NAIH (Hungary) - NAIH-2857-20/2021: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Hungary |DPA-BG-Color=background-color:#7f0037; |DPAlogo=LogoHU.jpg |DPA_Abbrevation=NAIH (Hungary) |DPA_With_Country=NAIH (Hungary) |Case_Num...") |
|||
Line 70: | Line 70: | ||
NAIH established that for the purposes of sending the client satisfaction survey e-mails, the importer was to be deemed the data controller, as it was solely responsible for deciding the nature, tools and purposes of processing. The repair shop acted merely as processor for the importer. As such, NAIH rejected the original complaint against the repair shop, as it did not act as the controller for the data. | NAIH established that for the purposes of sending the client satisfaction survey e-mails, the importer was to be deemed the data controller, as it was solely responsible for deciding the nature, tools and purposes of processing. The repair shop acted merely as processor for the importer. As such, NAIH rejected the original complaint against the repair shop, as it did not act as the controller for the data. | ||
However, the Authority expanded the investigation, ex officio, to the importer. In this regard, NAIH held that the importer was in breach of Articles [[Article 5 GDPR#1a|5(1)(a)]], [[Article 5 GDPR#2|5(2)]], [[Article 12 GDPR#1|12(1)]] and [[Article 13 GDPR|13]] of the GDPR, for not providing sufficient information regarding the processing in a transparent, clear and comprehensive manner. | However, the Authority expanded the investigation, ex officio, to the importer. In this regard, NAIH held that the importer was in breach of Articles [[Article 5 GDPR#1a|5(1)(a)]], [[Article 5 GDPR#2|5(2)]], [[Article 12 GDPR#1|12(1)]] and [[Article 13 GDPR|13]] of the GDPR, for not providing sufficient information regarding the processing in a transparent, clear and comprehensive manner. | ||
The DPA also held that the importer had no legal ground for processing the data under [[Article 6(1) GDPR]]. NAIH argued that the legitimate interest legal ground was not applicable for processing data for the purpose of sending of the satisfaction surveys, because the necessary prerequisites explained in Recital (47) of the GDPR regarding reasonable expectations and other guarantees have not been fulfilled. The Authority especially emphasised that the data subject had no opportunity to express prior objection to the processing of their data. | The DPA also held that the importer had no legal ground for processing the data under [[Article 6 GDPR#1|6(1) GDPR]]. NAIH argued that the legitimate interest legal ground was not applicable for processing data for the purpose of sending of the satisfaction surveys, because the necessary prerequisites explained in Recital (47) of the GDPR regarding reasonable expectations and other guarantees have not been fulfilled. The Authority especially emphasised that the data subject had no opportunity to express prior objection to the processing of their data. | ||
Finally, NAIH also examined, ex officio, whether the importer's overall data processing practices raised any data protection concerns. The DPA noted that as a general practice, the importer did not disclose in its e-mails that it acted as the data controller, where it obtained the data from, and from where the data subject can obtain more information regarding the processing. NAIH also argued that the importer was in breach of the data minimisation principle, because the processing of the data subjects' address, age, gender, telephone number and car registration identifiers were not necessary for the purposes of conducting client satisfaction surveys. | Finally, NAIH also examined, ex officio, whether the importer's overall data processing practices raised any data protection concerns. The DPA noted that as a general practice, the importer did not disclose in its e-mails that it acted as the data controller, where it obtained the data from, and from where the data subject can obtain more information regarding the processing. NAIH also argued that the importer was in breach of the data minimisation principle, because the processing of the data subjects' address, age, gender, telephone number and car registration identifiers were not necessary for the purposes of conducting client satisfaction surveys. | ||
When it comes to remedies and penalties, the Authority decided that there was no further action necessary in the individual case brought by the data subject. However, NAIH decided to impose a fine of €13,500 (5,000,000 HUF) under [[Article 83 GDPR#2|Article 83(2)]] for the general data processing practices of the importer, and ordered it to bring its processing operations into compliance with the GDPR under [[Article 58 GDPR#2d|Article 58(2)(d)]]. | When it comes to remedies and penalties, the Authority decided that there was no further action necessary in the individual case brought by the data subject. However, NAIH decided to impose a fine of €13,500 (5,000,000 HUF) under [[Article 83 GDPR#2|Article 83(2)]] for the general data processing practices of the importer, and ordered it to bring its processing operations into compliance with the GDPR under [[Article 58 GDPR#2d|Article 58(2)(d)]]. |
Latest revision as of 11:03, 21 January 2022
NAIH (Hungary) - NAIH-2857-20/2021 | |
---|---|
Authority: | NAIH (Hungary) |
Jurisdiction: | Hungary |
Relevant Law: | Article 5(1) GDPR Article 5(2) GDPR Article 6(1) GDPR Article 12(1) GDPR Article 13 GDPR Article 58(2)(d) GDPR Article 83(2) GDPR |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | |
Decided: | 27.10.2021 |
Published: | 15.12.2021 |
Fine: | 5000000 HUF |
Parties: | n/a |
National Case Number/Name: | NAIH-2857-20/2021 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Hungarian |
Original Source: | NAIH (in HU) |
Initial Contributor: | Tapir |
Hungarian DPA fines car importer €13,500 (HUF 5,000,000) for sending client satisfaction surveys without a lawful legal ground, and breaching the principles of transparency, accountability and data minimisation in the process.
English Summary
Facts
A data subject submitted a complaint to the Hungarian DPA after receiving unsolicited e-mails regarding their satisfaction with a car repair service they used earlier. The repair service claimed that it was not the controller in the case, as the communications were sent by another entity, the importer of a specific car brand to Hungary ('importer'). NAIH therefore expanded the inquiry to this importer on its own motion (ex officio). The importer argued that processing personal data for the purpose of ensuring consumer satisfaction was its legitimate interest under Article 6(1)(f) of the GDPR, for which it also conducted the necessary legitimate interest assessment. The importer provided data processing information to the data subjects via printed documents at the reception of the car repair service, and claimed that employees at the service were also tasked to provide information about the processing orally. However, in this specific case, the data subject was only informed that the provision of their e-mail address is not compulsory, but was not provided information regarding the processing to be conducted by the importer regarding surveying client satisfaction either orally or in writing, and was not asked for their consent in this regard. NAIH subsequently expanded the inquiry to the general data protection practices of the importer.
Holding
NAIH established that for the purposes of sending the client satisfaction survey e-mails, the importer was to be deemed the data controller, as it was solely responsible for deciding the nature, tools and purposes of processing. The repair shop acted merely as processor for the importer. As such, NAIH rejected the original complaint against the repair shop, as it did not act as the controller for the data. However, the Authority expanded the investigation, ex officio, to the importer. In this regard, NAIH held that the importer was in breach of Articles 5(1)(a), 5(2), 12(1) and 13 of the GDPR, for not providing sufficient information regarding the processing in a transparent, clear and comprehensive manner. The DPA also held that the importer had no legal ground for processing the data under 6(1) GDPR. NAIH argued that the legitimate interest legal ground was not applicable for processing data for the purpose of sending of the satisfaction surveys, because the necessary prerequisites explained in Recital (47) of the GDPR regarding reasonable expectations and other guarantees have not been fulfilled. The Authority especially emphasised that the data subject had no opportunity to express prior objection to the processing of their data. Finally, NAIH also examined, ex officio, whether the importer's overall data processing practices raised any data protection concerns. The DPA noted that as a general practice, the importer did not disclose in its e-mails that it acted as the data controller, where it obtained the data from, and from where the data subject can obtain more information regarding the processing. NAIH also argued that the importer was in breach of the data minimisation principle, because the processing of the data subjects' address, age, gender, telephone number and car registration identifiers were not necessary for the purposes of conducting client satisfaction surveys. When it comes to remedies and penalties, the Authority decided that there was no further action necessary in the individual case brought by the data subject. However, NAIH decided to impose a fine of €13,500 (5,000,000 HUF) under Article 83(2) for the general data processing practices of the importer, and ordered it to bring its processing operations into compliance with the GDPR under Article 58(2)(d).
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
Registration number: NAIH-2857-20 / 2021 Subject: Decision DECISION Before the National Data Protection and Freedom of Information Authority (hereinafter: the Authority) ……………………. applicant (address: ……………………………………………… .; a hereinafter referred to as the "Applicant") (registered office: …………………………………………… .; hereinafter: the Applicant) 2021. his application for unlawful processing of personal data lodged on 23 February in which the Authority granted client status to ………………………………………. ……………………… .. (registered office: ……………………………. ……………………; hereinafter referred to as "the Importer"), and The Authority extended the subject matter of the customer satisfaction survey carried out by the Applicant and the Importer. to examine general data management practices related to measurement - the following decisions brings: I. The Authority shall request the Applicant to establish that the Applicant unlawfully transmitted in the absence of adequate individual information and a valid legal basis The email address of the applicant and the technical identification of his vehicle to the Importer, rejects. II. The Authority shall establish ex officio that the importer is provided with appropriate individual information and handled the Applicant's email address, address and telephone number in the absence of a valid legal basis, as well as the technical identification data of your vehicle, thus the Importer is the personal identity of the Applicant violated a on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC Article 5 (1) of Regulation (EU) No 2016/679 (hereinafter referred to as the General Data Protection Regulation) the principle of lawful and transparent data processing in accordance with Article 12 (1) and Article 13 of the General Data Protection Regulation - concise, transparent, comprehensible and easy to use the provision of information in an accessible form that is clear and comprehensible pursuant to Article 5 (2) of the General Data Protection Regulation accountability and the general data protection regulation as regards the legal basis Article 6 (1). III. The Authority will determine ex officio that the Importer is measuring customer satisfaction for reasons explained in the explanatory memorandum lawful and transparent data processing in accordance with Article 5 (1) (a) of the Data Protection Regulation Article 5 (1) (c) of the General Data Protection Regulation principle of data protection, Article 6 (1) of the General Data Protection Regulation and general Article 13 of the Data Protection Regulation. ARC. Due to the above data breaches, the Authority will notify the Importer ex officio HUF 5,000,000, ie HUF 5 million data protection fine obliges to pay. 2 V. The Authority considers the general data protection regulation in view of the infringing data processing practices Pursuant to Article 58 (2) (d), the importer shall be required ex officio to within 30 days of the date of receipt of this Decision with the provisions of the General Data Protection Regulation in the explanatory memorandum to this decision as explained above. The fulfillment of this decision by the Importer shall become final within 30 days of the divorce. in writing - the supporting evidence to the Authority. A IV. within 30 days of the final adoption of this Decision Authority's centralized revenue collection special purpose forint account (10032000- 01040425-00000000 Centralized direct debit IBAN: HU83 1003 2000 0104 0425 0000 0000). When transferring the amount, "NAIH-2857/2021 JUDGMENT." for should be referred to. Failure by the Importer to meet its obligation to pay the fine within the time limit shall be delayed The amount of the late payment allowance is the statutory interest, which is equal to the central bank base rate valid on the first day of the calendar half-year concerned. Failure to pay the fine and the penalty payment and the obligation under point V above in the event of non-compliance, the Authority shall order enforcement of the decision. There is no administrative appeal against the decision, but it is from the communication within 30 days of the action brought before the Metropolitan Court in an administrative action can be challenged. The application shall be submitted to the Authority, electronically, which shall be forward it to the court together with the case file. The request for a hearing shall be made by: must be indicated in the application. For those who do not benefit from full personal exemption the fee of the administrative lawsuit is HUF 30,000, the lawsuit is subject to the right to record material fees. The Capital Legal proceedings are mandatory in proceedings before the General Court. EXPLANATORY STATEMENT I. Procedure and clarification of the facts On February 23, 2021, the Applicant submitted an application received by AVDH with authentication a To the authority in which he stated that after having been inspected / serviced by the Applicant your car, gave the Applicant the email address (…………… .. …………….). On this email address On February 12, 2021, he received an unsolicited email with a request to do so fill in a satisfaction questionnaire and then send another email by February 19, 2021. I, in which I was again asked to complete the questionnaire due to a lack of response. Emails a The chassis number of the applicant's ……………… car was also included. The Applicant is did not use the unsubscribe link in the emails, but the authority’s procedure initiated because, in his opinion, emails from a source unknown to him he should not have received it in the first place, and this illegality cannot be remedied afterwards asked to find out. In its application to the Authority, the Applicant requested a declaration that a Applicant has illegally provided the email address provided by the Applicant during servicing to surveyor. for. 3 At the request of the Authority, the Applicant received a reply on 5 May 2021, inter alia He stated that although he also conducts occasional surveys to measure customer satisfaction and for advertising purposes, however, with regard to specific data processing, it was the Importer data controller making data management decisions. For this reason, the Importer has this privacy policy involvement in the regulatory process as a client and further clarification of the facts necessary for which the Authority, in its opinion of 2 June 2021, NAIH-2857-6 / 2021, An order dated 31 May 2021 was sent to the Importer. The Applicant also attached its own data management information to the above reply, which according to his statement, it is also available in print at the reception or at the customer desk. THE According to the Applicant, the Applicant and the Importer as well as the manufacturer of the cars (……………………………., Established in ………………………………………… .., hereinafter referred to as Manufacturers) engaged in joint economic activities in the field of general data protection under this Regulation. Interest balance dated 21 December 2020 attached by the Applicant according to the Applicant as a data controller for market research and customer satisfaction measurement purposes forward data to the Importer and the Manufacturer. This is confirmed by the Requested “2020. ”.. of the data management information notice, which does not indicate the exact scope provided that the Importer also transfers the data to …………… .. as a data processor. In its reply to the Authority's request received on 21 June 2021, the Importer confirmed that that, in its view, the Importer qualifies for the data processing under investigation the purpose and means of the data processing shall be determined by the Importer. The Requested importer brand service partner. In the context of this legal relationship, the Importer and the Applicant there is close cooperation between them. By the Applicant and the brand partners on the standard used worksheet refers to the data management information available on the Importer's website contains a link. The Importer received from the Applicant on January 14, 2021 a Applicant's contact email address and technical details of the vehicle repair. This data is The importer has provided a customer satisfaction report to its data processor, ……………………. for transmission to a third party. Importer 's declaration and According to the data management information available on the importer 's website, the the legal basis for the processing of data for customer satisfaction surveys is the importer's legitimate interest in as the sole importer of …………… .. motor vehicles in Hungary the Hungarian dealership and service partners are of the expected quality requirements. In this regard, the Importer also has a balancing test attached to your answer. According to the prospectus, the range of data processed is the customer's wiring and first name, email address, home address, telephone number, chassis number, registration number of your vehicle, technical data, the name of the dealer or service center used, the name used the date of service and the content of any feedback. According to the Importer 's declaration it is industry practice to measure customer satisfaction. As the Applicant is responsible for informing and securing the right to object its reply was not complete and the Authority again requested further clarification of the facts contacted the Importer and the Applicant. The importer received the second request from the Authority on 30 July 2021 stated that the individual information of the data subjects would be provided as an annex to the worksheet printed data management information, this is the expected procedure for brand partners towards. The Applicant's second request to the Authority was sent electronically on 28 July 2021 by post In a submission received on July 30, 2021, he stated that at the reception and the 1https: // ……………………………………… 4 made available at the customer desk by printing the data management information. In addition, the The importer expects its general procedure to be informed orally about the data processing the client is provided with the data management when requesting the data and as an attachment to the worksheet printed version of the prospectus. Verbal information includes, but is not limited to, email address is optional. In the individual case, according to the Applicant's statement about it the Applicant was informed orally that the provision of the e - mail address is not mandatory, however The Applicant did not receive any special information on its use for customer satisfaction measurement. THE in the present individual case, the Applicant's employee has failed to complete the worksheet, Applicant's signature and a printed version of the data management information as an annex to the worksheet. The Applicant attached the unfilled worksheet which contains a link to the Importer 's website, but is not in relation to the measurement of customer satisfaction, but specifically the performance of the contract and data processed in connection with the performance of the service on the basis of a legal obligation provide a reference as a source of more detailed information on this data processing. In addition to the survey prepared by the Importer, the Applicant shall also sent a separate satisfaction survey to the Applicant, against which the Applicant did not he protested, filling it out and sending it back. On 12 July 2021, the Authority sent the Applicant a summary of the information disclosed so far relevant facts. Based on the replies of the Applicant and the Importer, the individual case could not be considered a Without examining the general practice regarding the processing of data relating to an applicant, therefore, on 11 August 2021, the Authority ex officio extended the proceedings to the Applicant and general data management related to the customer satisfaction measurement performed by the Importer practice. The Authority’s general practice and the General Administrative Procedure Act 2016 year CL. (hereinafter: Ákr.) for final declarations pursuant to § 76 given in his reply received on September 2, 2021, the Applicant sent his own separately questions used in connection with customer satisfaction measurement and the Applicant provided this personal data to be transmitted to the Importer and stated that maintains its statements of 4 May 2021 on the issue that why some of the personal data transmitted is needed to measure customer satisfaction. E in this respect, it reiterated the balance of interests which did not require each type of data however, indicated that the exact answer regarding the data transfer was given is within the competence of the Importer, the Applicant is bound only by the Importer acted on the basis of his contract. It also claimed that under the contract with the Importer, had to make a commitment in return for the rights granted to the Applicant in the contract to meet and control the highest level of customer needs to ensure data transmission. The minimum requirements, the related framework and corner points shall be determined unilaterally by the Importer on an annual basis. The Importer shall sign the contract may terminate unilaterally if the customer satisfaction the result of the measurement does not meet the values specified by the Importer. For the Manufacturer a Applicant does not transfer personal data. For the Importer for servicing information is transmitted in a personal manner, as it considers that necessary to measure customer satisfaction and improve customer relationships. identification. In his opinion, improving customer relationships is also in the interest of customers. The Ákr. Pursuant to § 76, the Applicant maintained his declaration that he had not committed breach of data protection when the email address of the Applicant was forwarded by the For importer. In its view, the relationship between the Applicant and the parties concerned is relevant and there is a proper connection and the data transmitted are not unnecessarily affected or disproportionately to the privacy of the data subject and the widespread use of the 5 you can expect this because of practice. The Requested in the present case and generally serious resources mobilize in order to provide its employees with adequate awareness and knowledge handle customers ’personal information. He highlights his responsibilities among that has fulfilled its obligation to provide data under its contract with the Importer, As per importer's expectations. He also asks to take into account that the Authority has not yet done so established a data breach against the Applicant, did everything in its power to do so and the current COVID-19 situation for the whole sector is extremely high had a negative effect. The applicant also states that it qualifies as an SME. The Authority's general practice and the Ákr. 76. for final declarations In its reply received on 13 September 2021, the Importer sent customer satisfaction survey, the questions of which were included in the Applicant questions from a separate set of questions and other questions, including the gender of the person concerned and about his age. The Importer also stated that the chassis number of the vehicle (and present not in the case of service, only the registration number in case of sale of a new vehicle) manage customer satisfaction measurement to identify which one the opinion of the customer concerned in relation to the vehicle. According to the Importer 's declaration the customer's name, email address, telephone number, and home address are all required to complete the questionnaire contact and, if necessary, further contact based on the answers. Vehicle breakdown details and service name, location and time of service his data are necessary to understand what work he was satisfied with and dissatisfied with the customer. Data handled in relation to customer satisfaction measurement they are not required for any other purpose, they shall be handled by the Importer only for that purpose. Customers and the identification of the vehicle is handled independently by the Importer for other purposes, but not as a result of data transmission. If the customer does not consent to your data will be forwarded anonymously to the Importer by the surveyor data processor. Customer identification matters if it is negative in the event of an opinion, the complaint must be investigated. The Importer is only aggregated towards the Manufacturer transmits anonymous statistics, not specific personal data. Importer 's declaration According to it, it receives service data from branded services connected to a natural person the Importer because that is the only way to perform the customer satisfaction measurement. Attached to the answer brand service contract copy IV. Confirmed by the Applicant on 2 September 2021 that the transfer is unilateral by the Importer imposed an obligation on the Applicant and the terms thereof unilaterally by the Importer is entitled to determine and change, while the Applicant is not entitled to do so. For the answer copy of the attached brand service contract According to Article V (5), the brand service is obliged to Establish and keep up-to-date a customer register in the form specified by the importer, whose data must be communicated to the Importer on a regular and continuous basis ………………. traceability of motor vehicles, current and future traceability of compliance with regulations, organization of possible recall campaigns and tracking, organizing public opinion polls among end customers, customers developing and recommending products and services that best meet your expectations for the purpose. Regardless, the Importer and the Requested are independent economic operators, independent act as data controllers. The Ákr. Pursuant to Article 76, the Importer has maintained his declaration that that he had not committed a breach of data protection, acted in full law and emphasizes that that you only receive the results of the customer satisfaction measurement from the data processor if if the customer has consented to the disclosure of his name. The purpose of customer satisfaction measurement primarily the examination of trends, trends, is not the focus of a given customer's responses examination, only in case of a negative opinion or complaint. The Importer's data management operations due diligence and compliance with applicable legislation, so far no complaints were received about the data processing, and the Authority has not yet acted on this Regarding importer data management. Nevertheless, a possible legal consequence 6 the importer requests that the current situation of COVID-19 be taken into account had an extremely negative impact on the sector as a whole, as well as the following circumstances: - the nature, scope and purpose of the data processing are not such as to seriously affect the data subject would invade his private sphere, the persons concerned do not suffer any damage and, moreover, as explained above, data management also serves the interests of data subjects, - the alleged infringement is negligent, the Importer, as data controller, has not previously committed a data breach, such as Authority did not establish, Importer was not ordered to general one of the measures referred to in Article 58 (2) of the Data Protection Regulation, and compliance with the measures in question, - the importer cooperated in good faith with the Authority throughout the proceeding, - the categories of personal data concerned by the processing do not fall into any particular category personal data, nor personal data that is deeply concerned would invade his privacy. The Ákr. Pursuant to Section 76, the Authority summoned the Applicant on 15 September 2021 to submit its final statements, which was invited by the Applicant on 17 September 2021 but did not submit a statement within that 15-day period or application. In the absence of any declaration by the Importer, the Authority Beszamolo.im.gov.hu recorded on the basis of a public online database that the Importer The annual net sales (turnover) of the company was HUF,, the profit after tax and was HUF. II. Applicable legal provisions According to Article 2 (1) of the General Data Protection Regulation, the general data protection Regulation should apply to personal data in a partially or fully automated manner and the non-automated processing of data which are part of a registration system or are part of a registration system they want to be part of. Under Article 4 (1) of the General Data Protection Regulation, "personal data" are identified or any information relating to an identifiable natural person ("data subject"), including also the online ID. Under Article 4 (2) of the General Data Protection Regulation, "processing" is personal performed on data or files in an automated or non-automated manner an operation or set of operations, such as collecting, recording, organizing, segmenting, storing, modification or alteration, querying, viewing, use, transmission of communication, by distribution or otherwise making available, coordination or linking, restricting, deleting or destroying. Under Article 4 (7) of the General Data Protection Regulation, "controller" means a natural or legal person, public authority, agency or any other body which is personal determine the purposes and means of data processing, either individually or in association with others. Under Article 4 (8) of the General Data Protection Regulation, a "processor" is a natural person or a legal person, public authority, agency or any other body which is handles personal data on behalf of the data controller. 7 Under Article 4 (10) of the General Data Protection Regulation, a "third party" is a natural person or a legal person, public authority, agency or any other body which is not is the same as the data subject, the controller, the processor or the persons who for the processing of personal data under the direct control of the controller or processor have been authorized. According to Article 5 (1) (a) of the General Data Protection Regulation, personal data be processed lawfully and fairly and in a manner that is transparent to the data subject ("legality, due process and transparency"). Pursuant to Article 5 (1) (c) of the General Data Protection Regulation, the purposes of data processing they must be appropriate and relevant and necessary limited (‘data saving’). Pursuant to Article 5 (2) of the General Data Protection Regulation, the controller is responsible for shall be able to demonstrate such compliance (“Accountability”). According to Article 6 (1) (f) of the General Data Protection Regulation, a processing of personal data if the processing is lawful by the controller or a third party necessary to safeguard its interests, unless those interests take precedence enjoy the interests or fundamental rights and freedoms of the data subject which are personal data protection, especially if the child concerned. The first three sentences of recital 47 of the General Data Protection Regulation the controller, including the controller with whom the personal data may be communicated Or the legitimate interest of a third party may provide a legal basis for the processing, provided that: the interests, fundamental rights and freedoms of the data subject shall not take precedence based on his relationship with the controller. That's right there may be an interest, for example, where there is a relevant and appropriate relationship between the data subject and the controller, for example in cases where the controller is a customer or is employed by it. To establish the existence of a legitimate interest in any case, it must be carefully examined, inter alia, whether the person concerned: at the time of and in connection with the collection of personal data reasonably that the data may be processed for that purpose. Pursuant to Article 12 (1) of the General Data Protection Regulation, the controller is appropriate take measures to ensure the processing of personal data by the data subject all the information referred to in Article 13 and Articles 15 to 22 and Article 34 each piece of information in a concise, transparent, comprehensible and easily accessible form, in a clear and comprehensible manner, especially for children for any information. Article 13 of the General Data Protection Regulation lists the minimum required information that the controller is obliged to provide to the data subject, if any personal data relating to the data subject are collected from the data subject: (a) the identity of the controller and, if any, of the controller 's representative; and contact details; (b) the contact details of the Data Protection Officer, if any; (c) the purpose of the intended processing of the personal data and the legal basis for the processing; 8 (d) based on Article 6 (1) (f) of the General Data Protection Regulation in the case of data processing, the legitimate interests of the controller or of a third party; (e) where applicable, the recipients or categories of recipients of the personal data, if any; (f) where applicable, the fact that the controller is in a third country or internationally personal data to the organization and the Commission the existence or absence of a decision on compliance or general data protection Article 46, Article 47 or the second subparagraph of Article 49 (1) of this Regulation appropriate and suitable guarantees in the case of the transfer referred to in the first subparagraph and the means of obtaining a copy of them reference to contact details. (g) the period for which the personal data will be stored or, failing that, the aspects of determining the duration; (h) the data subject's right to request from the controller the personal data concerning him or her access to, rectification, erasure or restriction of the processing of data, and may object to the processing of such personal data as well as to the data subject the right to data portability; (i) Article 6 (1) (a) or Article 9 (2) of the General Data Protection Regulation; In the case of data processing based on paragraph 1 (a), the consent shall be given at any time the right to withdraw the consent, which shall not affect the withdrawal of the consent prior to the withdrawal the lawfulness of data processing carried out on the basis of (j) the right to lodge a complaint with the supervisory authority; (k) whether the provision of personal data is legal or contractual whether it is based on an obligation or a precondition for concluding a contract and whether the person concerned whether it is obliged to provide personal data and how possible they may have consequences for non-reporting; (l) the automated data referred to in Article 22 (1) and (4) of the General Data Protection Regulation decision-making, including profiling, and at least in these cases the logic used and the understandable information that such data management what significance it has and what the expected consequences are for the data subject. Information processing covered by the General Data Protection Regulation CXII of 2011 on the right to self-determination and freedom of information Act (a hereinafter: Infotv.) pursuant to Section 2 (2) of the General Data Protection Decree therein shall apply with the additions set out in the provisions set out in Infotv. Enforcement of the right to the protection of personal data pursuant to Section 60 (1) To that end, the Authority shall, at the request of the data subject, initiate a data protection authority procedure and may initiate ex officio data protection proceedings. Infotv. Pursuant to Section 61 (1) (a), it was taken in a data protection official proceeding In its decision, the Authority Data management specified in Section 2 (2) defined in the General Data Protection Regulation in the context of may apply legal consequences. Infotv. Pursuant to Section 71 (2), the Authority has lawfully acquired it in the course of its proceedings use a document, data or other means of proof in another procedure. 9 Infotv. 75 / A. Pursuant to Article 83 (2) to (6) of the General Data Protection Regulation, the Authority exercise the powers set out in paragraph 1 in accordance with the principle of proportionality, in particular by providing that the law on the processing of personal data or the Requirements set out in a binding act of the European Union Article 58 of the General Data Protection Regulation in particular by alerting the controller or processor. In accordance with Article 58 (2) (d) of the General Data Protection Regulation, the Authority shall issue instructions the controller or processor to carry out its data processing operations, as appropriate in a specified manner and within a specified period, bring this Regulation into line provisions. Pursuant to Article 58 (2) (i) of the General Data Protection Regulation, the Authority shall shall impose an administrative fine in accordance with Article 1, depending on the circumstances of the case in addition to or instead of the measures referred to in this paragraph. Pursuant to Article 83 (1) of the General Data Protection Regulation, all supervisory authority shall ensure that any breach of this Regulation referred to in paragraphs 4, 5 and 6 the administrative fines imposed pursuant to this Article are effective in each case, be proportionate and dissuasive. According to Article 83 (2) of the General Data Protection Regulation, administrative fines Article 58 (2) of the General Data Protection Regulation, depending on the circumstances of the case. shall be imposed in addition to or instead of the measures referred to in points (a) to (h) and (j) of In deciding whether it is necessary to impose an administrative fine, or a the amount of the administrative fine in each case the following must be taken into account: (a) the nature, gravity and duration of the infringement, taking into account the nature of the infringement in question the nature, scope or purpose of the processing and the number of data subjects affected by the breach and the extent of the damage they have suffered; (b) the intentional or negligent nature of the infringement; (c) the damage suffered by the data subject by the controller or the processor any measures taken to alleviate (d) the extent of the responsibility of the controller or processor, taking into account its responsibilities technical and administrative measures taken pursuant to Articles 25 and 32 of the General Data Protection Regulation organizational measures; (e) relevant infringements previously committed by the controller or processor; (f) with the supervisory authority, remedy the breach and the breach may be negative the degree of cooperation to mitigate its effects; (g) the categories of personal data concerned by the breach; (h) the manner in which the supervisory authority became aware of the infringement, in particular whether the breach has been reported by the controller or processor and, if so, in what detail; (i) if previously against the controller or processor concerned, in the same referred to in Article 58 (2) of the General Data Protection Regulation compliance with one of those measures; 10 (j) whether the controller or processor has complied with the general data protection rules codes of conduct approved in accordance with Article 40 of this Regulation or the general approved certification mechanisms under Article 42 of the Data Protection Regulation; and (k) other aggravating or mitigating factors relevant to the circumstances of the case, for example, the financial gain obtained as a direct or indirect consequence of the infringement or avoided loss. Pursuant to Article 83 (5) of the General Data Protection Regulation, the following provisions apply in accordance with paragraph 2 administrative fines or, in the case of undertakings, the full financial year of the previous financial year up to 4% of its worldwide turnover, the higher amount shall be charged: (a) the principles of data processing, including the conditions for consent, the general data protection in accordance with Articles 5, 6, 7 and 9 of this Regulation; (b) the rights of data subjects under Articles 12 to 22 of the General Data Protection Regulation. in accordance with Article (c) personal data to a recipient in a third country or to an international organization Articles 44 to 49 of the General Data Protection Regulation. in accordance with Article (d) Article IX of the General Data Protection Regulation. in accordance with the law of the Member States adopted pursuant to this Chapter liabilities; (e) the supervisory authority in accordance with Article 58 (2) of the General Data Protection Regulation temporary or permanent restriction of data processing or non-compliance with the request to suspend the flow of data or the general breach of Article 58 (1) of the Data Protection Regulation failure. Unless otherwise provided in the General Data Protection Regulation, the application was initiated for data protection authority proceedings under Ákr. shall apply in the Infotv with certain deviations. The Ákr. Pursuant to Section 10 (1), a customer is a natural or legal person, other organization, whose right or legitimate interest is directly affected by the matter, to whom the contains official data or has been placed under official control. III. Decision 1. The subject of the proceedings and the identity of the controller The subject of the proceedings initiated on the application is whether the Applicant has been treated unlawfully by the Applicant personal information. The subject of the ex officio extended procedure shall be the processing of the data by the importer, For the purpose of the customer satisfaction survey sent to the Applicant via …………………… examining the lawfulness of data processing in relation to emails in an individual case, in particular Considering that the Importer has the personal data of the Applicant and the data of the service whether it was lawfully obtained from the Applicant. The subject of the ex officio procedure is also the Importer's customer satisfaction survey examination of its general practice in relation to general classification of its interests. 11 Based on the available information, it did not occur in relation to the data management under investigation transfer of personal data to the Manufacturer, so this procedure does not apply to the data management of the Manufacturer and its extension is otherwise limited to the competent French data protection authority would be possible with the involvement of In the absence of such a request, the subject of the proceedings shall not be the Applicant's own data management for the purpose of customer satisfaction surveys with its own questionnaire, as requested by the Applicant complaint was not completed, it was completed and returned by the Applicant and the separate data processing, which is not performed by the Importer. In the present proceedings, the Applicant expressly objects protested that a person other than the Applicant, to the best of his knowledge, also processed your personal data, in this respect it is not legally relevant that the The Applicant also conducted its own survey, which is not disputed by the Applicant. According to the Applicant's statement of 5 May 2021, it is engaged in a joint economic activity Importer and Manufacturer (not investigated in this proceeding). The Importer of 21 June 2021 There is a close co-operation between the Importer and the Applicant. THE Neither the Applicant nor the Importer made such a statement at the repeated request of the Authority or submitted a document which would support joint data processing and was disclosed in the proceedings circumstances do not suggest this either. The data management information of the Applicant is the data transmission for the purpose of the survey (email address, car identification data, service data) designates the Applicant as the data controller. The declarations of the Importer and the Applicant as well as on the website of the Importer are also available decisions regarding the sending of the complained emails brought by the Importer alone, data management directly related to the sending of emails the Importer shall be deemed to be the controller. The Applicant received it on 2 September 2021 and the Importer on 13 September 2021 and the Importer and Applicant attached on 13 September 2021 Part IV of the branded service contract concluded between the and V. both the measurement of customer satisfaction and the related data set and the obligation to provide the Requested Data is the sole responsibility of the Importer it depends on your unilateral decision. Based on this, the Importer can define and modify it at any time unilaterally the purpose, means and means of data management related to customer satisfaction measurement way. This is done through a branded service contract, which is governed by Article 28 of the General Data Protection Regulation. shall constitute a contract defining the processing of data within the meaning of Article 3 (3). The Importer in the light of all the circumstances of the case, a Applicant is considered a data processor in the above legal relationship. In the light of the specific circumstances of the case set out in the grounds of this decision, the present proceedings In respect of the data processing which is the subject of the data, the Importer shall be the sole data controller, the Applicant it only acts as a data processor under the brand service contract. The data processor does not performs independent data management, its activity is considered to be the activity of the data controller, no acts for an independent purpose and legal basis. According to Article 4 (10) of the General Data Protection Regulation the data controller and the person in a contractual relationship with him shall not be considered third parties data processors. Accordingly, it does not qualify as a third party data transfer is the data processing specified by the Importer solely in the interest of the Importer (in case of a negative opinion, the interest of the Applicant) against them) transfers the personal data of the data subjects to the Importer, this is only the Importer constitutes a movement of data within its sphere of interest. 12 2. Rejection of the application As explained above, since the request is the transmission of the Data of the Requested, was intended to establish the illegality of its data processing and the Applicant could not follow the infringement for which the data controller is responsible as the data subject is not the data subject under investigation therefore the Authority rejected the request in accordance with the operative part. However, the Authority examined the data management of the Importer ex officio as set out below the lawfulness of the data and the general data management relating to the subject matter of the present proceedings practice. 3. The processing of the Applicant's personal data by the Importer measurement 3.1. Lack of adequate information According to Article 12 (1) of the General Data Protection Regulation, the Importer as data controller shall take appropriate measures to ensure that the person concerned: all information on the processing of personal data referred to in Article 13 and 15–22. and Article 34 shall be concise, transparent, comprehensible and easy to use in an accessible form, in a clear and comprehensible manner. The system of adequate information in the General Data Protection Regulation serves to: the data subject should be aware of which personal data, which data controller and which purpose of how you will handle it. This is essential to be in a position to exercise the rights of the data subject. Article 6 (1) of the General Data Protection Regulation In the case of data processing based on paragraph 47 (f), the General Data Protection Regulation There is an increased information requirement under paragraph 1. According to this, the general In addition to the specific information referred to in Article 13 of the Data Protection Regulation, an additional condition is that the data subject's reasonable expectation should cover the data processing in question must be expected and there must be some direct customer or other relationship with the person concerned and the data controller. Given that in the present case the Importer is the data controller, so the direct legal relationship between the Importer and the Applicant shall be examined, not the motor vehicle sales dealership or the relationship between the Applicant and the Applicant. Good in the absence of information, the data subject is not in a position to be affected exercise properly. The obligation to provide information does not apply as explained above means a mere “securitization” obligation in the General Data Protection Regulation. Both a both the articles of the General Data Protection Regulation prescribed when defining the obligations of the controller, not just a specific one proof of minimal effort on the part of the controller. The purpose of the information is to be such puts the data subject in a position to have his or her rights in the appropriate decision-making position in connection with the exercise of When examining individual data processing, the Authority shall establish that the specific in the present case, whether the relevant information was provided in respect of the Applicant, ie What information did the applicant receive about the data management? This is done individually, for all cases the Authority, taking into account the available evidence. It is also clear from the facts that there is no relationship between the Applicant and the Importer direct legal relationship, client legal relationship. The fact that the Applicant’s customer is a and the Applicant is a contractual partner of the Importer, not yet the Applicant Importer's customer does not automatically create a general data protection regulation (47) the relationship required under paragraph Without examining the general practice, the present 13 In this case, there would be a substantial, demonstrable relationship between the Applicant and the Importer if the The applicant would be aware of this activity of the Importer. The Applicant in his application specifically marked ………………. about the role of Importer by emails he knew neither from the emails nor from the advance notice. Finding out this retrieving from an external source is not the data subject's obligation to general data protection but as part of the data controller obligations as explained above to put the Applicant in a position to know this reasonably. Issued by the Applicant an unfilled and unsigned worksheet with a completely different legal basis for a different purpose (not satisfaction measurement) is by no means a very small reference to data management appropriate, clear and transparent in accordance with the General Data Protection Regulation information requirement, the Applicant could not link it in any way for measuring customer satisfaction. In the present case, it can be stated that the Applicant under the responsibility of the Importer as Due to the occasional omission of one of the employees of the data processor, the Applicant did not receive the the worksheet and the data management information of the Applicant and the Importer as an annex thereto, nor was he informed orally that he would be caught by a person other than the Applicant manage the Applicant's email address and certain details. He only got information about it - not that provably, verbally - that you are not required to provide your email address, but that in itself is not sufficient information to make an informed exercise of the rights of the data subject and to become acquainted with them exactly what your email address will be used for and what other data it affects. THE The information not provided to the Applicant otherwise incorrectly indicated the Applicant as the data controller of the data transmission. The Applicant also sent a separate satisfaction survey to the Applicant. The Applicant This is due to the direct customer relationship between the and Requested and the provision of the email address was reasonably expected by the Applicant, the Applicant did not object. However the In the present case, it also follows that - after a survey of the Applicant already completed - in the absence of adequate information, the Applicant could not reasonably expect that the Importer, with whom the Applicant had no previous relationship, will contact you by email with another survey, plus a third party - ……………… .. in addition to an email that did not specifically identify you neither the Importer nor the Applicant. There was no reference in the emails to the actual sender (the Importer) and the source of the personal data, and its disclosure is not a Applicant's role as concerned. On this basis, the Applicant could legitimately believe that …………………. has obtained his personal data unlawfully, and that is the situation It was caused by the improper procedure of the importer as data controller. Both the content of the application and the Based on the facts revealed during the clarification of the facts, the Applicant did not calculate and did not you could expect to provide your email address and other personal information to the Importer will be forwarded and will be sought by the Importer. It is alleged that at the Receptionist's Office the relevant information exists, it was also not reasonably foreseeable that In the absence of specific information to that effect from the applicant, it is not viable to do so to base the information on the data subject, it does not meet the increased expectation expressed above and responsibility. This is especially true for online data management where the right one is concise providing the information would not have caused any real additional cost in the email. In addition to the above, Article 5 (2) of the General Data Protection Regulation explicitly states that the burden of proving that the Applicant is adequate whether it has been informed. The general data protection regulation does not preclude oral however, in the event of a statement to the contrary by the data subject In the absence of proof, the Authority shall issue a decision in accordance with Article 5 of the General Data Protection Regulation. In principle, at the expense of the controller, in this case the Importer evaluates. Since, according to the Applicant 's statements, the oral procedure was still pending in the individual case nor did it cover exactly the purposes for which it would be used personal data involved in the transfer, taking into account the above does not fulfill the clear and unambiguous requirements of the General Data Protection Regulation, the requirement for verifiable information. In view of the above, the Importer violated the general rule with respect to the Applicant lawful and transparent data processing in accordance with Article 5 (1) (a) of the Data Protection Regulation in accordance with Article 12 (1) and Article 13 of the General Data Protection Regulation, in a transparent, comprehensible and easily accessible form, in a clear and comprehensible manner the obligation to provide the information set out in this Article and the general data protection rules the principle of accountability under Article 5 (2) of that Regulation. 3.2. The validity of the legal basis of the data processing is the personal data of the Applicant respect In its information and balance of interests, the Applicant indicated that legitimate interest data transfer as a separate data processing purpose performed by the Applicant as a legal basis for the activity that the importer has a legitimate interest as a third party in the ………………. as the sole importer of motor vehicles in Hungary, that the Hungarian dealership and service partners are of the expected quality requirements. This is also the statement of the Importer of 21 June 2021 confirmed. This in itself is not an illegal interest, but a general privacy policy appropriate for the existence of a legal basis under Article 6 (1) (f) of identifying a non-illegal interest is only the first step, in addition to other aspects must comply with the data processing in order to comply with the general data protection regulation be a legitimate interest on which data management can be based. It is also important to point out that data collection and transmission alone is not usually the case separate data management, only the first operation of a data management process that is substantive it prepares data management, and without meaningful data management it does not have its own purpose and results. The the achievement of an objective and a result, in this case an assessment in the interest of the Importer, data processing operations cannot be examined individually, their legal basis and legality it depends on whether all data processing operations for a single purpose are lawful, none of them implements a data breach. Because of data management - given a specific case due to negligence - the Importer did not inform the Applicant at all, so the prospectus The incompleteness of the content did not materially affect the information of the Applicant a matter of general practice. As regards the legitimate interest in the plea, it is important to emphasize that it does not serve to: unless otherwise possible, the controller may at any time and for any reason on other grounds Article 6 (1) (f) personal information. Although it seems to be the most flexible legal basis for its application the data controller has significant responsibilities - not just personal data in the strict sense but also to meet other related warranty obligations also by undertaking. The general interest is closely linked to the legitimate interest the principle of accountability enshrined in Article 5 (2) of the Data Protection Regulation, which is transparency, accuracy and fairness of the processing of personal data obligation to meet the administrative burden of Not about "paperwork" it is therefore a question of a substantive task, a statement which is particularly true in the case of data processing where the controller and the data subject have no direct customers or other legal relationship. In the absence of adequate guarantees, the rights of the data subject are the risk of prejudice is such that the result of the balance of interests can only be that the legitimate interest of the third party is overridden by the rights of the data subject due to the risks involved in the processing. 15 It is very important for data controllers to be aware that they are not involved as well as not the tasks and responsibilities of the Authority in an official procedure instead of the controller shall be: identification and justification of the purpose and legitimate interests of the processing. What it is like for which purpose and for what legitimate interests he wishes to process personal data, the controller must specifically, broken down into data and target levels, clearly justify, weigh up and guarantee its create. These guarantees must ensure, inter alia, that the person concerned be aware of the data processing and still be able to object to the data processing prior to data processing, especially after a short period of time or once in the case of data processing - the right to protest is already exhausted, so this right is not actually guaranteed a for. When sending a one-time satisfaction meter email, it is specifically true that its the protest has no material effect after it has taken place. The Importer as it is considered a decision of the data controller that the data processing is in the legitimate interest according to the prospectus instead of the express consent of the data subject - which is, for example, marketing According to the worksheet, the legal basis for the requests is Importer bears. In the present case, on the basis of the above, it can be concluded that the general data protection predictability and guarantee as set out in recital 47 of this Regulation conditions were not met, the Applicant could not object in advance to the data processing, on the basis of all the circumstances of the individual case, it and its consequences - by the Importer data management and, in this context, the receipt of an e-mail which did not reveal exactly who sent - he could not reasonably have foreseen. Appropriate information and, consequently, concerned in the absence of legal capacity, the legal basis for a legitimate interest is not, irrespective of the other conditions may be valid for the Applicant. In view of the above, the Importer is in addition to the above as far as the Applicant is concerned infringed Article 6 (1) of the General Data Protection Regulation. 4. Importer's data management practices related to customer satisfaction measurement In this regard, the Authority ex officio examined whether the Importer had customers whether its general practice of measuring satisfaction raises any data protection issues a problem which, if detected ex officio, the Authority should call on the controller to remedy it. The Authority's explanatory memorandum III.3.1. and III.3.2. The general findings in the content and importance of the information and the validity of the legal basis for its legitimate interest the importance of an appropriate relationship between the controller and the data subject They also apply to the importer's general data management practices. Based on the facts revealed, the Importer has a contract with substantially similar content applies provisions with regard to the data management in question with brand partners, such as The relevant provisions of the brand service contract between the Importer and the Applicant shall be a Assessed by the Authority as a general practice of the Importer. It is a common procedure for the Importer to use a data processor, for example by e-mail via ………………. to complete a measurement. The data subject may not know from the content of the email that the Importer is in question the specific person sending the emails, who got the email address and where, and with that where to find more information. The email "your" "your dealer" and "email was sent on behalf of" not only nonsensical (there is no legal entity that ……………… [car brand]) and 16 unsuitable for identifying a data controller, but are clearly misleading as not many is one of the (unspecified) dealerships, but an Importer as data controller emails were sent on behalf of. This is confirmed by the fact that up to several years may have elapsed at the time of servicing since the purchase of the vehicle and not necessarily at the dealership that makes the purchase all servicing. The importer's obligation as a data controller is not only appropriate organizational measures to provide prior information, but also to individual stakeholders Transparency, identification and, to a minimum, are also important in the communication sent to them the existence of the necessary information to enable the data subject to link that prior whether you received the e-mail from the person indicated in the information. Because nowadays a lot spam is common, which is also typically a link to malicious programs electronic message sent at the request of a person other than the data subject is of paramount importance clear identification of the consignor and the existence of appropriate information from prior information. The email does not contain any information as to the source of your personal information what was and by whom on what legal basis the Applicant handles exactly which personal data. The the indication of the chassis number in the email is also personal data stored in connection with a person unnecessary treatment, which does not give the data subject substantially new information, as he knows if has recently taken his car into service, but it is unrealistic to expect the chassis number to identify your car by heart. Neither data management information nor there was no reference in the emails to information on specific data management, and the e-mails would not have caused any difficulties with the e-mails ensure that at least the most basic information is provided at the end of the year (actual consignor as data controller, legal basis, source, information on the website). Although the emails from the Importer the data importer is responsible for its activities as if it were a data controller it would have acted itself, as the General Data Protection Regulation makes the controller general responsible for compliance. For the above reasons, data subjects are not even able to exercise their rights and information they can ask the Importer as only the data processor could be identified in the email, to which the data subject had no connection. The data processor with data management was not available in the email. In considering a legitimate interest, it is also important to do so supporting that the personal interest is most necessary to achieve the objective pursued by the legitimate interest data is handled by the data controller. At the request of the Authority, the Importer shall make only a general statement in relation to its measurement of customer satisfaction all types of data handled were absolutely necessary, but did not provide any evidence under. With regard to the chassis number, the Authority has already explained above that it is unreasonable to expect one the knowledge of the data subject from the data subject, based on which the given email was automatically narrowed down for a motor vehicle. However, in addition to suitability, the need is also debatable as an Importer there was no evidence as to why the person concerned would not remember being a couple has been in service with your car within one day and, if you have more than one car, with which. Thus, the transfer of this data to the data processor and its inclusion in the email for the most part unnecessary and unsuitable to achieve the goal. The Importer also did not substantiate why an email was required the address and telephone number of the person concerned. As stated by the Importer In its response, received on September 13, 2021, the main purpose of customer satisfaction measurement it is statistical and trend-like, so it is not necessary to identify the data subject. Like that the Importer has also stated that the identification of the data subject is only required if there is a specific negative 17 formulates an opinion, a complaint and consents to its transmission by name To the importer. Thus, in relation to the above statistical purpose, the names, addresses and addresses of the respondents obtaining your phone number from a brand partner is not necessary and appropriate to achieve this goal. The above can be said about the age and gender of the data subject requested in the questionnaire nor, in these respects, did the Importer substantiate that the indicated satisfaction measurement and how this data would relate to the purpose of complaint handling and why not without it the objective identified as a legitimate interest is achieved. In view of the above, the importer should have examined in the interest assessment whether the collection and storage of certain service data in connection with a specific person is mandatory whether both statistical and complaint handling purposes are necessary or otherwise available. For example, if the brand partner only provides aggregate statistics to the Importer how many service jobs you have done on which parts and whether you are the customer does not object to this by using the appropriate service If you send an email address to a separate list, you will receive an email with a link to the questionnaire it can be posted in the same way - with proper information in the email about why you sent it in fact - and the complainants have the date of purchase or service on the questionnaire, based on the brand partner and email address - can be clearly marked for the brand partner, for which more detailed individual information is required. That contact information is enough for that request from the person you wish to communicate through the e-mail, address and telephone number are obviously not required for this. The complaint is named In the case of this procedure, in contrast to the wording of the questionnaire requesting consent, not only the name is handled by the Importer, so it is important to indicate that the contact information and the data subject-specific vehicle data will also be processed by the Importer in the case of consent. The Authority notes that specifically for the purpose of handling complaints otherwise, the use of a legal basis for consent is questionable, since in the event of its withdrawal a the investigation of the complaint is interrupted, however, it is already new after the customer satisfaction survey data management, which is not the subject of the present proceedings. In the absence of a specific complaint and disclosure the examination of the specific service conditions that can be linked to the given data subject is the statement of the Importer is not part of the purpose and therefore does not justify the identification of identifiable data by the Importer treatment. If the Importer still wishes to process the above personal data, the in the context of measuring customer satisfaction, it must be able to substantiate it which he was unable to do in the present proceedings. That is why it is not acceptable either result of a balance of interests. Given that the questions asked by the Applicant in its own questionnaire are substantive were the same as those asked by the Importer (with the exception that the Importer questions) should be considered in the balance of interests whether such parallelism is required and with different, overlapping surveys involved whether bombardment can be avoided by processing less personal data, which also did not arise consideration of the interests of the Importer. In this context, the Authority emphasizes the existence of a legitimate interest and legal bases in general should be considered in the context of the data processing purpose. The fact that the Importer is different for other purposes The legal basis handles the same type of personal data of the data subjects, so you know them, not yet automatically authorizes the use of such data for other purposes, up to a maximum of the legal consequence may be a factor reducing the actual data protection risk in determining. The same is true of the importer 's argument that earlier no stakeholder complaint has been received, and many stakeholders have not, due to a lack of transparency was in a position to know against whom he should exercise his rights as a data subject. 18 In view of the above privacy concerns, they are clearly predominant risks to the rights of the data subject which have not been properly considered by the Importer. In doing so, the interests identified by the Importer take precedence interests or fundamental rights and freedoms that protect personal data Article 6 (1) (f) of the General Data Protection Regulation There is no other legal basis under this Regulation for the processing of the data in question in the form of. Based on the above, the Importer's practice of measuring customer satisfaction violates lawful and transparent under Article 5 (1) (a) of the General Data Protection Regulation accordance with Article 5 (1) (c) of the General Data Protection Regulation principle of data protection, Article 6 (1) of the General Data Protection Regulation and general Article 13 of the Data Protection Regulation. ARC. Legal consequences As the examined customer satisfaction measurement data management for the Applicant already terminated, in this regard, an obligation to delete is not necessary for the available information Based on. As it does not affect the rights of the data subject under the General Data Protection Regulation, the data subject is concerned its customer capacity does not cover the issue of imposing a data protection fine. The Authority examined of its own motion whether it was justified to impose a data protection fine on the Importer. As to whether the imposition of a data protection fine is justified, the Authority Acting in accordance with the discretion based on the law, Infotv. Section 61 (1) paragraph a) of the Infotv. 75 / A. § 83 of the General Data Protection Regulation. and Article 58 (2) of the General Data Protection Regulation. The Authority shall rule on the illegality of the individual data processing carried out in respect of the Applicant considers that no other measure is necessary in the individual application case. In ex officio proceedings concerning the illegality of a general practice examined ex officio, the Authority shall: considered the following in relation to the data protection fine. The Authority did not take this into account as a mitigating circumstance regarding the necessity of the fine the economic situation referred to by the Importer, as it - indirectly, in terms of annual revenue only if the fine is necessary, it does not affect the amount of the fine whether it is necessary to impose a fine is determined by the infringement and its circumstances in accordance with Article 83 (2) of the General Data Protection Regulation. In this regard, the In setting the amount of the fine, the Authority took into account that the Importer profit after tax was ……………………… .. HUF, which is more than ……………………. and 2019. while net sales revenue decreased by… ..% in 2020 compared to the 2019 level. The Authority also did not take into account as an attenuating circumstance that the Importer a It cooperated with the Authority in the proceedings as this Article 31 of the General Data Protection Regulation applies. would be the obligation of all data controllers and processors under Article may be considered as an aggravating circumstance. The Authority also did not consider the importer as an attenuating circumstance that data subjects do not suffer any harm and, moreover, Article 19 it also serves the interests of data subjects, as personal data is subject to general data protection unnecessary data which do not take into account the will of the data subject The use of personal data violates the right to the protection of personal data and in general unnecessary data security risk, and presumably in a small number of cases - it is in the interest of the data subject if he or she has a complaint the data subject may submit it without question if the Importer so requests forum, there is no need to contact the Importer separately. The Authority took into account the market weight of the Importer as an aggravating circumstance, the potential 2 the number of stakeholders (which is the CSO 's new …… .. …… .. car sales statistics in Hungary on the order of at least ten thousand) and that the general practice of importing it exclusively in Hungary in terms of brand. The Authority took into account the fact that it was not available as an aggravating circumstance effective information and redress for those concerned. In this context, the The small number of complaints received by the authority, as an essential element of the infringement, is that those involved they have not been adequately informed about the data processing in question and are not necessarily expected to do so, so they can't protest in large numbers. Importer's data management Based on its size and market position, it would be expected that the Importer would not be limited to certain the exercise of the rights of the data subject depends on the individual and unsupervised decision of the administrator. The Authority took into account as an aggravating circumstance the fact that the infringement lasted for several years the result of existing, ongoing practice and its design - and the general redesign in line with the Data Protection Regulation - was in principle ill-considered. The Authority took into account as a mitigating circumstance the scope of the personal data processed did not contain personal data belonging to a special category or for other reasons, and a significant part of the personal data relates to the vehicle owned by the data subject technical data, and some of the data is handled by the Importer for other purposes anyway, such as the damage to those affected was not significant despite the size of the group affected. The Authority took into account as an attenuating circumstance that in the case of an individual complaint a The applicant, as a data processor, had an error in an individual case word and assessed the Applicant's statement that it had taken action in similar cases and to require the Importer to make it mandatory transmission of data management information to data subjects. The Authority took into account as an attenuating circumstance the negligence of the infringement, was not intended to harm the persons concerned or to gain an unlawful advantage, and the designated interest may, where appropriate, cease to be a legitimate interest if the conditions for data processing are properly met adapted to the provisions of the General Data Protection Regulation set out in the explanatory memorandum. The Authority took into account as an attenuating circumstance the fact that the Importer did not previously has committed a data breach, which has not been identified by the Authority. As a result of the Authority 's deliberations in relation to the general practice examined, the In the light of all the circumstances of the case, it is necessary to impose a fine on both the special and the for general prevention in order to ensure the protection of personal data in the future the right to protection of human rights. 2https: //www.ksh.hu/docs/eng/xstadat/xstadat_evkozi/e_ode001b.html 20 Based on the above, the Authority considers that the maximum amount that can be imposed is approx. considered the imposition of a data protection fine of three tenths of a thousand (0.026%) proportionate and dissuasive in all the circumstances of the case with regard to. V. Other issues The powers of the Authority shall be exercised in accordance with Infotv. Section 38 (2) and (2a) defines its jurisdiction It covers the entire territory of Hungary. The Ákr. Section 112 (1) and (2) and Section 116 (1) and Section 114 (1), respectively the decision is subject to administrative review. * * * The rules of administrative litigation are laid down in Act I of 2017 on the Procedure of Administrative Litigation (a hereinafter: Kp.). A Kp. Pursuant to Section 12 (1) by decision of the Authority The administrative lawsuit against the court falls within the jurisdiction of the court Section 13 (3) Under subparagraph (a) (aa), the Metropolitan Court has exclusive jurisdiction. A Kp. Pursuant to Section 27 (1) (b), the administrative court within the jurisdiction of the tribunal legal representation is mandatory in litigation. A Kp. According to Section 39 (6) - unless otherwise provided by law the bringing of the action for the administrative act to take effect has no suspensive effect. A Kp. Section 29 (1) and with regard to civil procedure on the 2016 CXXX. applicable pursuant to Section 604 of the Act (hereinafter: Pp.), the of 2015 on the general rules of electronic administration and trust services CCXXII. According to Section 9 (1) (b) of the Act, the customer's legal representative is electronic obliged to keep in touch. The time and place of the submission of the application is Section 39 (1). THE Information on the possibility of requesting a hearing is provided in the CM. Section 77 (1) - (2) based on. The amount of the fee for an administrative lawsuit shall be determined in accordance with Act XCIII of 1990 on Fees. law (hereinafter: Itv.) 45 / A. § (1). From the advance payment of the fee the Itv. Section 59 (1) and Section 62 (1) (h) shall exempt the person initiating the proceedings half. If the obligor does not duly prove the fulfillment of the prescribed obligations, the Authority shall: considers that it has not fulfilled its obligations within the time allowed. The Ákr. According to § 132, if the Debtor has not complied with the obligation contained in the final decision of the Authority, the executable. The decision of the Authority With the communication pursuant to Section 82 (1) it becomes final. The Ákr. Section 133 enforcement - if you are a law Government decree does not provide otherwise - it is ordered by the decision-making authority. The Ákr. 134. § pursuant to the implementation - if by law, government decree or municipal authority In this case, the decree of the local government does not provide otherwise - the state tax authority implements. Infotv. Pursuant to Section 61 (7) of the Authority, to perform a specific act, to behave, to tolerate or to the Authority shall enforce the decision in respect of the standstill obligation implements. Budapest, October 27, 2021 Dr. Attila Péterfalvi President c. professor