NAIH (Hungary) - NAIH-7058-5/2022
Latest revision as of 08:55, 10 February 2023
| NAIH - NAIH-7058-5/2022 | |
|---|---|
| Authority: | NAIH (Hungary) |
| Jurisdiction: | Hungary |
| Relevant Law: | Article 6(1) GDPR, Article 7(2) GDPR, Article 7(4) GDPR, Article 12(1) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 24.06.2022 |
| Decided: | 15.11.2022 |
| Published: | 16.11.2022 |
| Fine: | 2,000,000 HUF |
| Parties: | n/a |
| National Case Number/Name: | NAIH-7058-5/2022 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Hungarian |
| Original Source: | NAIH (in HU) |
| Initial Contributor: | Abel Kaszian |
The Hungarian DPA fined a news service 2,000,000 HUF (approx. €5,080) for processing personal data without valid consent. Data subjects who signed up for the controller's newsletter were automatically signed up to electronic marketing and a prize draw without being sufficiently informed or being able to give granular consent.
English Summary
Facts
The controller is a news service provider. Data subjects subscribed to its service to receive daily news and updates through a newsletter. It was not clarified whether this was a paid service. The controller relied on Article 6(1)(b) GDPR to process the data for the newsletter.
The controller also processed personal data for electronic direct marketing (eDM) and a prize draw. The eDM emails were sent to everyone who subscribed to the service. The prize draw was advertised by the controller between 24 February 2022 and 24 March 2022. The controller wanted to offer the prize draw's prize to all service subscribers. Therefore, all service users were entered into the prize draw and there was no way for them to opt out of it.
On 24 June 2022, the DPA opened an ex officio investigation into the controller's services. According to the facts uncovered by the DPA, between January 1, 2021 and May 17, 2022, all subscribers who registered online for the news service were automatically subscribed to eDM. At the time of subscription, a single checkbox on the website was used both to accept the Terms of Service (TOS) - a condition of the subscription - and to subscribe to eDM. In other words, it was not possible to subscribe to the service through the website without also subscribing to eDM. In its defense, the controller argued that the data processing could be legitimized through legitimate interests.
Holding
The DPA decided that the controller's conduct was in breach of the GDPR.
First, the DPA rejected the controller's argument that, in the absence of other suitable legal grounds, the processing could have been based on legitimate interest. The DPA emphasized that controllers are obliged to decide in advance on the legal basis for processing, to weigh the legitimate interest against the rights of the data subject pursuant to Article 6(1)(f) GDPR, to document this, and to inform the data subjects accordingly, including about the right to object. In the absence of this, an ex-post change of the legal basis would generally, as well as in the present case, constitute unfair processing for the data subjects, and the balancing of interests would not lead to a positive result for the controller. As a matter of principle, the DPA stated that it is not up to the data subject or the DPA to identify the appropriate legal basis before the processing starts. Rather, by virtue of the principle of privacy by design and by default, this is the sole responsibility of the controller.
Second, the DPA held that the controller did not sufficiently inform data subjects about their rights. It emphasized that, under Article 12(1) GDPR, a controller must provide the data subject with the necessary assistance to enable him or her to exercise all data subject rights in an informed manner. The information obligation is not a mere "paperwork" obligation, but is intended to enable the data subject to make an informed choice about the processing and to exercise his or her data subject rights. In order to be able to fully exercise their rights (such as the right to withdraw consent), data subjects need to know exactly when and under what conditions data processing based on their consent for the purpose of eDM will cease. Such information was not provided. The duration for which personal data would be processed for eDM was not sufficiently clear and unambiguous. Therefore, the DPA found the controller in breach of Article 12(1) GDPR.
Third, the DPA decided that the data processing was not based on consent, as the controller did not fulfil the conditions of Article 7 GDPR. Consent was not sufficiently informed either. Referring to the European Data Protection Board's Guidelines 5/2020, the DPA explained that any information that may be relevant to a typical data subject's decision must be provided. According to the DPA, this includes the duration of processing in the case of eDM. Data subjects typically subscribe to a large number of newsletters over the course of their lives, which are difficult for them to keep track of. Therefore, the DPA was of the opinion that the time at which e-mailing ceases in the case of eDM is important information for data subjects. Moreover, according to Article 7(2) and 7(4) GDPR, consent must be granular. To use consent as a legal basis, the controller must not bundle different, incompatible processing purposes. This was violated in the present case. Consent would have to be given separately for the subscription service, the eDM, and the prize draw. The investigation of the DPA showed that the controller had not complied with these criteria.
Consequently, the DPA found the data processing to be unlawful. The processing violated Article 7(2) GDPR, Article 7(4) GDPR and Article 6(1)(a) GDPR. The controller was fined 2,000,000 HUF (approx. €5,080). In determining the amount of the fine, the DPA took into account several mitigating circumstances, namely that the controller cooperated with the DPA during the proceedings, acknowledged the infringement and remedied it for the future during the present proceedings, conducted internal training, and that the infringement only concerned the data subjects' email addresses and not any other data or sensitive data. An aggravating circumstance was that the data processing continued for an extended period of time.
Comment
On a weekly basis, the controller had sent eDM unlawfully to thousands of data subjects who had subscribed to its services. The fact that the data subjects were able to subsequently object to the eDM or to subsequently withdraw their consent in the online account linked to the service does not alter the invalidity of the consent.
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
File number: NAIH-7058-5/2022 Subject: decision DECISION The National Data Protection and Freedom of Information Authority (hereinafter: Authority) On August 31, 2022, official data protection proceedings were initiated ex officio by....………………. (head office: ………………………………..; hereinafter: Customer) January 1, 2021 and 2022 in the period between June 24, the "………………" service (hereinafter: Service) related to the provision and continuation of electronic direct marketing (hereinafter: EDM). in connection with its data management, to check that the above data management complies with e on the protection of natural persons with regard to the management of personal data and on the free flow of such data, as well as outside the scope of Directive 95/46/EC Regulation 2016/679/EU on the placement of data (hereinafter: general data protection regulation) its provisions. The Authority made the following decisions in the above official data protection procedure brings: I. The Authority determines that the Client did not provide adequate information to the persons concerned in relation to the duration of the EDM, as well as in view of the lack of separate specific consent the legal basis for EDM data processing specified by the Customer was invalid during the period under review, with this, the Customer violated Article 6 (1), Article 7 of the General Data Protection Regulation (2) and (4) and Article 12 (1). II. The Authority based on Article 58 (2) point d) of the General Data Protection Regulation ex officio instructs the Customer to provide appropriate information to those concerned, who are automatically subscribed to EDM specifically about the fact that it is contrary to the information received at the time of subscription, it was not valid separately for EDM their possibility to contribute and how exactly they can unsubscribe from EDM. CXII of 2011 on the right to information self-determination and freedom of information. Act (hereinafter: Infotv.) 
to challenge the decision based on Section 61 (6). until the expiration of the open deadline for filing an action, or in the case of an administrative lawsuit, the court until a final decision, the data affected by the disputed data management cannot be deleted or not can be destroyed. III. The Authority ex officio the Customer due to the above data protection violations HUF 2,000,000, i.e. two million forints data protection fine obliged to pay. The II. the fulfillment of the obligation prescribed by the Customer towards this decision must be in writing within 30 days of the expiration of the legal remedy deadline - the supporting document together with the presentation of evidence - to prove it to the Authority. EDM data management based solely on the express and appropriate information given separately to the EDM it can be continued with respect to those who gave their consent. The III. fine according to point 30 days from the date of this decision becoming final within the Authority's centralized revenue collection forint settlement account 2 (10032000-01040425-00000000 Centralized direct debit account IBAN: HU83 1003 2000 0104 0425 0000 0000) must be paid. When transferring the amount, "NAIH-7058/2022 FINE.” number must be referred to. If the Customer does not fulfill his obligation to pay the fine within the deadline, he is in default is obliged to pay a penalty. The rate of penalty is the legal interest, which is is the same as the central bank base rate valid on the first day of the relevant calendar semester. Non-payment of the fine and late fee, or the above II. obligation according to point in case of non-compliance, the Authority orders the implementation of the decision. There is no place for administrative appeal against the decision, but only from the announcement within 30 days from the date of issue, with a letter of claim addressed to the Capital Tribunal can be challenged in a lawsuit. 
The claim must be submitted to the Authority electronically, which forwards it to the court together with the case documents. The request for the holding of the trial is submitted by the must be indicated in the application. For those who do not receive full personal tax exemption the fee for the judicial review procedure is HUF 30,000, the lawsuit is subject to the right to record the fee. THE Legal representation is mandatory in proceedings before the Metropolitan Court. JUSTIFICATION I. Procedure and clarification of the facts I.1. History matters 1.1. On June 24, 2022, the Authority ex officio issued history number NAIH-6003/2022 initiated an audit (hereinafter: Authority Audit) of the provision of the Customer Service and general data management related to the continuation of EDM in 2021 and 2022 in connection with his practice. 1.2. The Authority sent the documents created during the Authority Inspection to Infotv. Paragraph (2) of § 71 can be used in this procedure based on 1.3. During the Authority Inspection, the Client requested and received what he requested from the Authority after a deadline extension, within the extended deadline - July 22, 2022 in his reply letter sent to NAIH-6003-4/2022, the following, the decision made relevant statements in terms of: (i) According to the status in force at the time of initiation of the Authority Inspection, the subscriber made a statement in which he stated the general terms and conditions (a hereinafter: General Terms and Conditions) and of which statement it was a part Also a contribution to EDM. According to the Customer's statement, he noticed that it was not provided the possibility of subscribing without participating in the prize draw, and for this he changed his practice in view. The Customer is …………. on a web interface (a hereinafter: Website) placed a separate checkbox on June 28, 2022. 
With this simultaneously amended the provisions of the General Terms and Conditions, in which it is clearly separated contract according to Article 6 (1) (b) of the General Data Protection Regulation for its fulfillment, or according to Article 6 (1) (a) of the General Data Protection Regulation 1 The NAIH_K01 form is used to initiate an administrative lawsuit: NAIH_K01 form (16.09.2019) The form is can be filled out using a general form filling program (ÁNYK program). 3 Data management related to EDM emails. In support of this, the Customer attached by ……………. modified version of the GTC for the product. (ii) The prize draw available on the Website is February 24, 2022 and March 24, 2022. took place between The Customer wanted all of its customers to win the prize opportunity, thus linking the prize draw with the subscription. With this at the same time, the Customer provided the option to unsubscribe in all EDM e-mails, and also provides the opportunity for this in the personal customer account. The Customer noticed that it was not provided the possibility of subscribing without participating in the prize draw, and for this he changed his practice in view. In the future, the Customer will participate in prize games clearly separates participation from the subscription as data management and manages it separately, and in all cases, it clearly ensures the data subject's independent data subject rights practice (iii) Subscribers of the winners listed in the regulations of the prize draw available on the Website his image and audio recording were not published, but the image and audio recording were Not made by customer. (iv) The Data Controller performs news service (news agency) activities (Main activity: ………………………………………..…………..). Those involved specifically for that register for the service to receive daily news and current affairs on a daily basis they get it. 
The daily "newsletters" are therefore essentially not in the traditional sense, inquiries for marketing purposes, but news summaries, i.e. the essence of the service. The the legal basis for data management in this regard is Article 6 (1)(b) of the General Data Protection Regulation fulfillment of the contract according to paragraph (v) EDM e-mails, on the other hand, promote the Data Controller's products and services, thus they are completely different from the daily news summaries. Legal basis for data management in this case, in Article 6 (1) (a) of the General Data Protection Regulation registered contribution. In addition, the data controller provided in all newsletters a the option to unsubscribe, and the option to send newsletters is also available in the customer account to unsubscribe. (vi) EDM e-mail is sent to those who are the data controller registered for its service or purchased a product from it. In the latter case as well registration is required. In connection with the registration, the data controller is general data management information and the GTC for the product in this regard information. The Customer has, and is currently already, clarifying its data management information provided by Article 7 of the GDPR, European Data Protection Board 5/2020. guidelines and the a separate consent is required in light of official practice. It's about the modifications The customer also provides separate information on his website, in the customer account, and embedded in the EDM e-mail offer. (vii) During the period of the Authority Inspection, the Customer shall register with a to use your service or to buy your product (or for these related registration). The Customer then sent it until the unsubscribe date information about its products and services for those concerned. 
With this simultaneous unsubscribe option in all EDM e-mails and on the customer account provided through As described above, the Customer is the automatic subscriber terminated its system, and this is also stated in the General Terms and Conditions and the data management information led him through (viii) To the question of what is the reason for the discrepancy that it is available on the Website data management information section number 10 regarding data management ("EDM sending" titled) says that the duration of EDM data management is until the user unsubscribes it lasts for 3 working days after its deletion, while according to the General Terms and Conditions, the user has to register on the 4th consents to the information and offers of the Customer's own services directly as long as the user unsubscribes from the message, that is The customer replied that in the case of news summaries, the data management is the subscription expires upon expiry. In the case of newsletters, data management ceases upon unsubscribing. In case of unsubscribing, the newsletter will no longer be sent to the person concerned. Given that this provision of the General Terms and Conditions was not precisely defined by it data management, so the Customer clarified this and the related data management information. (ix) To the question of what is the reason for the discrepancy that V.2 of the General Terms and Conditions according to point it is subscription is renewed if the user makes a declaration to this effect during registration, while at the bottom of the registration interface, according to the small print information, for the Service a access is provided by a renewable subscription, and there is no separate checkbox for this, the Customer replied that in view of the fact that GTC V.2. point inaccurately states, the renewal regulations have been modified by the Customer and with this on all surfaces brought it into line. 
He informed about the amendment as indicated in subsection I.1.3.(vi) above subscribers. (x) During the examined period, .... thousand people subscribed to the Service and they typically paid weekly received an EDM email. (xi) In support of the above, the Customer attached the modified ………… General Terms and Conditions, as well as the modified data management information. (xii) In the first half of August 2022 of the Customer in connection with the marketing area also organizes internal data protection training, and starting in August, the built-in takes into account the principle of data protection, it reviews all its data management repeatedly. 1.4. Since the amendment was important in terms of clarifying the facts in the examined period exploration of the prior state and the exact timing of the amendments, the Authority further asked the Customer clarifying questions about the facts. During the Authority Inspection, the Authority The Customer's inquiry was received on August 16, 2022 at number NAIH-6003-6/2022 in his reply letter, the following is relevant for the decision and not previously made detailed statements and indicated clarifications: (i) between January 1, 2021 and May 16, 2022 for the Service during subscription, acceptance of the Terms and Conditions for the service is given to EDM it was also classified as consent, i.e. it could only be declared at the same time. (ii) The Customer changed its practices on May 17, 2022. The purpose of the change is EDM was to create an independent data management consent for data management, but a during development, the text of the consent to the General Terms and Conditions and the EDM and the checkbox they slipped together, i.e. it was not properly implemented. So it is from then on data controller until June 27, 2022 (ordering the Authority Inspection on June 24, 2022 until the order is received by the Customer) still requested acceptance of the General Terms and Conditions with a checkbox and consent to EDM. 
The Customer will implement this merger on June 28, 2022 discontinued, and the modified online system has been available since then. This Customer is the following supported by documents: • GTC 14.10.2020-23.06.2021 • GTC 2021.06.24.-2022.05.17 • GTC 18.05.2022 - 27.06.2022 • Order process …………. • Information on data management 5 • Checkbox screen saver (17.05.2022 - 28.06.2022) (iii) It was not possible for the subscriber not to accept the rules of the prize draw away or stay out of it. In connection with participation in the prize draw you couldn't protest, you couldn't avoid it. This is done by the Customer with the following documents supported in addition to those attached to the previous point: • Sweepstakes regulations • "Become a ………… subscriber" EDM (iv) In the examined period, the General Terms and Conditions did not include the EDM e- provisions regarding emails. The General Terms and Conditions are only the contract regulated "newsletters" with content closely related to its performance, which however, they are content recommendations in all cases. By the Authority, I.1.3 above. in point (viii). the referenced GTC provision was included in the GTC together with the change to the GTC, when the Customer separates the EDM contribution as indicated previously wanted to regulate, but due to a development error, this was done incorrectly for implementation. (v) If the affected user deletes his entire profile, in that case the Customer deletes all data. Since this includes the email address, no further EDM message will be sent. (vi) The renewal is indicated in the same font size, in a way that is easily identifiable, as well as resignation. After the initiation of the official inspection, the Customer shall provide the text clarified. 1.5. The Customer is subject to I.1.3 above. on the basis of your answers detailed in point during the Authority Inspection admitted that his practices were not adequate in terms of data protection law, so he changed them. 
THE Authority's ex officio official data protection procedure of the violation and its legal consequences in order to determine the obligation of the Authority. The purpose of this official data protection procedure the period between January 1, 2021 and the start of the Authority Inspection (June 24, 2022) classification of data management, however, in determining the legal consequences, the Authority takes into account the data management implemented by the Customer during the procedure changes. 1.6. In view of the above, the Authority's 2016 CL. Act (hereinafter: Act) was closed by the Authority based on point a) of § 101, paragraph (1) Inspection and ex officio initiated the current data protection official procedure indicated in the header subject. I.2. This data protection official procedure 2.1. In this data protection official procedure, the Customer, upon request of the Authority, 2022. In his reply letter received on September 12, sent under number NAIH-7058-2/2022, the following made statements relevant to the decision: (i) The Customer maintains the statements made during the Authority Inspection. (ii) The Customer requests to take into account that after the initiation of the Authority's inspection, the reviewed and transformed its data management practices and compliance deficiencies eliminated and did everything to mitigate their consequences, and continuously monitors data protection compliance. In this context, he modified and attached the General Terms and Conditions, the data management information, and the screen saver in the new 6 about separate checkboxes on the Website. According to the Customer's point of view, it is general legitimate interest according to Article 6 (1) point f) of the data protection decree is also a legal basis the general data protection regulation (47) could have applied to EDM data management based on its preamble. 
Furthermore, according to the Customer, the shortcomings were the result of careless and unintentional conduct, the Authority had not previously established any infringement against the Customer, and during the procedure the Customer cooperated to an enhanced degree in discovering and remedying the infringement, which significantly reduced its impact on the data subjects. In addition, the Customer requested that it be taken into account that no processing of special categories of data or of data relating to criminal offences took place. The Customer also attached the text of the general notice informing the data subjects of the change.

(iii) In 2021, the Customer achieved sales revenue of HUF …… billion.

2.2. According to the information sent by the Customer via ePaper on 30 September 2022, internal training took place at the Customer on 28 September 2022 from 10:30 to 12:30 on the following topics:
(i) Background of the training: the NAIH examination and its exact background
(ii) Processing tasks and responsibilities within the controller's organisation
(iii) The role of normative regulation, sources of law, case law
(iv) The role of data protection principles and legal bases
(v) Preferred legal bases: consent and legitimate interest, terms of use, with examples
(vi) Data protection aspects of sending newsletters and of prize draws
(vii) Legal cases and examples and practical cases related to the operation of the controller
(viii) Data subject rights and their facilitation

2.3. On the basis of Section 76 of the Ákr., no evidence or statement arose during the Inspection and the present case that did not originate from the Customer, so the Authority closed the taking of evidence without inviting the Customer to make a further statement.

II. Legal provisions applicable in the case

Under Article 2(1) GDPR, the GDPR applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

Under Article 4(1) GDPR, "personal data" means any information relating to an identified or identifiable natural person ("data subject"), including an online identifier.

Under Article 4(2) GDPR, "processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Under Article 4(4) GDPR, "profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Under Article 4(7) GDPR, "controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Under Article 4(11) GDPR, "consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Under Article 6(1)(a) GDPR, processing of personal data is lawful if the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

Under Article 6(1)(f) GDPR, processing of personal data is lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

According to recital (47) GDPR, the legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment, including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, the legitimate interest legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

Under Article 7(2) GDPR, if the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of the GDPR shall not be binding.
Under Article 7(4) GDPR, when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Under Article 12(1) GDPR, the controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.

Under Article 13(1) and (2) GDPR, where personal data relating to a data subject are collected from the data subject, the controller shall provide the data subject with the following information:
a) the identity and the contact details of the controller and, where applicable, of the controller's representative;
b) the contact details of the data protection officer, where applicable;
c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
d) where the processing is based on Article 6(1)(f) GDPR, the legitimate interests pursued by the controller or by a third party;
e) the recipients or categories of recipients of the personal data, if any;
f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1) GDPR, reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available;
g) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
h) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing, as well as the right to data portability;
i) where the processing is based on Article 6(1)(a) or Article 9(2)(a) GDPR, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
j) the right to lodge a complaint with a supervisory authority;
k) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data;
l) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Under Article 13(4) GDPR, Article 13(1) to (3) shall not apply where and insofar as the data subject already has the information.
Under Article 26(3) GDPR, irrespective of the terms of the arrangement referred to in paragraph (1), the data subject may exercise his or her rights under the GDPR in respect of and against each of the controllers.

For processing falling within the scope of the GDPR, under Section 2(2) of the Infotv. the GDPR shall be applied together with the additions laid down in the provisions indicated there.

Under Section 60(1) of the Infotv., in order to enforce the right to the protection of personal data, the Authority initiates an official data protection procedure at the request of the data subject and may initiate an official data protection procedure ex officio.

Under Section 61(1)(a) of the Infotv., in its decision adopted in the official data protection procedure the Authority may apply the legal consequences defined in the GDPR in connection with the processing operations defined in Section 2(2) of the Infotv.

Under Section 71(2) of the Infotv., the Authority may use documents, data or other means of proof lawfully acquired during its procedures in other proceedings.

Under Section 75/A of the Infotv., the Authority exercises its powers under Article 83(2) to (6) GDPR in accordance with the principle of proportionality, in particular by taking action, in the case of a first infringement of the rules on the processing of personal data laid down in legislation or in a binding legal act of the European Union, primarily by warning the controller or processor in order to remedy the infringement, in accordance with Article 58 GDPR.
Under Article 58(2)(d) GDPR, the Authority may order the controller or processor to bring processing operations into compliance with the provisions of the GDPR, where appropriate, in a specified manner and within a specified period.

Under Article 58(2)(i) GDPR, the Authority may impose an administrative fine pursuant to Article 83, in addition to, or instead of, the measures referred to in that paragraph, depending on the circumstances of each individual case.

Under Article 83(1) GDPR, each supervisory authority shall ensure that the imposition of administrative fines pursuant to that Article in respect of infringements of the GDPR referred to in paragraphs (4), (5) and (6) shall in each individual case be effective, proportionate and dissuasive.

Under Article 83(2) GDPR, administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, the measures referred to in points (a) to (h) and (j) of Article 58(2) GDPR. When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case, due regard shall be given to the following:
a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
b) the intentional or negligent character of the infringement;
c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them;
e) any relevant previous infringements by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects;
g) the categories of personal data affected by the infringement;
h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
i) where measures referred to in Article 58(2) GDPR have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures;
j) adherence to approved codes of conduct pursuant to Article 40 GDPR or approved certification mechanisms pursuant to Article 42 GDPR; and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

In the absence of a different provision in the GDPR, the provisions of the Ákr. shall be applied to the data protection procedure with the deviations laid down in the Infotv.

III. Decision

III.1. Processing between 1 January 2021 and 17 May 2022

1.1. In the case of online registration for the Service on the Website, on the basis of the facts revealed and the Customer's express declarations, all subscribers were automatically also signed up to EDM. A single checkbox was used on the Website both to accept the General Terms and Conditions of the Service (which is a condition of subscription) and to subscribe to EDM. At the time of registration it was not possible to register for the Service via the Website without also signing up to EDM.
1.2. The General Terms and Conditions did not contain a provision on EDM.

1.3. For the examined period, according to the table on page 15 of the data processing information attached to document No. NAIH-6003-6/2022, the legal basis for the processing was the consent of the data subject, and the Customer also stated this during the procedure, as recorded in point I.1.3(v) above. The Authority did not consider relevant, when clarifying the facts, the Customer's statement that a legitimate interest could also have existed, for the following reasons. Controllers are obliged to decide on the legal basis of processing in advance, to carry out and document the balancing under Article 6(1)(f) GDPR between the legitimate interest and the rights of the data subject, and to inform the data subjects accordingly about this and, among other things, about the right to object. In the absence of all of these, a subsequent change of the legal basis would in general, and also in this case, constitute unfair processing towards the data subjects, and in the present circumstances a balancing of interests would not lead to a positive result, so legitimate interest cannot be the legal basis. It is not the task of the data subject or of the Authority to identify the appropriate legal basis before the start of the processing; under the principle of data protection by design and by default, this is the sole responsibility of the controller. For this reason, the Authority examined in the present case only whether the consent legal basis indicated by the Customer to the data subjects was valid.

1.4. For the examined period, according to the table on page 18 of the data processing information attached to document No. NAIH-6003-6/2022, the processing lasts until the withdrawal of consent. By contrast, according to the Customer's statement, cancellation of the Service automatically terminates the EDM processing, without a separate withdrawal of the EDM consent. The EDM consent could be withdrawn at any time in the settings of the online account connected to the Service.

1.5. The data processing information did not indicate that the data subject had the possibility of registering for the Service without also subscribing to EDM.

1.6. Subscribers to the Service between 24 February 2022 and 24 March 2022 automatically also took part in a prize draw; however, the additional processing described there (image and audio recording) did not take place, and the prize draw has already closed.

III.2. Processing between 18 May 2022 and 24 June 2022

2.1. According to the Customer's declaration under point I.1.4(ii), for the period after 17 May 2022 the Customer wanted to change the way EDM consent was given; however, this was not implemented in practice.

2.2. The Authority examines the processing actually implemented and indicated in the information provided to the data subjects, not processing that did not actually take place. Thus, despite the above, since in practice EDM consent on the Website could still only be given together with acceptance of the General Terms and Conditions, there was no substantive difference influencing the decision between the period from 18 May 2022 to 24 June 2022 and the preceding period.

2.3. The General Terms and Conditions contained a provision on EDM from 18 May 2022; however, this information was not clear, for the reasons described in points I.1.3(viii) and I.1.4(iv), and was not fully consistent with the data processing information, so the information on the duration of the processing still did not meet the requirement of clear and adequate information.
On the basis of the answers detailed in point I.1.3 above, given at the Authority's invitation, the Customer recognised that its EDM processing practice needed fundamental modification in order to comply with the law, and its practice as modified after 24 June 2022 can also be seen on its website; however, this does not affect the fact of the infringement in the previous period. In this respect it is not relevant that, according to the Customer's statement in point I.1.4(ii), what it wrote in its General Terms and Conditions was not implemented for technical reasons, since in the absence of actual implementation it was not perceptible in reality, and it affected only a small part of the examined period (about one month out of a year and a half). Since the amendment of the General Terms and Conditions applied from 18 May 2022 did not improve the transparency and accuracy of the information compared to the previous period either, there was no significant substantive difference influencing the decision between the information in the period from 18 May 2022 to 24 June 2022 and in the period from 1 January 2021 to 17 May 2022, so what is written in point III.1 above applies accordingly.

2.4. For the above reasons, the Authority treated the period from 1 January 2021 to 17 May 2022 and the period from 18 May 2022 to 24 June 2022 uniformly in its decision, since there was no significant difference influencing the decision. Where necessary, the Authority marks in the reasoning those findings that do not apply to the entire period.

III.3. Information provided in the entire examined period

3.1. Under Article 12(1) GDPR, the Customer, as the controller responsible for the processing under investigation, is obliged to take appropriate measures to provide the data subjects with all information referred to in Articles 13 and 14 and all communications under Articles 15 to 22 and Article 34 in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

3.2. The system of appropriate information in the GDPR serves to make the data subject aware of which personal data is processed, by which controller, for what purpose and for how long. This is essential for the data subject to be in a position to exercise his or her data subject rights meaningfully.

3.3. For processing based on Article 6(1)(a) GDPR, under Article 4(11) GDPR the controller is obliged to provide the information on the basis of which informed consent can be given not merely before the start of the processing, but before obtaining the consent; this is not possible in the absence of any of the basic information listed in point 3.2 above.

3.4. In relation to the legal basis of the data subject's consent under the GDPR, it is important to emphasise that it does not mean that the controller may apply it as a general authorisation regardless of the other conditions. Consent can be a valid legal basis for processing only if, according to the wording of Article 6(1)(a) GDPR, it is obtained for specific purpose(s), which can be specified separately per purpose, and appropriate information is provided beforehand which puts the data subject in a position to make an appropriate decision on the consent and which complies with all other validity requirements of the GDPR. Under Article 12(1) GDPR, the data subject can thus exercise his or her data subject rights in an informed manner.

3.5. As explained above, the obligation to provide information is not a mere "paperwork" obligation under the GDPR.[2] As with everything contained in the recitals, all articles of the GDPR require the achievement of a result when determining the obligations of a controller, not merely proof of a specified minimum effort on the part of the controller. The aim of the information is to put the data subject in the right position to make decisions in connection with the processing and with the exercise of his or her rights. Part of this is precisely when and under what conditions the EDM-related processing based on the data subject's consent will cease.

3.6. The EDM consent could in all cases be withdrawn easily; while this does not aggravate the Customer's unlawful conduct, it does not in itself make the consent valid despite the non-fulfilment of the other conditions.

3.7. Consequently, it can be concluded that in the examined period the Customer violated Article 12(1) GDPR with the information it provided on the duration of the EDM-related processing of personal data, since that information was not sufficiently clear and unambiguous regarding the duration of the processing, and between 18 May 2022 and 24 June 2022 the General Terms and Conditions were also contradictory in this respect.

III.4. The lawfulness of the EDM-related processing in the examined period

4.1. On the basis of what is explained in point III.1.3 above, the Authority examined, for the EDM-related processing, only the consent legal basis indicated by the Customer in its information. In the absence of adequate information, processing based on consent is, as a general rule, unlawful in itself. This is supported by paragraph 62 of Guidelines 5/2020 of the European Data Protection Board (hereinafter: Guidelines 5/2020).[3] Accordingly, if the controller does not provide accessible information, the user's control over the data becomes illusory and consent becomes an invalid basis for processing. The basic requirement of easy accessibility is confirmed by paragraphs 66 and 67 of Guidelines 5/2020. Regarding the information required for consent, paragraph 63 of Guidelines 5/2020 also emphasises that the consequence of not complying with the requirements for informed consent is that the consent will be invalid and the controller may be in breach of Article 6 GDPR.

4.2. According to paragraph 64 of Guidelines 5/2020, for consent to be informed, the data subject must be informed about certain key elements. The European Data Protection Board therefore considers that valid consent requires at least the following information:
(i) the identity of the controller – this was fulfilled in this case;
(ii) the purpose of each processing operation for which consent is sought – this was fulfilled, but for the purpose of EDM it was only possible to consent by accepting the General Terms and Conditions, which are a condition for the provision of the Service;
(iii) what type of data will be collected and used – this was fulfilled; according to the data processing information, only the e-mail address was processed;
(iv) the existence of the right to withdraw consent – this was fulfilled;
(v) where relevant, information on the use of the data for automated decision-making in accordance with Article 22(2)(c) GDPR – not relevant in this case;
(vi) information on the possible risks of data transfers due to the absence of an adequacy decision and of the appropriate safeguards described in Article 46 GDPR – not relevant in this case.

4.3. At the end of the above list, the European Data Protection Board specifically indicates that this is only a minimum requirement based on Article 13 GDPR, and that in addition all information that may be important for the decision of a typical data subject must be provided, such as, in the case of EDM, the duration of the processing. Data subjects typically subscribe to a number of newsletters over their lifetime, which are difficult for them to keep track of from memory. The fact that the sending of EDM e-mails ceases on termination of the Service (deletion of the account connected to the Service) can be important information for the data subjects.

4.4. It is important to choose the right legal basis and to fulfil its conditions.

[2] For example, the beginning of recital (39) GDPR: "Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. [...]"

[3] Guidelines 05/2020 of the European Data Protection Board on consent under Regulation (EU) 2016/679: https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf
In the present case, the deficient information on the duration of the EDM processing detailed in points III.1.4 and III.2.3 above would not in itself, in the absence of other factual elements, result in the invalidity of the legal basis in the specific case; however, the Authority examined all the circumstances together and took this into account in its decision.

4.5. It is contrary both to the wording of Article 6(1)(a) GDPR ("for one or more specific purposes") and to the requirement of clear distinguishability from other matters under Article 7(2) GDPR if consent cannot be given separately for the General Terms and Conditions required to use the Service and for EDM. In the examined period the Customer did not fulfil this condition, so in the case of the … thousand affected subscribers the consent given to EDM in the examined period was invalid, and on this basis the processing of the e-mail address for sending weekly EDM was unlawful. The validity condition of consent detailed above is not changed by the fact that the data subjects could subsequently object to EDM, or that the consent could later be withdrawn in the online account connected to the Service.

4.6. According to paragraph 26 of Guidelines 5/2020: "Article 7(4) GDPR indicates that, inter alia, the situation of 'bundling' consent with acceptance of terms or conditions, or 'tying' the provision of a contract or a service to a request for consent to process personal data that are not necessary for the performance of that contract or service, is considered highly undesirable. If consent is given in this situation, it is presumed to be not freely given (recital 43). Article 7(4) seeks to ensure that the purpose of personal data processing is not disguised nor bundled with the provision of a contract or a service for which these personal data are not necessary. In doing so, the GDPR ensures that the processing of personal data for which consent is sought cannot become directly or indirectly the counter-performance of a contract. The two lawful bases for the lawful processing of personal data, i.e. consent and contract, cannot be merged and blurred."

4.7. In the present case, the inseparable linking of the EDM subscription to the subscription to the Customer's online service during the examined period is contrary to the prohibition explained in paragraph 26 of Guidelines 5/2020 and completely disregards Article 7(4) GDPR.

4.8. Consequently, it can be concluded that during the examined period the Customer violated Article 6(1) and Article 7(2) and (4) GDPR in connection with EDM.

IV. Legal consequences

1. Under Article 58(2)(i) and Article 83(2) GDPR, the Authority may impose a data protection fine instead of or in addition to the other measures. In the case of an infringement of the GDPR, under Article 58(2)(d) GDPR the controller must be ordered to bring the processing into compliance with the GDPR. In view of this, on the basis of what is explained in point III.1 above, the Authority ordered the Customer to do so, so that the data subjects can decide on the exercise of their data subject rights on the basis of adequate information about its practice. Furthermore, for the reasons detailed in point III.1.3 above, the Authority instructed the Customer, in addition to the general notice previously sent by the Customer under point I.2.1(ii), to provide more specific information to those data subjects who were subscribed to EDM automatically, on the fact that, contrary to the information received at the time of subscription, they had no possibility of giving valid consent separately for EDM, and on how exactly they can unsubscribe from EDM.

2. On the question of whether the imposition of a data protection fine is justified, the Authority decided on the basis of its statutory discretion, taking into account Section 61(1)(a) and Section 75/A of the Infotv., Article 83(2) GDPR and Article 58(2) GDPR, on the basis of which it concluded that a finding of infringement would not in itself be a proportionate and dissuasive sanction, and therefore a fine must be imposed.

3. Regarding the necessity and amount of the fine, the Authority took into account that the Customer's net sales revenue in 2021 was HUF .... billion. On this basis, the maximum possible fine was HUF …………….

4. When determining the amount of the data protection fine, the Authority took into account the following as mitigating circumstances:
(i) The infringement concerned …. thousand data subjects, and the infringement related to the information was in itself minor. (Article 83(2)(a) GDPR)
(ii) The infringement was negligent. (Article 83(2)(b) GDPR)
(iii) The Customer cooperated with the Authority during the procedure, acknowledged the infringement, remedied it for the future during the present procedure and held internal training. (Article 83(2)(c) GDPR)
(iv) The Authority had not previously established any relevant data protection infringement against the Customer or ordered any measures. (Article 83(2)(e) GDPR)
(v) The infringement affected only the e-mail addresses of the data subjects; no other data or sensitive data were affected. (Article 83(2)(g) GDPR)

5. When determining the amount of the data protection fine, the Authority took into account as an aggravating circumstance that the processing continued for a longer period of time. (Article 83(2)(b) GDPR)

6. The imposition of the fine serves both special and general prevention, since otherwise the controllers carrying out the extremely widespread direct marketing type of processing could conclude that such activity can be carried out for profit, without a valid legal basis and without any significant disadvantage. In line with the aim of general prevention, the Authority publishes an anonymised version of this decision on its website.

V. Other questions

1. Under Section 38(2) of the Infotv., the task of the Authority is to supervise and promote the enforcement of the right to the protection of personal data and of the right to access data of public interest and data accessible on public interest grounds, and to facilitate the free flow of personal data within the European Union. Under Section 38(2a) of the Infotv., the tasks and powers established for the supervisory authority in the GDPR are exercised, in respect of legal entities under the jurisdiction of Hungary, by the Authority as defined in the GDPR and in this Act. The jurisdiction of the Authority covers the entire territory of Hungary.

2. The Ákr.
Based on § 112, subsections (1) and (2), § 114, subsection (1) and § 116, subsection (1) the decision can be appealed through an administrative lawsuit. * * * 3. The rules of the administrative procedure are laid down in Act I of 2017 on the Administrative Procedure hereinafter: Kp.) is defined. The Kp. Based on § 12, paragraph (1), by decision of the Authority the administrative lawsuit against falls within the jurisdiction of the court, the lawsuit is referred to in the Kp. Section 13, paragraph (3). Based on point a) subpoint aa), the Metropolitan Court is exclusively competent. The Kp. Section 27 (1) according to paragraph 1, legal representation is mandatory in administrative proceedings before the tribunal. The Kp. According to paragraph (6) of § 39, the submission of a claim is an administrative act does not have the effect of postponing its entry into force. 4. The Kp. Paragraph (1) of Section 29 and, in view of this, CXXX of 2016 on the Code of Civil Procedure. applicable according to § 604 of the Act, electronic administration and trust services CCXXII of 2015 on its general rules. according to § 9 (1) point b) of the Act, the the client's legal representative is obliged to maintain electronic contact. The submission of the statement of claim time and place of Kp. It is defined by § 39, paragraph (1). Request to hold the hearing information about the possibility of the Kp. It is based on paragraphs (1)-(2) of § 77. 17 5. The amount of the fee for the administrative lawsuit is determined by the XCIII of 1990 on fees. law (hereinafter: Itv.) 45/A. Section (1) defines. From the advance payment of the fee the Itv. Paragraph (1) of § 59 and point h) of § 62 (1) exempt the person initiating the procedure half. 6. If the Customer does not adequately certify the fulfillment of the prescribed obligations, the Authority considers that the obligations have not been fulfilled within the deadline. The Akr. 
According to § 132, if the Customer did not comply with the obligation contained in the Authority's final decision, that is can be executed. The Authority's decision in Art. according to § 82, paragraph (1) with the communication becomes permanent. The Akr. Pursuant to § 133, enforcement - if you are a law government decree does not provide otherwise - it is ordered by the decision-making Authority. The Akr. 134. pursuant to § the execution - if it is a law, government decree or municipal authority the local government decree does not provide otherwise - the state tax authority undertakes. Infotv. Based on § 61, paragraph (7), contained in the Authority's decision, to carry out a specific act, to perform a specific behavior, to tolerate or regarding the obligation to stop, the Authority will implement the decision undertakes. dated: Budapest, according to the electronic signature Dr. Attila Péterfalvi president c. professor