Latest revision as of 09:33, 19 June 2024
NAIH - NAIH 6737 1/2024 | |
---|---|
Authority: | NAIH (Hungary) |
Jurisdiction: | Hungary |
Relevant Law: | Article 5(1)(a) GDPR; Article 13(1) GDPR; Article 13(2) GDPR; 2012. évi CLIX. törvény a postai szolgáltatásokról (Act CLIX of 2012 on Postal Services) |
Type: | Complaint |
Outcome: | Upheld |
Started: | 29.12.2021 |
Decided: | 29.04.2024 |
Published: | |
Fine: | 5,000,000 HUF |
Parties: | n/a |
National Case Number/Name: | NAIH 6737 1/2024 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Hungarian |
Original Source: | NAIH (in HU) |
Initial Contributor: | lm |
The DPA fined a postal service €12,680 (HUF 5 million) for adding unsolicited content to its delivery updates. While a customer satisfaction questionnaire did not require a separate legal basis, the inclusion of direct marketing information did.
English Summary
Facts
On 29 December 2021, a data subject filed a complaint with the Hungarian DPA (NAIH) against a mail delivery service (the controller). As part of its services, the controller corresponds with mail recipients via email and mobile notifications to update the status of a parcel’s delivery. The data subject, who was the recipient of a package delivered by the controller, alleged that in addition to these messages the controller also sent them two emails in November and December 2021 noting that the delivery had been completed. The emails also contained a questionnaire for feedback and a marketing offer. The data subject claimed that these two additional types of content had no legal basis. The data subject also claimed that the controller had failed to facilitate the data subject’s rights in response to a complaint it sent to the controller in November 2021.
The controller provides postal services on the basis of Act CLIX of 2012 on Postal Services (Postal Act) and the General Terms and Conditions of Business (GTC) adopted by the National Media and Infocommunications Authority. Under the Postal Act, the recipient of a delivery must be informed of the delivery by electronic message.
In its reply brief, the controller argued that given the Postal Act’s legal requirements, it must provide data subjects with information on the status of their delivery and it is thus not possible to unsubscribe from status messages with such information. The contested follow-up email, the controller argued, was a part of these permitted notifications. The purpose of the processing was to send the data subject a notification of the entire delivery process, and its legal basis was necessity of contract to ensure the recipient received the parcel. Neither the survey nor the marketing content, the controller argued, constituted a separate processing because they were merely added to the delivery notification message rather than being sent to the data subject separately.
With regard to the data subject’s letter to the controller, the controller stated that it did not detect the email due to an IT system issue. The controller also argued that the letter was framed only as a general complaint and did not constitute an exercise of any rights under Articles 15-21 GDPR. It cited a previous NAIH decision in which the DPA stated that applicants must rely on ‘grounds relating to their own situation’ in objecting, noting that the data subject did not do so here.
Holding
The NAIH found that the controller violated Articles 5(1)(a) as well as 13(1) and (2) GDPR. It issued a fine of about €12,680 (HUF 5,000,000).
The NAIH considered whether the controller’s legal basis extended to the survey and marketing content in the email. In the case of the survey, it found there was no need for a separate legal basis as there was a close link between the original and further processing purposes, both of which are focused on the efficacious provision of its services. It also noted no adverse effects on the data subject’s privacy, as both additional messages could have been ignored. With regard to the marketing information, on the other hand, the NAIH found that it was not directly related to the performance of the contract and sending of status-related messages. Instead, it was an independent direct marketing communication to promote the use of its services. Thus, this processing required its own legal basis, and the NAIH prohibited the controller from processing the data subject’s information for direct marketing purposes on the basis of Article 6(1)(b) GDPR. In addition, the controller failed to mention processing for direct marketing purposes in its privacy notice in violation of Article 13 GDPR.
Another Article 13 violation resulted from the message at the bottom of the controller’s email. This concerned an email received by the NAIH as part of the investigation, not an email sent to the data subject, which stated that “under a statutory obligation, [we] will provide you with electronic tracking of your mail.” The NAIH found that the controller is not legally obliged to email the data subject to ask for an evaluation of the service or to send marketing content. Indeed, no part of that email fulfils the purpose of electronic tracking, as the notification is of a completed service. Thus, the NAIH ordered the controller to modify this information in its emails.
With regard to the data subject’s complaint to the controller in November 2021, the NAIH found that the data subject’s letter to the controller was not a request to exercise their rights under Articles 15-21 GDPR. Thus, the NAIH concluded that the controller did not infringe the data subject’s rights. Nonetheless, even if the submission was not a request to exercise their rights, the NAIH said that the controller must establish a procedure so that technical issues do not prevent it from responding to privacy-related correspondence.
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
(81) In the present case, the Applicant complained that on 22 November and 21 December 2021, the Respondent sent it an e-mail with the subject [...], which, in its view, contained direct marketing content, for which it had no legal basis, and that the sending of the e-mail was also a general breach of the General Data Protection Regulation.
(82) Taking into account the dates of the two letters received by the Applicant, the Authority examined the legality of the letters sent during this period from a data protection perspective. Changes after that period, such as the changes in the wording and subject matter of the letters of [...] referred to by the Respondent, implemented and planned as of 27 January 2022, changes in the legal basis for the processing, can be taken into account in the consequences and the implementation of the Decision.
(83) Article 5 of the General Data Protection Regulation sets out the main principles which must be taken into account when processing personal data and which must be applied at all times during the processing. It follows from the requirement of accountability under Article 5(2) of the GDPR that the controller is responsible for compliance with the data protection principles and must be able to demonstrate such compliance. On this basis, the controller must document and record the processing in such a way that its lawfulness can be demonstrated a posteriori.
(84) According to the principles of lawfulness, fairness and transparency as set out in Article 5(1)(a) of the General Data Protection Regulation, personal data must be processed fairly and lawfully and in a transparent manner for the data subject.
(85) According to the purpose limitation principle of Article 5(1)(b) of the GDPR, personal data may only be processed for specified, explicit and legitimate purposes.
(86) A further requirement for the lawfulness of processing is that the processing may be based on a legal ground within the meaning of Article 6(1) of the General Data Protection Regulation.
(87) According to the defendant's declarations to the Authority, the primary purpose of the [...] e-mail is for the defendant to provide feedback to the addressee on the successful delivery or to provide information on the progress of the delivery of the product by means of status messages, which is an obligation under the Postal Act. According to its declaration, the legal basis for the processing of data in this context is the contractual legal basis pursuant to Article 6(1)(b) of the General Data Protection Regulation. In addition to the request to fill in a questionnaire to ascertain customer satisfaction, the purpose of sending the e-mail is also to provide information on [...], which the applicant objects to and which, in its view, contains marketing content. In the Respondent's view, this is not a specific marketing offer, but a permanent opportunity for any data subject and, like the request to fill in a customer satisfaction questionnaire, the information on [...] does not constitute separate processing. According to the Respondent, this is because the Respondent does not use the e-mail addresses separately for this other processing purpose, but adds a new content to the e-mail containing the status messages sent pursuant to Article 6(1)(b) of the GDPR.
(88) In the case of this e-mail, the Respondent considers that, on the basis of Article 6(4) of the General Data Protection Regulation, the use of the information about [...] as a message or e-mail address for other purposes, as well as the request to fill in a questionnaire to find out about customer satisfaction, is compatible with the original purpose of the information about the delivery and its process. Therefore, the information of [...] on [...] is not a separate processing and cannot be considered, for example, as a newsletter or marketing message. In view of the fact that the Respondent is subject to the Postal Act and the GTC has undertaken, subject to its provisions, to provide data subjects with information on the status of the delivery in order to ensure the traceability of the postal item, it is therefore not possible to unsubscribe from the status message including information on [...], as this is part of the provision of the service and the contractual information. The Respondent, having reviewed its processing in the light of the Authority's present procedure, and having, inter alia, carried out an examination of the criteria under Article 6(4) of the GDPR, the results of which have been made available to the Authority, concluded that the information about [...] as another purpose of sending the e-mail is compatible with the original purpose of the processing (sending a status message about the delivery process) and that, therefore, in view of recital 50 of the GDPR, there is no need to invoke Article 6(4) of the GDPR. (1)(b), on a separate legal basis other than the legal basis under paragraph 1(b).
(89) However, contrary to these declarations, the data processing information sent by the Respondent on 22 November and 21 December 2021, the date of sending the emails to the Respondent, was prepared in 2016, published by the Respondent on its website in September 2016, and according to which the legal basis for data processing was the data subject's consent under the then applicable Infotv.
(90) The Authority cannot make any findings on the compliance of the legal basis under the GDPR prior to the date of application of the General Data Protection Regulation and the 2016 Data Protection Notice with the General Data Protection Regulation in the present DPA procedure, but it should be noted that recital 171 of the General Data Protection Regulation provides that processing that started before the date of application of the General Data Protection Regulation, i.e. 25 May 2018, must be brought into compliance with the General Data Protection Regulation within two years of the date of entry into force of the General Data Protection Regulation, i.e. 25 May 2016.
(91) On this basis, the Respondent should have brought the data processing at issue in the present case into compliance with the General Data Protection Regulation, which was not fully done.
(92) Although the Respondent indicated the legal basis for its processing in its declaration, Article 6(1)(b) of the GDPR, the actual application of this legal basis was not supported by any document. The information notice on data processing in force on 22 November and 21 December 2021, the date of sending the emails to the Applicant and published on the Applicant's website, contained the legal basis for consent under the GDPR in relation to the letters of [...], the whole of the information notice itself being based on the rules of the GDPR. Moreover, the GTC also cited by the Respondent does not support the actual application of the legal basis under Article 6(1)(b) of the GDPR. In addition, Clauses 6.3.1, 6.3.2 of the GTCs provide for system messages which the Respondent receives and are therefore not relevant to the present case, while Clause 9.2 of the GTCs provides that "the arrival of the shipment and the possibility of receipt will be notified to the Customer or the Recipient by means of an automatic system message sent by SMS to the mobile phone number, in which the Customer or the Recipient will receive the code to open the compartment." Nor does it follow from this provision that the Respondent has processed the personal data of the Applicant - and other data subjects - on a legal basis corresponding to its declaration. Moreover, this provision of the GTC does not cover the processing of e-mail addresses. The fact that subsequently, as a result of the Authority's present procedure, the Applicant has amended its privacy notice, which it itself acknowledged was inadequate and needed to be amended, to bring it into conformity with its declaration and to set out Article 6(1)(b) of the GDPR as the legal basis for the processing, does not affect the legal assessment of its processing in the period prior to that date.
(93) Consequently, the Authority is of the opinion that the Respondent decided to change the legal basis for the processing as a result of the procedure, by changing the consent under the Infotv. to the legal basis under Article 6(1)(b) of the GDPR.
(94) According to the principles of lawfulness, fairness and transparency as set out in Article 5(1)(a) of the GDPR, lawfulness presupposes in the first place the existence of an adequate legal basis, i.e. the processing must be based on the data subject's consent or have another legal basis laid down in the GDPR, including the need to comply with legal obligations to which the controller is subject, the performance of a contract by the data subject and the steps to be taken prior to that performance. The requirement of transparency is closely linked to the requirement of lawfulness, in that the process and documentation of the processing should be made known to the outside world. Communication between the controller and the data subject is ensured, the data subject is informed of all material aspects of the processing and receives this information in an intelligible, simple and meaningful way. Effective and complete information is an essential element of transparency and a threshold condition for the enforcement of the data subject's rights. The General Data Protection Regulation favours written information. The principle of transparency requires that information relating to the processing of personal data is easily accessible and comprehensible, and that it is drafted in clear and plain language. This principle applies in particular to the provision of information to data subjects about the identity of the controller and the purposes of the processing. The principle of transparency is also part of and a prerequisite for the enforceability of accountability. Data controllers must inform data subjects and the public that data will be processed lawfully and transparently and must be able to demonstrate that processing operations comply with the General Data Protection Regulation. In the context of Internet services, the features of the data processing systems should allow data subjects to really know what happens to their personal data.
(95) According to the above, the Authority cannot examine the adequacy of the legal basis for consent under the Infotv. and the 2016 data management prospectus in the present proceedings, but it can be concluded that, contrary to the statements, the 2016 data management prospectus does indeed include the sending of system messages related to services as a processing purpose in point 4.1, but according to the prospectus, the data subject's consent was the legal basis for processing during this period. This point of the Prospectus also includes the sending of a questionnaire to measure user satisfaction as a processing purpose, but not as a processing purpose compatible with the status message. However, information on [...] is not included in the prospectus. Article 6(1)(b) of the General Data Protection Regulation is not the legal basis for any of the processing operations mentioned and described in the prospectus. In addition, the bottom of the two e-mails sent to the Applicant states that the letter was sent by the Applicant pursuant to Section 54(2)(a) of the Postal Act. Therefore, the lawfulness of the legal basis for the processing cannot be established, nor can it be established that the processing complies with the General Data Protection Regulation.
(96) In view of the above and the fact that the Respondent did not bring its processing into compliance with the General Data Protection Regulation during the period under examination, it cannot be established that the processing under examination in the present procedure was based on an appropriate legal basis and, consequently, the Authority concludes that the Respondent has infringed Article 5. However, as the Authority cannot examine the lawfulness of consents obtained prior to the GDPR in the present procedure and as the legal basis used by the Respondent is not clear, it cannot conclude that there is a clear lack of a legal basis for the processing. Consequently, the Authority rejects the Applicant's request that the Authority should order the Respondent to destroy the data which, in the Applicant's view, were unlawfully processed.
(97) It follows from the above that the Respondent did not provide information on the processing in accordance with the General Data Protection Regulation, which the Respondent confirmed by acknowledging that the information notice needs to be amended.
(98) The right to prior information under Article 13 of the General Data Protection Regulation requires data controllers to provide data subjects with adequate information about the way and circumstances in which their personal data are processed. This right is intended to make data subjects aware that the controller intends to process personal data relating to them. On the other hand, it enables data subjects to assess the potential impact of the envisaged processing on their privacy and the other risks and dangers involved. Finally, the information provided will enable individuals to exercise their right to informational self-determination. The primary purpose of the right to prior information is to enforce the principle of transparency. It is through this right that data subjects can find out about the envisaged processing. However, it is also closely linked to the requirement of due process and the principle of accountability. Article 13(1) to (2) of the General Data Protection Regulation contains the information that controllers must provide to data subjects. Considering that the information notice for the period under examination was based on the information under the Infotv. in force in 2016, including the information on the legal basis under the Infotv. at that time, it can be concluded that the Respondent failed to provide information in accordance with the General Data Protection Regulation, in breach of Article 13(1) to (2) of the General Data Protection Regulation.
(99) However, the Authority is of the view that all the purposes of processing indicated in the Applicant's statement - and partly in its 2016 privacy policy - are legitimate, i.e. the legitimate purpose of the Applicant to use the name and email address of the data subject to inform about the status of the delivery of the ordered product, to request feedback in the form of a questionnaire on the quality of service and to inform data subjects about the so-called [...] as a discount.
(100) The Authority also considers it acceptable for the future that the Respondent should base the processing of the contested processing operations related to status messages on a legal basis under Article 6(1)(b) of the General Data Protection Regulation.
(101) The contractual legal basis is applicable because recipients are also covered by the provisions of the General Terms and Conditions applied by the Respondent, for example, the provisions on the receipt and return of mail. According to the Respondent's declaration, the focus of its service is on the addressees, pursuant to Clause 4 of the GTC, according to which the Respondent undertakes to deliver the consignments ordered by the addressee, to organise the delivery and to deliver the parcel to the addressee. The sending of e-mails for the traceability of the postal consignment is necessary for the contractual performance of both the service provided by the Respondent and the contract between the online shop and the addressee, and for the Respondent to fulfil its obligations to the addressee under the GTC. In the Authority's view, the processing provides the data subject with information in the context of the performance of the main subject matter of the contract, the receipt of the goods, which directly affects the performance of the specific contract and the data subject can reasonably expect the processing to take place, and the GTC expressly so provide, so that the contractual legal basis applies to this processing.
(102) In the context of the request to fill in a questionnaire on customer satisfaction and the related processing, it should be noted that the use of personal data - name, e-mail address - for these other purposes - so-called further processing - is not in accordance with the general 25 However, the Respondent is not legally obliged to send an e-mail inviting the Respondent to evaluate the service and to fill in a questionnaire, and this particular letter does not serve the purpose of electronic tracking of the mailing, therefore the information contained in the letter is incorrect. In view of this, it is necessary to modify the e-mails of [...] and the information contained in the e-mails. (108) With regard to the information on [...] and the processing of data subjects' names and e-mail addresses for this purpose, the Authority has also reviewed the assessment of the criteria set out by the data subject under Article 6(4) of the General Data Protection Regulation. On this basis, the Authority is of the view that, in view of the fact that with [...] the data subject can also send a package at a discount via the Respondent's network, the information about [...] - contrary to the Respondent's view, an information aimed at promoting the Respondent's service - therefore constitutes economic advertising within the meaning of the General Data Protection Regulation. Article 3(d). 
In the Authority's view, this message is not directly related to the performance of the contract and the sending of the related status messages, the original purpose of the processing, but is an additional, independent and not strictly related, direct marketing communication - and use of personal data - to promote the use of the service of the Applicant, which, on the basis of the information available on the Applicant's website, the data subject may receive not (only) in relation to the performance of the service, but through three other means: by registration, as a registered member by inviting friends and acquaintances and as a registered member during special promotions organised by the Respondent. Consequently, the purpose of the processing of the personal data processed in relation to [...] is therefore separate from the information on delivery, which also serves the performance of the contract, and is not compatible with the processing purpose of the information on delivery as a separate processing for direct marketing purposes. Moreover, in the context of the contractual legal basis, the provision of the service is the main subject matter of the contract, the data subject reasonably expects that his data will be processed in this context, so that the contractual legal basis is only applicable to the use of the service, not to the sending of commercial communications.

(109) Given that the communication of information about [...] as a direct marketing communication is incompatible with the original purpose of the processing, the Respondent must have a legal basis to send such messages.

(110) Although according to the Respondent, the processing of the information on [...]
has a negligible impact on the data subject and also benefits the data subject, the Authority is of the view that the provisions on processing other than for the purpose of the information should not apply to the Respondent, but that this processing can be carried out on the basis of a proper legal basis by means of a separate, independent processing purpose.

(111) Moreover, the data processing related to the information about [...] is not, as in the period under review, currently included in the privacy notice as a letter with direct marketing content, no information about it is visible or known to the data subjects. In view of this, it is necessary to amend the data management information of the Respondent.

(112) In view of this, the Applicant is prohibited by Article 6(1)(b) of the General Data Protection Regulation from processing the name and e-mail address of the Applicant in the context of the provision of information on [...], and the Authority therefore prohibits the processing of this personal data of the Applicant by the Applicant on this legal basis.

IV.2. The Applicant's complaint to the Respondent

(113) The Applicant also objected to the fact that the Respondent did not reply to the request for information submitted by the Applicant on 22 November 2021 at 12:13 pm, in response to a complaint sent by a contact person to the email address [...].

(114) In this letter, the Applicant objected to the [...] letters, as in its view the letters contained unsolicited direct marketing content and it did not consent to the sending of such letters, and in its view the Applicant did not even provide the opportunity to unsubscribe. In its complaint, the Applicant also complained that the [...] letter was also contrary to the legal provision referred to in the letter. For all these reasons, the Applicant requested that the Respondent cease its mailing practices which it considered to be unlawful.
(115) According to the Respondent's statement, due to a configuration error in its IT system, it did not detect the emails sent to the email address [...], including the specific request of the Applicant. However, the Respondent's position with regard to the Applicant's letter of 22 November 2021 is that it does not constitute an exercise of a right of the data subject within the meaning of Articles 15 to 21 of the General Data Protection Regulation in that the data subject did not indicate any rights that he or she wished to exercise against the Respondent.

(116) According to the Respondent's declaration, the Applicant did not request access to its personal data, did not request their rectification, erasure or restriction, nor did it submit a request for data portability. The Applicant's request can at most be considered as an exercise of the right to object, but its letter as a whole shows that it is in fact complaining about the alleged failure of the Respondent to comply with its obligations as data controller under Articles 5-6 of the General Data Protection Regulation. However, the Applicant has not put forward the 'grounds relating to its own situation' as required by Article 21(1) of the GDPR and the Authority's case law as a condition for this exercise of the data subject's rights.

(117) The Authority, having reviewed the letter of the Applicant, found that it objected to the general practices of the Applicant, as stated by the Respondent, and that it challenged the Applicant's failure to comply with its obligations as data controller, without seeking to enforce any specific data subject rights under Articles 15-21 of the GDPR.

(118) Therefore, the Authority concludes that the Respondent has not infringed the Applicant's right to be heard and rejects this part of the application.
(119) However, the Authority draws the Respondent's attention to the fact that even if the submission made by the Respondent was not a request to exercise the right of data subjects under Articles 15-21 of the GDPR, the Respondent must establish a procedure so that a configuration error does not prevent it from responding to other privacy-related correspondence. The Authority therefore considers it appropriate that, as a result of the present procedure, the Respondent has reviewed the process and procedures for the management of the [...] e-mail address and account, as a result of which it has discontinued this e-mail account and will in future receive requests from data subjects in relation to its processing through the customer service form and the Respondent's central e-mail address [...].

(120) In addition, the Authority considers it an appropriate measure that the Respondent, by 25 February 2022, replied to the Complainant's complaint, a copy of which was also sent to the Authority to demonstrate that it had fulfilled its obligation to reply to the Complainant on a non-concerned legal matter.

V. Internation of the researchs

(121) The Authority has found, on the basis of Article 58(2)(b) of the GDPR, that the Respondent used the name and e-mail address of the Respondent and other data subjects in the period under investigation in breach of Article 5(1)(a) of the GDPR, in violation of the principles of legality, fairness and transparency, in the context of the [...] to send status messages in connection with correspondence and to measure customer satisfaction and to provide information about [...].

(122) The Authority also found, on the basis of Article 58(2)(b) of the GDPR, that the Respondent had infringed Article 13(1) to (2) of the GDPR by failing to provide adequate information on its processing to the Respondent and to other data subjects.
(123) The Authority has instructed the Respondent, pursuant to Article 58(2)(d) of the General Data Protection Regulation, to base its processing of data relating to [...] on an appropriate legal basis and to provide appropriate information to data subjects about its processing. The Authority also prohibited the processing of the name and e-mail address of the applicant and other data subjects in connection with the provision of information on [...], in the absence of a legal basis.

(124) The Authority has assessed whether it is justified to impose a data protection fine on the Applicant. In this context, the Authority has considered all the circumstances of the case on the basis of Article 83(2) of the GDPR and Article 75/A of the InfoPrivacy Act and concluded that, in the case of the infringements found in the present procedure, a warning is neither proportionate nor a dissuasive sanction and therefore a fine is necessary. The Authority imposed the data protection fine specifically on the Applicant - Respondent, but not on other data subjects.

(125) In determining the amount of the fine, the Authority first of all took into account that the infringements committed by the Respondent constitute infringements falling under the higher category of fines pursuant to Article 83(5)(b) of the GDPR.

(126) In determining the amount of the fine, the Authority took into account as aggravating circumstances that

- the use of personal data in violation of the principles of legality, fairness and transparency, involving between 35,000 and 210,000 natural persons per month, taking into account the data provided by the Respondent, for the period between the fourth quarter of 2021 and February 2022. If only the two thresholds are taken as a basis, the Authority estimates that the total number of natural persons concerned during the period under examination, i.e.
from the introduction of the processing in the fourth quarter of 2021 until 27 January 2022, ranges from 175,000 to 1,050,000, i.e. a large number of natural persons [Article 83(2)(a) of the GDPR];

- this unlawful processing by the Respondent is systemic, since, according to the statements and evidence submitted by the Respondent, it did not only concern the Respondent as an isolated case, but was a general processing practice [Article 83(2)(a) of the GDPR];

- the core business of the Respondent described above includes data management, which it carries out on a large scale on a daily basis. On its website3 it has installed more than 1,000 parcel machines and delivered more than 20 million parcels in the 8 years since it started providing its service. Consequently, it can be expected that the Respondent carries out the processing activities at issue in this case with adequate knowledge of data protection and in compliance with data protection requirements [Article 83(2)(a) and (k) of the General Data Protection Regulation].

3 [...]

(127) In determining the amount of the fine, the Authority took into account as mitigating circumstances that

- no special categories of data are processed [Article 83 of the General Data Protection Regulation (2)(a)];

- the infringements committed by the Respondent resulted from its negligence, its failure to carry out the necessary review of the processing in the light of the application of the General Data Protection Regulation and its misclassification of the processing in the context of the information on [...]
[Article 83(2)(b) of the General Data Protection Regulation];

- the Respondent has not yet been sanctioned for breach of the General Data Protection Regulation and no further complaints have been received in relation to this processing following the sending of the million emails [Article 83(2) of the General Data Protection Regulation point (e)];

- the Respondent has reviewed its processing of the data at issue in the present case during the procedure [Article 83(2)(f) of the GDPR];

- as a result of the procedure, the Respondent has taken measures to ensure lawful processing and has amended the title and content of the [...] letters and has amended its privacy notice [Article 83(2)(f) GDPR];

- the Authority has significantly exceeded the time limit for its administration [General Data Protection Regulation Article 83(2)(k)].

(128) The Authority did not consider Article 83(2)(c), (d), (g), (h), (i) and (j) of the General Data Protection Regulation relevant in determining the data protection fine imposed on the (j), as they cannot be interpreted in the context of this case.

(129) The Respondent's net sales revenue for 2022 was in the order of HUF 4,200 million, so the data protection fine imposed is remote compared to the maximum fine that can be imposed.

VI. Other issues:

(130) The competence of the Authority is defined in Paragraphs (2) and (2a) of Article 38 of the Infot Act, and its competence extends to the whole territory of the country.

(131) The Authority's present decision is based on Articles 80-81 of the General Civil Code and Article 61(1) of the Information Act. The decision becomes final upon notification pursuant to Article 82(1) of the General Civil Code. Pursuant to § 112 and § 116(1) and (4)(d) and § 114(1) of the General Civil Procedure Code, the decision may be appealed against by means of an administrative procedure.
* * *

(132) According to Section 135 of the General Civil Code, the debtor is liable to pay default interest at the statutory rate if he fails to pay the money on time.

(133) Pursuant to Section 6:48 (1) of Act V of 2013 on the Civil Code, in the event of a default in the payment of money, the debtor shall pay interest on arrears at the base rate of the central bank in force on the first day of the calendar half-year in which the default occurred, starting from the date of default.

(134) The rules of administrative proceedings are set out in Act I of 2017 on the Code of Administrative Procedure (hereinafter referred to as the "Code"). The Kp. Pursuant to Section 12 (1) of the Administrative Procedure Act, administrative proceedings against a decision of the Authority fall within the jurisdiction of the courts. Article 13 (3) a) point (aa), the Metropolitan Court of Budapest shall have exclusive jurisdiction. Article 27. (1) legal representation is mandatory in disputes over which the court has exclusive jurisdiction, in accordance with paragraph 1(b). In the case of a court of law with jurisdiction in the case of a court of law, the legal representation shall be limited to the court of law. According to Article 39(6), the filing of a statement of claim does not have suspensory effect on the effectiveness of the administrative act.

(135) Pursuant to Section 29 (1) of the Code of Civil Procedure and, with regard to this, Section 604 of Act CXXX of 2016 on the Code of Civil Procedure, applicable pursuant to Section 9 (1) b) of the Act on the Protection of the Client's Rights in Civil Matters, the legal representative of the client is obliged to communicate electronically.

(136) The time and place for lodging the application shall be determined by the Kp. Article 39(1). Information on the possibility of requesting a hearing is given in the notice of the Court of First Instance of the European Communities, Kp. 77(1) to (2).
(137) The amount of the fee for administrative proceedings is determined by Section 45/A (1) of Act XCIII of 1990 on Fees (hereinafter: Itv.). Exemption from the advance payment of the fee is provided for in the provisions of the Act. Article 59(1) and Article 62(1)(h) of the Act exempts the party initiating the proceedings from the payment of the fee.

(138) If the Applicant fails to provide adequate proof of the fulfilment of the obligations and the obligation to pay the money, the Authority will consider that the Applicant has failed to fulfil its obligations within the time limit. Pursuant to Article 132 of the General Tax Code, if the Applicant has not complied with the obligations contained in the Authority's final decision, the latter is enforceable. The Authority's decision is based on Article 82 of the General Civil Code. (1) shall become final upon notification. Pursuant to Section 133 of the General Administrative Procedure Act, enforcement is ordered by the authority issuing the decision, unless otherwise provided by law or government decree. Pursuant to Section 134 of the General Tax Code, enforcement is ordered by the State Tax Authority, unless otherwise provided by law, government decree or local government ordinance in a municipal authority case. Pursuant to Section 61(7) of the Information Act, the enforcement of a decision to perform a specific act, to engage in a specific conduct, to tolerate or to cease a specific conduct, as contained in a decision of the Authority, is carried out by the Authority.

(139) In the course of the procedure, the Authority exceeded the one hundred and fifty-day time limit for the administration of the case pursuant to Section 60/A (1) of the Infotv., and therefore, pursuant to Section 51 (b) of the General Administrative Procedure Act, it shall pay the Applicant HUF 10,000 by bank transfer or postal order, at the Applicant's option.

Budapest, 29 April 2024.

Dr habil. Attila Péterfalvi
President
c. university professor