NAIH (Hungary) - NAIH-85-3/2022: Difference between revisions

From GDPRhub
Latest revision as of 13:36, 28 February 2023

NAIH - NAIH-85-3/2022
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 5(1)(a) GDPR
Article 5(1) GDPR
Article 5(2) GDPR
Article 6(1) GDPR
Article 6(1)(f) GDPR
Article 6(4) GDPR
Article 12(1) GDPR
Article 13 GDPR
Article 21 GDPR
Article 21(2) GDPR
Article 24(1) GDPR
Article 25(1) GDPR
Article 25(2) GDPR
Type: Investigation
Outcome: Violation Found
Started: 22.09.2021
Decided: 08.02.2022
Published: 24.04.2022
Fine: 250,000,000 HUF
Parties: Budapest Bank Zrt.
National Case Number/Name: NAIH-85-3/2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Hungarian
Original Source: NAIH (in HU)
Initial Contributor: Cesar Manso-Sayao

The Hungarian DPA fined Budapest Bank approximately €700,000 for carrying out automated decision-making and profiling based on emotional AI analysis of customer service calls, without a valid legal basis, a proper balancing of interests, and adequate safeguards. The DPA also held that the bank failed to provide data subjects with information related to the processing and their right to object.

English Summary

Facts

In September 2021, the Hungarian DPA initiated an ex officio investigation against Budapest Bank Zrt. (hereinafter the Bank) related to the use of Artificial Intelligence (AI) software applied to the audio recordings of customer service telephone conversations between May 2018 and the start of the investigation.

According to the Bank, the software used speech signal processing based on AI to identify periods of silence, different voices talking at the same time, key words, and emotional elements (such as voice speed, volume and pitch) within the recorded sound files in order to identify customer dissatisfaction. Once the software had made an automated decision to identify calls according to these criteria, a Bank employee then listened to the recordings, and made call-backs to customers in order to handle and attempt to resolve any customer dissatisfaction issues.

The Bank stated that its legal basis for this processing was based on legitimate interest, and its purpose was to conduct call quality control, to prevent complaints and customer churn, as well as to increase efficiency.

The Bank stated that customers were informed at the beginning of the calls that they were being recorded, but admitted that they did not inform them that the AI software would be used to analyse the calls, since detailed information in this regard would make the introduction to the calls too long, outlasting many of the simple queries made by customers when calling the Bank. The Bank also claimed that the system did not store any identifiable personal data, or perform automated decision-making in order to create personal profiles.

Additionally, in a Data Protection Impact Assessment carried out by the Bank, the Data Protection Officer stated that: “The purpose of the processing is lawful on the basis of the rights of the data subjects and the business interests of the Bank, there is no direct or indirect legal prohibition. The processing is high-risk for several reasons, in particular the novelty of the technology used, as the audio recordings are analysed and findings are made automatically by artificial intelligence. The aggregate data is suitable for profiling or scoring for both sets of data subjects [customers and employees], and although no automated decision making is involved, the data processing may have legal effects on the data subjects. The high risk is mitigated by the controller through measures identified in the impact assessment, such as human decision-making at the end of automated processing. The exercise of data subjects' rights is ensured in accordance with standard practice.”

Holding

Personal data

The NAIH first established that the software processed personal data since the data subject was indeed identifiable within this processing, due to the fact that the customer service calls are assigned a unique internal identification number that can be linked to both the caller and the customer service employee. According to the NAIH, this processing was analogous to case law from the Court of Justice of the European Union C-582/14, which established that dynamic IP addresses are also personal data.

The NAIH also stated that the use of AI to identify emotional states should be considered processing of a sensitive nature, and could fall under the special category of personal data within the meaning of Article 9(1) GDPR in certain cases. However, the NAIH held that in this specific case Article 9(1) GDPR did not apply to the processing, since the voice analysis did not produce data that in itself could uniquely identify a data subject (and therefore could not be considered biometric data), and due to the fact that no meaningful inference as to the physical or mental state of health of the data subject could be drawn from the result of the processing.

Automated decision-making and profiling

The NAIH held that automated decision-making was carried out in this case, since it is not a prerequisite that the software makes the decision itself, and it is sufficient if the processing is intended to produce an outcome that influences the decision-makers. The NAIH also established that profiling took place according to the definition in Article 4(4) GDPR, since the prioritisation of dissatisfied customers based on keywords and emotions implies the evaluation of personal aspects cited in this provision.

Based on these assessments, and the fact that this is a novel technology, the NAIH noted that the processing created increased risks to fundamental rights, which also imply increased responsibilities on the controller. Therefore, the NAIH held that before rolling out the automated voice analysis using emotional AI, the Bank should have assessed whether the processing was feasible under the current technical and social circumstances, and taken into consideration appropriate safeguards to comply with data protection laws and the principle of data protection by design. Based on these considerations, the NAIH held that the Bank’s failure to carry out these obligations constituted a violation of Articles 24(1), 25(1) and 25(2) GDPR.

Lack of proper information and right to object

The NAIH noted that no information was given to the data subjects regarding the voice analysis, in particular about the specific types of data processed, as well as how their emotional reactions were processed and assessed. According to the NAIH, this constituted a breach of Articles 12(1), 13, 5(1) and 5(2) GDPR.

Furthermore, according to its previous assessments regarding automated decision-making and profiling, the NAIH held that the absence of information given to data subjects regarding their right to object led to a breach of Article 21 GDPR. Additionally, the NAIH also considered that processing for customer retention purposes constituted a marketing purpose similar to customer acquisition, and that therefore the Bank violated data subjects’ right to object under Article 21(2) GDPR as well.

Balancing of interests and lawfulness of processing

The NAIH held that the Bank had provided no concrete evidence that it had carried out an adequate balance of interests between its claimed legitimate interest to carry out the processing, and the rights of the data subjects involved.

The NAIH noted that according to the technical documentation provided by the Bank, the effectiveness of the emotion analysis software is actually relatively low, and that the Bank had failed to prove that, in its current form, its use was suitable to achieve its proposed objectives in a way that was proportionate to the effect on data subjects’ rights. The NAIH also noted that the Bank had not demonstrated that any alternatives to this processing were considered.

The NAIH also cited the European Data Protection Board and European Data Protection Supervisor’s Joint Opinion 5/2021 on the Artificial Intelligence Act, which states that “the use of AI to infer emotions of a natural person is highly undesirable and should be prohibited, except for certain well-specified use-cases, namely for health or research purposes.” Based on these criteria, the NAIH concluded that the Bank’s stated efficiency purposes were not proportionate to justify the use of a form of data processing that EU data protection bodies have considered undesirable and that constitutes a high risk to data subjects' fundamental rights.

The NAIH also noted that not only the voices of the Bank's customers were analysed, but also the voices of its employees. The NAIH stated that although monitoring performance and quality assurance may give rise to legitimate interests in certain circumstances according to labour law, the question of suitability and proportionality was also relevant in this case, especially because employees are in a vulnerable position in the context of a labour relationship. The NAIH established that these factors were not taken into account due to the Bank's failure to conduct an adequate balance of interests, and that an adequate system of guarantees was not provided for employees.

Therefore, the NAIH held that the Bank could not claim legitimate interest as a valid legal basis under Article 6(1)(f) GDPR (or any other legal basis listed in Article 6(1) GDPR) for the processing in question. It therefore held that the Bank had violated Articles 5(1)(a), 6(1) and 6(4) GDPR.

Fine and order to comply with GDPR

Based on these considerations, the NAIH imposed a fine of HUF 250,000,000 (approximately €700,000) on the Bank, and ordered the Bank to cease its use of AI to analyse emotions in the recordings of customer service calls unless it provided proof, within 60 days, that: an appropriate scope of data was defined; a proper data impact assessment was carried out; and a valid legal basis was provided which ensured that data subjects’ rights are protected to the maximum extent possible.

With regard to the Bank's employees, the NAIH held that processing should be limited to what is necessary for the purposes for which it is intended, and that they should be provided with appropriate information, indicating the assessment criteria and consequences, and including a specific balancing of interests that addresses their vulnerability due to the nature of their labour relationship, with appropriate internal safeguards.


Further Resources

https://open.spotify.com/episode/2dJxCezBR2vdOfb7tySNjR

Decision in English: https://naih.hu/hatarozatok-vegzesek?download=517-mesterseges-intelligencia-alkalmazasanak-adatvedelmi-kerdesei

English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

Case number: NAIH-85-3 / 2022 Subject: Decision
Earlier case number: NAIH-7350/2021



                                         DECISION


The National Authority for Data Protection and Freedom of Information (hereinafter: the Authority) a
Against Budapest Bank Zrt. (Registered office: 103 Budapest, Váci út 193; hereinafter: Customer,
or in some quoted texts: Bank) by the Customer's telephone customer service
25 May 2018 relating to the recording of telephone conversations and the present proceedings
between the date of commencement of the data management practice performed by the Customer in 2021.
initiated ex officio data protection authority proceedings on 22 September. The Authority on Data Protection
take the following decisions in official proceedings:


I. The Authority shall determine ex officio that the Client is involved in the sound recording analysis under review
data management practices violated the processing of personal data of natural persons
the free movement of such data and Directive 95/46 / EC
Regulation (EU) 2016/679 repealing Regulation (EU) No
Article 5 (1) (a) and (b), Article 6 (1), Article 6 (4)
Article 12 (1), Article 13, Article 21 (1) and (2), Article 24 (1), Article 25

Article 1 (1) and (2).

II. The Authority shall act ex officio in accordance with Article 58 (2) (d) of the General Data Protection Regulation
instructs Customer to modify its data management practices to comply with
general data protection regulation, ie do not analyze emotions during sound analysis, and
ensure adequate protection of data subjects' rights in relation to data processing, in particular, but not
only the right to adequate information and protest. In relation to Customer's employees, the

data processing must be limited to what is necessary to achieve the purposes for which they are intended; and
they should be provided with appropriate information on the evaluation criteria and implications
by marking. Separate data management related to employees for different purposes
the balance of interests should address the vulnerable situation resulting from this dependency; and
appropriate internal guarantees in this regard.

III. The Authority shall appoint the Client ex officio


                         HUF 250,000,000, ie HUF two hundred and fifty million
                                       data protection fine

                                     obliges to pay.

The II. the fulfillment of the obligation provided for in point 1 from the date on which the Client becomes final
must be submitted in writing within 60 days of the

to the Authority. Data management is real only if the appropriate data set is defined
impact assessment, a valid legal basis and proof of the maximum guarantee of the rights of the data subject
may be continued, otherwise the Customer must certify the termination of the data processing under review
to the Authority within the above time limit.

A III. within 30 days of the final adoption of this Decision
Authority's centralized revenue collection special purpose forint account (10032000-01040425-

00000000 Centralized direct debit account IBAN: HU83 1003 2000 0104 0425 0000 0000)
must be paid for. When transferring the amount, "NAIH-85/2022 JUDGMENT." reference should be made to

If the Customer fails to meet the obligation to pay the fine on time, a late payment surcharge
is obliged to pay. The amount of the late payment allowance is the statutory interest affected by the delay
equal to the central bank base rate valid on the first day of the calendar half-year.

Non-payment of the fine and the late payment allowance, as well as the II. no obligation under point
the Authority shall order the enforcement of the decision.


There is no administrative remedy against this decision, but from the date of notification
within 30 days of the application to the Metropolitan Court in an administrative lawsuit
can be challenged. The application must be submitted to the Authority, electronically, which is the case
forward it to the court together with his documents. A hearing may be requested in the application. The entire
for those who do not receive personal tax exemption, the fee for the administrative lawsuit is HUF 30,000, a
is subject to the right to record material taxes. Legal representation in proceedings before the Metropolitan Court

obligatory.

Act CXII of 2011 on the right to information self-determination and freedom of information. Act (a
hereinafter: Infotv.) pursuant to Section 61 (2) (a), the Authority shall publish this decision
on the Authority's website.



                                         EXPLANATORY STATEMENT

I. Procedure

I.1. The History Case

1. In the preliminary examination procedure NAIH-5161/2021 (hereinafter referred to as

Customer) as a legal entity engaged in the activity of a financial institution
data management to record the recorded audio of customer service calls automatically
analyze and provide adequate information to stakeholders. The Customer is the analysis
using the result, determine which dissatisfied customer needs to be recalled,
in this regard, it automatically analyzes, among other things, both the caller concerned and the caller
the emotional state of the customer service employee and other characteristics of the conversation. The History
In the case, the complainant can find a sentence on the Client's website referring to the sound analysis

asked questions in this regard but was not satisfied
replies to the Authority.

(2) At the request of the Authority, the Client received the number NAIH-5161-5 / 2021 on 5 July 2021.
In its reply, filed under
In the present proceedings, the Authority also classified Annex III to the explanatory memorandum. at point:

   (i) The sound analysis application (hereinafter: Software) was introduced by the Customer on 26.05.2017. THE
   The aim of the development was to make the work of the nearly 180 telephone staff more productive,
   by improving the call selection process of about 20 call-backers. THE
   retrievals are made by random selection while using the system, but
   calls are ranked by the Software based on the characteristics established by the Software. These characteristics

   are not known to the Customer, it is handled privately by the software. Detailed call evaluation
   results, the evaluated aspects are not known.
   (ii) The purpose of the Software is to make quality control more professional for Customer's employees

   individual development (professional and communication), improving the efficiency of processes and
   increase customer experience. The system does not store any uniquely identifiable data,
or customer information. The data are analyzed together. Areas of application of the program
does not include increasing sales results.
(iii) One of the main areas of use is call quality control (interception): to be assessed
calls are sorted by the analysis team for listeners. Sorting criteria

includes data from the Software (eg, dissatisfaction, frustration, etc.)
these are parameters that can be changed on a monthly basis in order to be the most effective
quality assurance, ie they can reveal the shortcomings and possible directions of development.

(iv) The second main area of use is to prevent complaints and customer migration: monthly in advance
a specified number of customers are called proactively in order to file a complaint
prevent or deter potential customer migration. Enter keywords into the system
based search criteria have been set up to help you find the
affected customers. This report can be run on a daily basis and the eavesdropper will randomly,
choose freely from potential calls.

(v) The third main area of use is to increase efficiency: team leaders on a daily basis
examine for their team which calls were higher than average and why
idle (silence / music) ratio. This is done in exceptional cases for the individual development of staff, respectively
used to improve process efficiency.

(vi) The mandatory element of the concept of personal data is missing, the data is definitely natural
being personal. The Software analyzes the conversation and therefore without eavesdropping (which
and a new data management process) none of the characteristics of the conversation can be identified.

(vii) Aggregate data on the regulated business process conducted on the basis of the script
they only allow a conclusion to be drawn from the discussions. Breaks, idling
length, even for a given administrator, is not an indicator of individual aptitude, but indicates that

special support is required for your work. For example, if you have a cumbersome IT system
waiting time for access causes longer silence.
(viii) The Software is similar to, for example, traffic counters, traffic lights
which also determine the number of persons involved in the traffic (otherwise

identifiable) of natural persons crossing the crossing,
however, their operation is not considered as personal data processing in practice.

(ix) The purpose of data processing is to deal with complaints and faulty banking procedures not complained of in the complaint.
reduce the number of efficient, courteous customer service to ensure control procedures
by supporting its effectiveness, as detailed above. Legal basis for data management
the legitimate interest of the Customer detailed in the description of the data management purposes is effective and lawful

telephone administration. The duration of data management may be retrieved within the Software
45 days for audio recordings, statistics generated by the operation of the Software
1 year for organized call lists.

(x) Identifying natural person profiling is not performed by the Software
sorts the call according to the above, and compiles the call traffic summary and statistics
broken down by processing workers. Automated data management operation for calls

by ordering. The result of the automated operation is a callback
an increase in the chance of being included in the list by random human selection or
can be minimized.

(xi) […] voice recorder operation:

[…] Records all audio by default. An automatism runs down every night

on the voice recorder server, which destroys calls in less than 5 seconds. Default,
   all calls are deleted after 180 days, except for calls with a business label
   in the […] interface on the business tag settings tab for that campaign
   have the Long Term Preservation mark.

   […] Has a dedicated server for voice analytics, which makes it intraday
   call recordings are duplicated. An automatism at night for the soundtracks of […]
   removes it from the hit list. Nevertheless, it remains in the internal system of the Software

   calls can be listened to until the 45th day after recording. There will be no calls after this
   can be listened to within the Software.

   (xii) Within the Software, the […] ([…]) option allows […] and
   to listen to and analyze calls from voice recording systems […] - […]. Also
   it is possible to monitor and categorize calls made and received […] and […] differently
   based on quality criteria, which results in customer - specific promotions and

   we can provide feedback on quality customer service, collection and sales
   to increase efficiency. Each functional management member shall cover the entire area
   by area ([…]), by group, by administrator, they can receive unmeasured data a
   in terms of quality.

   (xiii) […], using speech intelligence processing based on artificial intelligence, recognizes:
   • waiting / silence / talking to each other in the sound files,

   • recognizing and finding keywords in audio files
   • detects emotional / mood elements in sound files.

   (xiv) The measurement of wait / silence allows the area manager to identify the
   launch a reduction factor and action at both the individual and regional level
   (eg individual development, field training, process development, etc.).


   (xv) Keyword recognition (based on a dictionary we have developed) allows complaining customers
   filtering and churn prevention, detection of prohibited / stuffed words.

   (xvi) Detection of emotional / mood elements in calls shows the real customer experience
   or customer irritation.

   (xvii) The Software will store audio material in encrypted form on its own storage for 45 days, this

   then destroy them. Previous audio analyzes have continued
   can be retrieved, but the call cannot be inferred from these.

   (xviii) Automated decision making in individual cases, including a personal profile
   no decision is made during the processing of data with the Software. Therefore, the GDPR.
   The conditions of Article 22 (2) shall not apply.

   (xix) The information of the data subject is provided to the Customer by Chapter 3 of the Business Rules and by Telephone

   customer service and complaint handling through detailed data management information provided by
   attached to his reply.

   (xx) The Software has been operating without complaint since its introduction.

(3) At the request of the Authority, the Client received the number NAIH-5161-5 / 2021 on 5 July 2021.
The following substantive evidence was provided in the annexes to its reply registered under

In cases which the Authority also classified in the present proceedings, Annex III to the explanatory memorandum at point:
   (i) Internal Note on Customer Complaints […] (literal quotations),

“Our customer didn’t get information about artificial intelligence before making a phone call
using and using sound analysis software to analyze the conversation and wonder
what the purpose of this would be and what the purposes of data management would be.
Your question has not been answered by customer service. I ask for this artificial intelligence

receive software privacy information and privacy policies. Where can it be found?
How much does this correspond to the GDPR?”
“I am sorry that our staff member was not aware of the relevant data management information: [ref

intranet address]
Attach this to the answer. It should be emphasized that ‘Telephone customer service quality assurance,
performs profiling based on a legitimate interest and through automatic decision-making for the prevention of a complaint

selects calls in which a higher-skilled bank employee diverts them by recall
the problem, complaint that arose during the telephone conversation.’
The referenced document is available at https://www.budapestbank.hu/hirdetmenyek/adatkezelesi-

information. Perhaps it is worth mentioning when it comes to general data management
information (Chapter 3 of the Business Rules) and the detailed data management information cited
our clerk would read it at the beginning of the call, this would prolong the complaint by at least 10-15 minutes,
the time of submission of the customer request. This would not be accepted by our customers. That is why the Bank decided
written information.”

(ii) Internal Note on Customer Complaint […] (literal citations, identical
reply to another letter from the person concerned)

“[…] The software analyzes the sound recording […] in terms of the developer's trade secret.
Among them, the developer of speech speed, volume, pitch, speech pauses
described the length as an example. The analysis does not result in a profile but in the recordings
the system ranks it daily. The basis of the order is that it can be deducted from the examined aspects
concluded that the caller, although not making a formal complaint, was dissatisfied
with the administration. Calls at the top of the rankings with higher qualifications and authority
will call you back in an attempt to remedy the cause of dissatisfaction. THE

As a result of the closed operation of the system, the Bank does not know or handle the order of calls
outside data. Thus, it does not transmit or store data, nor can it provide further information about it.
In the absence of security breaches, the operation of the system is not considered data protection
incident. It is in the common interest of telephone callers and the Bank to investigate and resolve latent complaints. This
basis for the operation of the system. Prior information management information in its current form
complies with the requirements of Article 12 (1) of the GDPR, which also ensures the conciseness and transparency of information.
requirements. Adequacy refers to the information provided to our customers and not customers

our stakeholders have not objected for more than 3 years. ”
(iii) Identifier: H-407/2018 (Telephone customer service and complaint handling detailed data management
information content)

      a) Telephone customer service for outgoing and incoming calls (in tabular form)

      data processed: name, notification, permanent address, postal address, telephone number (mobile,
      landline), e-mail address, mother's name, place and time of birth, ID
      document number (personal number; passport number, license number), if applicable income
      data, companion card holder, debtor, co-claimant, guarantor, debtor, proxy
      personal details (name, date of birth, mother 's name, ID number)

      etc.), account number, credit card number, credit censorship / reference number, etc., insurance,
      loans, savings, etc., for payment account, bank cards, credit card
      data on related transactions
      purpose: to handle telephone calls made by the customer(s),

      Duration: "See Section 3.1.8 of the Business Rules"
      legal basis: conclusion of a contract for incoming calls, "access" for outgoing calls
      (typed)

      data processors: n / a

      b) Telephone customer service for outgoing and incoming calls (in tabular form)
      data managed: name, notification address, telephone number, customer IDs (account number, card number

      etc.), channel of receipt, date of notification, reference number of the complaint, type of notification,
      whether it is a recurring complaint, category of complaint, if applicable, the amount complained of, notification
      severity, identifiers of previous complaints, detailed description of the complaint, letter of complaint, other
      attachments, detailed resolution of complaint, amount credited if applicable, complaint
      reply letter

      purpose: to handle a complaint submitted by a customer
      Duration: "See Section 3.1.8 of the Business Rules"

      legal basis: conclusion of a contract

      data processors: Where appropriate, the partners required for the investigation (insurance,
      credit intermediary, etc.)

      (c) other information at the end of the prospectus
      For the data management of the specific product affected by the call or complaint, see the specific product

      at your profile.
      Telephone customer service is in the legitimate interest of quality assurance and complaint prevention
      performs profile-based profiling and automatically selects calls
      in which a higher - skilled bank employee removes the

      a problem or complaint that arose during a telephone conversation.
      The Customer may provide information about the sound recording if the sound recordings
      One of the following data is available to identify:

      • the telephone number of the calling bank providing the caller ID service, as recorded
      in the absence of;

      • the telephone number provided by the data subject providing the caller ID service;

      • the start time of the call communicated by the data subject with an accuracy of at least 60 minutes
      determining time data.
(iv) Identifier: H-526/2020 (Business Rules, effective from 10.01.2021, page 41, citation)

   "3.1.8. Unless otherwise provided by law, the general data processing period is
   10 years from the termination of the customer relationship. This data processing period is adjusted to
   for the limitation period for general civil claims, also in view of the interruption of the limitation period. If that

   the purpose of data processing is to resolve a possible complaint, unless otherwise provided by law
   duration of data management is 1 year. These include, in particular, canceled or rejected services
   demand data. For marketing purposes - until your consent is withdrawn - with such a transaction
   The Bank may also contact the person concerned. Retention period of images for security purposes
   sixty days. The legal retention period for sound recordings for complaint handling is 5 years. The transaction
   the general data retention period shall apply to the recording of the order. The Bank is
   after the end of the data processing period, block the Data if the legal conditions for blocking and

   the technical conditions allow this. The duration of data management may be shortened by the Bank,
   excludes its liability in this regard. "

   (v) Identifier: ‘balancing test voicemining.xlsx’ (actually a privacy impact assessment
   data sheet)
         brief description of data management: “Software and mass sound analysis, predefined
         search and analysis of content and keywords, description. The conversation

         detection of emotions in the sound system (negative, positive). "
         a brief summary of the necessity and proportionality study: “Data management a
         necessary to rank conversations according to their relevance. The
         ranking has no direct effect on the participants in the conversation. The ranking
         interception based on the resulting customer (calling party)
         recall new stand-alone data management. "

         Opinion of the Data Protection Officer and decision on data processing
         Summary: “The purpose of data management is the rights of the data subjects and the business interests of the Bank
         there is no direct or indirect legal prohibition. Data management for several reasons
         high risk, in particular due to the novelty of the technology used,
         for audio recordings are made automatically using artificial intelligence
         analysis and findings are also generated automatically. The totality of the data is both
         suitable for profiling and scoring for the stakeholder group, and

         automated decision making does not happen in the process, data management for stakeholders
         may have legal effect. The high risk was identified by the data controller in the impact assessment
         measures, such as human at the end of automated data processing
         decision-making takes place. The exercise of the rights of the parties concerned is ensured in accordance with standard practice.
         The exercise of the right does not adversely affect those concerned. In the process
         there is no data processor. "

   (vi) Identifier: "privacy record extract.xlsx" (only relevant parts highlighted)

         name: storage of sound material
         goal: Through recorded conversations, the customer’s voice is recorded. You are later complaints
         in the event of a dispute, this may be intercepted.

         Legal basis: Law, legitimate interest, balance of interests

         processing: no

         duration: 10 years from the end of the contract

(4) At the request of the Authority, the Client received on 16 August 2021, NAIH-5161-10 / 2021
In its reply, registered under number

which the Authority has also classified in the present proceedings in Annex III to the explanatory memorandum. at point:
   (i) “On this basis, it can be concluded that the main purpose of using the application is call time
   promotion of abbreviations. The Bank's telephone customer service capacity is limited. Therefore, the call time

   shortening to ensure that significant customer irritation is reduced,
   cease. This is the purpose of breaks in conversations, listening to waiting music
   the Bank achieves by examining. In these cases, the calls from my co-workers are statistical
   processed by other methods and only listened back if necessary. Their purpose is to have a conversation
   find bugs in control scripts that wait, play music, or talk to each other
   (clutter of the clerk and the interlocutor). In this case, the
   or those who are automatically scheduled to be retrieved from your conversations

   are listened to in full, but in part on the basis of the aspects examined. So the
   eavesdropping worker does not hear the customer identification part. The application supports the same
   aspects per employee. This is in a performance-based pay system,
   helps the employee to improve the efficiency of an individual call, the time required for their calls
   reduce it. "
(ii) “The result of the screening may be overridden at any time by the wiretapping officer. The software
it only gives the listener a “menu” to choose from, but the decision is always a

competence of the colleague in the process. "
(iii) Employee contributions not used in operational work are listed in Appendix
Customer has repealed and attached the enforced regulations ([…] - A

recording, retrieving and handling telephone conversations at banking group level), and
also updated organizational changes while streamlining the annexes.
(iv) The Software is not a call recording system. This task is performed by the […] and […] systems.

These are used to transfer calls to the Software system. The data content of the Software is the call
caller ID in the recording system, the calling / called telephone number, the direction and time of the call,
length, name of the clerk, organizational unit, date of the analysis, quantified (%)
results, alphanumeric description of the recognized language elements.

(v) Customer retention or pre-complaint calls:
   • The listener launches a filter based on the rules and keywords set in the system

   for the period of his choice.
   • The Software lists the results, that is, the calls that match the filtering
   conditions.

   • The staff member randomly selects from the suggested calls and listens (typically
   the call segment indicated by the Software). If this is confirmed by the Software, it is complete
   it is advisable to listen to the call.

   • After listening back, you decide if it is possible in the given case
   customer retention or complaint prevention.

   • If so, it retrieves the customer's data from the banking systems.
(vi) Detected emotions can also be displayed at the call level. These can be aggregated into groups and

area level and sort by emotion strength.

(vii) No information will be given at the beginning of the calls as to whether to use the Software or whether
data processing for voice analytical purposes. In the case of an incoming call ([…]), […]
tell the voice recording. In the event of an outgoing call ([…] and […]), the staff member will inform you of the
recording. If the customer complains about the use of the software, the clerks
shall be informed of the possibility of recording the notification. If necessary, the complaint will be picked up,

which will be investigated by the Complaints Office - if necessary by the Data Protection Officer
involving. We would like to note that verbal information at the beginning of telephone calls
its practical possibilities are severely limited. A few words of information necessarily
misleadingly, forcing the data subject to an unjustifiably disadvantaged communication situation. Detailed,
and thorough information does not allow for live audio as required by law
compliance with contact requirements. A significant portion of phone calls are customer
interest. A customer for the opening hours of an account or the current balance of an account

Detailed information provided prior to responding to a request would necessarily violate Article 12 of the GDPR.
the requirement of conciseness of information under Article 1 (1) because it is temporal
its scope would far exceed the substantive administration, the actual data management.

(viii) The possibility of protesting without breaking the line is precluded by technical circumstances. If
human intervention could influence the analysis of a failed call,
   subtraction, would significantly skew the efficiency of the analysis, as it is the anomalies
   protest and agent intervention are expected in the case of a call containing

   (ix) The information is provided by the Client on the website https://www.budapestbank.hu/panaszkezeles.

   (x) Upon termination of the primary purpose of data management, the Customer shall delete from the production systems
   data, but the referenced 42/2015. (III. 12.) Government Decree § 3 (3) e) and (4) the Customer

   makes it an obligation to create and manage archives, data backups and backups.
   The order of their access corresponds to the concept of blocking according to the GDPR, therefore they are described in this way
   provided information to the Customer. The management rules of archive media are in the records management regulations
   is located.

   (xi) In addition to the questions, it is worth highlighting from the experience of personal control that a
   emotional indications of sound analysis for sound property and terms used

   are set up and therefore give false results about calls without human control. On the other hand
   there are people with a voice - our employee had one too - whose voice
   it always reflected dissatisfaction. These are also given, while the pause-to-speech ratio is intertwined
   speech and the speech / music ratio are relatively objective characteristics of conversation, until then
   emotional tone, so the dissatisfaction and frustration experienced are less reliable characteristics.
   This is taken into account by my colleagues when using the system.


   (xii) The caller will only be identified if it is necessary to compensate him due to a bank failure,
   or the Customer seeks to resolve your latent complaint in a reassuring manner.

(5) At the request of the Authority, the Client received on 16 August 2021, NAIH-5161-10 / 2021
In the annexes to its reply, registered as No
Background In cases which were also classified by the Authority in the present proceedings, Annex III to the explanatory memorandum at point:


   (i) Identifier: […] (Recording, listening to and handling telephone conversations banking group
   level instruction)
    "5. Detailed procedure […]

    To retrieve recorded conversations for voice analysis:

    In the Software System, using the voice analysis software, […] ([…], […]) and
    Calls to the […] and […] voice recording systems are available for complaint handling
    to listen back and analyze them. Furthermore, it is possible to recover and […] started and
    monitoring and categorizing incoming calls based on various quality criteria,
    which results can be used to formulate customer-specific actions and feedback
    to improve quality customer service, collection and sales efficiency. The

    individual functional management members for their entire area, by area ([…]), by group,
    they may receive unmeasured quality data per clerk.
    […], Using speech intelligence processing based on artificial intelligence, recognizes:

    • waiting / silence / talking to each other in the sound files,

    • recognizing and finding keywords in audio files
    • detects emotional / mood elements in sound files.

    Measuring the wait / silence allows the area manager to identify the
    launch a reduction factor and action at both the individual and regional level
    (e.g. individual development, field training, process development, etc.).

 Keyword recognition (based on a dictionary we developed) allows complaining customers
 filtering and churn prevention, detection of prohibited / stuffed words.
 Detection of emotional / mood elements in calls shows the true customer experience
 or customer irritation.

 The Software will store the audio in encrypted form on its own storage for 45 days, thereafter
 destroys them. Previous audio analyzes have continued
 they can be retrieved, but the call cannot be deduced from them. "

(ii) Identifier: "interest balancing test voicemining_doc.docx"

 "2.1. The purpose of data processing is defined, express and legitimate, in accordance with the general
 Article 5 (1) (b) of the Data Protection Regulation: in the case of telephone administration a
 reduction of call time, more efficient filtering of latent customer complaints by call characteristics
 by increasing the efficiency of call interception.

 2.2. Demonstration of a legitimate interest: Article 6 (1) (f) of the General Data Protection Regulation
 According to the data management of the Bank is efficient, the exercise of the rights of the parties concerned by telephone
 legitimate interests as defined in the
 required.

 3.1. The need for data management is described in 2.1. in accordance with the purpose of point
 control by the controller, optimization of data management processes GDPR Article 5 (1) (a)
 fair procedure in accordance with point (d) and accuracy in point (d) of the same paragraph
 necessary to ensure faulty administration not otherwise detected

 remedy.
 3.2. Proportionality of data management is set out in Section 2.1. in accordance with the objective set out in
 interests, rights and freedoms: data management using the Software

 operations are carried out by the Bank in accordance with Article 11 of the GDPR, without identifying a specific data subject. The
 randomly selected conversation from a list generated using software
 In this case, too, the data subject will only be identified if recall becomes necessary.

 The data subject shall not be adversely affected by the data processing. Beneficial effect (complaint
 remedy) is a possible legal consequence.
 Proportionality is ensured by the Bank by personalizing the data generated in the system

 there is only a low statistical chance. The person concerned does not have to count on the fact that
 will have the legal effect of using the system, there is little chance of this, given the
 also for data management purposes.
 3.3. Alternatives available to replace data management: a

 the controller does not have an alternative tool, procedure or solution that:
 using the 2.1. the objective set out in point 1 may be achieved.
 3.4. In case of non-processing of data, the (estimated) disadvantages and damages of the data controller:

 decreased efficiency of conversations, efficiency of detection of latent complaints
 decrease. The consequent increase in call dropout is limited
 exercise their administrative rights, including the protection of their personal data. The
 decrease in the efficiency of detection of latent complaints with the accuracy of data management
 reduce, where appropriate, pecuniary or legal disadvantage to the data subject.

 […] 4.2. The positive and negative effects of data processing on the data subject: a
 data management does not in itself have an adverse effect on the data subject
 with regard to.

    4.3. In addition to the mandatory information on data management, the Data Subject may be informed at any time
    may request about the data managed by the Bank, the purpose, legal basis and duration of the data processing.
    (right to information, Article 12 GDPR)
    […] 4.9. The Data Subject has the right at any time for reasons related to his or her own situation

    object to the processing of your personal data, including those based on the GDPR provision
    profiling as well. In this case, the controller may no longer process the personal data,
    unless the controller demonstrates that the processing is for compelling legitimate reasons
    justified by the interests, rights and freedoms of the Data Subject
    or to bring, assert or defend legal claims
    are related.

    […] 6.1. Existence of Legitimate Interest: Bank has an undisputed legitimate interest in the Software System
    improve your telephone administration and find out about latent complaints.

    6.2. Necessity of data management: in order to achieve the purpose of data management is personal
    data management is essential.

    6.3. Proportionality assessment: the data subject's right to self-determination is certain
    necessary and proportionate to the purpose and duration of the processing
    may be limited in accordance with On the basis of the balancing test, it can be concluded that
    the processing does not constitute an unnecessary and disproportionate restriction on the data subject 's rights; and
    freedom. The data subject may object to the data processing or may exercise it at any time
    General Data Protection Decree 12-22. guaranteed by Article


(6) In view of the above, the Authority, pursuant to Section 55 (1) (a) (b), closed the History Case
on 23 September 2021, and filed this Privacy Policy ex officio

telephone conversations conducted by the Customer's telephone customer service
between 25 May 2018 and the date on which the present proceedings were initiated
Subject to customer data management practices.


I.2. The present data protection authority procedure

(7) The subject of the present data protection authority proceedings is the receipt by the Customer of the incoming telephone customer service.

and by automatically analyzing the recorded voice recordings of your outgoing calls
by listening back to some of the audio recordings and then playing back the recorded recordings
was the examination of data processing related to the recall of some of the data subjects. The Authority is above
third parties who call the customer service in connection with the activity are involved,
and the employee working in the Customer's telephone customer service is personal
also examined the handling of his data.


(8) The Authority shall comply with the provisions of Act CL of 2016 on General Administrative Procedure. Act (hereinafter:
On 23 September 2021, he invited the Client to submit comments and
may make a statement in connection with the present proceedings and ex officio in the present proceedings
to be taken into account in connection with the History Case and by your telephone customer service
asked questions clarifying the circumstances of customer identification and recording.

(9) At the request of the Authority, the Client electronically signed on 29 October 2021

In its reply, registered as NAIH-7350-2 / 2021, the Commission made the following statements:

   (i) If the disclosure of information related to the data subject (bank secrecy) during the conversation
   should it happen, the Customer will always identify the data subject by requesting a unique land code or banking
   requesting information that is only known to the data subject. For an outgoing call,
   the person concerned is called on the telephone number registered with the Customer and, in addition, as described above
   identified.
   (ii) In the case of an outgoing call, the content of the verbal information: “Good day, I am XY, from the Bank
   I'm calling, I'm looking for ZW. I would like to inform you that our conversation is for quality assurance purposes

   we record. "
   (iii) The Client maintains its statements in the History Case with the clarification that a
   Software allows you to view the ranked call individually with a click

   as well as listening back. In doing so, the ranking parameter on the speech chart
   appear. This is necessary to ensure human control, because it is purely machine evaluation
   may lead to erroneous conclusions. (For example, silence is caused by a line error or the tone of the machine
   analysis erroneously evaluates it as dissatisfied.)

   (iv) Customer’s data management practices have not changed materially since May 25, 2018, and the Authority
   nor did its examination reveal any circumstance that would justify a substantial change in the process. The
   information practice is under review. It is expected to be more detailed at several points
   the Customer shall prepare information as a result of the investigation.

   (v) The called party may indicate that he does not consent to the recording by breaking the line.
   If you do not do this, you will be given an explicit behavior by starting the conversation
   contribution.

   (vi) The technical system records from the beginning of the call, in which the participating parties have no influence
   opportunity.

   (vii) The voice of the Customer's employees is also monitored. Queuing considerations
   can be set to monitor employee voice properties. With this, the employee
   development, if necessary, without labor disadvantage.

   (viii) The Software does not contain artificial intelligence and does not make automated decisions.
   The results of its analysis can only be utilized with human intervention and interpretation.
   (ix) Telephone customer service is not limited to customers. The monthly average number of calls in 2021 is
   81 500 / month. Annually, 1-1.5 million calls were involved in voice analysis.
   (x) The Client, as a financial institution, performs extremely complex and large-scale data management. For this
   compared to the number of data protection complaints is extremely low, no data protection fines so far

   received by the Customer.
   (xi) The Client's net sales in 2020 were HUF 81,002,000,000.



II. Applicable legal provisions

(10) Pursuant to Article 2 (1) of the General Data Protection Regulation, the General Data Protection Regulation

Regulation shall apply to the processing of personal data in a partially or fully automated manner
processing of personal data in a non-automated manner
which are part of a registration system or which are part of a
intended to be part of a registration system.

(11) The Infotv. Section 2 (2)
the general data protection regulation in the provisions indicated therein

shall apply with the additions specified






(12) Infotv. Pursuant to Section 60 (1), the enforcement of the right to the protection of personal data
To that end, the Authority shall, at the request of the data subject, initiate a data protection authority procedure and
may initiate ex officio data protection proceedings.

(13) Infotv. Pursuant to Section 71 (2), the Authority has lawfully acquired it in the course of its proceedings
use a document, data or other means of proof in another procedure.


(14) Unless otherwise provided in the General Data Protection Regulation, the request was initiated
for data protection authority proceedings under Ákr. provisions of the Infotv shall apply
with differences.

(15) Under Article 4 (1) of the General Data Protection Regulation, "personal data" means identified or
any information relating to an identifiable natural person ("data subject"). The a can be identified
a natural person who, directly or indirectly, in particular by an identifier, e.g.

name, number, location data, online identifier or physical, physiological,
genetic, intellectual, economic, cultural or social identity
identifiable by a factor.

(16) According to Article 4 (4) of the General Data Protection Regulation, "profiling" means personal data
any form of automated processing of personal data
to assess certain personal characteristics of a natural person, in particular:

job performance, economic situation, health status, personal
preferences, interest, reliability, behavior, location, or
used to analyze or predict motion-related characteristics.

(17) According to Article 4 (14) of the General Data Protection Regulation, "biometric data" is a natural data
any specific technical information relating to the physical, physiological or behavioral characteristics of a person
personal data obtained through procedures that allow or confirm the natural person

unique identification, such as a facial image or dactyloscopic data.

(18) According to Article 4 (15) of the General Data Protection Regulation, "health data" means a
personal data concerning the physical or mental health of a natural person, including
data on healthcare provided to a natural person
which carries information on the state of health of the natural person.


(19) According to Article 5 (1) (a) of the General Data Protection Regulation, personal data
must be handled lawfully and fairly and in a manner that is transparent to the data subject
("lawfulness, fairness and transparency").

(20) According to Article 5 (1) (b) of the General Data Protection Regulation, personal data
collected only for specified, explicit and legitimate purposes and not treated with them
in a way incompatible with the objectives ("purpose limitation").


(21) Pursuant to Article 6 (1) of the General Data Protection Regulation, the processing of personal data
lawful only if and to the extent that at least one of the following is met:
   (a) the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes
   treatment;
   (b) processing is necessary for the performance of a contract to which the data subject is a party;
   or to take action at the request of the data subject prior to the conclusion of the contract
   required;

   (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
   (d) processing is in the vital interests of the data subject or of another natural person
   necessary for its protection;
   (e) the processing is in the public interest or a public authority vested in the controller
   necessary for the performance of the task
   (f) processing for the legitimate interests of the controller or of a third party
   necessary, unless the interests of the data subject take precedence over those interests
   or fundamental rights and freedoms which call for the protection of personal data,

   especially if the data subject is a child.
Point (f) of the first subparagraph shall not apply to the performance of their duties by public authorities
data management.

(22) According to Article 6 (4) of the General Data Protection Regulation, if different from the purpose for which the data were collected
processing for that purpose is not with the consent of the data subject or of an EU or Member State
is a right that is a necessary and proportionate measure in a democratic society

to achieve the objectives set out in Article 23 (1) of the General Data Protection Regulation
to determine whether the data processing for different purposes is compatible with the purpose for which the
personal data were originally collected, the controller shall take into account, inter alia:
   (a) between the purposes for which the personal data are collected and the purposes for which they are intended to be further processed
   possible contacts;
   (b) the conditions for the collection of personal data, in particular the data subjects and the
   relationships between data controllers;

   (c) the nature of the personal data, in particular that they are personal data within the meaning of Article 9
   whether it is a matter of dealing with special categories or whether it is a matter of criminal liability
   on the processing of personal data in accordance with Article 10.
   this word;
   (d) the possible consequences for data subjects of the intended data
   further treatment;
   (e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.


(23) Pursuant to Article 9 (1) of the General Data Protection Regulation, racial or ethnic origin,
political opinion, religious or philosophical beliefs, or trade union membership
personal data and genetic data for the unique identification of natural persons
biometric data, health data and the sexual life of natural persons or
processing of personal data concerning sexual orientation - the general data protection regulation
Except in the exceptional cases provided for in Article 9 (2), it shall be prohibited.


(24) According to Article 12 (1) of the General Data Protection Regulation, the controller shall take appropriate measures to provide the data subject with all the information referred to in Articles 13 and 14 and every communication under Articles 15 to 22 and Article 34 relating to the processing of personal data in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed to children. The information shall be provided in writing or by other means, including, where appropriate, by electronic means. Oral information may be provided at the request of the data subject, provided that the identity of the data subject has been established by other means.

(25) According to Article 12 (2) of the General Data Protection Regulation, the controller shall facilitate the exercise of the data subject's rights under Articles 15 to 22.

(26) In accordance with Article 13 of the General Data Protection Regulation:
   1. Where personal data concerning the data subject are collected from the data subject, the controller shall, at the time of obtaining the personal data, provide the data subject with all of the following information:
   (a) the identity and contact details of the controller and, if any, of the controller's representative;
   (b) the contact details of the Data Protection Officer, if any;
   (c) the purpose of the intended processing of the personal data and the legal basis for the processing;
   (d) in the case of processing based on Article 6 (1) (f), the legitimate interests of the controller or of a third party;
   (e) where applicable, the recipients or categories of recipients of the personal data, if any;
   (f) where applicable, the fact that the controller intends to transfer the personal data to a third country or international organization, and the existence or absence of an adequacy decision by the Commission, or, in the case of the transfers referred to in Article 46, Article 47 or the second subparagraph of Article 49 (1), an indication of the appropriate and suitable safeguards and the means of obtaining a copy of them, or a reference to their availability.
   2. In addition to the information referred to in paragraph 1, the controller shall, at the time of obtaining the personal data, in order to ensure fair and transparent processing, provide the data subject with the following additional information:
   (a) the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;
   (b) the data subject's right to request from the controller access to, rectification or erasure of the personal data concerning him or her, or restriction of their processing, and to object to the processing of such personal data, as well as the data subject's right to data portability;
   (c) in the case of processing based on Article 6 (1) (a) or Article 9 (2) (a), the right to withdraw consent at any time, which does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal;
   (d) the right to lodge a complaint with the supervisory authority;
   (e) whether the provision of personal data is required by law or by a contractual obligation, or is a precondition for concluding a contract, whether the data subject is obliged to provide the personal data, and the possible consequences of failure to provide the data;
   (f) the fact of automated decision-making referred to in Article 22 (1) and (4), including profiling, and, at least in these cases, understandable information on the logic used and on the significance of such processing and its expected consequences for the data subject.
   3. If the controller intends to further process the personal data for a purpose other than the purpose for which they were collected, it must inform the data subject, before the further processing, of this different purpose and of any relevant additional information referred to in paragraph 2.
   4. Paragraphs 1, 2 and 3 shall not apply if and to the extent that the data subject already has the information.

(27) Under Article 21 (1) of the General Data Protection Regulation, the data subject is entitled to object at any time, for reasons related to his or her particular situation, to the processing of his or her personal data based on point (e) or (f) of Article 6 (1), including profiling based on those provisions. In this case, the controller may no longer process the personal data unless the controller demonstrates that the processing is justified by compelling legitimate grounds which override the interests, rights and freedoms of the data subject, or which are related to the establishment, exercise or defence of legal claims.

(28) According to Article 21 (2) of the General Data Protection Regulation, if personal data are processed for direct marketing purposes, the data subject is entitled to object at any time to the processing of personal data concerning him or her for this purpose, including profiling in so far as it relates to direct marketing.

(29) Under Article 22 (1) of the General Data Protection Regulation, the data subject is entitled not to be subject to a decision based solely on automated processing, including profiling, which would have legal effects on him or her or would affect him or her to a similarly significant degree.

(30) According to Article 24 (1) of the General Data Protection Regulation, the controller shall, taking into account the nature, scope, circumstances and purposes of the processing, and the risks of varying probability and severity to the rights and freedoms of natural persons, implement appropriate technical and organizational measures to ensure and to be able to prove that personal data are processed in accordance with this Regulation. The controller shall review these measures and, if necessary, update them.

(31) According to Article 25 (1) of the General Data Protection Regulation, the controller shall, taking into account the state of the art and the cost of implementation, as well as the nature, scope, circumstances and purposes of the processing and the risks of varying probability and severity to the rights and freedoms of natural persons, implement, both when determining the means of processing and during the processing itself, appropriate technical and organizational measures, such as pseudonymisation, aimed at the effective implementation of data protection principles, such as data minimisation, on the one hand, and at incorporating into the data processing the guarantees needed to meet the requirements of this Regulation and to protect the rights of data subjects, on the other.

(32) According to Article 25 (2) of the General Data Protection Regulation, the controller shall implement appropriate technical and organizational measures to ensure that, by default, only personal data that are necessary for the specific purpose of the processing are processed. This obligation applies to the amount of personal data collected, the extent of their processing, the duration of their storage and their accessibility. These measures must in particular ensure that, by default, personal data cannot become accessible to an indefinite number of persons without the intervention of the natural person.

(33) According to Article 57 (1) (a) of the General Data Protection Regulation, without prejudice to the other tasks set out in the General Data Protection Regulation, the supervisory authority shall, on its own territory, monitor and enforce the application of the General Data Protection Regulation.


(34) Pursuant to Article 58 (2) of the General Data Protection Regulation, the supervisory authority, acting in its corrective capacity:
   (a) warns the controller or processor that certain planned data processing activities are likely to infringe the provisions of this Regulation;
   (b) reprimands the controller or the processor if its data processing activity has infringed the provisions of this Regulation;
   (c) instructs the controller or processor to comply with the data subject's request to exercise his or her rights under this Regulation;
   (d) instructs the controller or processor to bring its data processing operations into line with the provisions of this Regulation, where applicable in a specified manner and within a specified period;
   (e) instructs the controller to inform the data subject of the data protection incident;
   (f) temporarily or permanently restricts the processing, including the prohibition of the processing;
   (g) orders the rectification or erasure of personal data or the restriction of processing in accordance with Articles 16, 17 and 18 respectively, and, in accordance with Article 17 (2) and Article 19, orders the notification of the recipients to whom the personal data have been communicated;
   (h) withdraws the certificate or instructs the certification body to revoke a certificate issued in accordance with Articles 42 and 43, or instructs the certification body not to issue the certificate if the conditions for certification are not or are no longer met;
   (i) imposes an administrative fine in accordance with Article 83, depending on the circumstances of the case, in addition to or instead of the measures referred to in this paragraph; and
   (j) orders the suspension of the flow of data to a recipient in a third country or to an international organization.

(35) Pursuant to Article 83 (1) of the General Data Protection Regulation, all supervisory authorities shall ensure that the administrative fines imposed under Article 83 for breaches of the General Data Protection Regulation referred to in Article 83 (4), (5) and (6) are effective, proportionate and dissuasive in each case.

(36) Pursuant to Article 83 (2) of the General Data Protection Regulation, administrative fines shall be imposed, depending on the circumstances of the case, in addition to or instead of the measures referred to in points (a) to (h) and (j) of Article 58 (2) of the General Data Protection Regulation. When deciding whether it is necessary to impose an administrative fine, and on the amount of the administrative fine, due account shall be taken in each case of the following:
   (a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question, the number of persons affected by the infringement and the extent of the damage they have suffered;
   (b) the intentional or negligent nature of the infringement;
   (c) any measures taken by the controller or the processor to mitigate the damage caused to the data subjects;
   (d) the extent of the responsibility of the controller or processor, taking into account the technical and organizational measures taken pursuant to Articles 25 and 32 of the General Data Protection Regulation;
   (e) relevant infringements previously committed by the controller or processor;
   (f) the degree of cooperation with the supervisory authority to remedy the infringement and to alleviate its possible negative effects;
   (g) the categories of personal data concerned by the infringement;
   (h) the manner in which the supervisory authority became aware of the infringement, in particular whether the controller or processor has reported the infringement and, if so, in what detail;
   (i) if one of the measures referred to in Article 58 (2) of the General Data Protection Regulation has previously been ordered against the controller or processor concerned in the same matter, compliance with those measures;
   (j) whether the controller or processor has complied with codes of conduct approved pursuant to Article 40 of the General Data Protection Regulation or with certification mechanisms approved in accordance with Article 42 of the General Data Protection Regulation; and
   (k) other aggravating or mitigating factors relevant to the circumstances of the case, such as financial gain obtained or loss avoided as a direct or indirect consequence of the infringement.

(37) Pursuant to Article 83 (5) of the General Data Protection Regulation, infringements of the following provisions shall be subject, in accordance with paragraph 2, to an administrative fine of up to EUR 20 000 000 or, in the case of undertakings, of up to 4% of the total worldwide turnover in the preceding business year, with the higher of the two amounts to be imposed:
   (a) the principles of data processing, including the conditions for consent, in accordance with Articles 5, 6, 7 and 9 of the General Data Protection Regulation;
   (b) the rights of data subjects in accordance with Articles 12 to 22 of the General Data Protection Regulation;
   (c) the transfer of personal data to a recipient in a third country or to an international organization in accordance with Articles 44 to 49 of the General Data Protection Regulation;
   (d) obligations under the law of the Member States adopted pursuant to Chapter IX of the General Data Protection Regulation;
   (e) non-compliance with an instruction of the supervisory authority under Article 58 (2) of the General Data Protection Regulation, with a temporary or permanent restriction of data processing or with a request for suspension of the flow of data, or failure to grant access in breach of Article 58 (1) of the General Data Protection Regulation.

(38) Pursuant to Section 75/A of the Infotv., the Authority shall exercise the powers set out in Article 83 (2) to (6) of the General Data Protection Regulation taking into account the principle of proportionality, in particular by taking action, in the event of a first breach of the requirements on the processing of personal data laid down by law or by a mandatory legal act of the European Union, in accordance with Article 58 of the General Data Protection Regulation, by warning the controller or processor.


III. Findings and decision of the Authority


III.1. Description of the data processing related to the analysis of sound recordings of conversations conducted by the Client's telephone customer service

(39) The Client, as a financial institution, operates a telephone customer service. In this context, in certain cases it is a legal obligation to record and retain the conversation with the telephone customer service. The present procedure of the Authority focused on the further data processing operations carried out on the recorded audio files, not on the voice recording itself.

(40) On the basis of both its decision-making power and its own statements, the Client is the data controller for the data processing carried out in connection with the sound analysis performed with the Software. The Client decides on the use of the Software and lays down its terms of use in internal regulations.

(41) The audio of all telephone customer service calls, except for non-substantive calls of a few seconds, is recorded and stored in the Client's systems.

(42) The recorded audio material contains the voice of the Client's telephone customer service employee, as a data subject, and the voice of the third party called by that employee or calling the Client's telephone customer service, as a data subject; in addition, a single unique caller ID, the caller / called phone number, the call direction, the time, the agent name and the organizational unit are associated with it in all of the Client's systems.


(43) Every night an automated process runs on the Client's voice recording server, which destroys the 5 seconds. In addition, speech signal processing based on artificial intelligence automatically analyzes the waiting / silence / talking over each other, the keywords from the list provided and the emotional / mood status of the speaker. This may be associated with a specific person, as it may be filtered out if the Software recognized an employee's emotion and not the caller's, which is the default assignment according to the Client's statement indicated in sub-paragraph (xi) of paragraph (4) above. According to the statement under the same sub-paragraph and the technical annex entitled “voice screens.docx.doc”, the efficacy of a system based on the recognition of emotions is highly questionable, as there was no recognizable emotion in 91.96% of cases. In this respect, the Authority emphasizes that data are personal data not because they are accurate, but become personal data when they are assigned to a specific person. For example, storing inaccurately recorded data that do not correspond to reality in connection with a given identifiable data subject constitutes data processing on the part of that data controller just as if the data were accurate.

(44) The analysis, use and storage of the voice and emotional / mood status of the data subjects is sensitive data processing. Although the Authority considers that these are not special categories of personal data within the meaning of Article 9 (1) of the General Data Protection Regulation, their processing nevertheless affects the privacy of the data subjects.

(45) As to whether the data generated by the data processing under investigation are special categories of personal data under Article 9 (1) of the General Data Protection Regulation, the Authority, in the light of all the circumstances of the present case, held as follows. Of the data that make up the result of the sound analysis, only the emotion / mental state is something that could be biometric data or health data. In the present case, according to the facts established, the data analysis does not create data that uniquely identify the data subject, thus this condition of biometric data is missing. As regards health data, the condition that a meaningful conclusion as to the physical or mental state of the data subject can be drawn from the outcome of the data processing at issue in the present case is not met. It is, however, not because of the method applied or the quality of the data themselves that the conditions are not met, so in other, similar cases similar data may be classified as a special category of personal data if, under other circumstances or in conjunction with additional data, the above conditions are met.

(46) Based on the above, the Software evaluates the performance of the Client's telephone customer service employees on the basis of waiting / talking / talking over each other; on that basis, in accordance with the statement of the Client indicated in sub-paragraph (xiv) of paragraph (2) above, the Client's managers may order individual development, field training and process development for the employees, and, according to the statement indicated in sub-paragraph (i) of paragraph (4) above, this also affects the performance pay of the Client's telephone customer service employees.

(47) The Software also records the results of the recognized keywords and emotions for each call, and calls can be retrieved within the voice analysis Software for up to 45 days; beyond that, however, they remain in the sound recording system. In this context, the data processing notice with the content indicated in sub-paragraph (iii) of paragraph (3) above merely refers back to the provisions of section 3.1.8, which lists different retention periods for several different data processing purposes; this is not clear and transparent to the average data subject.

(48) The Software ranks the calls based on the above, which is a suggestion as to which data subject should be called back first, that is, which complainant is more dissatisfied. For this purpose, data describing the data subject's typical emotional / mental state at the time of the call, based on the analysis by the Software, are also stored in the Software, linked to the call. On this basis, the Client's senior employees decide which customer the customer service should call back in order to deal with dissatisfaction. The purpose of the Software is not to handle individual complaints; a complaint made on the telephone is handled by customer service staff in any case, regardless of the operation of the Software. The purpose of the callback is not to deal with the specific complaint, but to filter out and manage the customer's dissatisfaction in principle, regardless of the resolution of the customer's specific complaint.


(49) According to the Client's statements in the History Case indicated in sub-paragraphs (iii), (iv) and (v) of paragraph (2) above, the purpose of the data processing is the quality control of calls based on variable parameters, the prevention of complaints and customer migration, and increasing the efficiency of the call handling staff. The data processing notice provided to the data subjects on the Client's website, with the content indicated in sub-paragraph (iii) of paragraph (3) above, is in the first place very general in relation to this data processing: "performs profiling based on a legitimate interest and automatic decision-making, selects calls in which a higher-skilled bank employee calls back and eliminates the problem, complaint of the telephone conversation". It does not inform about the substantive method and essence of the sound analysis, and it is not clearly worded. The notice also covers only the purposes of quality assurance and complaint prevention, and even the above description, which does not provide meaningful information, concerns only the prevention of complaints. For this reason, the data subjects are clearly unaware of the existence of the data processing, its essential content and all its purposes, and this information is not received during a phone call or callback either.

(50) The Client based the above data processing on its legitimate interests in retaining its clients and increasing the efficiency of its internal operation. However, the data processing relating to these very different interests was not separated in either the data processing notice or the balancing of interests; they were handled together by the Client.

(51) Although not the subject of the present proceedings, the Authority notes that, prior to the entry into force of the General Data Protection Regulation, pursuant to Section 68 (4) of the Infotv., due to the application of the new data processing technology, the data protection registration of the examined data processing would not have been automatic. In such cases the Authority would, upon the Client's request, have individually assessed the conditions and guarantees of the data processing, and without its prior approval the Client would not have been able to start processing the data. Because this approval procedure was not required of the Client, the Authority became aware of this data processing with a significant delay. In addition, the records of data processing under Article 30 of the General Data Protection Regulation sent by the Client to the Authority do not mention, in relation to the sound recordings, the data processing carried out by analyzing the sound recording, only its storage.



III.2. Applicability of the General Data Protection Regulation to data processing with the Software

(52) Under Article 4 (1) of the General Data Protection Regulation, indirect identifiability is also sufficient for data to qualify as 'personal data'.

(53) Pursuant to Article 57 (1) (a), Article 58 (2) (b) and (d) and Article 83 (1), (2) and (5) of the General Data Protection Regulation and Section 75/A of the Infotv., the Authority examined ex officio in the course of its proceedings the part of the Client's general practice affecting the present case. Pursuant to Section 71 (2) of the Infotv., the Authority may use evidence obtained in its proceedings in its other proceedings.

(54) In its response in the History Case dated 5 July 2021 and registered under number NAIH-5161-5/2021, the Client stated that, in its opinion, the Software does not store identifying data and the analysis results generated by the Software about the emotional state of the caller and the customer service representative are not personal data because they cannot be linked to anyone, and it compared the system to the operation of traffic counters and traffic lights. This is obviously contradicted by the information in the Client's reply received in the History Case on 16 August 2021 and registered under number NAIH-5161-10/2021, according to which customer service telephone calls have a unique internal identification number, which in the Client's systems outside the Software can also be linked to the caller and the customer service representative, and this unique ID is also used as a pseudonym by the Software. When the consequence is applied (e.g. callback, sending to training), this link is made. In the case of a traffic counter or traffic light, for example, the fourth car that passed in front of it and its driver cannot be re-identified. The Software does not operate on this principle at all, but is expressly intended to lead to specific action.

(55) Based on the above, both parties to the call can be clearly identified by the Client, which the Client does continuously during the normal operation of the system: it listens back to the recorded calls of the persons concerned and subsequently calls them back accordingly, or evaluates the employee working in telephone customer service on this basis. Even if the Client did not do so but had the opportunity to do so, the analysis result produced by the Software would still be personal data until the link to the identifiable data subjects is irreversibly terminated.

(56) The above interpretation is confirmed, inter alia, by the judgment of the Court of Justice of the European Union in Case C-582/14 on dynamic IP addresses, which is analogous to the present case: these are also personal data for every controller that has lawful means, even indirectly, of obtaining from the internet service provider the information as to which subscriber an IP address belonged to at a given time. In the present case, the necessary identifying information (the link between the pseudonymous ID and the phone number and other call details) is available to the Client within its own systems, so there can be no question that a lawful means was available for this. It is important to emphasize that the concept of lawful means designated by the court does not refer to the lawfulness of the data processing or to compliance with data protection rules, but to the fact that the means used is not in itself infringing (for example, a black market database is an infringing means regardless of the data processing carried out with it). With infringing means it is not possible to carry out lawful data processing from the outset, whereas with lawful means the data processing may be lawful or unlawful depending on other conditions (purpose, legal basis, etc.). Without identifiability, the customer service would obviously not know whom to call back on the basis of the results of the analysis, nor would the customer service staff be controllable in the way that, according to its own statements, the Client checks them.


(57) Although the Authority's investigation focused on the operation of the Software, in the case of such complex data processing the personal data nature is not determined by whether the data subject can be identified within one subsystem. It is necessary to examine, with regard to all data sources lawfully available to the Client, whether the condition of direct or indirect identifiability is met. Pseudonymisation (the use of pseudonymous identifiers) enhances data security, but it does not affect the uniquely identifying nature and the personal data quality of the data with regard to the third-party callers concerned. With respect to the Client's telephone customer service staff, the personal data nature cannot even be questioned, as their names are also stored linked to the particular analysis result, which is linked to a specific audio recording. In relation to third-party data subjects, Article 4 (1) of the General Data Protection Regulation treats indirect identifiability in the same way as direct identification, and under Article 4 (5) of the General Data Protection Regulation the pseudonymous identifier itself and the other information stored in connection with it are personal data, provided that the identifier can be linked to a given natural person. And a phone call doesn't exist on its own; there is a natural person behind it. At the beginning of telephone conversations, customer service always identifies the person it is talking to, so both the recordings listened to and the potentially retrievable recordings contain identifying information. The fact that, according to the Client's own statement, it turned out that in some cases the recognized emotion belonged to its own employee also confirms the possibility of unique identification.

[1] https://curia.europa.eu/juris/document/document.jsf?docid=184668&doclang=HU&cid=1095511

(58) Based on the above, the emotional state recognized by the Software, the length of silence, and the data associated with the caller ID and telephone number used continue to be personal data, regardless of their encryption or pseudonymisation, as long as they can be linked to specific persons by means of other data lawfully available to the Client. During listening back, the first audible data on the audio recording is always the identification of the speaker, so in the case of recordings listened to there is not even a pseudonym at this point in the data processing. It is irrelevant whether the Client actually makes the link in[2] specific cases; it is sufficient that lawful means are available to it. The fact that, for example, the length of silence primarily allows conclusions to be drawn not about the calling party but about the work of the customer service representative (whether or not they are relevant in the human inspection) makes these data, where appropriate, the employee's personal data for the duration of the data processing. The fact that a piece of data subsequently turns out to be incorrect or inaccurate does not call into question its personal data nature, as any data (not just real data) linked to a specific natural person are personal data.

(59) In the light of the above, the provisions of the General Data Protection Regulation apply in principle to the data processing carried out using the Software, and nothing to the contrary can be established in the present case.


III.3. Application of Artificial Intelligence in the Software


(60) In its reply received in the present proceedings on 29 October 2021 and registered under number NAIH-7350-2/2021, the Client stated that “the Software does not use artificial intelligence, contains no automated decision, the results of its analysis may be used solely with human input and interpretation.”

(61) By examining the information about the Software available through a public Internet search, the website of the company that developed it, the questions asked by the Authority and the answers given to them, the Authority found the following. The company that developed the Software is a Hungarian company that distributes its products in several countries. According to the description available on the company's website: “a company engaged in artificial intelligence and predictive analytics solutions, software development, and customer service consulting, operations, project and HR management […].”[3]


(62) The operation of the Software is based on an application called the Sound Analysis Platform ('the Platform'), which is featured on the company's above-mentioned Hungarian-language website and about which the developer published the following description on the website: “The platform is a comprehensive performance and quality management solution for customer services based on speech and data analysis. The application analyzes conversations at customer service from both the customer and operator side, and recognizes angry, dissatisfied, frustrated, uncertain, neutral or satisfied mood, as well as additional factors affecting customer service quality and performance, such as silence, music, speech rate, volume, speech quality and intonation, and other quality features. The system provides full insight into all conversations being processed and into the elements that have a decisive influence on the quality and performance of customer services. Get the most out of your customer service, reduce your average call time, and increase the standard of customer service at the same time. In addition to advanced business intelligence-based analytics, with active, automated performance management support, the system is able to make operator work more efficient.”

[2] when a person accesses a website made available to the public by a service provider, the dynamic IP address recorded by that service provider shall be considered personal data within the meaning of this provision in relation to that service provider if lawful means are available to it to identify the data subject with the additional data held by that person's internet service provider”
[3] […]

(63) According to the description in the English information page on the Platform,4 the Platform uses machine learning and artificial intelligence to identify and measure speech style based emotions, keyword and phrase-based emotions, and speech characteristics such as speech rate, pitch, and articulation.5 The page also carries a statement from the developer regarding the operation of the product, that a well-trained neural network sorts the sound fragments into three main categories.6

(64) As stated in the descriptions referred to, the Platform involves artificial intelligence, machine learning and neural networks alike.

(65) Artificial intelligence is the development of computers and robots in a way that allows them to operate in ways that can mimic or exceed human capabilities. Programs using artificial intelligence are able to analyze the data and place them in context to provide information, or to automatically trigger certain events without human intervention.7


(66) Machine learning is, in fact, one of the possible paths to artificial intelligence. In this subfield of artificial intelligence, algorithms are used in such a way that they learn to automatically recognize the patterns and correlations present in the data and then apply what they learn to make better and better decisions.8


(67) Neural networks are a possible approach within the field of machine learning which, building on a simplified scheme of human brain function, seeks to provide a solution to tasks at which ordinary algorithms fail. The neural network consists of simple units - neurons - each of which, in the pattern of real nerve cells, receives incoming signals and then outputs them together. However, the incoming signals are not taken into account equally by the individual neurons in determining the output value, but - described in statistical terms - weighted. The reason for this is best illustrated by an example: if the neural network is applied to estimate (forecast) real estate prices, whether a property in Budapest is located in the 3rd district and what its level of comfort is does not carry the same significance as whether it is located on the 3rd or 4th floor. It is important to note that although neurons perform calculations, they are not processors. The main difference between the two is that while processors are programmed, that is, they are given a sequence of instructions to be executed one after the other, essentially fixed and thus not modifiable by itself, which always yields a predefinable output, neurons are taught by adjusting the values of the weights, so that, depending on the algorithm used, they may produce a value not known in advance even by the user of the algorithm.10

4 […]
5 "[…] uses Machine Learning and Artificial Intelligence to identify and measure speech style based emotions, keyword, and expression-based sentiment, and speech characteristics such as speech rate, intonation, articulation, etc."
6 "An extensively trained deep neural network classifies speech segments into three main categories […]"
7 See: https://ai.engineering.columbia.edu/ai-vs-machine-learning/ "Artificial Intelligence is the field of developing computers and robots that are capable of behaving in ways that both mimic and go beyond human capabilities. AI-enabled programs can analyze and contextualize data to provide information or automatically trigger actions without human interference."; this approach is confirmed, inter alia, by the legislative proposals of the European Union in the draft phase: https://eur-lex.europa.eu/legal-content/HU/TXT/HTML/?uri=CELEX:52021PC0206
8 See https://ai.engineering.columbia.edu/ai-vs-machine-learning/ "Machine learning is a pathway to artificial intelligence. This subcategory of AI uses algorithms to automatically learn insights and recognize patterns from data, applying that learning to make increasingly better decisions."
9 See more: Report from the Council of the European Union on artificial intelligence, its key competences and scientific methods; published: April 8, 2019; URL: https://digital-strategy.ec.europa.eu/en/library/definition-artificial-intelligence-main-capabilities-and-scientific-disciplines


(68) According to the descriptions referred to above, the developer itself provides information on what parameters the Platform, as a software product, can identify and evaluate, and what IT methods and solutions in the field of artificial intelligence it applies in doing so.


(69) The Software is capable of automatically evaluating the calls received and initiated by call center employees according to predefined rules, such as the "greeting rule", under which it checks whether the employee properly greeted the customer, or the so-called "test rule", under which the system is capable of checking whether the employee tried to collect the necessary information from the client with a sufficient number of questions.

(70) As part of the automatic evaluation of the performance of telephone customer service staff, the system is also able to measure how long the employee remains silent within a call between a question being asked and the substantive response (the so-called 'silence period'), from which a conclusion can be drawn as to the level of knowledge and preparedness of the employee.12

(71) Based on the above, it can be concluded that the Software, using artificial intelligence, performs automatic processing of personal data, the result of which is, on the one hand, the list it compiles of the order of persons to be called back and, on the other hand, until they are deleted - which according to the Client in the History Case is 45 days - the recognized emotions and voice recording features stored for individual calls (e.g. length of pauses). It is not a condition of automated data processing that the machine makes the decision; it is sufficient that the aim is to produce a result that influences the decision-makers and is taken into account in the human decision, which is the case here. This is confirmed by the annex to the Customer's reply received on 5 July 2021 in the History Case, registered as NAIH-5161-5/2021, a document which according to its file name is a balancing of interests but is in fact a data protection impact assessment (identifier: 'balancing test voicemining.xlsx'), according to which "The data processing is high risk for a number of reasons, in particular the novelty of the technology used, as audio recordings are analyzed automatically using artificial intelligence and findings are also made automatically. The totality of the data is suitable for profiling or scoring with regard to both groups of data subjects, and although no automated decision-making takes place in the process, the processing may have legal effects on data subjects."

(72) For the purposes of the foregoing, the
Article 21 of the General Data Protection Regulation. In addition, profiling within the meaning of Article 4 (4) of the General Data Protection Regulation also takes place, as the data generated by the system are - due to the essential functionality of the system - also used to monitor and evaluate the workplace performance of the Customer's telephone customer service employees, according to the Customer's statement referred to in paragraph 4 (i) and the online source identified in paragraph 66. Profiling is also supported by the ranking of dissatisfied customers for callbacks based on keywords and emotions, which qualifies as the evaluation of a personal characteristic within the meaning of Article 4 (4) of the General Data Protection Regulation. The term profiling is also used by the Client in the internal complaint concerning customer complaint number […] referred to in paragraph 3 (i) above and in the data processing information described in paragraph 3 (iii) (c) above. The data processing is based on a technology that performs analysis of the emotions of natural persons. This is contrary to the statements made by the Client during the proceedings. In accordance with the risk-based approach set out in Article 24 of the General Data Protection Regulation, the responsibility of data controllers has also increased.

10 See more: Tamás Klein: Robot law or human rights? In: "Regulatory Challenges of Artificial Intelligence", Budapest, 2021, 129; see also "A Closer Look at Neural Networks"; published: 08.08.2019; URL: https://docs.microsoft.com/en-us/archive/msdn-magazine/2019/february/artificially-intelligent-a-closer-look-at-neural-networks
11 […]
12 […]



III.4. Lack of proper information and of the right to object

(73) In the information given orally at the beginning of the conversation, the data subjects are told nothing about the sound analysis, the automatic analysis and evaluation of their emotions, or the possibility of a subsequent callback resulting from it.


(74) The only information provided by the Customer that refers to data processing with the Software, though not in specific terms, is the "Telephone Customer Service and Complaint Handling detailed data management information", which states: "Telephone customer service performs profiling based on legitimate interests for quality assurance and complaint prevention purposes, and selects by automatic decision the calls in which a higher-skilled bank employee eliminates the problem or complaint that arose during the telephone conversation by calling back." In addition, the data subjects do not receive any information on exactly what type of data is processed, and how, in order to evaluate their emotional reactions. Apart from the legal basis, the information does not contain all the mandatory elements under Article 13 of the General Data Protection Regulation, and it does not indicate the purpose completely. Neither the "Telephone Customer Service and Complaint Handling Detailed Data Management Information" nor section 3.1.8 of the Business Rules indicates the duration of the data processing clearly and intelligibly to the average data subject.


(75) The purposes stated in the above information are quality assurance and the prevention of complaints. Neither preventing customer migration nor increasing internal efficiency is included among the purposes stated in it.

(76) The Client's statements set out in sub-paragraphs (vii) and (viii) of paragraph 4 above also confirm the above: the Customer is aware that, in the context of the sound analysis data processing under consideration, it has for years failed to provide adequately transparent and concise information and the right to object, on account of their particular difficulty. This is contradicted by the Customer's data processing information, which states that it ensures the rights of the data subject. With reference, inter alia, to the adequate safeguarding of the rights of the data subject, the Customer classified the data processing as risk-free and harm-free for several reasons.

(77) In the case of automated data processing based on a legitimate interest, the right to object does not depend on the decision of the data controller; the Customer is obliged to ensure it under Article 21 of the General Data Protection Regulation. Due to the complete lack of a right to object, there is in any case a breach of Article 21 of the General Data Protection Regulation in the present case, but as a matter of principle the Authority notes that telephone solicitation for customer retention, like customer acquisition, is subject to an objective right to object under Article 21 (2) of the General Data Protection Regulation, while for other purposes - quality control, increasing internal efficiency - a conditional right to object under Article 21 (1) of the General Data Protection Regulation must be granted. For this reason, among others, it is not appropriate to merge the different purposes of the processing and the interests of the controller in the balancing of interests and to evaluate them jointly, as the end result - and the conditions to be met for it - may not be the same for each purpose.

(78) Although consent was not cited by the Client as a legal basis, it also referred to it. In this respect, the Authority notes that under the General Data Protection Regulation only consent given with adequate knowledge, through free and active action, could be the basis of data processing, which is excluded where refusal entails the denial of the service (telephone customer service) as a legal consequence. The same is true for employees: as a general rule, the application of this legal basis is precluded, as a choice entirely free from influence is unthinkable in connection with an instruction. Also fundamentally flawed and unacceptable is the Customer's argument that no complaint has been received so far concerning the data processing under investigation, given that the data subjects could not have been aware of it.

(79) Based on the above, the processing of personal data relating to the Customer's activity of analyzing customer service sound recordings, in its present form, infringes Article 5 (1) (a) and (b), Article 12 (1), Article 13 and Article 21 (1) and (2) of the General Data Protection Regulation.


III.5. Assessment of the Balancing of Interests in Data Processing with the Software

(80) Owing to its operating principle as set out in section III.3 above, artificial intelligence is difficult to see through and follow. This is one of the reasons why special attention - not only described on paper but actually implemented - is required in the case of data processing using artificial intelligence if the data controller wants to meet the transparency and accountability requirements of the General Data Protection Regulation. This goes beyond the default level of expectation for data processing of average risk, and - taking into account the risk-based approach under Articles 24 and 25 of the General Data Protection Regulation - the controller must decide, in view of this difficulty, when and for what it uses artificial intelligence and how it ensures transparency in this regard.

(81) According to the technical annex submitted by the Client in the History Case (identifier: "voice screens.docx.doc"), the effectiveness of the emotion analysis and of the satisfaction evaluation and recording system used in the Software is relatively low. This likewise does not support that sound analysis implemented in this particular form is suitable for achieving the stated goals, or that its current use would be an unavoidable and proportionate restriction on the rights of data subjects, even if - unlike in the present case - the rights of the data subject were adequately ensured by the Client. The Client's balancing of interests did not take this into account in any way. The documents provided by the Customer contain no information on the date of the balancing of interests or of its review, nor does it appear from the balancing of interests that any regular review is scheduled to verify that the actual operation of the Software meets expectations and adequately protects the rights of the data subjects.

(82) The Customer's voice analysis activity using artificial intelligence - in particular the assessment of the emotions of data subjects - in itself raises data protection issues of principle. In its 2012 annual report, the Authority stated years ago that "The financial sector is at the forefront of new data processing technologies. Hidden information can also be extracted from the analysis of the audio of conversations with the bank's customer service, from which the customer's willingness and ability to pay can be deduced. However, for the use of tools that examine psycholinguistic traits and the emotional charge of speech, it is not sufficient to examine the formal existence of the data subject's consent. Ranking technology based on speech processing intervenes in the private sphere to such an extent, and carries such risks, that the data subject, when giving his or her consent, is unable to recognize and judge their impact on his or her rights to privacy. The Authority drew attention to the fact that data mining technology puts the financial institution in possession of data of which the client is not even aware, so the use of such tools turns the data subject from a subject of the procedure into its object."13 This also shows that, in the case of artificial intelligence, the choice of the method of data processing and the guarantees and rights of the data subject are of paramount importance. Pseudonymisation - the use of an internal sound recording identifier - is generally useful, but not sufficient in itself, especially in the present case.

(83) According to Joint Opinion 5/2021 of the European Data Protection Board and the European Data Protection Supervisor on the Regulation of the European Parliament and of the Council on harmonized rules for artificial intelligence, "The European Data Protection Board and the European Data Protection Supervisor also believe that the use of AI to infer the emotions of an individual is extremely undesirable and should be prohibited, except for some well-specified uses - namely for medical or research purposes (for example, patients for whom it is important to recognize emotions) - in all cases with adequate safeguards and, of course, subject to all other data protection conditions and restrictions, including purpose limitation."14

(84) In addition to the above, the findings and the reasoning set out in paragraph 4 (vii) and (viii) above on the basis of the statements set out in points (a) to (d) is not provided for the specific data management method, so the Customer's practice of analyzing recordings made by its telephone customer service voice recording completely empties the rights of the data subjects.

(85) The balancing of interests was not carried out separately for each purpose; instead, all purposes were merged into a single data processing operation. Instead of examining suitability and proportionality with regard to achieving the given processing purpose, the Client assessed whether the data processing is necessary and proportionate only from the perspective of its own interests, whether perceived or real, and even this only according to formal criteria. The Client merely established that the data processing is required to enforce its interests, and did not examine the impact of its activities on the rights of the data subjects in relation to the individual purposes. As regards proportionality, it did not actually examine the data subjects' side, and it downplayed significant fundamental rights risks. Contrary to the facts, it took into account the guarantee effect of adequate information and the right to object, rights which in reality, owing to the design of the system, are not fully provided to the data subjects, depriving them of the right to self-determination. Thus, as explained above, the result of the balancing of interests is fundamentally incorrect and misleading as to suitability and proportionality, and it does not compare what it should. The fact that the Customer can perform its tasks with fewer customer service staff is not in itself an appropriate reason for data processing in this form, which is disproportionate for the data subjects and is considered undesirable and high-risk by the Authority and the European Data Protection Board. Innovation only benefits people if it is effective and coupled with strong guarantees. Instead of enhanced guarantees, the Customer demonstrated the opposite during the clarification of the facts in relation to the sound analysis.

(86) The unfounded or incorrect planning and assessment of the data processing did not arise from an unavoidable cause beyond the Client's control; it is solely an intentional act of the Client, which started or continued the data processing in the knowledge that it suffered from essential deficiencies and was not actually substantiated by a balancing of interests, only on paper. The Customer has not demonstrated that any alternatives were actually considered. Voice recording - in the case of complaints due to a legal obligation, otherwise by the Customer's decision - is an unavoidable element of telephone customer service, and it is a significant harm to interests that telephone customer service is not available at all to anyone who does not wish to accept the data processing connected to it. If the Customer wishes to perform additional data processing operations on the sound recordings it is required to make, and to analyze them automatically with new, risky technologies that are not yet fully understood, it must comply with Article 6 (4) of the General Data Protection Regulation, as it wishes to process personal data for a purpose other than that for which they were collected. In such a case, the data controller is obliged to check before starting the data processing whether the data subjects can reasonably expect the new data processing in addition to the processing for the original purpose - in this case, the legal obligation - and is required to ensure the existence of appropriate guarantees on an ongoing basis. Without the substantive knowledge and choice of the data subjects, the analysis of a sound recording available for a completely different reason cannot be considered lawful from a data protection point of view if the data subjects could not have become aware of it and the data subject rights serving as guarantees are missing, which the Client, despite being aware of it, did not subsequently take into account, continuing the data processing in that knowledge. This substantiates the intentional nature of the infringement.

13 https://www.naih.hu/eves-beszamolok?download=17:naih-beszamolo-2012-februar
14 See paragraph 35: https://edpb.europa.eu/system/files/2021-10/edpb-edps_joint_opinion_ai_regulation_en.pdf

(87) By the Client's decision, the voices of its employees are also analyzed and evaluated, and, according to, inter alia, the Customer's declaration under paragraph 4 (i) above, the results are also used for performance pay. In the case of employees, it is also questionable how much real possibility to object they would have, given their dependent position. This circumstance, too, was not considered by the Customer. With regard to employees, monitoring the performance of the contract and quality assurance may, under labor law rules, substantiate certain legitimate interests in certain circumstances. However, even in this case suitability and proportionality are paramount, and, according to, inter alia, the Client's own statement under paragraph 4 (xi) above, an appropriate system of guarantees is not provided for employees either, who are more vulnerable than third parties. Emotion analysis that is not demonstrably effective and that deeply and severely restricts the right to self-determination cannot be reasonably justified for employees either. In the case of employees, the profiling specifically associated with performance at work under Article 4 (4) of the General Data Protection Regulation also requires a thorough analysis of the applicable rules and guarantees before data are processed with a new technology, which the Customer also failed to do in the balancing of interests.

(88) The Authority also does not share the Client's view that the data subjects suffer no harm in connection with the data processing under investigation. The General Data Protection Regulation serves the protection of the right to the protection of personal data, which is a fundamental right under Article VI (3) of the Fundamental Law and Article 8 (1) of the Charter of Fundamental Rights of the European Union. A violation of the data subject rights laid down for the protection of this fundamental right in the relevant legislation - such as Chapter III of the General Data Protection Regulation - causes a significant violation of fundamental rights even without direct financial loss, and this is the case for a large number of data subjects. According to the Customer's statement, this means data processing for about 1-1.5 million voice recordings per year.


(89) The Authority also considered the applicability of Article 22 (1) of the General Data Protection Regulation to the data processing that is the subject of the present case, as it too concerns a data subject right to be ensured by the Customer. The Customer failed to do this as well during the planning of the data processing. In this case, a decision based on fully automated data processing is made with regard to the data subjects who are not selected by the system for a callback or for whose agent no error is indicated, so in these cases a negative decision is made without human intervention. In the case of employees, the evaluation of work performance is also carried out. Nevertheless, the Authority found that in the present case the condition under Article 22 (1) of the General Data Protection Regulation that the decision based on fully automated data processing has a legal effect or a similarly significant effect on the data subjects is not met in the event of a negative decision, as no reaction follows for them. Human intervention is required to take further action with regard to the persons selected by the Software for a callback or for employment review, so a significant effect is realized, but the condition of a decision based on fully automated data processing is missing. Therefore, considering all the circumstances of the present case, the Authority did not establish the applicability of Article 22 (1) of the General Data Protection Regulation, nor, consequently, a violation of it. However, in the case of extensive automated data processing, the deficiency of the balancing of interests is confirmed if the data controller does not consider this possibility in substance, as the Customer also failed to do in the present case.

(90) As explained in this section, the result of the balancing of interests carried out by the Client is not based on the analysis required by the General Data Protection Regulation, and the priority of the claimed legitimate interest over the rights and freedoms of the data subjects cannot be established for the data processing in question.



III.6. Lawfulness of Data Processing with the Software

(91) Due to the invalidity of the balancing of interests, the Authority considers that, in connection with the Customer's automatic analysis of the sound recordings, neither the legal basis under Article 6 (1) (f) of the General Data Protection Regulation nor any other legal basis listed in Article 6 (1) of the General Data Protection Regulation exists.

(92) With respect to third parties, the Customer has so far provided neither guarantees, nor information, nor a right to object, so in their regard even the analysis of objective factors other than emotions (words, pauses) is possible only if this activity is performed with appropriate guarantees that satisfy proportionality and necessity. If the Customer wishes to perform an analysis of factors other than emotions, clearly identified in the information provided, it may do so only with guarantees in accordance with the General Data Protection Regulation, and not without limits. One of the great challenges of artificial intelligence is ensuring transparency, which in the present case has completely failed with regard to the data subjects.


(93) With regard to its employees, it is easier for the Customer than with regard to third parties to substantiate the analysis of objective factors other than emotions (words, pauses), since checking the obligations related to performing the customer service position may in certain circumstances - unlike bank account management - require the analysis of customer service sound recordings. Providing information is also easier for employees than for a calling third party who may not even have any legal relationship with the Client. However, the use of new and high-risk technology - as also highlighted in the framework of Hungary's Artificial Intelligence Strategy - can only be carried out in a reliable and people-centered way with very strong guarantees and proper planning. Emptying the rights of the data subject cannot be the goal or the result of development. The determination of the proportionate amount and types of data requires a more thorough and verifiable justification when planning the data processing. If a data controller uses innovative and less known and regulated technology, the expectation is higher than in the case of classic technologies, so enhanced safeguards and careful planning are also needed for it to be applied to monitoring employees. This form of monitoring and profiling - especially for employees - raises a number of legal and ethical issues that the Customer has not identified and not handled during the data processing.

15 See paragraph 72: European Data Protection Board and European Data Protection Supervisor, Joint Opinion 5/2021
Page 1634, "Creating an effective and supportive Hungarian regulatory environment and ethical framework necessary for the operation of AI taking into account the EU legal framework." https://ai-hungary.com/api/v1/companies/15/files/146072/download

(94) Based on the above, the data processing practice of automatically analyzing the customer service voice recordings, in this form, violates Article 5 (1) (a), Article 6 (1) and Article 6 (4) of the General Data Protection Regulation.



III.7. Systemic violation of data subjects' rights

(95) Pursuant to Article 12 (1) of the General Data Protection Regulation, the Customer must provide the data subjects, in a concise and comprehensible manner, with the minimum information necessary to understand the data processing, on the basis of which the data subjects are aware of at least the essential aspects of the data processing. The Customer does not do this either in advance or during callbacks, and those who call customer service by phone cannot guess that their voices are analyzed automatically and cannot reasonably expect to be called back without request because of, inter alia, the tone of their voice. In accordance with Article 24 (1) of the General Data Protection Regulation, given the novel nature of the data processing, the sensitive nature of the data underlying the analysis of emotions and other psycholinguistic analyses, and the other circumstances of the data processing set out above, the Customer should have designed the data processing to ensure the maximum protection of the rights and freedoms of the data subjects, which it clearly did not do. The fact that few complaints have been received about this so far does not confirm that it did not bother the data subjects, but rather that they could not reasonably have known about it, which in itself strongly calls data protection compliance into question.

(96) Pursuant to Article 12 (2) of the General Data Protection Regulation, the Client is obliged to facilitate the exercise of the rights of the data subject. The right to object is a fundamental guarantee, the complete lack of which could in itself, regardless of the other circumstances, have prevented a finding that the legitimate interest takes priority. The existence of a legitimate interest is not sufficient; it must take precedence, which clearly cannot be the case in the absence of adequate guarantees. Given that ensuring the rights of the data subject is a circumstance within the Customer's own sphere of action and is manifestly untrue, this is not a careless mistake; departing so far from the facts, and ignoring for years without substantive review the practical implementation of the theory described in the balancing of interests, can only be intentional.

(97) Pursuant to Article 25 (1) and (2) of the General Data Protection Regulation, the Customer has become obliged

should be assessed before starting automatic sound analysis using artificial intelligence,
whether data management is feasible in the current technical and social context
subject to maximum compliance with data protection rules. The Client's consideration of interest is the reasoning above
Contrary to the statements made in paragraph 4 (vii) and (viii) and the facts
illegal status. Customer knew, or with due diligence
he or she could have known in a way that was possible or not before starting data management
it is possible to inform those concerned and to enforce the rights of protest and other data subjects.
Pursuant to the above and Articles 24 and 25 of the General Data Protection Regulation, the Customer does not presume

it could have decided to start voice analysis data processing in this form.

(98) The Customer introduced the Software in 2017, before the General Data Protection Regulation
became applicable. It is not clear from the text of the impact assessment and the balancing of
interests when they were created by the Customer and whether they were reviewed at any time. A
reference to the General Data Protection Regulation does not in itself indicate a specific date of
creation. The impact assessment is formally appropriate, but its content, as explained in this
decision, does not correspond to reality; the issue of the analysis of emotions is not substantively
addressed, and the Client was clearly aware of these shortcomings at the time of the impact
assessment and at the time of the mandatory regular review during operation, including the review
due to the introduction of the General Data Protection Regulation. This is confirmed by the
statements of the Client presented in this decision.

The system of adequate information in the General Data Protection Regulation serves to ensure that
the data subject is aware of which personal data are processed, by which data controller, for what
purpose and how. This is essential for data subjects to be in a position to exercise their rights in
substance. Where processing is based on Article 6 (1) (f) of the General Data Protection Regulation,
an information requirement applies in accordance with recital 47 of the General Data Protection
Regulation. In addition to the specific information referred to in Article 13 of the General Data
Protection Regulation, it is an additional condition that the reasonable expectation of the data
subject should cover that data processing, that is, the data subject should expect it. In the absence
of adequate information the data subject is not in a position to exercise his or her rights properly,
especially when there is no real possibility to exercise the right to object in substance. As
explained above, the obligation to provide information in the General Data Protection Regulation is
not a mere administrative, “securitization” obligation. Producing a document is not in itself the
fulfillment of the data controller's obligations; it is only a means of recording them. There must be
substantive consideration, decision preparation and decision, and these must be reviewed at the
necessary intervals. When applying a new type of high-risk technology, there is an increased
expectation of both regular and substantive review. Both the preamble and the Articles of the General
Data Protection Regulation define the controller's responsibilities as an obligation to achieve a
result, not just as a specified minimum of administration by the controller. The purpose of the
information is to put the person concerned in an appropriate decision-making position regarding the
exercise of the data subject's rights. No meaningful information about the data processing and the
voice analysis using the Software is available to those who call the Customer's customer service by
phone, or who are called or called back by the Customer's customer service.

(100) In the context of a legitimate interest, it is important to emphasize that it does not serve
to ensure that, where nothing else is possible, the controller may process personal data at any time
and for any reason in accordance with Article 6 (1) (f) in the absence of another applicable legal
basis. Although it seems to be the most flexible legal basis, by using it the controller takes on
significant responsibility, not only for the processing of personal data in the strict sense, but
also by assuming other related guarantee obligations. It is therefore not a question of 'paperwork',
but of a substantive task, a statement which is particularly true
in the case of data processing, where the data controller is in a position of trust and significant dominance

against price participants. Infringement of the rights of the data subject in the absence of appropriate guarantees
the risk is such that the balance of interests is the result of its actual exercise
it can only reasonably be expected that the legitimate interest of the third party will be overridden by the rights of the data subject.

(101) It is very important for data controllers to be aware that it is not the data subjects and not
the Authority that have the task and responsibility, instead of the data controller, of identifying
and justifying the purpose of and the legitimate interest in the data processing in an official
procedure. The data controller must specifically and clearly justify, weigh up and guarantee, at the
level of data and purposes, for what purpose and on the basis of what legitimate interest it intends
to process personal data. These guarantees must ensure, inter alia, that the data subject is aware of
the data processing and is able to object before the processing, since after the processing,
especially in the case of short-term or one-off data processing, the right to object is already
exhausted, and thus this right is in fact not granted to the data subject. In the present case, as
explained above, it can be stated that the predictability and guarantee conditions specified in
recital 47 of the General Data Protection Regulation have not been met at system level due to the
mode of implementation selected by the Customer. The possibility of adequate information and prior
objection cannot be technically ruled out; only the solution chosen by the Customer did not allow it,
of which the Client is aware according to the statements it made during the procedure, presented in
the statement of reasons.

(102) The violation or reduction of the rights of the data subject also means that the right chosen by the Customer is legitimate
in the case of data processing based on the consent of the data subject
the Customer provides worse conditions. In the case of the data subject's consent, the consent of each
for data processing purposes, such as voice recording initiated by the data subject

due to the handling of complaints and the subsequent analysis of the sound recording thus made - a separate reason for rejection
would deserve. Because the recording of the sound is not in the first place with the consent of the data subject, but for the most part
is based on a legal obligation which significantly restricts the freedom of the data subject from the outset
in addition, with respect to further data processing, the Customer shall, at the unilateral discretion of all parties concerned
the removal of the option only exacerbates the already severely restrictive situation. The client
- among other things - he deliberately ignored this obvious fact on paper only
in the sole discretion of its own business, which is contrary to the general rule

with the requirements of the Data Protection Regulation for data controllers.

(103) The systemic violation of the rights of the data subject is also confirmed by the fact that in the
The customer was not able to provide basic information about the data management to the complainant in an understandable way either,
not even by expressly requesting this to be complained about by the complainant on the Customer's website for a single general
sentence which aroused his suspicion (see paragraph 3 (iii) (c) above). The client
nor could he subsequently describe in a way that was comprehensible and specific to the complainant for what purposes, which

data on which legal basis and how it handles in the context of sound analysis are only specific
without making general findings and references in his response to data management
compliance. Customer's defense that no such issue has arisen so far is not
relevant on the one hand because there is no such aspect in the General Data Protection Regulation
on the other hand, the main lack of information of the data subjects so far is the main reason
lack of interest so far. Information under Article 13 of the General Data Protection Regulation
obligation is not infinite, its express purpose is to protect the data controller, in this case the Customer.

the vast majority of information available to data subjects regarding their data processing operations
equalization. If it is a complex and new technology of data management, then this
information dominance is also typically greater than data processing without such characteristics
so the Customer should have paid even more attention to compensating for this. This
however, despite its legal obligation, the Customer has not done so. This in turn supports
that generally does not meet the Customer 's consciously designed system of built - in and
the principle of default privacy.


(104) Based on the above, the Customer's data processing practice of automatically analyzing the
customer service voice recordings, in this form, violates Article 12 (1), Article 24 (1) and
Article 25 (1) and (2) of the General Data Protection Regulation.


III.8. Legal consequences


(105) In accordance with Articles 58 (2) (i) and 83 (2) of the General Data Protection Regulation, the
may impose a data protection fine in place of or in addition to other measures. That's not it
it was doubtful that the general data protection regulation would violate the general data protection law
Article 58 (2) (d) of Regulation (EC) No 1/2003 requires the controller to
bring data management into line with the general data protection regulation. Due to the nature of data management
the Authority set a deadline of 60 days instead of the usual 30 days. In addition, the Authority
in accordance with the applicable case law, the general rule for imposing a fine in such a case is

the aspects listed in Article 83 (2) of the Data Protection Regulation
in the statement of reasons for the decision







(106) As to whether a data protection fine is justified, the Authority considered ex officio all the
circumstances of the case under Article 83 (2) of the General Data Protection Regulation and
Infotv. § 75 / A and found that, in the case of the infringements detected in the present
proceedings, a reprimand under Article 58 (2) (b) of the General Data Protection Regulation is not a
proportionate and dissuasive sanction and a fine should therefore be imposed. Above all, the
Authority took into account that the Client's data processing practices essentially disregarded the
relevant legal obligations in their entirety, without the Client having made any real effort to
ensure the lawfulness of the data processing beyond formal administration. In the present case, in
the light of all the fining circumstances detailed below, the protection of personal data, which is
the task of the Authority, cannot be achieved without imposing a data protection fine. None of the
circumstances under Infotv. § 75 / A exists; the Client does not qualify as a small or medium-sized
enterprise. The imposition of the fine serves both special and general prevention, for which purpose
the decision will also be published on the Authority's website.

(107) In setting the level of the data protection fine, the Authority took the following into
account as mitigating circumstances:

    (i) no direct decision is made with the Software; the results of the artificial intelligence
    are corrected by human review (Article 83 (2) (a) of the General Data Protection Regulation);

    (ii) the Authority has not yet identified a data breach against the Customer (Article 83 (2) (e)
    of the General Data Protection Regulation).


(108) In setting the level of the data protection fine, the Authority took the following into
account as aggravating circumstances:

    (i) The nature of the breach is particularly serious, the case is significant, and the Customer
    has violated several provisions of the General Data Protection Regulation. The largely automated
    data processing, the use of new technology, the societal issues it raises about the challenges of
    the digital age, and the inadequacy of the controller's responses to them make the present case
    significant on a theoretical level as well, beyond the individual assessment. The conduct of the
    data protection authorities in the present case may be decisive in the future for many data
    controllers and many similar data processing operations, which may affect the processing of an
    inestimable amount of personal data of many millions of data subjects in Hungary.
    (Article 83 (2) (a) of the General Data Protection Regulation)

    (ii) The infringement has existed continuously for a longer period of time, from before the
    General Data Protection Regulation became applicable and since its date of application, and
    continues to exist. (Article 83 (2) (a) of the General Data Protection Regulation)

    (iii) Based on the extent of the Client's data processing, its market position and its
    activities in the financial sector, the expectation towards the Client is higher than in the
    case of an average data controller; the number of voice recordings affected by automated data
    processing is 1-1.5 million per year. (Article 83 (2) (a) of the General Data Protection
    Regulation)

    (iv) The data processing activity was performed using new and risky technology. The banking
    sector is a particularly sensitive area, and the responsibility of financial institutions
    towards customers is usually greater compared to data controllers of a similar magnitude but
    operating in a different field. The inadequate use of technology that raises significant
    fundamental rights issues and, in the absence of adequate guarantees, significantly infringes
    the rights of the data subject is fundamentally the opposite of confidence in the financial
    sector. (Article 83 (2) (a) and (d) of the General Data Protection Regulation)

    (v) In the view of both the Authority (footnote 17) and the practice of the European Data
    Protection Board and the European Data Protection Supervisor, analysis of human emotions by
    artificial intelligence is very risky and should, as a general rule, be avoided outside certain
    areas. Significantly stronger guarantees and more meaningful consideration are necessary when
    using such technology than what the Client has demonstrated on the basis of the facts revealed.
    (Article 83 (2) (a) and (d) of the General Data Protection Regulation)

    (vi) The balancing of interests existing only on paper and contrary to the obvious facts, the
    serious, large-scale downgrading and disregard of risks in the Client's internal materials and
    regulations and in its balancing of interests, the complete lack of substantive investigation
    of the impact on the data subjects in advance and during data processing, and the emptying of
    the right to information and the right to object all support the circumvention of data
    protection rules. There must have been at least a possible intention to infringe; the above
    could not have come about accidentally. Based on its statements, the Customer may have known
    that the data processing may be problematic due to the above, but deliberately ignored these
    considerations in making its decisions on the data processing, basing them on a fictitious
    situation and turning a blind eye to reality. (Article 83 (2) (b) of the General Data
    Protection Regulation)

    (vii) The Customer has not done anything about the right to information and the right to object
    because, according to its statements, it considered them impracticable, instead of modifying the
    processing so as to be able to fulfill its obligations under the General Data Protection
    Regulation. (Article 83 (2) (c) of the General Data Protection Regulation)

    (viii) Article 24 (1) of the General Data Protection Regulation prescribes a risk-based approach
    for the Customer, which it did not fulfill in the present case. The recording of the voice
    recordings cannot be avoided by those concerned, in which case their use for any further purpose
    should be judged more strictly. Exclusion from the use of telephone customer service is the only
    alternative offered by the Customer, which is not a real choice for those concerned; moreover,
    even this is questionable for the parties called by the Customer, and in the absence of adequate
    information most of those concerned are not in a decision-making position, which can be traced
    back to a systemic problem that violated the principle under Article 25 of the General Data
    Protection Regulation. Artificial intelligence applied without due care poses orders of
    magnitude greater risk than automated data processing without artificial intelligence, which can
    only be assessed in the strictest way. (Article 83 (2) (d) of the General Data Protection
    Regulation)

    (ix) The regulation governing this specific new technology is still very rudimentary, so this
    should have been considered as an increased risk in the assessment, and, in the absence of
    strong specific guarantees arising from the unregulated nature of this area, the Customer should
    have applied stronger than usual guarantees under the General Data Protection Regulation, but
    did not reach even the average level of guarantees. (Article 83 (2) (d) of the General Data
    Protection Regulation)
    (x) The guarantee effect of the pseudonymisation used was negligible, if only because in
    practice the caller is identified for all employees who access the Software and listen to the
    recordings, as the recorded call always begins with personal identification, and, among other
    things, this obviously untrue circumstance appeared during the balancing of interests as a
    guarantee existing only on paper. (Article 83 (2) (d) of the General Data Protection Regulation)

17 See point 21 of the impact assessment list published under Article 35 (4) of the General Data
Protection Regulation: https://www.naih.hu/hatasvizsgalati-lista

    (xi) The data processing involved the recording and analysis of personal data such as the
    emotional state and the voice of the person concerned and obscene vocabulary, which touch more
    deeply on the privacy of data subjects than technical or contact data, so their processing
    requires priority attention. (Article 83 (2) (g) of the General Data Protection Regulation)

    (xii) The Authority became aware of the data processing only from a complaint in the History
    Case; the delayed acquisition of knowledge of the Customer's data processing in the present
    proceedings was due to the Customer's omission detailed in paragraph 51 above.
    (Article 83 (2) (h) of the General Data Protection Regulation)

    (xiii) The Client's total annual net sales in 2020 were HUF 81,002,000,000, therefore a small
    fine would have no punitive or deterrent effect, either individually or in general terms.
    (Article 83 (2) (k) of the General Data Protection Regulation)

    (xiv) The Customer uses the data processing specifically for indirect profit-making purposes,
    in order to reduce internal costs and make a profit by retaining customers, and unlawfully
    subordinated to this every other aspect that must be taken into account by law.
    (Article 83 (2) (k) of the General Data Protection Regulation)

(109) In view of the above, the Authority considered that, in all the circumstances of the case, the
imposition of the data protection fine of EUR 1 000 000 set out in the operative part was
proportionate and deterrent.


IV. Other issues


(110) According to Section 38 (2) of the Infotv., the task of the Authority is to monitor and
facilitate the enforcement of the right to the protection of personal data and of the right of
access to data of public interest and data public in the public interest, and to facilitate the free
movement of personal data within the European Union. Pursuant to Section 38 (2a) of the Infotv., the
responsibilities and powers laid down for the supervisory authority in the General Data Protection
Regulation are exercised in respect of Hungary by the Authority, as defined in the General Data
Protection Regulation and by law. The jurisdiction of the Authority covers the whole territory of
Hungary.

(111) Pursuant to Section 112 (1), Section 114 (1) and Section 116 (1) of the Ákr., there is an
administrative remedy against the decision.

                                                * * *


(112) The rules of administrative litigation are laid down in Act I of 2017 on the Procedure of
Administrative Litigation (hereinafter: Kp.). Pursuant to Section 12 (1) of the Kp., an
administrative lawsuit against the decision of the Authority falls within the jurisdiction of the
court, and pursuant to Section 13 (3) a) point (aa) of the Kp., the Metropolitan Court has exclusive
jurisdiction. According to Section 27 (1) of the Kp., legal representation is mandatory in
administrative proceedings before the tribunal. According to Section 39 (6) of the Kp., the
submission of the application has no suspensive effect on the entry into force of the
administrative act.


(113) Pursuant to Section 9 (1) (b) of Act CCXXII of 2015 on the general rules of electronic
administration and trust services, applicable under Section 29 (1) of the Kp. and, with regard to
this, Section 604 of Act CXXX of 2016 on Civil Procedure, the Client's legal representative is
obliged to communicate electronically. The time and place of lodging the application are determined
by Section 39 (1) of the Kp. The information on the possibility of a request for a hearing is based
on Section 77 (1) - (2) of the Kp.

(114) The amount of the fee for an administrative action is determined by Section 45 / A (1) of
Act XCIII of 1990 on Fees (hereinafter: Itv.). Section 59 (1) and Section 62 (1) (h) of the Itv.
release the party instituting the proceedings from the advance payment of the fee.


(115) If the Client does not adequately demonstrate compliance with the required obligations, the
Authority will consider that it has not fulfilled its obligations within the time allowed. According
to Section 132 of the Ákr., if the Customer has not complied with the obligation contained in the
final decision of the Authority, the decision is enforceable. Pursuant to Section 82 (1) of the Ákr.,
the Authority's decision becomes final with the communication. Pursuant to Section 133 of the Ákr.,
enforcement, unless otherwise provided by law or government decree, is ordered by the
decision-making authority. Pursuant to Section 134 of the Ákr., enforcement, unless otherwise
provided by law, a government decree or, in the case of a municipal authority, a local government
decree, is carried out by the state tax authority. Pursuant to Section 61 (7) of the Infotv., the
Authority itself implements the enforcement of the decision in respect of the obligation contained
in the Authority's decision to perform a specific act, to behave in a specific manner, or to
tolerate or discontinue.

Budapest, February 8, 2022







                                                                   Dr. Attila Péterfalvi
                                                                         President

                                                                   c. university professor