subject and that is obtained by
organizations authorized to conduct criminal proceedings or investigations or by penal
institutions during or prior to criminal proceedings in connection with a crime or criminal
proceedings;
5. ‘data of public interest’ shall mean information or data other than personal data,
registered in any mode or form, controlled by the body or individual performing state or local
government responsibilities, as well as other public tasks defined by legislation, concerning
their activities or generated in the course of performing their public tasks, irrespective of the
method or format in which it is recorded, its single or collective nature; in particular data
concerning the scope of authority, competence, organisational structure, professional
activities and the evaluation of such activities covering various aspects thereof, the type of
data held and the regulations governing operations, as well as data concerning financial
management and concluded contracts;
6. ‘data public on grounds of public interest’ shall mean any data, other than public
information, that are prescribed by law to be published, made available or otherwise disclosed
for the benefit of the general public;
7. ‘the data subject’s consent’ shall mean any freely and expressly given specific and
informed indication of the will of the data subject by which he signifies his agreement to
personal data relating to him being processed fully or to the extent of specific operations;
8. ‘the data subject’s objection’ shall mean a declaration made by the data subject objecting
to the processing of their personal data and requesting the termination of data processing, as
well as the deletion of the data processed;
9. ‘controller’ shall mean natural or legal person, or organisation without legal personality
which alone or jointly with others determines the purposes and means of the processing of
data; makes and executes decisions concerning data processing (including the means used) or
have it executed by a data processor 2 ;
10. ‘data’ processing’ shall mean any operation or the totality of operations performed on
the data, irrespective of the procedure applied; in particular, collecting, recording, registering,
classifying, storing, modifying, using, querying, transferring, disclosing, synchronising or
connecting, blocking, deleting and destructing the data, as well as preventing their further use,
taking photos, making audio or visual recordings, as well as registering physical
characteristics suitable for personal identification (such as fingerprints or palm prints, DNA
samples, iris scans);
11. ‘data transfer’ shall mean ensuring access to the data for a third party;
12. ‘disclosure’ shall mean ensuring open access to the data;
2 In effect as of 1st July 2013