NAIH (Hungary) - NAIH-3932-5/2024: Difference between revisions

From GDPRhub
No edit summary
 
(3 intermediate revisions by one other user not shown)
Line 71: Line 71:
}}
}}


The DPA fined Aldi HUF 80,000,000 (€203,811) in connection to its age verification practices when selling alcohol. It found that data subjects could not easily access the privacy policy and that they could be asked for an ID when there was a doubt they could be under 18.
The DPA fined Aldi HUF 80,000,000 (€204,000) in connection to its age verification practices when selling alcohol. It found that data subjects could not easily access information and that they could not be asked for an ID when there was no doubt they were over 18.


== English Summary ==
== English Summary ==
Line 78: Line 78:
The controller, a supermarket company, conducted verifications about the age of customers wanting to buy alcoholic beverages. In addition to asking for an ID card, in some shops the controller also recorded the date of birth of the data subjects, while in other shops it did not.
The controller, a supermarket company, conducted verifications about the age of customers wanting to buy alcoholic beverages. In addition to asking for an ID card, in some shops the controller also recorded the date of birth of the data subjects, while in other shops it did not.


Moreover, a 70-year-old data subject complained that they were asked for an ID even if it was evident that they were not under 18.
Moreover, another complaint concerned the fact that the controller asked elderly data subjects for an ID, even though it was evident that they were not under 18.


Finally, according to the data subjects, the privacy policy was not provided to them. Therefore, they could not know which was the legal basis and the duration of the processing.
Finally, according to the data subjects, no information under [[Article 13 GDPR]] was not provided to them. Therefore, they could not know which was the legal basis and the duration of the processing.


For these reasons, several data subjects filed a complaint with the DPA.
For these reasons, several data subjects filed a complaint with the DPA.


=== Holding ===
=== Holding ===
First, the DPA found that the data subjects were not able to have sufficient information about the processing at hand, since no sign was put in the controller’s shops. Moreover, the employees of the controller were not able to provide more information or indicate where to find the privacy policy. Furthermore, the DPA noted that the practices varied within the stores.
First, the DPA found that the data subjects were not able to have sufficient information about the processing at hand, since no sign was put in the controller’s shops. Moreover, the staff were not able to provide more information or to inform the data subjects where to find more information about the data processing. Furthermore, the DPA noted that the practices varied between the stores.


Therefore, the DPA held that the information provided by the controller was insufficient, not easily accessible and not transparent and found a violation of [[Article 5 GDPR#1a|Article 5(1)(a)]], [[Article 12 GDPR#1|12(1)]], [[Article 13 GDPR#1|13(1)]] and [[Article 13 GDPR#2|13(2) GDPR]].
Therefore, the DPA held that the information provided by the controller was insufficient, not easily accessible and not transparent. As a consequence, it found a violation of [[Article 5 GDPR#1a|Article 5(1)(a)]], [[Article 12 GDPR#1|12(1)]], [[Article 13 GDPR#1|13(1)]] and [[Article 13 GDPR#2|13(2) GDPR]].


Secondly, the DPA noted that Article 16/A(4) of the Consumer Protection Act of 1997 (''[https://njt.hu/jogszabaly/1997-155-00-00.44 1997. évi CLV. Törvény a fogyasztóvédelemről]'') requires alcohol sellers to ask for an ID card only when they are in doubt that the buyer could be under 18 years old. When this doubt does not exist, like in the case of a 70-year-old man, this obligation does not apply. Therefore, the controller could not rely on [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]].  
Secondly, the DPA noted that Article 16/A(4) of the Consumer Protection Act of 1997 (''[https://njt.hu/jogszabaly/1997-155-00-00.44 1997. évi CLV. Törvény a fogyasztóvédelemről]'') requires alcohol sellers to ask for an ID card only when they are in doubt that the buyer could be under 18 years old. When this doubt does not exist, like in the case of a 70-year-old man, this obligation does not apply. Therefore, the controller could not rely on [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]].  
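Review bot: In the new Facts sentence, "no information under [[Article 13 GDPR]] was not provided to them" is a double negative that reads as the opposite of what the following sentence relies on ("Therefore, they could not know ..."). Suggest "no information under [[Article 13 GDPR]] was provided to them". The same revision also generalises the 70-year-old complainant to "elderly data subjects" while the Holding still refers to "a 70-year-old man", so the two passages should be aligned.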
Line 97: Line 97:
Finally, the DPA held that the controller did not implement adequate measures to protect the personal data of data subjects in its stores since, for example, data subjects were required to state their date of birth aloud and other customers could hear it.
Finally, the DPA held that the controller did not implement adequate measures to protect the personal data of data subjects in its stores since, for example, data subjects were required to state their date of birth aloud and other customers could hear it.


On these grounds, the DPA issued a fine of HUF 95,000,000 (€242,025), then lowered to HUF 80,000,000 (€203,811).
On these grounds, the DPA issued a fine of HUF 95,000,000 (€242,000), then lowered to HUF 80,000,000 (€204,000).


Moreover, it ordered the controller to display in each of its shops, in a prominent place and in a readily accessible format for data subjects, its current privacy notice, drawn up in accordance with [[Article 13 GDPR]].
Moreover, it ordered the controller to display in each of its shops, in a prominent place and in a readily accessible format for data subjects, its current privacy notice, drawn up in accordance with [[Article 13 GDPR]].
Line 104: Line 104:
This decision is issued after an appeal by the controller before the Metropolitan Court of Justice (''Fővárosi Törvényszéknek''). The court found that the recording of date of birth did not constitute processing of personal data since this only piece of information cannot allow to identify a person. It confirmed the remainder.  
This decision is issued after an appeal by the controller before the Metropolitan Court of Justice (''Fővárosi Törvényszéknek''). The court found that the recording of date of birth did not constitute processing of personal data since this only piece of information cannot allow to identify a person. It confirmed the remainder.  


The DPA took this judgement into account and lowered the amount of the fine from HUF 95,000,000 (€242,025) to HUF 80,000,000 (€203,811).
The DPA took this judgement into account and lowered the amount of the fine from HUF 95,000,000 (approx. €242,0000) to HUF 80,000,000 (approx. €204,000).


== Further Resources ==
== Further Resources ==
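Review bot: In the new Comment line, "(approx. €242,0000)" carries a stray zero and should read "approx. €242,000", matching the figure used in the Holding. The "approx." qualifier also appears only in this line, while the summary and the Holding give the same rounded amounts without it; one form should be used throughout.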

Latest revision as of 11:50, 10 September 2024

NAIH - NAIH-3932-5/2024
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 12(1) GDPR
Article 13 GDPR
Article 32 GDPR
16/A. § 1997. évi CLV. törvény a fogyasztóvédelemről
Type: Complaint
Outcome: Partly Upheld
Started:
Decided: 02.07.2024
Published:
Fine: 80,000,000 HUF
Parties: ALDI MAGYARORSZÁG ÉLELMISZER Élelmiszer Kereskedelmi Betéti Társaság
National Case Number/Name: NAIH-3932-5/2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Hungarian
Original Source: NAIH (in HU)
Initial Contributor: fb

The DPA fined Aldi HUF 80,000,000 (€204,000) in connection with its age verification practices when selling alcohol. It found that data subjects could not easily access information and that they could not be asked for an ID when there was no doubt they were over 18.

English Summary

Facts

The controller, a supermarket company, verified the age of customers wanting to buy alcoholic beverages. In addition to asking for an ID card, in some shops the controller also recorded the date of birth of the data subjects, while in other shops it did not.

Moreover, another complaint concerned the fact that the controller asked elderly data subjects for an ID, even though it was evident that they were not under 18.

Finally, according to the data subjects, no information under Article 13 GDPR was provided to them. Therefore, they could not know the legal basis or the duration of the processing.

For these reasons, several data subjects filed a complaint with the DPA.

Holding

First, the DPA found that the data subjects could not obtain sufficient information about the processing at hand, since no sign was displayed in the controller’s shops. Moreover, the staff were not able to provide more information or to tell the data subjects where to find more information about the data processing. Furthermore, the DPA noted that the practices varied between the stores.

Therefore, the DPA held that the information provided by the controller was insufficient, not easily accessible and not transparent. As a consequence, it found a violation of Article 5(1)(a), 12(1), 13(1) and 13(2) GDPR.

Secondly, the DPA noted that Article 16/A(4) of the Consumer Protection Act of 1997 (1997. évi CLV. Törvény a fogyasztóvédelemről) requires alcohol sellers to ask for an ID card only when they have doubts as to whether the buyer could be under 18 years old. When this doubt does not exist, as in the case of a 70-year-old man, this obligation does not apply. Therefore, the controller could not rely on Article 6(1)(c) GDPR.

As a consequence, the DPA found a violation of Article 6(1) GDPR.

Thirdly, the DPA found that recording the date of birth in the cash register system violated Article 5(1)(c) GDPR. Indeed, the DPA considered that there was a method of achieving the objective which was appropriate but less harmful to the data subjects and involved fewer processing operations.

Finally, the DPA held that the controller did not implement adequate measures to protect the personal data of data subjects in its stores since, for example, data subjects were required to state their date of birth aloud and other customers could hear it.

On these grounds, the DPA issued a fine of HUF 95,000,000 (€242,000), then lowered to HUF 80,000,000 (€204,000).

Moreover, it ordered the controller to display in each of its shops, in a prominent place and in a readily accessible format for data subjects, its current privacy notice, drawn up in accordance with Article 13 GDPR.

Comment

This decision was issued after an appeal by the controller before the Metropolitan Court of Justice (Fővárosi Törvényszéknek). The court found that the recording of the date of birth did not constitute processing of personal data, since this piece of information alone does not allow a person to be identified. It confirmed the remainder.

The DPA took this judgement into account and lowered the amount of the fine from HUF 95,000,000 (approx. €242,000) to HUF 80,000,000 (approx. €204,000).

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

Case number: NAIH-3932-5/2024 Subject: decision

                                     D E C I S I O N



The National Data Protection and Freedom of Information Authority (hereinafter: the Authority)
examined, in the official data protection procedure (main case) with case number
NAIH-3227-3/2023, whether the data management practice that ALDI HUNGARY FOOD Food Trade
Deposit Company (head office: 2051 Biatorbágy, Mészárosok útja 2., company registration
number: 13-06-058506; hereinafter: Obligor) established in the summer of 2022 in connection
with the purchase of alcoholic beverages, and applied thereafter in the period until the
decision with case number NAIH-3227-3/2023 became final, complied with Regulation (EU)
2016/679 on the protection of natural persons with regard to the processing of personal data
and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: the
general data protection regulation).

Judgment no. 105.K.701.548/2023/11 of the Metropolitan Court of November 7, 2023, communicated
to the Authority on 7 December 2023 (hereinafter: Judgment), annulled point 3 of the decision
made in that case (hereinafter: Decision) and obliged the Authority to conduct a new procedure
in this regard. In the repeated official data protection procedure initiated ex officio under
case number NAIH-3932/2024, the Authority makes the following decisions:


   1. On the basis of the legal violations established in point 1 of the Decision and upheld
      by the Metropolitan Court, and taking into account the provisions of the Judgment, the
      Authority ex officio obliges the Obligor, within 30 days of this decision becoming final,

                           HUF 80,000,000, i.e. eighty million HUF

                              to pay a data protection fine.

   2. On the basis of point a) of § 61 (2) of Act CXII of 2011 on informational
      self-determination and freedom of information (hereinafter: Infotv.), the Authority
      ex officio orders that its final decision be disclosed, together with the identification
      data of the Obligor, by publication
       a) on the website of the Authority, and
       b) on the opening page of the Obligor's website, in a clearly visible and easily
          accessible place, within 30 days of the decision becoming final, where it must
          remain available for at least 30 days.

The Obligor must certify to the Authority in writing, together with the supporting evidence,
that it has fulfilled the obligation prescribed in point 2, sub-point b) of this decision,
within 30 days of the decision becoming final.

In case of non-fulfilment of the obligation prescribed in sub-point b) of point 2, the
Authority shall order the implementation of the decision.

No procedural costs were incurred in the procedure.


There is no administrative appeal against this decision, but it can be challenged in an
administrative lawsuit within 30 days of its communication, with a statement of claim
addressed to the Metropolitan Court. The statement of claim must be submitted electronically
to the Authority, which forwards it to the court together with the case documents. A request
for a hearing must be indicated in the statement of claim. For those who do not receive full
personal tax exemption, the fee for the judicial review procedure is HUF 30,000; the lawsuit
is subject to the right to record fees. Legal representation is mandatory in proceedings
before the Metropolitan Court.

1 The NAIH_K01 form is used to initiate an administrative lawsuit: NAIH_K01 form (16.09.2019).
The form can be filled out using the general form filling program (ÁNYK program).

1055 Budapest, Falk Miksa utca 9-11    Tel.: +36 1 391-1400    KR ID: 429616918
ugyfelszolgalat@naih.hu    naih.hu/adatkezelesi-tajekoztatok


                                      J U S T I F I C A T I O N

I. Background, main case


(1) The Authority received several notifications regarding the new data management practice
      established by the Obligor in connection with the purchase of alcoholic beverages. In
      their submissions, the notifiers complained about significantly different data
      management practices in individual stores. According to the notifiers, the data
      management information was not handed over to the data subjects even upon request, and
      the cashiers could not provide it either, so the legal basis and duration of the data
      management connected with recording the date of birth were not known. According to the
      notifiers, the Obligor's stores in several settlements recorded the customer's date of
      birth when alcoholic beverages were purchased, either based on a statement made at the
      cash desk or, according to other complaints, by requiring the customer to hand over an
      identity card. According to another complaint, the cashier was unable to provide
      information on the purpose and legal basis of the data recording, and although the
      regional manager had indicated to the store manager that the data of the identity card
      need not be recorded where the buyer's legal age can be established in another way,
      customers were not informed of this fact. One notifier complained that he is apparently
      over 70 years old, yet he still had to prove his age.

(2) Based on the above, on August 19, 2022, the Authority initiated an official data
      protection procedure ex officio in order to check whether the data management practice
      established by the Obligor in connection with the purchase of alcoholic beverages meets
      the requirements contained in the general data protection regulation.

(3) During the procedure, the Authority invited the Obligor several times to make a statement
      in order to clarify the facts, and, on the basis of Act CL of 2016 on general
      administrative regulations (hereinafter: Ákr.), conducted on-site inspections without
      prior notice in two randomly selected stores of the Obligor.

(4) In point 1 of the Decision dated March 30, 2023, adopted in the official data protection
      procedure initiated ex officio, the Authority established that the Obligor violated
       a) point a) of Article 5 (1) of the General Data Protection Regulation;
       b) point c) of Article 5 (1) of the General Data Protection Regulation;
       c) Article 6 (1) of the General Data Protection Regulation;
       d) Article 12 (1) of the General Data Protection Regulation;
       e) Paragraphs (1) and (2) of Article 13 of the General Data Protection Regulation;
       f) paragraphs (1) and (4) of Article 32 of the General Data Protection Regulation.

(5) Transparency contained in Article 5 (1) point a) of the General Data Protection Regulation

      violation of the principle of
      on-site) was not available for those interested in purchasing alcoholic beverages
      the related data management established by the Obligor is transparent; it is essential
      those involved did not have the opportunity to learn about its circumstances, because it was not posted


https://www.naih.hu/kozig-hatarozat-birosagi-felulvizsgalata


      an appropriate data management information notice containing essential information
      about the actual data management; and, at the request of the data subjects and the
      representatives of the Authority, the Obligor's employees could not even verbally
      provide information about the online availability of the data management information
      notice or about the essential circumstances of the data management [see: Paragraph
      (129) of the Decision's justification].

(6) The principle of transparency was also violated by the fact that the actual data
      management practice for verifying the age of persons intending to buy alcoholic
      beverages differed significantly between the Obligor's stores, and also between the
      cash registers within individual stores; accordingly, the data management concerning
      them was not transparent for the data subjects [see: paragraph (134) of the
      justification of the Decision].

(7) Obliged by Art. Order on notification according to § 76 [NAIH-6989-16/2022
      order no.] violated Article 5 (1) of the General Data Protection Regulation
      the principle of transparency according to paragraph a) of the data management realized by logging
      also by not ensuring the transparency of data management for those concerned

      for, since he did not provide information in the period between August 4 and 11, 2022
      for those concerned in relation to data management; August 12 and 31, 2022
      in the period between
      to those concerned on the Website (https://www.aldi.hu/hu/homepage.html) and the Ákr. 68-69. §
      during the inspection in his stores about the fact that all keys of the cash register
      is struck (and therefore, in the case of purchasing an alcoholic drink, the customers' date of birth
      is) was logged, and that these log files are for 180 days after recording

      were also stored, and for them the data processor used by the Obligor
      also has access; finally, that from September 1, 2022, the Ákr. according to § 76
      up to the date of the order on notification, it has not been modified by the relevant Obligor
      data management information, and therefore still did not inform the data subjects above
      explained [see: paragraph (141) of the reasoning of the Decision].


(8) "easy
      "accessible" criterion was violated by the fact that the Obligor did not take adequate
      measures to make the information related to the data management available to the data
      subjects in each store in an easily accessible manner and form [see: Paragraph (148)
      of the Decision's justification].

(9) The Obligor violated paragraphs (1) and (2) of Article 13 of the General Data Protection
      Regulation, considering that, at the time of obtaining the personal data, the Obligor
      did not make available to the data subjects the information specified in paragraphs
      (1) - (2) of Article 13 of the General Data Protection Regulation in connection with
      the data processing affected by the procedure [see: paragraph (157) of the
      justification of the Decision].

(10) For the period between August 4, 2022 and August 31, 2022, the Obligor did not
      demonstrate a legal basis under Article 6 (1) of the General Data Protection
      Regulation for processing the data of those data subjects in whose case the "doubt"
      about reaching the age of 18, as defined in § 16/A (4) of Act CLV of 1997 on consumer
      protection (hereinafter: Fgytv.), did not arise, because it was clear, and clearly
      visible to anyone given their old age, that they had reached the age of eighteen.
      Since, in relation to these persons, the Authority was also unable to identify
      ex officio any legal provision or individual decision that would create a relevant
      legal obligation for the Obligor concerning the data management, the Obligor violated
      Article 6 (1) of the General Data Protection Regulation [see: paragraph (165) of the
      reasons for the Decision].


(11) Article 6 (1) of the General Data Protection Regulation was also violated by the fact
      that the Obligor wrongly identified this legal provision as a legal obligation imposed
      on it in general, covering all customers, and did not properly apply the legal norms
      governing it, in particular the general data protection regulation and the Fgytv. It
      over-extended the applicability of the legal obligation applicable to it when it
      recorded personal data in the log files by entering them into the cash register
      system, as § 16/A (4) of the Fgytv. only expects credible proof of age, so the Obligor
      did not have an adequate legal basis for the recording.
      [see: paragraph (166) of the reasoning of the Decision]


(12) Based on § 16/A (4) of the Fgytv., when an alcoholic beverage is purchased, the customer
      must be asked to provide credible proof of age in case of doubt (i.e. where it cannot
      be clearly established whether the person intending to purchase the alcoholic beverage
      has reached the age of eighteen). However, in the period between August 4, 2022 and
      August 31, 2022, the Obligor went beyond the statutory provision, the phrase "in case
      of doubt" in § 16/A (4) of the Fgytv.: in a general manner and, in the Obligor's own
      words, for "the development of its systematic use", it prescribed for its employees in
      the position of shop assistant the mandatory verification of the age of every person
      intending to buy an alcoholic beverage. By doing so, it also violated the principle of
      data minimisation contained in Article 5 (1) point c) of the general data protection
      regulation, which the data controller must take into account during all data
      processing regardless of the legal basis, as in the case of customers who had
      obviously reached the age of 18 it handled and recorded in its system data not
      relevant to the purposes of the data management [see: paragraph (169) of the
      justification of the Decision].

(13) During the sale of alcoholic beverages, based on the definition in Article 4, point 2
      of the general data protection regulation, inspecting an identity document suitable
      for proving age, entering into the cash register system the date of birth read from
      that document or provided by the customer, recording it, and storing it in the log
      files for 180 days can each be considered a data management operation. However,
      prescribing the operations beyond inspection in a general and mandatory manner was not
      absolutely necessary for the purpose of establishing that the data subjects had
      reached the age of 18. The Obligor thereby violated the principle of data minimisation
      contained in Article 5 (1) point c) of the General Data Protection Regulation, because
      there is a method that is suitable for achieving the goal but is less harmful for the
      data subjects and involves fewer data management operations, so the processing of
      personal data was not limited to the necessary extent [see: paragraph (174) of the
      justification of the Decision].

(14) The data security requirements contained in paragraphs (1) and (4) of Article 32 of the
      General Data Protection Regulation were violated by the fact that the Obligor did not
      develop appropriate measures, across its stores and within individual stores, to
      protect the personal data of the data subjects; the procedure prescribed by the
      Obligor was not applied; and certain data subjects, when purchasing alcoholic
      beverages, had to state their date of birth at the cashier's express request in a way
      that was clearly audible to others as well [see: paragraph (181) of the reasoning of
      the Decision].

(15) Due to the violations established in point 1 of the Decision, the Authority, in point 2
      of the Decision, obliged the Obligor to
       a) bring its data management practice aimed at verifying age in the case of
          purchasing alcoholic beverages into line with the provisions of the general data
          protection regulation and with paragraphs (1) and (4) of § 16/A of the Fgytv.,
          check the age of buyers only in case of doubt, not record data during this even at
          log file level, and amend the relevant data management information;
       b) display in each store, in a clearly visible place and in an easily accessible form
          for the data subjects, its current data management information according to
          Article 13 of the General Data Protection Regulation covering the data processing
          carried out there.

(16) On the basis of the violations established in point 1 of the Decision, due to the
      illegality of the data management, the Authority in point 3 of the Decision ex officio
      obliged the Obligor to pay a data protection fine of HUF 95,000,000, i.e. ninety-five
      million HUF, within 30 days of the decision becoming final.

(17) In point 4 of the Decision, on the basis of point a) of § 61 (2) of the Infotv., the
      Authority ex officio ordered that its final Decision be disclosed, together with the
      identification data of the Obligor, by publication on the website of the Authority and
      on the opening page of the Obligor's website, in a clearly visible and easily
      accessible place, within 30 days of the decision becoming final, where it should
      remain available for at least 30 days.

(18) On April 26, 2023, the Obligor paid the Authority the data protection fine of
      HUF 95,000,000 imposed in point 3 of the Decision [see: document with case number
      NAIH-3227-4/2023].

(19) In its statement received by the Authority on April 28, 2023 (statement with case
      number NAIH-3227-5/2023), the Obligor submitted that it had modified its practice: "on
      April 14, 2023, the software element requesting the entry of the age was deleted from
      the cash register software". In its statement, the Obligor also informed the Authority
      that it had amended and published the data management information on the data
      processing activities carried out in stores.

(20) In its action addressed to the Metropolitan Court, the Obligor (as plaintiff) requested
      the annulment of points 1, 3 and 4 of the Decision.

(21) In its Judgment (case number NAIH-3932-1/2024), the Metropolitan Court annulled point 3
      of the Decision and obliged the Authority (as defendant) to conduct a new procedure in
      this respect. Beyond this, the Metropolitan Court rejected the claim.

(22) According to paragraph [41] of the Justification of the Judgment, “[…] the court established that it is
      the defendant's decision regarding the preservation of the date of birth in the diary file a
      the legal basis of the violations established in point 1 of the provision, as well as the
      regarding the provision imposing a fine of HUF 95,000,000 on the plaintiff (point 3)
      illegal. In relation to point 3, the decision was made by Kp. Section 89, subsection (1) b)

      annulled it by applying point 1 and sent the defendant to a new procedure in this round
      obliged. In relation to the data management implemented with insight and input a
      the plaintiff did not dispute points 1 a) and c)-f) of the operative part of the decision, thus
      in this part, the court did not affect the decision, and the court referred to point 1 b)
      the legal basis of the infringement established in accordance with sub-section, as well as the decision to the public
      with regard to point 4 ordering the filing of the claim, the Kp. Section 88, paragraph (1), point a).
      rejected based on Taking into account all of this, point 1 of the decision

      annulment was not justified because the defendant is the plaintiff
      evaluated its data management as a unit and established a violation, and with the insight
      and in relation to data management implemented by input, contained in point 1


      a violation of provisions exists regardless of whether with respect to preservation
      the same findings were not legal.".


(23) Based on paragraph [42] of the Justification of the Judgment, "In the repeated procedure,
      the defendant must make his decision taking into account that the plaintiff a
      did not commit during the preservation of the date of birth in the log file
      infringement. Again, you have to decide whether it is implemented with insight or input
      applicable due to violations established in connection with data management
      on legal consequences, with the fact that in the event of a fine, the amount of the violation

      it must be defined taking into account the narrower range of its scope; in the log file
      circumstances related to preservation should not be taken into account during the consideration and
      cannot be evaluated as an aggravating circumstance with the mandatory age verification (insight,
      entry) the longer period of the violation established in connection. The amount of the fine
      therefore, ignoring all these circumstances, it should be more proportionate.".

(24) In view of the above [see: paragraphs (1) – (23) of the reasons for this decision] – the

      With the exception of point 3 of the Decision - the rest of the Decision became final.

II. Repeated data protection official procedure

(25) Based on the Judgment, the repeated data protection official procedure was initiated on
      December 7, 2023.

(26) Neither the Authority nor the Obligor submitted a request for review against the Judgment
      (see file number NAIH-3932-2/2024).

(27) Based on Section 62 (3) of the Ákr., facts that are officially known to the authority and
      facts of public knowledge do not need to be proven. In view of this, the document material
      created under case number NAIH-3227/2023 and under case number NAIH-6989/2022 is considered
      a fact officially known to the Authority.

(28) In its order with case number NAIH-3932-3/2024, sent through Cégkapu, the Authority notified
      the Obligor about the repeated data protection official procedure and informed the Obligor
      that it may make a statement on the subject of the repeated data protection official
      procedure within the scope determined by the Judgment. The Obligor downloaded the Authority's
      order on March 5, 2024.

(29) The Obligor's statement in response to order number NAIH-3932-3/2024 was received by the
      Authority via e-Paper on March 11, 2024 (statement with case number NAIH-3932-4/2024). In its
      statement, the Obligor submitted that, in accordance with the contents of order number
      NAIH-3932-3/2024, the Obligor did not submit a review request against the Judgment either,
      "for its part, it also keeps in view that the case can be definitively closed as soon as
      possible". Based on the contents of the statement, the Obligor "still maintains, unchanged,
      the statements it presented in the administrative and court stages of the main case, which
      the Metropolitan Court took into account when reaching the Judgment".

(30) In its statement with case number NAIH-3932-4/2024, the Obligor requested that the Authority
      form the decision to be made in the present repeated data protection official procedure in
      accordance with the Justification of the Judgment (see: paragraphs [41] and [42] of the
      Justification of the Judgment). The Obligor also requested that the Authority "when
      determining the amount of the fine, please take into account that since according to the
      Judgment, keeping the date of birth in a log file does not qualify as data management, the
      duration of the illegal behavior is also a fraction of what was originally established".
      The Obligor also requested that the Authority omit from the reasons for the decision the
      "exact sum indication" of the Obligor's annual transaction number.

(31) During this repeated data protection official procedure, the Authority did not conduct a new
      evidentiary procedure beyond what was specified in the Judgment, and no new evidence was
      used either.

III. Applied legal sources


(32) Based on Article 2 (1) of the General Data Protection Regulation, the General Data
      Protection Regulation shall be applied to the data management in the present case.

(33) On the basis of Article 4, point 1 of the General Data Protection Regulation, personal data
      is any information relating to an identified or identifiable natural person ("data subject");
      an identifiable natural person is one who can be identified directly or indirectly, in
      particular on the basis of an identifier such as a name, number, location data or online
      identifier, or on the basis of one or more factors related to the physical, physiological,
      genetic, intellectual, economic, cultural or social identity of the natural person.

(34) Based on Article 4, point 2 of the General Data Protection Regulation, data management is any
      operation or set of operations conducted on personal data or data files in an automated or
      non-automated manner, such as collecting, recording, organizing, segmentation, storage,
      transformation or change, query, inspection, use, communication by means of transmission,
      distribution or otherwise making available, alignment or linking, restriction, deletion or
      destruction.

(35) According to Article 4, point 7 of the General Data Protection Regulation, a data controller
      is the natural or legal person, public authority, agency or any other body that defines the
      purposes and means of processing personal data independently or together with others; if the
      purposes and means of data management are determined by EU or member state law, the data
      controller or the particular aspects regarding the designation of the data controller can
      also be determined by EU or member state law.

(36) Pursuant to Article 31 of the General Data Protection Regulation, the data controller and
      the data processor, as well as - if any - the representative of the data controller or the
      data processor, cooperate with the supervisory authority, on the basis of its inquiry,
      during the execution of its tasks.


(37) Pursuant to Article 58, Paragraphs (1) – (2) of the General Data Protection Regulation:
      "(1) The supervisory authority, acting within its investigative powers:

       a) instructs the data controller and the data processor, or, where applicable, the
          representative of the data controller or the data processor, to provide the information
          necessary to perform its tasks;
       b) conducts investigations in the form of data protection audits;
       c) carries out a review of the certificates issued in accordance with Article 42 (7);
       d) notifies the data controller or the data processor of an alleged violation of this
          regulation;
       e) receives access from the data controller or data processor to all personal data and all
          information necessary for the performance of its tasks; and
       f) is given access, in accordance with EU or member state procedural law, to any premises
          of the data controller or the data processor, including all equipment and tools used
          for data processing.

      (2) The supervisory authority, acting within its corrective powers:
       a) warns the data controller or the data processor that some of its planned data management
          activities are likely to violate the provisions of this regulation;
       b) reprimands the data controller or the data processor if its data management activities
          violated the provisions of this regulation;
       c) instructs the data controller or the data processor to fulfill the data subject's
          request regarding the exercise of his rights under this regulation;
       d) instructs the data controller or the data processor to bring its data management
          operations - in a specified manner and within a specified time - into harmony with the
          provisions of this regulation;
       e) instructs the data controller to inform the data subject about the data protection incident;
       f) temporarily or permanently restricts data management, including its prohibition;
       g) in accordance with Articles 16, 17 and 18, orders the correction or deletion of personal
          data or the restriction of data management, and, in accordance with Article 17,
          paragraph (2) and Article 19, orders that the recipients to whom the personal data has
          been disclosed be notified of this;
       h) revokes the certificate or instructs the certification body to revoke a certificate
          issued in accordance with Articles 42 and 43, or instructs the certification body not
          to issue the certificate if the conditions for certification are not or are no longer
          fulfilled;
       i) imposes an administrative fine in accordance with Article 83, depending on the
          circumstances of the given case, in addition to or instead of the measures mentioned in
          this paragraph; and
       j) orders the suspension of data flow directed to a recipient in a third country or to an
          international organization."

(38) Pursuant to Article 83 (1) – (5) of the General Data Protection Regulation:

      "(1) All supervisory authorities ensure that the administrative fines imposed under this
      article for the violations of this regulation referred to in paragraphs (4), (5) and (6)
      are effective, proportionate and dissuasive in each case.
      (2) The administrative fines shall, depending on the circumstances of the given case, be
      imposed in addition to or instead of the measures mentioned in points a)-h) and j) of
      Article 58 (2). When deciding whether it is necessary to impose an administrative fine, and
      when determining the amount of the administrative fine, due consideration shall be given in
      each case to:
       a) the nature, severity and duration of the infringement, taking into account the nature,
          scope or purpose of the data management in question, as well as the number of data
          subjects affected by the infringement and the extent of the damage suffered by them;
       b) the intentional or negligent nature of the infringement;
       c) any measures taken by the data controller or data processor to mitigate the damage
          suffered by data subjects;
       d) the degree of responsibility of the data controller or data processor, taking into
          account the technical and organizational measures undertaken by it on the basis of
          Articles 25 and 32;
       e) relevant violations previously committed by the data controller or data processor;
       f) the extent of cooperation with the supervisory authority to remedy the violation and to
          mitigate its possible negative effects;
       g) categories of personal data affected by the infringement;
       h) the manner in which the supervisory authority became aware of the violation, in
          particular whether the data controller or the data processor reported the infringement
          and, if so, in what detail;
       i) if one of the measures referred to in Article 58 (2) was previously ordered against the
          data controller or data processor concerned in the same subject, compliance with the
          measures in question;
       j) whether the data controller or the data processor has adhered to approved codes of
          conduct under Article 40 or to approved certification mechanisms under Article 42; and
       k) other aggravating or mitigating factors relevant to the circumstances of the case, such
          as financial gain acquired or loss avoided as a direct or indirect consequence of the
          infringement.

      (3) If a data controller or data processor, with respect to the same data management
      operation or related data management operations, intentionally or negligently violates
      several provisions of this regulation, the full amount of the fine may not exceed the amount
      determined in the case of the most serious violation.
      (4) Violation of the following provisions shall - in accordance with paragraph (2) - be
      punished with an administrative fine of at most EUR 10,000,000 or, in the case of businesses,
      with an amount of no more than 2% of the total annual world market turnover of the previous
      financial year; of the two, the higher amount must be imposed:
       a) the obligations of the data controller and the data processor defined in Articles 8, 11,
          25-39, 42 and 43;
       b) the obligations of the certification body defined in Articles 42 and 43;
       c) the obligations of the control organization defined in Article 41, Paragraph 4.

      (5) Violation of the following provisions shall - in accordance with paragraph (2) - be
      punished with an administrative fine of at most EUR 20,000,000 or, in the case of businesses,
      with an amount not exceeding 4% of the total annual world market turnover of the previous
      financial year, with the higher amount of the two being imposed:
       a) the principles of data management - including the conditions of consent - in accordance
          with Articles 5, 6, 7 and 9;
       b) the rights of the data subjects in accordance with Articles 12-22;
       c) the transfer of personal data to a third country recipient or international organization
          in accordance with Articles 44-49;
       d) obligations according to the law of the Member States adopted on the basis of Chapter IX;
       e) non-compliance with the instruction of the supervisory authority according to
          Article 58 (2), or with its notice of temporary or permanent limitation of data
          processing or suspension of data flow, or failure to provide access in violation of
          Article 58 (1)."


(39) Pursuant to Section 2 (2) of the Infotv., the General Data Protection Regulation shall be
      applied with the additions contained in the provisions specified there. Regarding data
      processing not covered by Article 2 (1) of the General Data Protection Regulation,
      Section 2 (4) of the Infotv. provides: "To the treatment of personal data not covered by
      paragraphs (2) and (3),

      a) in Article 4, II-VI, and VIII-IX of the general data protection regulation. chapter,
         as well as
      b) Sections III-V of this Act. and VI/A. In its chapter, in addition to § 3., 3., 4., 6., 11., 12., 13., 16.,
         17., 21., 23–24. point, paragraph (5) of § 4, § 5 (3)–(5), (7) and (8)

         paragraph, paragraph (2) of § 13, § 23, § 25, § 25/G. § (3),
         in paragraphs (4) and (6), 25/H. in paragraph (2) of § 25/M. § (2),
         the 25/N. § 51/A. (1) of § § 52–54. §, § 55 (1) and (2)
         in paragraph 56–60. in §, 60/A. (1)–(3) and (6) of § § 61 (1)
         in points a) and c) of paragraph 61, paragraphs (2) and (3) of § 61, paragraph (4) b)


         and paragraphs (6)–(10), and 61/A–61/D. § 62-71. §-in,
         in Section 72, Sections (1)–(5) of Section 75 and Section 75/A. § and in Annex 1

      certain provisions shall apply."

(40) Based on paragraphs (2) – (2a) of § 38 of the Infotv.:

      "(2) The Authority's task is to control and promote the enforcement of the right to the
      protection of personal data and of the right to access data of public interest and data
      public on grounds of public interest, as well as to facilitate the free flow of personal
      data within the European Union.
      (2a) The tasks and powers established for the supervisory authority in the General Data
      Protection Regulation are exercised by the Authority with regard to legal entities under
      the jurisdiction of Hungary, as defined in the General Data Protection Regulation and in
      this law."

(41) According to § 60, paragraph (1) of the Infotv., in order to enforce the right to the
      protection of personal data, the Authority initiates official data protection proceedings at
      the request of the person concerned and can initiate official data protection proceedings ex
      officio. The rules of the Ákr. must be applied to the official data protection procedure
      with the additions specified in the Infotv. and with the differences according to the
      General Data Protection Regulation.

(42) Pursuant to § 60/A (1) of the Infotv., the administrative deadline in the official data
      protection procedure is one hundred and fifty days, which does not include the time from the
      invitation to provide the data necessary for clarifying the facts until its fulfillment.
      Pursuant to § 103, paragraph (3) of the Ákr., in ex officio proceedings only the duration of
      the suspension of the procedure is not included in the administrative deadline. In other
      respects, § 52 shall be applied to procedural deadlines.

(43) Based on § 61, paragraph (1) of the Infotv.:

      "(1) In the decision made in the official data protection procedure, the Authority
       a) in connection with the data management operations specified in paragraphs (2) and (4)
          of § 2, may apply the legal consequences defined in the General Data Protection
          Regulation; in particular, upon request or ex officio, it may order unlawfully processed
          personal data to be deleted in the manner determined by it, or may temporarily or
          permanently limit data processing in other ways,
       b) in connection with the data management operations defined in § 2, paragraph (3),
            ba) can establish the fact of unlawful processing of personal data,
            bb) can order the correction of personal data that does not correspond to reality,
            bc) may order the blocking, deletion or destruction of unlawfully processed personal
                data,
            bd) may prohibit the unlawful handling of personal data,
            be) may prohibit the transmission or transfer of personal data abroad,
            bf) may order that the data subject be informed, if the data controller unlawfully
                omitted or denied this, and
            bg) can impose fines,
       c) can apply the legal consequences defined in Article 41 (5) of the General Data
          Protection Regulation against an organization performing the control activities defined
          in Article 41 (1) of the General Data Protection Regulation."


(44) According to § 61, paragraph (2) of the Infotv.:

      "(2) The Authority may order the disclosure of its decision, including the publication of
      the identification data of the data controller or the data processor, if
       a) the decision affects a wide range of persons,
       b) it was brought in connection with the activities of a body performing a public task, or
       c) the severity of the infringement justifies disclosure."

(45) Based on Section 61 (3) of the Infotv., the application of a warning in the Authority's
      procedure is excluded if the Authority, based on the regulations applicable to its
      consideration, establishes that the imposition of a fine is necessary.

(46) Pursuant to § 61, paragraph (7) of the Infotv., the Authority undertakes the implementation
      of its decision in relation to an obligation, included in the decision, to carry out a
      specific act or to conduct, tolerate or cease a defined behaviour. In case of a final or administrative lawsuit, the Authority a
      illegal as determined in a final decision by an administrative court
      data affected by data management - the court, prosecutor's office or other authority is different
      in the absence of this provision - these data cannot be deleted or destroyed
      in the case of criminal proceedings or other official or judicial proceedings, the criminal proceedings

      from the start date of the criminal proceedings or with a final decision of the court
      until its completion by a non-final order, or by the prosecution
      or the investigative authority terminates proceedings that cannot be challenged with further legal remedies
      until its decision is made, and in the case of other official or judicial proceedings, this
      from the start date until the final or legally binding end.

(47) On the basis of § 71, paragraph (1) of the Infotv., during the Authority's procedure - to
      the extent and for the time necessary to conduct it - the Authority can manage all personal
      data, as well as data qualifying as secrets protected by law and secrets bound to the
      exercise of a profession, that are related to the procedure and the management of which is
      necessary for the successful completion of the procedure.

(48) According to § 71, paragraph (2) of the Infotv., the Authority can use in its other
      proceedings a document, data or other means of proof lawfully obtained during its procedures.

(49) Based on Section 5 (1) of the Ákr., the client can make a statement or comment at any time
      during the procedure.

(50) Based on § 6 of the Ákr., all participants in the procedure are obliged to act in good faith
      and to cooperate with other participants. No one's behavior may be directed at deceiving the
      authority or at unjustifiably delaying decision-making or execution. The good faith of the
      client and other participants in the procedure must be assumed in the procedure. The
      authority bears the burden of proving bad faith.

(51) Based on paragraphs (1) - (2) of § 13 of the Ákr., if the law does not require the client to
      act in person, his legal representative, or a person authorized by him or by his legal
      representative, can act in his place, and the client and his representative can also act
      together. The procedure of a legal person's legal representative is considered a personal
      procedure.

(52) On the basis of § 14 of the Ákr., the authorized representative must certify his right to
      represent, unless it is included in the register of dispositions. The power of attorney must
      be included in a public document or a private document with full evidential force, or must
      be declared in a protocol. If nothing else appears from the power of attorney, it covers all
      statements and actions related to the procedure. If the right of representation ceases due
      to revocation, termination or the death of the client or the authorized representative, the
      termination is effective against the authority from the time it is reported to the authority,
      and against other clients from the moment it is communicated to them.

(53) Based on § 27 of the Ákr., the authority processes the natural personal identification data
      of the client and other participants in the procedure that are necessary for identification,
      the personal data specified in the law regulating the type of matter, and - if the law does
      not provide otherwise - other personal data essential for the successful conduct of the
      procedure. The authority ensures that secrets protected by law and other data protected by
      law (hereinafter together: protected data) are not made public and do not come to the
      knowledge of an unauthorized person, and that the protection of protected data as defined by
      law is also ensured in the procedure of the authority. In the course of its procedure, in
      order to conduct it, the authority manages - in the manner and scope defined by law - the
      protected data that are related to its procedure and the handling of which is necessary for
      the successful completion of the procedure.

(54) Based on § 33, paragraph (1) of the Ákr., the client can consult the documents created
      during the procedure at any stage of the procedure and even after its completion.

(55) On the basis of § 33, paragraph (4) of the Ákr., during the inspection of the documents,
      the person entitled to it can prepare a copy or an extract, or - against the reimbursement
      of costs specified in a government decree - can request a copy, which the authority will
      certify upon request.

(56) Pursuant to § 34 of the Ákr., it is not possible to inspect the draft decision. A document
      or a part of a document from which a conclusion can be drawn about protected data, or about
      personal data for which the conditions of access specified by law are not met, cannot be
      accessed, unless the lack of knowledge of the data - not including classified data - would
      prevent the person entitled to inspect the document from exercising his rights guaranteed by
      law. Based on the request, the authority provides access to the documents - even after the
      end of the procedure - or rejects the request in an order.

(57) According to § 62, paragraph (3) of the Ákr., facts that are officially known to the
      authority and facts of public knowledge do not need to be proven.

(58) Based on the provisions of paragraphs (1) - (2) of § 77 of the Ákr., the authority obliges
      the person who violates his obligation through his own fault to reimburse the additional
      costs caused, and that person may be subject to a procedural fine. The minimum amount of the
      procedural fine is ten thousand forints in each case; the maximum amount - unless the law
      provides otherwise - is five hundred thousand forints in the case of a natural person and
      one million forints in the case of a legal entity or other organization.

(59) On the basis of § 103, paragraph (1) of the Ákr., in ex officio proceedings, the provisions
      of the Ákr. relating to procedures initiated upon request must be applied with the
      deviations included in Chapter VII of the Ákr.

(60) On the basis of § 104, paragraph (1), point b) of the Ákr., the authority initiates the
      procedure ex officio in its area of competence if ordered to do so by a court.

(61) According to § 16/A (1) of the Fgytv., it is prohibited to sell or serve alcoholic beverages
      to a person under the age of eighteen - with the exception of medicines that can only be
      issued on medical prescription.

(62) According to paragraph (4) of § 16/A of the Fgytv., in order to enforce the restriction
      defined in paragraphs (1)–(3), the company or its representative, in case of doubt, invites
      the consumer to provide credible proof of age. In the absence of appropriate proof of age,
      the sale or service of the product must be refused.

IV. Judgment

(63) In its Judgment, the Metropolitan Court of Appeal annulled point 3 of the Decision on the
      basis of § 89 (1) paragraph b) of Act I of 2017 on the Code of Procedure (hereinafter: Law)
      and obliged the Authority to proceed with a new procedure in this regard. Beyond this, the
      Metropolitan Court rejected the claim.

(64) The Metropolitan Court explained in paragraph [27] of the Justification of the Judgment that
      "the court found that the date of birth recorded and stored after the purchase, in the
      given cash register, as a result of the entry keystrokes, in the form of a string of numbers
      in the format "NNHHYYYYYY", was not considered personal data because identification of the
      data subject was no longer possible. The date of birth was stored in this form together with
      all keystrokes, without any other data that can be associated with the data subject, solely
      for the purpose of troubleshooting and not for the identification of the data subject.
      During storage, the number line of the date of birth recorded by keystroke made it possible
      to identify not the customer, as a natural person, but the purchase [...] From all this,
      therefore, the preservation of the date of birth in the log file for 180 days did not
      implement data management".

(65) Pursuant to paragraph [42] of the Justification of the Judgment, in this repeated data
      protection official procedure the Authority must make its decision taking into account that
      the Obligor "did not commit an infringement in keeping the date of birth in the log file".

(66) In its Judgment, the Metropolitan Court also emphasized (see: paragraph [41] of the
      Justification of the Judgment) that the annulment of point 1 of the Decision was not
      justified, because in it the Authority evaluated the Obligor's data management as a unit
      and established a violation; and with regard to the data management realized by inspection
      and entry, the violation of the provisions contained in point 1 of the Decision exists
      regardless of the fact that the same findings with regard to preservation, according to the
      Metropolitan Court, "were not legal".

(67) Pursuant to the above [see paragraphs (63) – (66) of the reasons for this decision], in view
      of all the circumstances of the case, the Metropolitan Court therefore decided in its
      Judgment that, contrary to the provisions of the Decision, "by keeping the date of birth in
      the log file for 180 days, the Obligor did not carry out data management".

V. Legal Consequences


V.1. Data protection fine

(68) Pursuant to paragraph [42] of the Justification of the Judgment, the Authority should "Repeatedly decide
      is required in connection with the data management implemented with insight or input
      on the legal consequence applicable due to established violations, with the fact that
      in the case of imposing a fine, its amount is a narrower scope of the scope of the violation
      must be determined taking into account; related to retention in the log file

      circumstances should not be taken into account during the consideration and cannot be assessed as aggravating
      as a circumstance in connection with the mandatory age verification (inspection, entry) 14


      a longer period of established infringement. The amount of the fine is therefore all this
      disregarding circumstances, it should be proportionally less.".


(69) The Authority pursuant to Article 58(2)(i) and Article 83 of the General Data Protection Regulation
      (2) also imposes a data protection fine instead of or in addition to the other measures
      can impose.

(70) In the matter of whether, in this repeated data protection official procedure, it is justified
      e the imposition of a data protection fine, the Authority has discretion based on the law

      decided acting in his authority, taking into account Infotv. § 61. Paragraph (1) point a), that is
      Infotv. 75/A. §, as well as Article 83 (2) of the General Data Protection Regulation
      and Article 58 (2) of the General Data Protection Regulation. The Authority considered it
      all the circumstances of the case, paying special attention to the provisions of the Judgment and
      established that in the present repeated data protection official procedure a
      warning and conviction are neither proportionate nor dissuasive in themselves
      would be a sanction, therefore the imposition of the fine is necessary in view of the Obligee's market

      situation, the general and national nature of the practice it introduced and the significant
      to the person concerned. In this case, the protection of personal data - which is the Authority
      task - no, based on the totality of the fine imposition circumstances detailed below
      is available without imposing a data protection fine. The imposition of fines is both special and
      it also serves general prevention, according to which the decision not only
      On the Authority's website, but on the opening page of the Obligor's website, clearly and easily
      is also published in an accessible place.


(71) When determining the amount of the fine, the Authority took into account, above all,
      that the Metropolitan Court decided in its Judgment that “the date of birth
      keeping it in a log file for 180 days did not implement data management" (see: az
      Paragraph [27] of the Justification of the Judgment); the Obligee “the date of birth in the log file
      he did not commit a violation of the law during the preservation of the
      paragraph [42]). However, the Authority cannot dispense with the fact that in the Decision

      established additional, fundamental violations of the general data protection regulation
      Belonging to the category of fines with a higher amount according to Article 83, paragraph (5), point a).
      are considered violations of the law, based on this the maximum fine that can be imposed is EUR 20,000,000,
      and in the case of enterprises, the total annual world market turnover of the previous financial year
      an amount of up to 4%, the higher of the two must be imposed.

(72) When determining the amount of the fine (HUF 95,000,000) imposed in the Decision, the Authority
      took into account the data for 2021, on the basis of which the Obligor's net sales revenue in
      2021 was HUF 315,282,601,000. At the same time, the Authority also took into account that, in
      comparison, the taxable profit of the Obligor was HUF 8,504,878,000 in this year [see paragraph
      (184) of the Decision's justification].

(73) When determining the fine in this repeated data protection official procedure, in view of the
      period during which the violations existed, the Authority took the Obligor's 2021 business year
      into account.

(74) Based on the 2021 data, the net sales revenue to be taken into account by the Authority is
      HUF 315,282,601,000, on the basis of which the legal maximum of the fine in this case is
      HUF 12,611,304,040. Compared to this, the HUF 80,000,000 data protection fine included in this
      decision is 0.025% of the Obligor's net sales revenue, i.e. significantly below the maximum
      fine amount.


(75) When determining the amount of the data protection fine, the Authority took the following
      mitigating circumstances into account:

       - From September 1, 2022, the Obligor's employees working as store salespersons call on
          customers to prove their age only in case of doubt when they purchase alcoholic beverages;
          paragraph [39] of the Justification of the Judgment also contains this [General Data
          Protection Regulation Article 83 (2) point a)];
       - The violation affected a narrow range of categories of personal data of the persons
          concerned; the recording was limited to the customers' date of birth [General Data
          Protection Regulation Article 83 (2) point g)];
       - The Authority assessed that the primary purpose of the measure introduced by the Obligor was
          the protection of persons under the age of eighteen (which paragraph [35] of the
          Justification of the Judgment also confirmed) and compliance with the consumer protection
          regulations as fully as possible; no information emerged that it was otherwise aimed at
          obtaining an unlawful advantage [General Data Protection Regulation Article 83 (2)
          point k)].

(76) When determining the amount of the data protection fine, the Authority - also having regard to
      paragraph [42] of the Justification of the Judgment - took the following aggravating
      circumstances into account:

       - The Obligor - on the basis of paragraph [39] of the Justification of the Judgment, which it
          did not contest - committed several legal violations and violated other fundamental
          provisions, therefore the Authority considered the nature of the violations to be of medium
          seriousness; based on paragraph [39] of the Justification of the Judgment, this evaluation
          is not unreasonable even though the Obligor's practice of keeping the data in the log file
          "was not unlawful" [General Data Protection Regulation Article 83 (2) point a)];
       - The number of those involved was significant, as paragraph [33] of the Justification of the
          Judgment also confirmed [General Data Protection Regulation Article 83 (2) point a)];
       - The violations existed at the national level [see: paragraphs (38) and (120)] and were not
          ad hoc, in that in the period between August 4, 2022 and August 31, 2022 the Obligor
          prescribed, in a general manner, a mandatory check of the age of each person intending to
          buy alcoholic beverages; paragraphs [33] and [38] of the Justification of the Judgment also
          confirmed this [General Data Protection Regulation Article 83 (2) point a)];
       - The data management operations were opaque to those concerned for a longer period of time,
          because the information on data management was not easily accessible and incomplete
          information was provided to those concerned in several respects; paragraph [32] of the
          Justification of the Judgment also confirmed this [General Data Protection Regulation
          Article 83 (2) point a)];
       - As a result of the data management, the Obligor hindered certain data subjects who had
          reached the age of 18 in their right to contract (see: minutes of case number
          NAIH-6989-5/2022, page 6; minutes of case number NAIH-6989-6/2022, page 6); paragraph [37]
          of the Justification of the Judgment also confirms this [General Data Protection Regulation
          Article 83 (2) point a)];
       - Based on several reports received against the Obligor, the Authority detected the
          probability that the Obligor's data management practice was unlawful, which resulted in the
          ex officio proceeding under case number NAIH-6989/2022; paragraph [34] of the Justification
          of the Judgment also confirmed this [General Data Protection Regulation Article 83 (2)
          point h)].


(77) When determining the amount of the data protection fine, the following circumstances - as
      stated in paragraph (187) of the justification of the Decision - neither aggravated nor
      mitigated the amount of the fine; they had a neutral effect:

       - After the completion of the proof procedure, the Obligor published on its website, effective
          from January 17, 2023, modified data management information that fully describes the
          investigated data management operations and the recipients, but is still unclear regarding
          the mandatory age check; however, in view of the date of the committed violation
          (August 4 - 31, 2022), this can no longer be assessed as a measure taken in order to
          mitigate the damage [General Data Protection Regulation Article 83 (2) point c)];
       - After the completion of the proof procedure, on January 16 and 17, 2023, the Obligor
          presented the data protection documents revised in the meantime to the regional managers in
          the context of personal education; the regional managers were then given the task of
          replacing the data protection documents in all stores by January 31, 2023 at the latest;
          however, in view of the period that has passed since the date of the breach
          (August 4 - 31, 2022), this can no longer be evaluated as a mitigating circumstance
          [General Data Protection Regulation Article 83 (2) point c)];
       - A data protection violation by the Obligor, due to violation of the General Data Protection
          Regulation, has already been established twice; however, the Authority did not consider
          these infringements relevant in terms of the data management evaluated in this official
          data protection procedure [data protection investigation procedures under case number
          NAIH-987/2021 (previous case number: NAIH/2020/8690) and case number NAIH-1044/2021
          (previous case number: NAIH/2020/2255)] [General Data Protection Regulation Article 83 (2)
          point e)];
       - The Obligor cooperated with the Authority during the procedure, but based on judicial
          practice and the practice of the Authority this is a legal obligation, the absence of which
          could be an aggravating circumstance. Paragraph [36] of the Justification of the Judgment
          also confirmed this [General Data Protection Regulation Article 83 (2) point f)].

(78) When determining the amount of the data protection fine in the Decision, the Authority
      originally took into account 4 mitigating, 6 aggravating and 4 neutral circumstances [see:
      paragraphs (185) – (187) of the justification of the Decision]. Pursuant to paragraph [42] of
      the Justification of the Judgment, the Authority no longer evaluated the longer duration of the
      infringement as an aggravating circumstance (which was found in the 3rd indent of paragraph
      (186) of the justification of the Decision, in addition to the further circumstances according
      to which the violations existed on a national level and were not random). Paragraph [42] of the
      Justification of the Judgment also stated that the Authority "should not take into account
      circumstances related to the preservation in the log file during the consideration". In view
      of this, however, when determining the amount of the data protection fine during this repeated
      data protection official procedure, the Authority no longer took into account as a mitigating
      circumstance the circumstance evaluated in the 2nd indent of paragraph (185) of the
      justification of the Decision, on the basis of which, according to the Obligor's statement, it
      applied protection measures proportionate to the risks in relation to the log files containing
      the personal data [General Data Protection Regulation Article 83 (2) point d)].


(79) Considering paragraphs [30], [31] and [42] of the Justification of the Judgment, when imposing
      the fine in the repeated data protection official procedure the Authority determined the
      amount of the fine taking into account the narrower scope of the violation; it did not take
      circumstances related to retention in the log file into account during its consideration; and
      it did not assess as an aggravating circumstance the longer duration of the infringement
      established in connection with the mandatory age verification (inspection, input). However,
      the Authority cannot disregard the fact that the Obligor - based on paragraph [39] of the
      Reasoning of the Judgment, and not disputed by it either - committed several violations;
      violated several fundamental provisions; furthermore, the number of those affected was
      significant; and the violations existed at the national level and were not random.

(80) Based on the above [see: paragraphs (68) – (79) of the reasons for this decision] and all the
      circumstances of the case, of the 6 aggravating circumstances originally considered in the
      Decision, the Authority no longer assessed 1 circumstance (the longer duration of the
      violation) as an aggravating circumstance during the present repeated data protection official
      procedure, so - even though not every violation can be considered to be of the same weight -
      it reduced the amount of the fine originally imposed in the Decision (HUF 95,000,000) by
      roughly 1/6 (HUF 15,000,000) and thus decided to impose a data protection fine of
      HUF 80,000,000 in total. The amount of the data protection fine imposed in the present
      decision - taking into account the provisions of paragraph [42] of the Reasoning of the
      Judgment - thus became proportionately less than the fine originally imposed in the Decision.


(81) Based on the above and all the circumstances of the case, the Authority considered the
      imposition of a data protection fine in the amount stated in the operative part to be
      proportionate, dissuasive and effective in terms of both special and general prevention; this
      amount is still significantly below the maximum fine; at the same time it is proportionate to
      the severity of the violations and, in comparison with the sales data for 2021, it cannot
      represent a disproportionate financial burden for the Obligor. In other cases this amount may
      be significantly different based on individual circumstances; it does not bind the Authority
      in other matters.

(82) On April 26, 2023, the Obligor paid to the Authority the HUF 95,000,000 data protection fine
      imposed in point 3 of the Decision [see: file number NAIH-3227-4/2023]. In view of this, the
      Authority ex officio arranges for the difference between the data protection fines imposed in
      the Decision and in this decision to be repaid to the Obligor.

(83) In view of the period during which the violations existed, as well as the fact that, when
      making the Decision, the Authority did not have to apply the European Data Protection Board's
      Guidelines No. 04/2022 on the calculation of administrative fines according to the General
      Data Protection Regulation (hereinafter: Guidelines), the Authority also refrains from applying
      the Guidelines during the current repeated data protection official procedure. At the same
      time, the Authority notes that if the Guidelines were applied in the present case, the amount
      of the data protection fine would significantly exceed the amount of the fine contained in
      both the Decision and this decision.

V.2. Publication of the decision

(84) Pursuant to paragraph [42] of the Reasoning of the Judgment, the Authority "must decide again,
      in connection with the data management implemented by inspection or input, on the legal
      consequence applicable due to the established violations".


(85) Pursuant to Infotv. § 61, paragraph (2): "The Authority may order the disclosure of its
      decision - by publishing the identification data of the data manager or the data processor -
      if
       a) the decision affects a wide range of persons,
       b) it was brought in connection with the activities of a body performing a public task, or
       c) the seriousness of the infringement justifies disclosure."

(86) In point 4 of the Decision, on the basis of Infotv. § 61, paragraph (2), point a), the
      Authority ex officio ordered the publication of its final Decision, with the identification
      data of the Obligor, on the website of the Authority, and ordered that it must be available on
      the opening page of the Obligor's website, in a clearly visible and easily accessible place,
      within 30 days of the decision becoming final, for at least 30 days.

(87) Based on the provisions of paragraph [40] of the Justification of the Judgment, in connection
      with the order to publish the final Decision on the websites of the Obligor and of the
      Authority, the Metropolitan Court established that the Authority specifically based this on
      Infotv. § 61, paragraph (2), point a), which was clearly stated in point 4 of the operative
      part of the Decision and also in paragraph (194) of its justification. The Authority justified
      the disclosure not by the weight of the infringement, but by the fact that the Decision
      affected a wide range of people. Considering that the Obligor ordered the objectionable data
      management practice on a general basis, nationally and comprehensively for all stores, i.e.
      during the investigation period it ordered the challenged practice to be used in the case of
      every person buying an alcoholic drink, it can be established without doubt that the Decision
      affected a wide range of persons. On account of this circumstance alone, the Authority could
      order the publication of the Decision on the basis of Infotv. § 61, paragraph (2), point a).

(88) On the basis of the above, with regard to point 4 of the Decision, which ordered publication,
      the Metropolitan Court rejected the Obligor's claim based on Kp. Section 88, paragraph (1),
      point a) (see paragraph [41] of the Justification of the Judgment).


(89) Considering that the Obligor - based on paragraph [39] of the Justification of the Judgment,
      and not disputed by it either - committed several violations of law and also violated several
      fundamental provisions, the Authority considered the nature of the violations to be moderately
      serious; based on paragraph [39] of the Justification of the Judgment, this assessment is not
      unreasonable even though the Obligor's practice of keeping the data in the log file "was not
      illegal". The number of people involved was significant, the violations existed on a national
      level covering all of the Obligor's business and were not of an ad hoc nature, and a wide
      range of natural persons were affected.

(90) Since the decision made in this repeated data protection official procedure is closely related
      to the Decision and is to be evaluated together with it, in view of the above [see: paragraphs
      (84) – (89) of the justification of this decision] - similarly to the Decision - the
      Authority, on the basis of Infotv. § 61, paragraph (2), point a), ex officio ordered the
      publication of the final decision made in the present repeated data protection official
      procedure, with the Obligor's identification data, not only on the Authority's own website but
      also on the opening page of the Obligor's website, in a clearly visible and easily accessible
      place, for at least 30 days from the present decision becoming final.


VI. Other questions


(91) The competence of the Authority is defined by paragraphs (2) and (2a) of § 38 of the Infotv.;
      its jurisdiction covers the entire territory of the country.

(92) This decision of the Authority is based on §§ 80-81 of the Ákr. and paragraph (1) of § 61 of
      the Infotv. Based on § 82, paragraph (1) of the Ákr., the decision becomes final upon its
      publication. Based on § 112, § 114, paragraph (1), and § 116, paragraph (1) of the Ákr.,
      there is room for legal redress against the decision through an administrative lawsuit.


(93) The rules of administrative proceedings are determined by the Kp. Based on Kp. § 12,
      paragraph (1), the administrative lawsuit against the Authority's decision falls within the
      competence of the courts; on the basis of Kp. § 13, paragraph (3), point a), subpoint aa), the
      Metropolitan Court has exclusive jurisdiction over the lawsuit. According to Kp. § 27,
      subsection (1), point b), legal representation is mandatory in a legal dispute in which the
      court has exclusive jurisdiction. According to Kp. § 39, paragraph (6), the submission of the
      claim does not have the effect of postponing the entry into force of the administrative act.

(94) According to Kp. § 29, paragraph (1) and, in view of this, § 604 of Act CXXX of 2016 on the
      Code of Civil Procedure, which is applicable, and according to § 9, paragraph (1), point b) of
      Act CCXXII of 2015 on the general rules of electronic administration and confidential
      services, the client's legal representative is obliged to maintain electronic contact.


(95) The time and place of filing a claim against the Authority's decision are defined by Kp.
      § 39, paragraph (1). The information about the possibility of a request to hold a hearing is
      based on Kp. § 77, paragraphs (1) – (2). The fee for the administrative lawsuit is determined
      by § 45/A, paragraph (1) of Act XCIII of 1990 on the levy (hereinafter: Itv.). Itv. § 59,
      paragraph (1) and § 62, paragraph (1), point h) exempt the party who initiated the procedure
      from the advance payment of the fee.


(96) If the Obligor does not adequately certify the fulfillment of the prescribed obligation, the
      Authority considers that the obligation was not fulfilled within the deadline. According to
      Ákr. § 132, if the Obligor did not comply with the obligation contained in the final decision
      of the authority, it is enforceable. Pursuant to Ákr. § 133, paragraph (1), enforcement -
      unless otherwise provided by law or government decree - is ordered by the decision-making
      authority. Pursuant to Ákr. § 134, paragraph (1), enforcement - unless a law, a government
      decree or, in the case of municipal authorities, a local government decree provides otherwise -
      is undertaken by the state tax authority. Based on Infotv. § 61, paragraph (7), the Authority
      undertakes the implementation of its decision in relation to the obligation contained in the
      decision to carry out a specific act, to perform a specific behavior, to tolerate or to stop.

Budapest, according to the electronic signature and time stamp






                                                       Dr. Habil. Attila Péterfalvi
                                                        president, c. university teacher