NAIH (Hungary) - NAIH-5114-35/2022: Difference between revisions

From GDPRhub
No edit summary
No edit summary
 
(12 intermediate revisions by 2 users not shown)
Line 38: Line 38:
|GDPR_Article_5=Article 31 GDPR
|GDPR_Article_5=Article 31 GDPR
|GDPR_Article_Link_5=Article 31 GDPR
|GDPR_Article_Link_5=Article 31 GDPR
|GDPR_Article_6=
|GDPR_Article_6=Article 58(2)(f) GDPR
|GDPR_Article_Link_6=
|GDPR_Article_Link_6=Article 58 GDPR#2f
|GDPR_Article_7=
|GDPR_Article_7=
|GDPR_Article_Link_7=
|GDPR_Article_Link_7=
Line 66: Line 66:
|
|
}}
}}
The Hungarian DPA investigated processing activities with regard to the company's CCTV sytem, and fined the company HUF 3 000 000 for violating multiple GDPR provisions.
 
The Hungarian DPA investigated the use of a surveillance camera sytem and fined the controller HUF 3,000,000.00 (approx. €8,000.00) for violating multiple GDPR provisions.


== English Summary ==
== English Summary ==
Line 73: Line 74:
The case initiated from a complaint made by a data subject who filed a complaint with the Hungarian DPA requesting the DPA to declare that a controller - a company providing accommodation services - within the neighbouring property unlawfully processes personal data with its surveillance camera systems (CCTV). The data subject requested the DPA to 1) prohibit the controller from monitoring the data subject's property with its CCTV systems, and 2) to order the controller to terminate the unlawful recordings.  
The case initiated from a complaint made by a data subject who filed a complaint with the Hungarian DPA requesting the DPA to declare that a controller - a company providing accommodation services - within the neighbouring property unlawfully processes personal data with its surveillance camera systems (CCTV). The data subject requested the DPA to 1) prohibit the controller from monitoring the data subject's property with its CCTV systems, and 2) to order the controller to terminate the unlawful recordings.  


The DPA extended the scope of the investigation (ex officio) against the controller. The DPA investigated all processing activities carried out by the controller with its CCTV systems and conducted an on-site inspection to the controller's property. The controller was using two CCTV systems that were identified within the investigation as Camera system No. 1 (consisting of 4 analogue cameras only providing live image) and Camera system No. 2 (consisting of 4 analogue cameras recording image and audio). The CCTV recordings were stored for three days.
The DPA extended the scope of the investigation (ex officio) against the controller. The DPA investigated all processing activities carried out by the controller with its CCTV systems and conducted an on-site inspection to the controller's property. The controller was using two CCTV systems that were identified within the investigation as Camera system No. 1 (consisting of 4 analogue cameras only providing live image) and Camera system No. 2 (consisting of 4 IP cameras recording image and audio) for which the recordings were said to be stored for three days by the controller.


The Camera system No. 1 showed views of: the parking area within the property, a view from the gate to the building and to the reception area, and a small part of the backyard of the property of the data subject, with a pavement leading to the reception area. The DPA noted that there were no recreational facilities located in these areas. The controller stated that the purposes of the CCTV in Camera sytem No. 1 were: 1) the protection of persons and property, 2) to detect possible infringements, 3) to catch a perpetrator in the act, and 4) to prevent infringing acts. The controller relied on legitimate interests under [[Article 6 GDPR|Article 6(1)(f) GDPR]] as a legal basis for the processing.
The Camera system No. 1 showed views of the parking area within the property of the controller, a view from the gate to the building and to the reception area, and a small part of the backyard of the property, with a pavement leading to the reception area. The DPA noted that there were no recreational facilities located in these areas. The controller stated that the purposes of the CCTV in Camera sytem No. 1 were: 1) the protection of persons and property, 2) to detect possible infringements, 3) to catch a perpetrator in the act, and 4) to prevent infringing acts. The controller relied on legitimate interests under [[Article 6 GDPR|Article 6(1)(f) GDPR]] as a legal basis for the processing.


With regard to Camera system No. 2 showed views of: 1) a dining room, 2) a panoramic jacuzzi on the terrace, 3) a patio, and 4) a reception desk. These cameras were motion-activated, recorded images, and some of them were placed with an angle of view to areas where the persons not only pass through but also rest and dine. The controller's balancing of interests -test lacked individual assessments of the cameras, and only included general wording (such as: the valuable objects are monitored, so the interest of the controller is to guard those objects). Regardless of the DPA's request, the controller did not present any previous cases justifying the necessity for the use of the CCTV. The DPA viewed that it was relevant whether any events had taken place in the past, which would justify the placement of the cameras, as the data processing was much extensive compared to Camera system No 1.
With regard to Camera system No. 2 showed views of: 1) a dining room, 2) a panoramic jacuzzi on the terrace - which previously showed a view of the data subject's property, but at the time of the DPA's on-site investigation, the controller had modified the angle view of the camera away from the data subject's property - 3) a patio, and 4) a reception desk. These cameras were motion-activated, recorded images, and some of them were placed with an angle of view to areas where the persons not only pass through but also rest and dine. Regardless of the DPA's request, the controller did not present any previous cases justifying the necessity for the use of the CCTV. The DPA considered that it was relevant whether any events had taken place in the past which would justify the placement of the cameras, as the data processing was more extensive compared to Camera system No 1. With regard to the previous monitoring of the data subject's property, the controller argued that it had had a legal basis under Article 6(1)(f), because it had legitimate interests for property protection purposes as it had accused the data subject’s husband for vandalism towards the fence separating the two properties.


With regard to Camera system No. 2, the DPA considered that due to the more extensive processing carried out by the cameras, it was necessary to assess each camera separately. The objectives and purposes pursued by the controller for each camera were unclear to the DPA. The DPA also took in consideration the fact that the controller had not examined any alternative(s) for the use of a CCTV system that would not involve processing or the processing would be more limited in scope. The DPA emphasized, that in order to use CCTV systems on the basis of a legitimate interest, the processing must be proportionate to the aim pursued and compatible with the purposes pursued, necessary to achieve the purpose, and the design and implementation of the processing must take into account the reasonable expectations of the data subjects. Secondly, the DPA emphasized that the legitimate interests must be real and present at the time when the processing starts because processing cannot be based on a possible future interests.
=== Holding ===
With regard to the Camera system No. 1 the DPA concluded that the operation of the cameras is appropriate for the purposes pursued and a necessary security measure for the objective pursued by the controller. Additionally, the DPA viewed that because the cameras within Camera system No. 1 only transmitted live image, and did not record any images that it constituted a significantly lower intrusion into the privacy of the persons concerned than if the video images were recorded.


=== Holding ===
With regard to Camera system No. 2, the DPA considered that due to the more extensive monitoring carried out by the cameras, it was necessary to assess each camera separately. The controller's balancing of interests test lacked individual assessments of the cameras, and only included general wording such as that valuable objects are monitored, so the interest of the controller is to safeguard the mentioned objects. 
With regard to the Camera system No. 1, the, DPA concluded that the operation of the cameras is appropriate for the purposes pursued and necessary security measures for the objective pursued by the controller. Additionally, the DPA viewed that because the cameras within Camera system No. 1 only transmitted live image, and did not record any images the it constituted a significantly less intrusion into the privacy of the persons concerned than would be then if the video images were recorded.
 
The objectives and purposes pursued by the controller for each camera were unclear to the DPA. The DPA also took in consideration the fact that the controller had not examined any alternative(s) for the use of a CCTV system that would not involve processing or the processing would be more limited in scope. The DPA emphasized, that in order to use CCTV systems on the basis of a legitimate interest, the processing must be proportionate to the aim pursued and compatible with the purposes pursued, necessary to achieve the purpose, and the design and implementation of the processing must take into account the reasonable expectations of the data subjects. Secondly, the DPA emphasized that the legitimate interests must be real and present at the time when the processing starts because processing cannot be based on a possible future interests.


With regard to the Camera system No. 2 recording also audio, the DPA viewed that the controller had not presented any reasons which would justify the necessity of audio recording, and emphasized that it is not a common practice in the case of CCTV surveillance of property. The DPA stated that data subjects cannot expect the cameras recording their voice and conversations, in particularly, when the cameras could also be activated by some small non-human movement and so start recording the conversations of persons who are not even in the camera's view (the DPA found examples of such situations from the CCTV recordings during its investigation).
With regard to the Camera system No. 2 recording also audio, the DPA viewed that the controller had not presented any reasons which would justify the necessity of audio recording, and emphasized that it is not a common practice in the case of CCTV surveillance of property. The DPA stated that data subjects cannot expect the cameras recording their voice and conversations, in particularly, when the cameras could also be activated by some small non-human movement and so start recording the conversations of persons who are not even in the camera's view (the DPA found examples of such situations from the CCTV recordings during its investigation).


Regarding Camera system No. 2, the DPA eventually found that the controller did not have legitimate interests for processing the personal data and held that the controller violated [[Article 6 GDPR|Article 6(1) GDPR]] with regard to 1) the camera installed in the dining room, 2) the camera monitoring the panoramic jacuzzi on the terrace, and 3) the camera facing the patio. With regard to 4) the camera above the reception desk, the DPA eventually found that the controller had legitimate interests that were: the protection of property and monitoring of cash payments.
The DPA furthermore found regarding Camera system No. 2, that the controller did not have legitimate interests for processing the personal data and held that the controller violated [[Article 6 GDPR|Article 6(1) GDPR]] with regard to 1) the camera installed in the dining room, 2) the camera monitoring the panoramic jacuzzi on the terrace, and 3) the camera facing the patio. With regard to 4) the camera above the reception desk, the DPA found that the controller had legitimate interests that were the protection of property and monitoring of cash payments. The DPA considered the previous monitoring of the data subject’s property as a serious interference with private life, and that only in very rare situations can there be legitimate interests that are not overruled. The DPA took in consideration, that the balancing of interests -test did not include the data subject’s property – only the controller’s property.
 
Eventually, the Hungarian DPA held, firstly, that the controller 1) had unlawfully processed personal data of the data subject who initially complained about the processing in breach of [[Article 6 GDPR|Article 6(1) GDPR;]] and that the controller infringed 2) the principle of storage limitation under [[Article 5 GDPR|Article 5(1)(e) GDPR]] by not taking any measures to ensure that the recordings were deleted after set limitation of 3 days, 3) [[Article 12 GDPR|Article 12(1) GDPR]] by failing to inform the data subjects on the use of the camera surveillance in an easily accessible way, 4) [[Article 13 GDPR]] by failing to provided adequate information about the processing, 5) [[Article 31 GDPR]] by failing to comply with its duty to cooperate with the DPA as, in the DPA's view, the controller did not cooperate with the Authority during the procedure to the extent necessary, and in several cases provided false, incorrect or incomplete information.


Secondly, with regard to the data subject's complaint, the DPA prohibited the controller under [[Article 58 GDPR|58(2)(f) GDPR]] from using a CCTV system that monitors the data subject's property and thereby unlawfully processes personal data of the data subject and their family, and ordered the controller to remove all data in question and to adapt its information practices on CCTV surveillance, in such a way, that they fully comply with [[Article 12 GDPR|Article 12(1) GDPR]] and [[Article 13 GDPR|13 GDPR]].
The Hungarian DPA held, firstly, that the controller 1) had unlawfully processed personal data of the data subject who initially complained about the processing in breach of [[Article 6 GDPR|Article 6(1) GDPR.]] The DPA also prohibited the controller under [[Article 58 GDPR|58(2)(f) GDPR]] from monitoring, in the future, the data subject's property. Secondly, the DPA held that the controller infringed 2) the principle of storage limitation under [[Article 5 GDPR|Article 5(1)(e) GDPR]] by not taking any measures to ensure that the recordings were deleted after set limitation of 3 days, 3) [[Article 12 GDPR|Article 12(1) GDPR]] by failing to inform the data subjects on the use of the camera surveillance in an easily accessible way, 4) [[Article 13 GDPR]] by failing to provided adequate information about the processing, 5) [[Article 31 GDPR]] by failing to comply with its duty to cooperate with the DPA as, in the DPA's view, the controller did not cooperate with the Authority during the procedure to the extent necessary, and in several cases provided false, incorrect or incomplete information.


Thirdly, the DPA fined the controller HUF 3 000 000 (three million forints).
The DPA fined the controller HUF 3 000 000 (three million forints).


== Comment ==
== Comment ==

Latest revision as of 15:52, 3 May 2023

NAIH - NAIH-5114-35/2022
LogoHU.jpg
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 5(1)(e) GDPR
Article 6(1) GDPR
Article 12(1) GDPR
Article 13 GDPR
Article 31 GDPR
Article 58(2)(f) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 21.12.2022
Published:
Fine: 3000000 HUF
Parties: n/a
National Case Number/Name: NAIH-5114-35/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Hungarian
Original Source: NAIH (Hungary) (in HU)
Initial Contributor: n/a

The Hungarian DPA investigated the use of a surveillance camera sytem and fined the controller HUF 3,000,000.00 (approx. €8,000.00) for violating multiple GDPR provisions.

English Summary

Facts

The case initiated from a complaint made by a data subject who filed a complaint with the Hungarian DPA requesting the DPA to declare that a controller - a company providing accommodation services - within the neighbouring property unlawfully processes personal data with its surveillance camera systems (CCTV). The data subject requested the DPA to 1) prohibit the controller from monitoring the data subject's property with its CCTV systems, and 2) to order the controller to terminate the unlawful recordings.

The DPA extended the scope of the investigation (ex officio) against the controller. The DPA investigated all processing activities carried out by the controller with its CCTV systems and conducted an on-site inspection to the controller's property. The controller was using two CCTV systems that were identified within the investigation as Camera system No. 1 (consisting of 4 analogue cameras only providing live image) and Camera system No. 2 (consisting of 4 IP cameras recording image and audio) for which the recordings were said to be stored for three days by the controller.

The Camera system No. 1 showed views of the parking area within the property of the controller, a view from the gate to the building and to the reception area, and a small part of the backyard of the property, with a pavement leading to the reception area. The DPA noted that there were no recreational facilities located in these areas. The controller stated that the purposes of the CCTV in Camera sytem No. 1 were: 1) the protection of persons and property, 2) to detect possible infringements, 3) to catch a perpetrator in the act, and 4) to prevent infringing acts. The controller relied on legitimate interests under Article 6(1)(f) GDPR as a legal basis for the processing.

With regard to Camera system No. 2 showed views of: 1) a dining room, 2) a panoramic jacuzzi on the terrace - which previously showed a view of the data subject's property, but at the time of the DPA's on-site investigation, the controller had modified the angle view of the camera away from the data subject's property - 3) a patio, and 4) a reception desk. These cameras were motion-activated, recorded images, and some of them were placed with an angle of view to areas where the persons not only pass through but also rest and dine. Regardless of the DPA's request, the controller did not present any previous cases justifying the necessity for the use of the CCTV. The DPA considered that it was relevant whether any events had taken place in the past which would justify the placement of the cameras, as the data processing was more extensive compared to Camera system No 1. With regard to the previous monitoring of the data subject's property, the controller argued that it had had a legal basis under Article 6(1)(f), because it had legitimate interests for property protection purposes as it had accused the data subject’s husband for vandalism towards the fence separating the two properties.

Holding

With regard to the Camera system No. 1 the DPA concluded that the operation of the cameras is appropriate for the purposes pursued and a necessary security measure for the objective pursued by the controller. Additionally, the DPA viewed that because the cameras within Camera system No. 1 only transmitted live image, and did not record any images that it constituted a significantly lower intrusion into the privacy of the persons concerned than if the video images were recorded.

With regard to Camera system No. 2, the DPA considered that due to the more extensive monitoring carried out by the cameras, it was necessary to assess each camera separately. The controller's balancing of interests test lacked individual assessments of the cameras, and only included general wording such as that valuable objects are monitored, so the interest of the controller is to safeguard the mentioned objects.

The objectives and purposes pursued by the controller for each camera were unclear to the DPA. The DPA also took in consideration the fact that the controller had not examined any alternative(s) for the use of a CCTV system that would not involve processing or the processing would be more limited in scope. The DPA emphasized, that in order to use CCTV systems on the basis of a legitimate interest, the processing must be proportionate to the aim pursued and compatible with the purposes pursued, necessary to achieve the purpose, and the design and implementation of the processing must take into account the reasonable expectations of the data subjects. Secondly, the DPA emphasized that the legitimate interests must be real and present at the time when the processing starts because processing cannot be based on a possible future interests.

With regard to the Camera system No. 2 recording also audio, the DPA viewed that the controller had not presented any reasons which would justify the necessity of audio recording, and emphasized that it is not a common practice in the case of CCTV surveillance of property. The DPA stated that data subjects cannot expect the cameras recording their voice and conversations, in particularly, when the cameras could also be activated by some small non-human movement and so start recording the conversations of persons who are not even in the camera's view (the DPA found examples of such situations from the CCTV recordings during its investigation).

The DPA furthermore found regarding Camera system No. 2, that the controller did not have legitimate interests for processing the personal data and held that the controller violated Article 6(1) GDPR with regard to 1) the camera installed in the dining room, 2) the camera monitoring the panoramic jacuzzi on the terrace, and 3) the camera facing the patio. With regard to 4) the camera above the reception desk, the DPA found that the controller had legitimate interests that were the protection of property and monitoring of cash payments. The DPA considered the previous monitoring of the data subject’s property as a serious interference with private life, and that only in very rare situations can there be legitimate interests that are not overruled. The DPA took in consideration, that the balancing of interests -test did not include the data subject’s property – only the controller’s property.

The Hungarian DPA held, firstly, that the controller 1) had unlawfully processed personal data of the data subject who initially complained about the processing in breach of Article 6(1) GDPR. The DPA also prohibited the controller under 58(2)(f) GDPR from monitoring, in the future, the data subject's property. Secondly, the DPA held that the controller infringed 2) the principle of storage limitation under Article 5(1)(e) GDPR by not taking any measures to ensure that the recordings were deleted after set limitation of 3 days, 3) Article 12(1) GDPR by failing to inform the data subjects on the use of the camera surveillance in an easily accessible way, 4) Article 13 GDPR by failing to provided adequate information about the processing, 5) Article 31 GDPR by failing to comply with its duty to cooperate with the DPA as, in the DPA's view, the controller did not cooperate with the Authority during the procedure to the extent necessary, and in several cases provided false, incorrect or incomplete information.

The DPA fined the controller HUF 3 000 000 (three million forints).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

Case number: NAIH-5114-35/2022. Subject: decision
History case number: NAIH-7502/2021.





                                         H A T A R O Z A T



Before the National Data Protection and Freedom of Information Authority (hereinafter: Authority) [...]
[...] applicant represented by a lawyer (residential address: [...]; hereinafter: Applicant) to the Authority
Your request was received on October 4, 2021 with [Kft.] (headquarters: […]; hereinafter: Applicant 1) –

representative […] (seat: […]) – and with [natural person] (residential address: […]; hereinafter:
Respondent 2 or Obligor; Applicant 1 and Applicant 2 hereinafter together:
Respondents) against the data protection authorities in connection with the management of their personal data

makes the following decisions in the procedure:

   I. Granting the Applicant's request, the Authority determines that the Applicant 1
          handled the Applicant's personal data illegally, thereby violating Article 6 (1) of the GDPR

          paragraph.

   II. Granting the Applicant's request, the Authority condemns him for the violation according to point I
          Requested 1.

   III. The Authority, granting the Applicant's request, Article 58, Paragraph 2, Point f) of the GDPR

          prohibits Respondent 1 from operating in such a manner in the future
          camera system to monitor the Applicant's property, and thus illegally
          manage the personal data of the Applicant and his family.


The Authority operates in the area of [accommodation] (address: […]) vis-à-vis the Applicants
to examine the legality of data processing through camera systems November 15, 2021

in the official data protection procedure initiated by me ex officio and extended on August 4, 2022, the following
makes decisions:



   ARC. The Authority finds that Respondent 1 is unlawful, Article 6 (1) of the GDPR
          conducts conflicting data management in No. 2 camera system jacuzzi, restaurant and the inner courtyard
          during the operation of surveillance cameras.


   A. The Authority finds that Respondent 1 violated Article 5 (1) Paragraph e) of the GDPR
          the principle of limited storability according to point


   VI. The Authority finds that Respondent 1 violated Article 12 (1) of the GDPR,
          since he did not provide the information regarding camera data management to those concerned

          easily accessible.



…………………………………………………………………………………………………………
1055 Budapest Tel.: +36 1 391-1400 ugyfelszolgalat@naih.hu
Falk Miksa utca 9-11 Fax: +36 1 391-1410 www.naih.hu VII. The Authority finds that Respondent 1 violated Article 13 of the GDPR when it did not
           provided adequate information about the data management implemented through the camera system.

   VIII. The Authority finds that Respondent 1 violated Article 31 of the GDPR, as a

           He did not fulfill his obligation to cooperate with the authorities.

   IX. The Authority prohibits Applicant 1 from using the dining room, the panoramic Jacuzzi and the

           parts of the inner courtyard for relaxation, such as the jacuzzi and hot tub through the camera system
           monitoring, and the doors of the apartments opening from the courtyard, and the one in front of them
           monitoring of the rest area and orders the cameras directed to them

           disarmament.

   X. The Authority instructs Applicant 1 that the 2. camera system jacuzzi, restaurant and the

           delete all recordings recorded by your cameras monitoring the inner courtyard.

   XI. The Authority instructs Respondent 1 that it is related to camera data management
           transform its information practice in such a way that it fully complies with

           GDPR Article 12 (1) and GDPR Article 13.

   XII. The Authority is the I. and V-VIII. Requested 1 due to violations established in points


                                HUF 3,000,000 (i.e. three million forints)


obligates you to pay a data protection fine, which is due within 15 days of the delivery of this decision
                                        must fulfill within



                                                  * * *

The Authority warns Applicant 1 that Infotv. The decision based on § 61, subsection (6).
until the expiry of the time limit for filing an action, or in the event of the initiation of an administrative lawsuit a

until a final court decision, the data affected by the disputed data management cannot be deleted or not
can be destroyed.

The IV. and the IX.-XI. measures prescribed in points to Respondent 1 against this decision
must do so within 30 days after the expiry of the legal remedy deadline, and their implementation

immediately - together with the presentation of supporting evidence - certify to the Authority.

The fine is transferred to the Authority's centralized revenue collection purpose settlement account (10032000-

01040425-00000000 Centralized direct debit account IBAN: HU83 1003 2000 0104 0425 0000 0000)
must be paid in favor of When transferring the amount, NAIH-5114/2022. FINE. number must be referred to.


If Respondent 1 does not comply with his obligation to pay the fine within the deadline, a late fee
is obliged to pay. The amount of the late fee is the legal interest, which is the calendar interest affected by the delay
is the same as the central bank base rate valid on the first day of the semester. Fines and late fees
in the event of non-payment, the Authority orders the execution of the decision, the fine and the late fee


                                                   2 collection in the manner of taxes. The collection of fines and late fees in the manner of taxes is a
It is carried out by the National Tax and Customs Office.
                                                  * * *

                                              FINAL


The Authority terminates the procedure against Respondent 2.


There is no place for administrative appeal against this decision and order, but a
within 30 days from the date of notification, with a letter of claim addressed to the Capital Court
can be challenged in a lawsuit. The letter of claim must be submitted electronically to the Authority in charge of the case

forwards it to the court together with its documents. The request to hold a hearing must be indicated in the statement of claim. The
The petition submitted against the order terminating the proceedings was simplified by the Capital Court
judge it in a lawsuit, outside of a trial. For those who do not receive full personal tax exemption a
the fee for an administrative lawsuit is HUF 30,000, the lawsuit is subject to the right to record fees. The Metropolitan Court

legal representation is mandatory in the procedure before it.

                                           I N D O C O L A S


    I. Facts


  Application and case history

  (1) The Requester for the data protection official procedure received by the Authority on October 4, 2021
        requested in his application that the Authority establish that the Applicants at [accommodation]

        with installed and operated cameras, they engage in illegal data management. He asked that this
        forbid the continuation of camera surveillance directed at the Applicant's property, a
        the recording of observed data and order its termination, as well as the unlawfully prepared

        destruction of recordings, and also prohibit the Applicants from further infringement and
        convict the Respondents and impose a data protection fine.


(2) The property of the Applicant is the […] inner area […] hrsz. registered under, in nature [...]
        property at no. He is the owner of the property next door, naturally at […]
        Respondent 2, on which [accommodation] operates and which is operated by Respondent 1.


(3) The fence between [two properties] has fallen, therefore Requested 1 new fence made of concrete elements
        made it to the plot boundary. On July 26, 2021, the fence was damaged, with an approx.
        A 30 cm vertical crack was created.


(4) According to the report of the […] Police Department dated July 27, 2021, the manager of Respondent 1,
        […] On July 26, 2021, an announcement was made at the [...] Police Station about the damage to the fence

        because he saw through the camera installed in the boarding house that the property of the Applicant
        the Applicant's husband was outside in his yard, around the fence [and in the present proceedings, legal
        representative], [...] but he did not see that he had caused any damage to the fence. THE […]

        Based on the information available at that time, according to the report of the Police Department No. […]
        violation/criminal offense could not be established.

                                                   3(5) After that, the Regional Public Order Department of the […] Police Department on case number […]
        However, the Commissioner's Sub-Department filed a violation report against the Applicant's husband
        willful vandalism due to the commission of a regulation violation. In the facts of the complaint, [...]

        The police station recorded that the construction of the fence was completed on July 26, 2021 by
        contractor, and sent a photo of the damaged item to Respondent 1 on the same day
        about a fence element. Since the manager was not on site, he looked back on his phone

        recordings of the camera system installed in [accommodation]. Requested by 1 for presentation of the recording
        went to the […] Police Department, on which three persons - the Applicant, the Applicant
        her husband and father - the new one between the two properties was visible in the area of [Applicant's property].

        at the fence. The recording showed that the Applicant's husband was standing in the yard, and then the
        for fencing. The fence of the neighboring lot did not fall into the camera's field of view
        part next to it, so from then on the recording could only be heard as a grinding sound. This

        based on the conversation heard on the recording beforehand, the Applicant and his father - who
        they are in bathing suits in the recording - they also told […], the Applicant's husband, not to do this
        he can do it, the fence is not his property.


(6) The […].Sabs. [the accommodation
        [accommodation] operated by Respondent 1]
        was the manager of the store, according to which the above camera recording, which can be linked to the vandalism

        […], the manager of Respondent 1 forwarded it to him. In the recording, according to the testimony, it is clear
        you hear "[…] don't do it, finish it, you can't touch other people's property!", and then this
        loud hammer blows could be heard afterwards. In the preparatory procedure for violation of rules a

        […] The police station established that a criminal offense was suspected, as a
        according to the victim's statement, the damage caused by vandalism exceeded the amount of the violation
        value limit, therefore this procedure was terminated, and the documents were sent to the person in charge
        criminal body, the Criminal Department of the […] Police Department.


(7) According to the Applicant's point of view, based on the above, the [accommodation] such technical devices
        operated by the Applicants, which monitor your property through the use of tools,

        his activities and communication there. According to him, given that
        had previously suspected that they were being observed in some way by the Applicants, therefore
        they documented the damage to the panel and its circumstances, and then organized a similar one

        situation, on the basis of which they were able to make sure that surveillance is taking place a
        On behalf of the applicants.

(8) The Applicant submitted that the surveillance directed at their property is of particular concern because

        right next to the fence is the terrace area where the garden furniture was placed, there
        receive their guests, clients, and the Applicant's husband is a lawyer, and if the weather is good, the
        he used to make customer calls from the terrace. The Applicant could not identify that a

        which of the cameras installed in the accommodation is suitable for monitoring their living space.

(9) The Authority ex officio expanded the subject of the procedure and dated November 15, 2021

        notified the Respondents in its order that it would initiate a data protection official procedure ex officio
        against them, data processing by the camera system operating in the [accommodation] area
        to examine its legality. The examined period is from July 1, 2021, when the procedure was initiated

                                                  It was flagged up to 4 days ago. The Authority extended the examined period on August 4, 2022
        until the day of the decision.

Characteristics of the camera system operated in the [accommodation] area


No. 1, analog camera system


(10) Based on the information provided by Respondent 1 and the on-site inspection conducted by the Authority - to which
        It took place on July 5, 2022 without prior notice to the Applicants - in the area of [the accommodation]
        two camera systems are in operation. The camera system consisting of 4 analog cameras (a

        hereinafter: No. 1 camera system) requested 2 decided personal and
        based on asset protection reasons, however, Respondent 1 stated that the examined
        period, only he is considered a data controller.


(11) No. 1 The center of the camera system in an apartment with a completely separate entrance is a built-in one
        it was placed in an attic-like room opening from a closet. The recording unit with a password
        protected, which for the examination of the system the executive of Applicant 1 both the Authority and

        previously made available to an IT expert assigned by the Police Department.
        The Authority obtained the opinion of the IT expert from the Police Department, who
        findings made only in relation to camera system No. 1. The IT

        for the assignment of an expert on the suspicion of the crime of illegal data collection based on the Applicant's report
        started due to […].bü. took place in procedure no.


(12) Two monitors are connected to the system, one is in the same room as the recording unit
        placed at the reception of the other [accommodation]. The latter monitor is only suitable for a
        show the images of the cameras according to the parameters set on the recorder, it does not control the recorder. The 1.
        s. camera system only transmits live images, for image and sound recording, as well as recordings

        not suitable for storage, as there is no hard disk in the recording unit. No. 1
        it is not possible to remotely access the images of the camera system or its center.


(13) The cameras are fixed and cannot be moved after installation and adjustment
        from a distance. No. 1 of the 4 analog cameras of the camera system, one is installed on the street front of the building
        camera – CH1 – does not work, it transmits neither image nor sound, the Authority is responsible for this

        was also convinced by the on-site inspection he conducted.

(14) On December 2, 2021, according to the screenshot attached by Respondent 1, the camera marked CH2
        observes a private area entirely owned by Respondent 2, marked CH3

        it was aimed at the parking lot, but a small part of the public area also fell into its line of sight. By the Authority
        during the on-site inspection, the image of the CH3 camera sometimes disappeared, vibrated or
        during certain periods nothing was visible on it. The current business manager of Respondent 1,

        According to […], there has been a problem with this since the on-site inspection conducted by the police
        with the camera.


(15) The CH4 camera is the camera images made available to the Authority in December 2021
        according to him, he was watching the part of the sidewalk from the gate entrance to the entrance of the accommodation, and fell into his line of sight
        the railway line separating the Applicant's property from the accommodation, and to a small extent the railway

                                                   Top of 5 soundproof walls. There is no sidewalk on the side of the sound-insulating wall, so typically, taking into account the
        also for the resolution of the image transmitted by a camera, the third passing through the public area is not suitable
        to monitor persons.


(16) Subsequent modification of the viewing angle of the CH4 camera, in April 2022 – a
        According to recordings made by an expert appointed by the police department - the camera
        the public space and the soundproof wall no longer fall into his line of sight, only the neighboring one

        line separating properties, but it is not possible to see through it to the Applicant's property.

No. 2, IP camera system


(17) The other camera system (hereinafter: camera system no. 2) in December 2021 2
        It consisted of a piece of IP camera according to the statement of Respondent 1 and the attached camera images, this

        at an unknown date, two more cameras were added. No. 2 camera system cameras
        images and sound are also recorded on the SD cards in the cameras, their resolution is Full HD, i.e
        2 megapixel resolution. All four cameras have an infrared night vision function, a
        10 meters for Tapo C200 cameras, 30 meters for Tapo C310 cameras

        with sight distance.

(18) The cameras of this camera system have a motion sensor, the cameras record the recordings

        not continuously, but only in the event of some movement
        way that the cameras a few minutes before the event, the camera
        movement taking place in its field of vision, and then for a few more minutes after it ends

        afterwards.

(19) In many cases, the quality of audio recordings is affected by other noises, especially outdoor ones
        in the case of cameras, e.g. the strength of the wind, the hum of the jacuzzi circulation pump. At the same time

        under suitable conditions, sound recordings that can be clearly discerned from a sufficient distance
        are made by the cameras.


(20) The images of the camera system and the recordings recorded by it on a closed system, online
        are available, the corresponding software stores and saves the recordings if necessary. THE
        the application required to access recordings is on the phone of the manager of Respondent 1

        installed, which is protected by a pin code and facial recognition system according to the statement of Respondent 1.
        The Authority could not check the phone of the manager of Respondent 1, as it
        he could not participate in the on-site inspection held without prior notice.


(21) At the time of the inspection, the Authority made a copy of the recordings on the SD cards and
        he used them during decision-making.


(22) No. 2 the first camera of the camera system was installed in the dining room, type TP-Link Tapo
        C200. At the time of the on-site inspection, a total of 28 GB of data could be found on the camera's SD card
        113 files in MP4 format, of which 1 is 0 bytes in size, i.e. a deleted or deleted recording

        volt. The other recordings are uniformly 256 MB in size and were created before the review
        From 15 days on, they included several recordings per day.


                                                   6(23) On the camera image taken on December 2, 2021 at 10:15 a.m. and attached by Applicant 1, three
        table and a refrigerator was visible from the side view.

(24) Respondent 1 explained to the Authority's question that he kept it in the dining area

        operation of the camera system is necessary, because there are several refrigerators that
        in which, on a general basis, hundreds of thousands of forints worth of alcoholic beverages are continuously stored
        drinks, other drinks and food. Further to the operation of the camera in the dining room

        as a reason, Respondent 1 submitted that the boarding house has a 4-star rating
        a professional expectation of a place of accommodation is to monitor the communal spaces with a camera a
        for the property and personal protection of guests. In support of the latter's statement

        you have not attached any documents.

(25) On the day of the on-site inspection conducted by the Authority on July 5, 2022, the angle of view of the camera
        has been modified compared to the status of December 2021, the camera has been rotated a
        towards reception. The area in front of the reception desk falls into his view of the room opening from there

        with its door and the short corridor leading to the dining room, the self-service counter and the coffee machine.
        Two of the tables in the dining room can be seen fully, one half, and the
        upper corner of refrigerator. The windows were replaced by a refrigerator containing only soft drinks

        for accommodation next to, from which - according to the inspection's testimony - the guests are free
        they could serve themselves. No other property fell into the camera's field of view.


(26) The second camera was installed on the elevated terrace part of the building, its type is TP-
        Link Tapo C310. This was the camera that recorded the infraction for vandalism,
        then the camera footage objected to by the Applicant used in criminal proceedings. July 2021
        On the 26th, according to the recording available to the Authority, the camera came into view

        A part of the Applicant's property with the willow tree, thus recording the likeness of the Applicant and his family,
        movement and their conversation.


(27) By December 2021, the angle of view of the camera had already been changed - about this, Respondent 1
        also declared to the Authority - he is no longer suitable for monitoring the Applicant's property, a
        on the camera image of the neighboring property on December 2, 2021, only one roof was visible -

        presumably the roof of the tool shed - and one of the foliage of the willow tree near the plot boundary
        part of. On December 7, 2021, the Company attached new pictures, at which time the roof part had not even fallen
        into the camera's field of view.


(28) During the on-site inspection, in addition to the above, the upper terrace and the
        jacuzzi in its entirety, depending on the layout, 2-4 outdoor chairs with a table, [a
        accommodation] pier.


(29) In his statement dated December 2, 2021, Respondent 1 explained with the angle of view of the cameras
        regarding the fact that none of them are aimed at the Applicant's property, not least because

        because the border between the properties is not in the line of the fence, but one meter from it, a
        In the direction of the applicant's property. However, there is no legal procedure in this regard
        initiated against the Applicant and her husband, he did not substantiate his statement,

        and according to the Applicant's statement, he is not aware of the plot boundary and the fence
        lines should not coincide.

                                                  7(30) The memory card of the camera on the jacuzzi terrace had 114 GB of data at the time of the inspection, the
        The earliest snapshot in the Snapshot directory was taken on March 24, 2022 at 10:28:34 a.m.
        last on the day of the inspection. At the time of the inspection, 473 MP4 files were stored on the camera's SD card

        it was a video file, 17 of which were 0 bytes in size, i.e. previously deleted or deleted recordings. The
        available files were all 256MB in size, SD card going back 19 days
        included recordings.


(31) In his statement dated December 2, 2021, Respondent 1 informed the Authority that the
        No. 2 want to install 2 more cameras for the camera system. Requested legal

        its representative stated in a statement dated June 8, 2022 that the camera system
        expansion and installation of the planned cameras did not take place. The Authority requested that a
        Requested 1 send pictures of the installed cameras in such a way that the cameras

        environment is also included. Among these recordings, there were recordings that, however,
        allowed us to conclude that the camera system had been expanded after all.

(32) During the on-site inspection held on July 5, 2022, the Authority was convinced that another 2

        a camera has been installed - 3rd camera - one of which monitors the reception desk from above - type
        TP-Link Tapo C200 – the L-shaped desk, the worker's chair and an additional chair.


(33) If an employee is behind the counter, it is suitable for observation, or
        records the conversations between the guests and the employee working at the reception. The Authority
        also found a recording that clearly shows the payment by bank card by a hotel guest

        your PIN and the camera also recorded the cash transactions.

(34) At the time of the inspection, this camera had 28 GB of 116 recordings in MP4 format in total
        there were 2 0-byte recordings, i.e. deleted or deleted recordings. On the SD card for 19 days

        recordings can be found retrospectively, each half has a uniform size of 256 MB
        was extensive.


(35) And the other camera - camera 4 - mainly on the door of one of the apartments opening from the courtyard, the
        to the front part with garden furniture, to the yard, the jacuzzi located there is approx. in half, a
        it is aimed at the bath tub, as well as the waterfront terrace and jetty and a part of Lake Balaton, type TP-

        Link Tapo C310. The memory card of this camera had a total of 28 GB of data at the time of the review
        stored, the Snapshot library snapshots taken by the camera at different times
        contained, the earliest was made on May 31, 2022 at 10:23:12. In addition, the SD
        card contained 110 video files in MP4 format going back 15 days, all in the same format

        It was 256 MB.





The purpose and legal basis of data processing through the camera system are the statements of Respondent 1

Based on



                                                   8(36) The Applicant 1 test of interests and the operation of the camera system, as well as the
        regulations on the use of recorded images - effective from July 1, 2021 - as well
        attached to the Authority's statement dated December 2, 2021, the latter being the document
        according to dated June 30, 2021.


(37) According to the camera regulations, the purpose of data management is the persons staying at the accommodation
        protection of life, physical integrity, personal freedom, as well as in the field of real estate

        staying persons, or assets owned or used by Respondent 1
        protection. The detection of legal violations, the perpetrator, was also named as a data management purpose
        prosecution, prevention of illegal acts, and also that the recordings with these

        be used as evidence in official proceedings.

(38) According to camera regulations, images are stored on the SD cards in the cameras

        for recording, which recordings in the absence of use by the Applicant 1, at most from the recording
        stored for 3 days, longer storage of recordings is not justified. The recordings are a
        according to the regulations, they are automatically deleted after 3 days.


(39) According to the camera regulations, the data management is based on the legitimate interests of Respondent 1, as well as
        in the case of employees, as part of the control of behavior related to the employment relationship
        Mt. 11/A. on the statutory authority based on paragraph (1) of §.


(40) To support the existence of a legitimate interest, Respondent 1 prepared an interest assessment test,
        and also recorded in the camera regulations that the data management implemented is to reach

        proportionally restricts the rights of the data subjects with the desired goal, since the angle of view of the cameras is set in such a way
        setting, that in any case it is a person or event to be protected
        be aimed at property. In addition, according to the camera regulations, the Data Controller is everything
        informs those concerned about the fact of camera surveillance and is essential

        about its circumstances, i.e. data processing does not affect the data subjects unexpectedly. Data management
        its duration is adjusted to the legal requirements, the only way to get to know the data is the regulations
        persons according to - Respondent 1's executive - are entitled in the cases specified therein -

        Asserting the legitimate interest of the respondent or exercising the rights of the affected parties - it may come to that
        beer.


(41) In the interest weighing test, as part of the identification of the existing legitimate interest, it was explained,
        that Respondent 1 has a legitimate interest in data management - which is the data subjects
        covers its image and sound - as it is of great value in the area open to guests
        valuables - e.g. the jacuzzi worth several million forints - have been installed, as well as the camera system

        its purpose is primarily asset protection and the protection of valuables. Data management is secondarily a
        serves to protect guests' values, person, and physical integrity. According to Respondent 1
        with the help of the camera system, you can ensure that you are not authorized to enter the accommodation area

        no persons may enter, no activity that endangers the security of property
        to continue.

(42) According to the weighing of interests test, if there is a decrease in the value of Respondent 1's valuables

        would occur or they would be appropriated, you can reveal it by viewing the recordings
        the reason for the decrease in value or the identity of the person who stole the valuable object, and the damage caused

                                                   9 can claim reimbursement. In the event of an accident, data management may contribute to the accident
        to clarify its circumstances.

(43) In response to the Authority's question as to whether property security had previously occurred in the area of the accommodation

        threatening event, Respondent 1 explained that the use of cameras is preventive
        device, so not from the point of view of the legality of data processing through cameras
        events that threaten property security in the relevant [accommodation] area

        list, as the camera system is intended to prevent such events.
        However, according to his statement, there were such incidents, but as an example, only the fence
        he mentioned his vandalism, he did not specifically name other events, their occurrence

        no supporting evidence was attached.

(44) In the weighing of interests test, it was explained in connection with the necessity of data management that

        in the event of damage, it can only be done as a result of viewing the camera footage
        to identify the perpetrator and to demand compensation from him. Respondent 1 explained
        furthermore, that the preparation and use of recordings is proportionate to the purpose of data management, since
        as a result of the data management, Respondent 1 can achieve the data management goal set by the data subjects

        without disproportionately invading your privacy. According to the weighing of interests test, a
        Respondent 1 has no alternative means or procedures at his disposal which
        you could achieve the purpose of data management without data management.


(45) In the interest weighing test, Respondent 1 interests and rights of the stakeholders
        during his identification, he recorded that the data management is informational for guests and other stakeholders

        has the right to self-determination, and within that the right to image and privacy
        effect. However, in his view, data management is not an internal, integral part of these
        limits, its effect is proportional to the achievement of the data management goal, it is absolutely necessary for that.
        The data is collected by Respondent 1 directly from the data subjects, which is clearly visible beforehand

        informs guests about data management on signs placed in
        the purpose and method of data management are widely and clearly understood."


(46) Respondent 1 in the weighing of interests test as the expected effect of data management
        he claimed that the injury to his property could be remedied. He also emphasized
        that those concerned do not lose control over their personal data, as the camera system

        they receive information about its operation, so the data management can have little effect on them. THE
        camera recordings will be viewed if the Applicant 1
        there is a decrease in the value of your assets or an asset is appropriated, and
        to discover the identity of the perpetrator or the circumstances of a possible accident

        it is necessary to review the recordings.

(47) As a result of the balance of interests test, Respondent 1 came to the conclusion that

        has a legitimate interest in data management and the camera recordings are justified for three days
        storage.


Information about data management



                                                 10(48) In relation to information on data management, the Respondent stated that it is clearly visible,
        warning signs were placed in the building, as well as [at the accommodation] a
        it is done by means of camera regulations kept in a place accessible to guests and other stakeholders
        fulfills its obligation to provide information. During the site inspection, the camera regulations are not good

        placed in a visible place, but it was found at the reception after a short search, however, in that a
        in the room for accommodation of hotel guests, where the staff of the Authority
        they were absent during registration, the regulations and the information sheet could not be found.

        The "Camera monitored area" sign was placed in several places in the building, one of which is
        at the end of the corridor leading to the dining room, on the side of the self-service counter of the dining room, the other is the jacuzzi
        at the entrance. Apart from that, the boards did not contain any additional information.


(49) According to the statement of Respondent 1, he verbally informed the Applicant several times that "the
        He observes the land beyond the applicant's property, towards the Company, with a camera, basically

        based on property protection reasons."

(50) According to Respondent 1, no information was received after the oral information
        consent to data management on the part of the Applicant, but since it is based on his legitimate interest

        data management, it was not even necessary, as the restriction of rights was proportionate, he even explained that "a
        in our opinion, monitoring is lower than the properly necessary and proportionate level
        level, which is no better proof than that the level of observation was not suitable for

        To protect the company's property, which led to the police investigation [due to vandalism].
        proceedings."


(51) To support the fact that the information was provided, Respondent 1 attached an unknown person
        audio recording made at the time, on which the Applicant, the Applicant's husband and
        The voice of the manager of Respondent 1 can be heard, a discussion about waste transportation with a wheelbarrow
        during. During the discussion, it is said that “Through this camera you can see exactly that

        how many times has he passed in front of our yard." The attached recording does not reveal which one exactly
        the information referred to the camera, and that Respondent 1 during the conversation
        observed a public area or the Applicants' property with the referred camera. The Applicant 1

        stated that on the audio recording No. 1 camera system for a camera facing the parking lot
        referred to, which does not record recordings, only transmits a live image.


Proceedings before the [...] Police Station

        Tampering procedure


(52) Complaint and notification of the Applicant and Respondent 1 to the Police Department
        on the basis of which two different procedures were in progress. The Police Department informed the
        Authority, that in relation to the damage to the fence, the […] Police Department

        Order of the Preparatory Group of the Public Order Protection Department […] decision no
        the Investigation Department of the Police Department ordered an investigation based on During the investigation
        it was established that the reported act is not a crime, therefore April 6, 2022

        XC of 2017 on criminal proceedings. based on point a) of § 398, paragraph (1) of the Act, the
        procedure was terminated.


                                                  11(53) The Police Department made the investigative documents available to the Authority, as well as the
        the decision on the termination of the procedure, which for Respondent 2, as the aggrieved party,
        It went to the manager of Respondent 1 as a whistleblower and to the […] District Prosecutor's Office
        for delivery.


(54) Terminating the proceedings, […].bü. according to decision no. during the investigation a
        The police department has assigned a forensic technical expert to the fence affected by the vandalism

        conducted an on-site inspection. The expert came to the conclusion that the fence
        during its design, the contractor made a technological error, and the lowest fence element was already in place
        it was installed in a cracked state. The on-site inspection is such an external and intentional force

        impact, which would have resulted in damage to the fence element, was not established on it
        no external damage was found. The person who built the fence during his witness interview
        said that there was a hairline crack on one of the fence elements, which was indicated by the customer,

        He applied to 1 and with his approval it was installed as a bottom panel.

(55) During the investigation, the Police Department interviewed the manager of Respondent 1 as a witness
        on January 4, 2022. In it [the executive] stated that "the property [accommodation] is at the back,

        A camera works on the Balaton side. It faces our own area and we installed it to
        that we can watch the jacuzzi, because usually they don't put the top back on. This camera does not
        it is there to observe the neighbor, but unfortunately it falls into its field of vision

        a very small part of the neighboring property on the other side of the fence. The camera
        however, it does not record footage.” […] stated in his testimony that when the contractor indicated to him,
        that someone from the other side of the fence shakes, pulls the fence, then he was looked at by the camera

        pointed to a picture, according to which several people were walking on the other side of the fence, including [a
        Applicant's husband] as well as the Applicant. […] according to his statement, then his own
        he filmed the camera image with his mobile phone and recorded a few minutes, on which you can hear [a
        [Applicant's husband] is tried by the person next to him to calm him down and calm him down, but he does not

        he is doing something at the fence that is not visible in the camera image.

(56) On January 4, 2022, [the executive] sent the Police Department by e-mail the

        the camera recordings made of suspected vandalism, damaged by the Applicant
        camera recording saved from the application for viewing. This recording was made by
        It was downloaded by the Police Department, written out on a CD, and a copy of this in its letter dated July 18, 2022

        made available to the Authority as an attachment.

(57) Footage recorded by the camera above the jacuzzi between 18:37:36 and 18:39:52 on July 26, 2021
        shows a period during which a part of the Applicant's yard with Lake Balaton was visible and

        along with a willow tree. In the specific camera recording, it can be heard in the yard in addition to the chopping sounds
        the conversation of three aloof people - not completely clear, but some sentences perfectly
        can be taken out - as well as the Applicant and his father in bathing suits, as well as short

        for a while the Applicant's husband was also in shorts and a T-shirt.

(58) In his submission dated December 2, 2021, Respondent 1 stated about the admission in question,

        that it is no longer in his possession, he cannot make it available to the Authority, thereby
        on the other hand, he sent it to the Police Department on January 4, 2022, and on
        on March 1, he presented it on his phone to the technical expert assigned by the Police Department.

                                                   12 Procedure related to illegal data collection

(59) On September 30, 2021, the Applicant filed a complaint with the Police Department, apartment,

        other rooms or the fenced areas belonging to them are done with a technical device
        due to the suspicion of the crime of illegal data acquisition committed by secretly monitoring and recording,
        on the basis of which the Police Department ordered an investigation.


(60) The Police Department terminated the procedure on June 8, 2022, because the available
        based on the information, it was not possible to establish that a crime had been committed. The procedure

        The Applicant filed a complaint against the termination decision, the complaint will be considered in July 2022
        It was still in progress on the 20th.


(61) In the course of the investigation, the Police Department appointed a forensic IT expert, who in 2022.
        On April 1, the on-site inspection carried out in the context of search and seizure examined the
        Camera systems operated by Applicant 1. It was recorded in the expert opinion,
        that there is a traditional closed-circuit security with 4 cameras on the property

        system (camera system no. 1) and a digital one containing both external and several internal cameras
        system (camera system no. 2). Regarding the latter, the expert is only towards the jacuzzi
        regarding the mounted camera, he stated that it is fixed, not remotely

        it can be moved and adjusted mechanically. He didn't check the camera image because
        according to his reasoning, the SD cards in the cameras can be accessed remotely from an application
        he didn't take it out of the cameras, he didn't watch the recordings on them, they weren't saved

        not made. As a result, the expert opinion no. 2 with a camera system
        does not contain additional findings in this context.

(62) The additional relevant findings in the expert opinion above –

        were described under the title "characteristics of camera systems".

Property ownership of [accommodation].


(63) Based on the Applicant's letter dated June 8, 2022, the Authority queried on July 20, 2022
        the title deed of […] property, according to which, on March 29, 2022, at […]
        a request for its registration was received at the Land Registry, which was stamped. Therefore

        - in case of registration of ownership - the property is removed from the property of Respondent 2, and its new
        will be owned by […] (residential address: […])

III. Applicable legislation


Recital (47): The data controller - including the data controller with whom the personal data
may be disclosed - or the legitimate interest of a third party may create a legal basis for data processing, provided

that the interests, fundamental rights and freedoms of the data subject do not take priority, taking into account that
the reasonable expectations of the data subject based on his relationship with the data controller. This can be a legitimate interest
for example, when there is a relevant and appropriate relationship between the data subject and the data controller,

for example, in cases where the data subject is a client of the data controller or is employed by it. THE
in order to establish the existence of a legitimate interest, it must be carefully examined by several others

                                                   13 that the data subject is at the time of collection of the personal data and in connection therewith
can you reasonably expect that data processing may take place for the given purpose. The interests of the person concerned and
your fundamental rights may take precedence over the interest of the data controller if personal data
it is handled in circumstances in which the persons concerned do not matter further

for data management. Since it is the task of the legislator to define in legislation that the public authority
bodies, on what legal basis can I process personal data, supporting the legitimate interest of the data controller
no legal basis can be applied, carried out by public authorities in the performance of their duties

for data management. The processing of personal data is absolutely necessary for the purpose of fraud prevention
is also considered the legitimate interest of the data controller concerned. Personal data is for direct business purposes
its treatment can also be considered based on legitimate interest.


Based on Article 2 (1) of the GDPR, the GDPR must be applied to the data management in this case.


GDPR Article 4, point 1: "personal data": for an identified or identifiable natural person
any information concerning (“data subject”); the natural person who is directly you can be identified
indirectly, in particular an identifier such as name, number, location data, online
physical, physiological, genetic, intellectual, economic, cultural, or identifier of the natural person

can be identified based on one or more factors related to his social identity;

GDPR Article 4, point 2: "data management": personal data or data files are automated

any operation or set of operations performed in a non-automated manner, such as collection, recording,
organization, segmentation, storage, transformation or change, query, insight, use,
communication by means of transmission, distribution or otherwise making it available, coordination

or linking, restriction, deletion or destruction;

GDPR Article 4, Point 7: "data controller": the natural or legal person, public authority, agency
or any other body that determines the purposes and means of personal data management independently

defines with others; if the purposes and means of data management are EU or member state law
determines the data controller or the special aspects regarding the designation of the data controller
can also be defined by EU or member state law;


GDPR Article 5 (1) point c: Personal data from the point of view of the purposes of data management
they must be appropriate and relevant and limited to what is necessary

("data saving");

GDPR Article 5 (1) point e): Personal data must be stored in a form that
which the identification of the data subjects is only necessary to achieve the goals of personal data management

allows for a period of time; personal data may only be stored for a longer period of time
line, if the processing of personal data is in the public interest in accordance with Article 89 (1).
will take place for archiving purposes, for scientific and historical research purposes or for statistical purposes, that is

the appropriate technical required in this regulation in order to protect the rights and freedoms of the data subjects
and subject to the implementation of organizational measures ("limited storage capacity")


Article 6 (1) GDPR: The processing of personal data is only lawful if and to the extent that
if at least one of the following is met:


                                                 14 a) the data subject has given his consent to the processing of his personal data for one or more specific purposes
        for its treatment;
    b) data management is necessary for the performance of a contract in which the data subject is one of the parties,
        or steps taken at the request of the data subject prior to the conclusion of the contract

        necessary to do;
    c) data management is necessary to fulfill the legal obligation of the data controller;
    d) the data processing is for the vital interests of the data subject or another natural person

        necessary for its protection;
    e) the data management is in the public interest or for the exercise of public authority delegated to the data controller
        necessary for the execution of the task carried out in the context of;

    f) data management to enforce the legitimate interests of the data controller or a third party
        necessary, unless the interests of the person concerned take precedence over these interests
        interests or fundamental rights and freedoms that make personal data protection

        necessary, especially if a child is involved.

Point f) of the first subparagraph cannot be applied by public authorities in the performance of their duties
for data management.


Article 12 (1) GDPR: The data controller takes appropriate measures to ensure that
all those mentioned in Articles 13 and 14 regarding the processing of personal data for the concerned party

information and 15–22. and each information according to Article 34 is concise, transparent, understandable and
provide it in an easily accessible form, clearly and comprehensibly worded, especially a
for any information addressed to children. The information in writing or otherwise –

including, where applicable, the electronic route - must be specified. Verbal information at the request of the person concerned
can be given, provided that the identity of the person concerned has been verified in another way.

GDPR Article 13: (1) If personal data concerning the data subject is collected from the data subject, the data controller shall

at the time of obtaining personal data, the following is made available to the data subject
all information:
    a) the identity and contact details of the data controller and, if any, the representative of the data controller;

    b) contact details of the data protection officer, if any;
    c) the purpose of the planned processing of personal data and the legal basis of data processing;
    d) in the case of data management based on point f) of paragraph (1) of Article 6, the data controller or a third party

        legitimate interests of a party;
    e) where appropriate, recipients of personal data, or categories of recipients, if any;
    f) where appropriate, the fact that the data controller is a third country or an international organization
        wishes to forward the personal data to, and the Compliance Committee

        existence or absence of its decision, or in Article 46, Article 47 or Article 49 (1)
        in the case of data transfer referred to in the second subparagraph of paragraph
        indication of suitable guarantees, as well as for obtaining their copies

        means or reference to their availability.

(2) In addition to the information mentioned in paragraph (1), the data controller is the personal data

at the time of acquisition, in order to ensure fair and transparent data management
ensure, informs the data subject of the following additional information:


                                                  15 a) on the period of storage of personal data, or if this is not possible, this period
       aspects of its definition;
    b) the data subject's right to request from the data controller the personal data relating to him
       access to data, their correction, deletion or restriction of processing, and

       you can object to the processing of such personal data, as well as to the data portability concerned
       about his right;
    c) based on point a) of Article 6 (1) or point a) of Article 9 (2)

       in the case of data processing, the right to withdraw consent at any time,
       which does not affect the data processing carried out on the basis of consent before the withdrawal
       legality;

    d) on the right to submit a complaint to the supervisory authority;
    e) that the provision of personal data is a legal or contractual obligation
       is a basis or a prerequisite for concluding a contract, and whether the person concerned is obliged to the personal

       provide data, as well as what possible consequences it may have
       failure to provide data;
    f) the fact of automated decision-making referred to in paragraphs (1) and (4) of Article 22, including
       also profiling, and at least in these cases to the applied logic and that

       comprehensible information regarding the significance of such data management and
       what are the expected consequences for the person concerned.


(3) If the data controller performs additional data processing on personal data for a purpose other than the purpose of their collection
wish to perform, you must inform the data subject about this different purpose before further data processing
and all relevant additional information referred to in paragraph (2).


(4) Paragraphs (1), (2) and (3) do not apply if and to what extent the person concerned is already involved
has the information.


Article 25 (2) GDPR: The data controller implements appropriate technical and organizational measures
finally to ensure that, by default, only such personal data is processed
take place, which are necessary from the point of view of the given specific data management purpose. This is the obligation

applies to the amount of personal data collected, the extent of their processing, the duration of their storage and
their accessibility. These measures must in particular ensure that the personal
data should not become, by default, without the intervention of the natural person

accessible to an unspecified number of people.

GDPR Article 31: The data controller and the data processor and, if any, the data controller or the
during the execution of the tasks of the representative of the data processor with the supervisory authority - its inquiry

based on - cooperates.

GDPR Article 58 (2) points b), d), f) and i): Acting within the corrective powers of the supervisory authority:

b) condemns the data manager or the data processor if his data management activities violated e
the provisions of the decree;
d) instructs the data manager or the data processor that its data management operations - where applicable

in a specified manner and within a specified time - bring it into line with the provisions of this regulation;
f) temporarily or permanently restricts data management, including the prohibition of data management;


                                                 16i) imposes an administrative fine in accordance with Article 83, depending on the circumstances of the given case, e
in addition to or instead of the measures mentioned in paragraph

GDPR Article 77 Paragraph 1: Without prejudice to other administrative or judicial remedies,

all data subjects have the right to complain to a supervisory authority – especially the usual one
in the Member State of your place of residence, place of work or the place of the alleged infringement - if it is
according to the opinion of the data subject, the processing of personal data concerning him/her violates this regulation.


GDPR Article 83 Paragraphs (2)-(3) and (5): Administrative fines depend on the circumstances of the given case
in addition to or instead of the measures referred to in points a) to h) and j) of Article 58 (2), depending on the circumstances

must be imposed. When deciding whether it is necessary to impose an administrative fine or a
must be sufficiently taken into account in each case when determining the amount of the administrative fine
take the following:

   a) the nature, severity and duration of the infringement, taking into account the data management in question
      nature, scope or purpose, as well as the number of persons affected by the infringement, as well as the
      the extent of the damage they have suffered;
   b) the intentional or negligent nature of the infringement;

   c) mitigating the damage suffered by the data controller or the data processor
      any action taken in order to;
   d) the extent of the responsibility of the data manager or data processor, taking into account the 25 and

      technical and organizational measures implemented on the basis of Article 32;
   e) relevant violations previously committed by the data controller or data processor;
   f) with the supervisory authority to remedy the violation and the possible negative effects of the violation

      extent of cooperation to mitigate;
   g) categories of personal data affected by the infringement;
   h) the manner in which the supervisory authority became aware of the violation, in particular the fact that
      whether the data controller or the data processor reported the breach, and if so, what kind

      with detail;
   i) if against the relevant data controller or data processor earlier - in the same subject
      - one of the measures referred to in Article 58 (2) was ordered, in question

      compliance with measures;
   j) whether the data controller or the data processor considered itself approved according to Article 40
      to codes of conduct or approved certification mechanisms pursuant to Article 42;

      as well as
   k) other aggravating or mitigating factors relevant to the circumstances of the case, for example a
      financial benefit obtained or avoided as a direct or indirect consequence of a violation
      loss.


(3) If a data manager or data processor is involved in the same data management operation or is related to each other
with regard to data management operations - intentionally or negligently - this regulation has more

also violates its provision, the total amount of the fine may not exceed the most serious violation
in case of a specified amount.


(4) Violation of the following provisions - in accordance with paragraph (2) - a maximum of 10,000,000
with an administrative fine of EUR, and in the case of businesses, the entire previous financial year


                                                  can be hit with an amount of up to 2% of its 17-year world market turnover; the higher of the two
an amount must be imposed:
    a) with regard to the data manager and the data processor in Articles 8, 11, 25-39, 42 and 43
        specified obligations;


(5) Violation of the following provisions - in accordance with paragraph (2) - at most 20,000,000
with an administrative fine of EUR, and in the case of businesses, the entire previous financial year

shall be subject to an amount of no more than 4% of its annual world market turnover, provided that of the two
a higher amount must be imposed:
a) the principles of data management - including the conditions of consent - in accordance with Articles 5, 6, 7 and 9;

b) the rights of the data subjects in Articles 12–22. in accordance with Article; (…)

Infotv. Section 2 (2): Personal data according to (EU) 2016/679 of the European Parliament and of the Council

regulation (hereinafter: general data protection regulation) is the general
data protection decree III-V. and VI/A. In Chapter 3, as well as § 3, 4, 6, 11, 12, 13, 16, 17,
21., 23-24. point, paragraph (5) of § 4, paragraphs (3)-(5), (7) and (8) of § 5, § 13 (2)
paragraph, § 23, § 25, § 25/G. in paragraphs (3), (4) and (6) of § 25/H. § (2)

in paragraph 25/M. in paragraph (2) of § 25/N. § 51/A. in paragraph (1) of § 52-54. §-
in, paragraphs (1)-(2) of § 55, paragraphs 56-60 § 60/A. (1)-(3) and (6) of § § 61 (1)
paragraphs a) and c), § 61 paragraphs (2) and (3), paragraph (4) b) and (6)-(10)

in paragraph 62-71. §, § 72, § 75 (1)-(5), § 75/A. in § and 1.
shall be applied with the additions specified in the annex.

Infotv. Validation of the right to the protection of personal data based on § 60, paragraph (1).
in order to do so, the Authority may initiate an official data protection procedure ex officio. The data protection authority

for procedure CL. 2016 on the general administrative procedure. Act (hereinafter: Act)
rules shall be applied with the additions specified in Infotv. and the general data protection
with deviations according to the decree.


Infotv. According to § 61, paragraph (1), point a) in the decision made in the data protection official procedure
the Authority
a) in connection with the data management operations defined in paragraphs (2) and (4) of § 2, the

may apply the legal consequences specified in the general data protection decree, so in particular
upon request or ex officio order the unlawfully processed personal data determined by it
can be temporarily or permanently restricted in other ways
data management.


Infotv. Section 61, paragraph (6): Until the expiry of the time limit for filing an appeal against the decision,
and in case of initiation of a public administrative lawsuit, until the final decision of the court, affected by the disputed data management
data cannot be deleted or destroyed.


Infotv. 75/A. §: The Authority is contained in Article 83, Paragraphs (2)-(6) of the General Data Protection Regulation
exercises its powers taking into account the principle of proportionality, especially with the fact that the personal
regarding data management - in legislation or in a mandatory legal act of the European Union
in the case of the first violation of specified regulations, to remedy the violation - that

in accordance with Article 58 of the General Data Protection Regulation - you are primarily the data controller
takes action with a warning from the data processor.

                                                   18 On the detailed conditions for the continuation of accommodation service activities and the accommodation
239/2009 on the procedure for issuing an operating license. (X. 20.) Government Decree 4/A. § (1)
According to paragraph
prior to and after the first certification, the accommodation certifier is required every three years

to request an examination and evaluation of the organization, in accordance with the requirements for the type of accommodation
in order to be classified into a quality grade.

ARC. Decision


IV.1. Data management quality


(64) Based on the Applicant's request, the Authority notified both Respondent 1 and Respondent 2
        that an official data protection procedure was initiated against them upon request or ex officio. THE
        The authority's inquiries were received only by Respondent 1, and only he did so during the procedure
        statement, in all cases from Respondent 2 they came back with a not wanted signal

        Authority's orders, due to which the Authority imposed a procedural fine on Respondent 2.

(65) In his letter dated December 2, 2021, Respondent 1 informed the Authority that the

        only he is responsible for the examined data management and the cameras installed in the [accommodation].
        is considered a data controller.


(66) Based on the information revealed during the procedure and the statements of Respondent 1, the Authority
        states that it was Respondent 1 who determined the purpose and means of data management, he
        decided on the angle of view of the cameras, after the initiation of the procedure, he made changes to them,
        and the installation and operation of additional cameras on the property was also his decision. On this

        in addition, the indicated data management purposes were all intended to serve the interests of Respondent 1,
        since the primary purpose of data management is to protect the property of the accommodation and hotel guests
        has been flagged.


(67) It should also be noted that the document objected to by the Applicant, prepared on July 26, 2021
        camera footage was also saved by Respondent 1 and used against the Applicant's husband

        infraction and then criminal proceedings were initiated.

(68) During the procedure, the Applicant attached an audio recording, on which, according to his statement,

        The voice of Respondent 2 can be heard, on which the unidentified speaking party states that
        sees the image transmitted by cameras, including the Applicant and her husband, but the Authority does not
        had the opportunity to make sure that the other speaking party was Respondent 2 or someone else
        there is no evidence at the Authority's disposal that would prove beyond a doubt that a

        recordings were accessed by Applicant 2.

(69) In view of all of this, the Authority concludes that with regard to the examined data management

        Respondent 1 is considered a data controller. Due to this, as well as the fact that Applicant 2
        in the meantime, the property was sold and the new owner is on the stamp, the procedure with Respondent 2
        has become obsolete, since it does not affect the right or legitimate interest of the case, so the Authority a

        in relation to the Akr. Based on § 47, subsection (1), point c), the procedure is terminated.


                                                   19 IV. 2. Lawfulness of data management through the camera system - general practice

(70) Respondent 1 processed personal data using the two camera systems
        and considering that according to Article 4, point 1 of the GDPR, your natural personal voice,

        your image is personal data. The people involved can be identified in the recordings, as is well exemplified by
        They were also contained in the applicant's request. No. 1 camera system personal data, image and
        it does not record audio, but the image of the cameras and the person in their field of view

        transmits his natural personal image to the monitor located at the reception [of the accommodation],
        or, if it is switched on, to a monitor placed in the same room as the recording unit.
        Given that according to Article 4, point 2 of the GDPR, you are on personal data

        any operation performed on data files in an automated or non-automated manner or
        the totality of operations is considered data management, so no. 1. also through a camera system
        data management under the scope of the GDPR is implemented.


(71) No. 2 camera system cameras have a motion sensor and detect motion
        in this case, they record the image, voice, and activity of the persons concerned who are in their field of vision, that is
        conversations of data subjects, i.e. also through this camera system according to Article 4, point 2 of the GDPR

        implements data management Requested 1.

(72) The two camera systems and the legality of the data management carried out through them are the responsibility of the Authority

        it is examined separately, taking into account the differences in the monitored areas and the data management
        to its different nature.


No. 1 findings related to the camera system

(73) The 1st camera system consisting of 4 fixed, analog cameras - whose camera is marked CH1
        it does not work - it only broadcasts live images, the recordings shown by the cameras are not saved

        recording. The parking lot inside the [accommodation] and the building from the gate are in the view of the cameras
        next to it, the road leading to the reception falls into it, as well as a small part of the property's backyard, a
        with a sidewalk leading to reception. No recreational equipment was placed in this latter area

        for placement.

(74) Requested 1 uniform regulations for the two camera systems, as well as consideration of interests

        prepared a test, indicating the protection of personal and property as the purpose of data management -
        detection of possible violations of law, prosecution of the perpetrator, prevention of illegal acts -
        and as the legal basis for data management, he indicated his legitimate interest in the realization of this goal
        i.e. Article 6 (1) point f) of the GDPR.


(75) With reference to point f) of Article 6 (1) of the GDPR, the personal data is then legal
        management, if the data management is for the legitimate interests of the data controller or a third party

        necessary for its enforcement, unless they take priority over these interests
        concerned interests or fundamental rights and freedoms that protect personal data
        make it necessary, especially if the child is involved.

(76) The European Data Protection Board on the processing of personal data using video devices
        solo 3/2019. according to point 19 of guideline no. (hereinafter: Guidelines) is real
        and in a dangerous situation, the purpose of protecting property against burglary, theft or vandalism is a

                                                  20 may be considered a legitimate interest in video surveillance. For the legitimate interest indeed
        it must exist and actually exist at the time of data processing
        it cannot be theoretical, as the Court of Justice of the European Union stated in C-708/18. brought in case no
        he also stated in point 44 of his judgment.


(77) The Authority in the 1. does not consider it necessary in relation to the cameras of the camera system
        data management purposes and the proportionality of data management for each camera, since

        a uniform statement can be made about them.

(78) Requested 1, the Authority specifically for damage events that previously occurred at the accommodation

        he did not answer his relevant question in substance, did not give examples, did not prove cases, only
        stated that there were previous damage incidents. So Respondent 1 is legal
        has indicated a data management purpose, to which it may have a legitimate interest recognized by the Board,

        however, the existence of this legitimate interest was not factually supported or made probable.

(79) The Authority no. 1. in relation to the camera system, however, as existing even in its absence
        considers the legitimate interest related to data management. The reason for this is that No. 1 camera system

        all three working cameras are aimed at the property, the CH4 camera falls into the field of view
        partly the top of the railway soundproofing wall, but for monitoring movement on the street
        in a way suitable for personal identification, this camera is not suitable for both the distance and the

        camera resolution, both because of the viewing angle. The cameras monitor parts of the property that
        on which you can get to the area of the property on the one hand, and to the [accommodation] itself on the other hand,
        and where hotel guests can park their vehicles, and in the meantime on these a

        in these areas, hotel guests typically only pass through, not to rest or spend meaningful time
        they use them. Due to the location of these cameras - as they are also clearly visible from the street -
        have a deterrent effect against unauthorized entry into the property area, or
        against the commission of other crimes against property. Based on all this, the Authority

        determines that the operation of these cameras is appropriate for the purpose to be achieved and
        is considered a necessary safety measure.


(80) In addition, the cameras only transmit live images, no recording takes place, which is what it is
        it realizes a significantly lower degree of interference in the private sphere of stakeholders than if row
        their personal data would be recorded. Based on all of this, the Authority concludes that 1.

        s. data management through a camera system is suitable for achieving the goal, data management
        its scope is proportional to the goal to be achieved, so no. 1. realized by means of a camera system
        data management is legal, it complies with the regulations of the GDPR.


No. 2 findings related to the camera system

(81) Due to the more extensive data management carried out with this camera system, the Authority considers it necessary

        considers that it should be considered separately for each camera that it is
        data processing carried out by them is necessary, as well as the rights and freedoms of the data subjects
        does it limit proportionally.


(82) As the Authority explained earlier in its decision, asset protection is contingent
        enabling the subsequent proof of a legitimate data management purpose in connection with damage events

                                                 21 in general, but this alone is not enough for data management
        to its legality. In order to conduct video surveillance on the basis of a legitimate interest
        data management must be legal, the data management must be proportionate to the goal to be achieved, and the goal
        it must be necessary to achieve it, as well as the planning and implementation of data management

        the reasonable expectations of those concerned must be taken into account [GDPR (47)
        recital].


(83) In the interest assessment test attached by Respondent 1, the individual was not described
        in relation to cameras separately, that for data management the Respondent 1 exactly
        what legitimate interest it has - beyond the general wording that for the guests

        valuable valuables were placed in an open area, i.e. the camera system
        purpose is primarily asset protection - what are the circumstances that data management
        make it necessary, or the rights of the data subjects have not been separately identified, as well as

        their reasonable expectations regarding data management.

(84) The Authority in accordance with No. 2 regarding the cameras of the camera system, he refers back to his earlier statement,
        that the legitimate interest must be real and existing at the start of data processing,

        data management cannot be continued based on a possible future interest. As the
        As explained above by the Authority, Respondent 1 did not, despite the Authority's express request
        presented previous cases that would prove the need for camera data management,

        whose No. 2 is important in relation to the camera system, since they are on the one hand
        they are activated for movement, the completed recordings are recorded, on the other hand [the accommodation] is individual
        were placed in his premises and in his yard with a viewing angle setting that

        areas, the people concerned not only pass through, but rest and eat there, i.e. here
        in the case of cameras, it is actually important whether there have been previous events that
        which would justify the placement of the cameras, since the data management is good for them
        wider than No. 1 regarding the camera system.


(85) Regarding the necessity of operating the camera system, it should be noted that a
        according to available information, Respondent 1 did not check that the cameraman

        is there an alternative to data management that is not personal or less personal
        by handling data. In addition, it was revealed during the evidence procedure conducted by the Authority
        based on the circumstances, it cannot be declared that there is no alternative to No. 2. camera system

        to data management carried out through, or it could not be continued in a way that is less
        impairs the right of data subjects to protect their personal data.

(86) Regarding the necessity of data management, Respondent 1 also referred to the fact that a

        professional expectations for accommodations with four-star pension certification a
        surveillance of public spaces with a camera. Respondent 1 did not respond to the Authority's question
        stated what classification system requires this for accommodations, merely

        he referred to sector expectations, and to the fact that all hotels and pensions operate
        camera system. According to the photograph taken at the inspection, the accommodation is Panzió Nemzeti
        has a certification Trademark that is valid until 2024. The accommodation service

        on the detailed conditions for the continuation of the activity and the accommodation operation license
        239/2009 on the procedure for issuing (X. 20.) Government Decree 4/A. According to paragraph (1) of § a
        accommodation service provider prior to the notification of the accommodation's operational activity,

                                                 22 and the accommodation certification organization is obliged every three years after the first certification
        to request its examination and evaluation, in accordance with the requirements for the type of accommodation
        in order to be classified into a quality grade. The qualification requirements are the accommodation qualification
        are published on the organization's website, which is Hungarian Tourism from January 1, 2022

        Quality Certification Body Nonprofit Kft., website https://szallashelyminosites.hu/panzio. THE
        in the criteria system for boarding houses -
        https://szlashelyminosites.hu/docs/panzio_kriteriumrendszer_utmututatoval.pdf - not included

        as a qualification criterion, the monitoring of common spaces by means of a camera system, of which
        therefore, the Authority considers professional expectations as one of the reasons for the operation of the camera system
        does not consider it acceptable, as well as the argument that other accommodations

        carry out similar data management.

(87) Respondent 1 mentioned in the attached interest assessment test among the processed data that

        the cameras also record sound, but it was not covered at all in the consideration of interests test
        to why the audio recording is kept in order to achieve the indicated data management purposes
        necessary, and why you do not consider the marked available without audio recording
        data management purpose. According to the Authority's point of view, this is different from image recording

        data management, the legality of which and the legitimate interest attached to it should have been separate
        prove to Respondent 1 during the procedure. However, Respondent 1 did not during the procedure
        presented circumstances that would support the need for audio recording.


(88) The Authority's position is that it causes more serious damage to the private sector if the cameras
        in addition, sound is also recorded, especially considering that the sound recording cannot be viewed

        as a common practice in the case of asset protection camera surveillance, so it is
        in the absence of information, those concerned cannot expect the cameras to be their likeness
        also records their voices and conversations. This is especially true when the cameras
        they are also activated for some small, non-human movement, and thus the conversation of such persons

        are also recorded by those who are not in the camera's field of view, to which the SD-
        The Authority also found an example among the recordings on the cards (record number […]).


(89) Based on all of this, the Authority concludes that the 2. no. with the cameras of the camera system
        audio recording is illegal and violates Article 6 (1) of the GDPR.


(90) Further circumstances of data management, the proportionality and necessity of data management, and thus
        the legality of the Authority in the 2. no. in relation to some cameras of the camera system a
        further examined separately, due to the differences in the areas observed by them.


A camera located in the dining room

(91) In the dining room, Respondent 1 considers the camera system necessary

        operation, because there are several refrigerators in which, on a general basis,
        they continuously store hundreds of thousands of forints worth of alcoholic drinks, other drinks and
        foods.


(92) During the on-site inspection, the Authority established that the camera located in the dining room
        only one refrigerator falls into his field of vision - only the corner of it when it is closed -,

                                                 23 in which only non-alcoholic soft drinks were placed during the inspection, and of which a
        guests served themselves freely. The alcoholic beverages Requested 1 is a smaller one
        stored in a refrigerator, which is protected by a padlock.

(93) Due to the placement of the camera, however, not only this one piece of refrigerator falls into the

        into the camera's field of view, but the tables placed there, at which the guests are
        they complicate their meals.

(94) According to the Authority's point of view, the implemented data management is not proportionate to the desired goal

        for property protection purposes, since, on the one hand, contrary to the claim of Respondent 1, the camera
        hundreds of thousands of forints worth of food was not stored in the refrigerator within sight
        or alcoholic beverages, on the other hand, protecting the contents of the refrigerators is simple
        would be with the lock installed on the coolers - as is the case with the cooler containing small alcohols

        also happened - or by placing a lockable refrigerator in advance, i.e. it is not for the goal to be achieved
        need for data management.

(95) In relation to the secondary purpose - that is, if there is any decrease in assets

        causative event, so that the circumstances of the case can be revealed - Applicant 1 no
        made it probable that this is a real interest existing at the time of data processing, i.e. that
        you can realistically expect to damage the refrigerator or any food in it

        to steal a drink. The Authority further notes that in the event that the Applicant
        1 would have proved that he has a legitimate interest in the camera monitoring of the refrigerators, so
        even in that case, it would have been possible to place the camera in such a way, and the angle of view would have been such
        to monitor only the refrigerator and not the entire refrigerator

        dining room, subject to Article 5 (1) point c) of the GDPR.

(96) The Authority also notes that in the present case, the current position and angle of view of the camera
        in addition, he would not consider it sufficient if Respondent 1 were to mask the room outside the refrigerator

        parts, as the camera in its current position would create a sense of observation in this
        also in the case of those involved, who would not be able to ascertain in any way that
        the camera image has actually been masked.

(97) The Data Protection Board 3/2019. s. guidelines and recital (47) of the GDPR

        consideration of the interests of the data controller and the rights and freedoms of the data subjects
        the reasonable expectations of the stakeholders must be taken into account. According to the Guidelines, it is
        reasonable expectations of stakeholders should not be determined subjectively, but according to the fact that

        whether an objective third party can reasonably calculate and infer in the given situation
        to be observed.

(98) According to paragraphs (37)-(38) of the Guidelines, those concerned may expect not to be observed

        them in public places, especially if these places are typically for recuperation and rest
        and used for recreational activities as well as in places where individuals
        stay and communicate, for example in lounges, at restaurant tables, in parks,
        in cinemas and fitness facilities. In this case, the interests or rights of the data subject and

        your freedoms often take precedence over the legitimate interests of the data controller.

(99) Hostel guests typically come [to the accommodation] to relax, have breakfast there,
        they talk, organize their day. During these activities, their observation and

                                                 24 in particular, the recording of their conversation is particularly disadvantageous for those involved and in general
        it is not necessary for the purpose indicated by Respondent 1. The Guidelines emphasize that it is
        signs informing the person concerned about video camera surveillance are irrelevant
        when establishing the objective expectations of the stakeholders.

        Consequently, in connection with the data processing carried out by the camera placed in the restaurant
        you cannot rely on the fact that one has been placed on the side of the self-service counter
        area board observed with a camera, and especially not because of the fact of audio recording

        Respondent 1 did not draw the attention of those concerned anywhere.

(100) During the inspection, the Authority made a copy of a recording on which, on the one hand,
        workers packing up and cleaning after a meal can be seen, on the other hand, one

        a hotel guest sitting at one of the tables with a laptop, working, talking on the phone, then heading for the heat
        she stands up with respect and fans herself with her skirt while walking in such a way that a
        the recording also shows her underwear or the bottom of her swimsuit (video file named […]). All of these
        on the basis of which it can be stated that the hotel guests did not and do not reasonably count

        they could expect to be watched in the dining room.

(101) The Authority finds that Respondent 1 illegally operates the camera in the restaurant
        and illegally observes the hotel guests staying there, eating and conversing, thereby

        in violation of Article 6 (1) of the GDPR.

A camera monitoring the panoramic jacuzzi on the terrace

(102) The necessity of the camera directed mainly at the jacuzzi was justified by Respondent 1 by saying that the

        jacuzzi is worth several million forints, so data management is necessary to protect your property.

(103) The camera is mainly aimed at the jacuzzi, but e.g. shouting from the yard to the terrace

        also records ([…]; […]).

(104) In view of what was explained in the previous subsection, the Authority does not consider it to be the desired goal

        proportional to the fact that Applicant 1 typically sees hotel guests in bathing suits, resting,
        he observes and records them while relaxing. There are several couples in the recordings,
        who hug each other, kiss in the jacuzzi, others are naked or half-naked
        they bathe, take pictures of themselves in bathing suits, and children also use the jacuzzi

        ([…]; […]; […]). Based on the recordings, the people involved did not count at all, and reasonably not
        they could also count on being told about them while using the jacuzzi, while relaxing
        intimate moments are recorded. According to the Authority's point of view, it may play a role in this

        also that Respondent 1 also sells packages that include a private panoramic jacuzzi
        use is promised, which may give those concerned the impression that the panorama is a Jacuzzi
        they are actually alone while using the jacuzzi, no one is using them

        disturbs them, which includes not observing them while bathing
        with a camera.


(105) The Authority considers it necessary to state here again that the sign observed by the camera
        according to the Guidelines, its location is not relevant when determining that it is
        stakeholders, what their expectations may be objectively. Also, the area monitored by the camera


                                                  Based on 25 signals, those involved could not even expect that the camera would not only transmit live images,
        but also records the recordings.

(106) The Authority also does not consider the argument regarding the top of the jacuzzi to be acceptable, since

        the image of the camera cannot be followed live via a monitor in the accommodation, as in No. 1.
        in the case of a camera system, and for viewing the recorded camera images, Applicant 1
        according to his statement, it will only take place in justified cases, with the recording of minutes - log files

        in its absence, the Authority could not be convinced of this - i.e. the statement of Respondent 1
        system established according to is not suitable for the Applicant to check that the
        have guests put the top of the jacuzzi back on.


(107) Based on all of this, the Authority concludes that Respondent 1 illegally operates the
        a camera aimed at the jacuzzi and illegally records the voice and image of the persons concerned there,

        activities, thereby violating Article 6 (1) point f) of the GDPR.

The camera facing the inner courtyard


(108) The camera facing the inner courtyard on the door of one of the apartments opening from the courtyard, the one in front
        partly with garden furniture, to the yard, the jacuzzi located there is approx. in half, on the bath tub,
        and it is directed to the waterfront terrace and pier and a part of Lake Balaton.


(109) According to Respondent 1, the purpose of monitoring the inner courtyard with a camera is to protect property,
        in the event of a possible theft or break-in, there is a high chance of being identified by the cameras facing the inner courtyard

        they know the perpetrator of the crime.

(110) The Authority does not dispute that a certain degree of monitoring of the inner courtyard may be necessary
        prevention of potential crimes against property, or in the event of their occurrence

        in order to reveal them, as the Authority in no. 1 camera system marked CH2
        he also explained about his camera. A significant difference between the viewing angles of the two cameras is that
        No. 1 the rear camera of the camera system, facing the inner courtyard, does not record footage on the one hand,

        on the other hand, it is directed only to the part of the sidewalk where the entrance to the accommodation is located, and it is a thin one
        lane from the part of the yard next to the sidewalk. In these areas - as the Authority previously did
        also described - hotel guests typically only pass through this area to rest,

        not used for recreation. On the other hand, no. 2 camera system for the inner courtyard
        only areas where the hotel guests are in the field of view of the camera
        they rest and relax, in many cases in bathing suits, e.g. Jacuzzi, hot tub. Also on camera
        the movements and activities of hotel guests who are in the camera's field of view can be followed

        they stayed in the second apartment, who usually use the one located in front of the apartment
        also garden furniture, they talk and relax there.


(111) The Authority's position is that at the time of the inspection, the camera's field of view is much wider
        made monitoring possible, as was necessary to achieve the data management goal, since
        for property protection purposes, only the entrance leading to the reception of the accommodation would be sufficient

        camera surveillance, which does not require the hotel guests to be at rest
        observation. In addition, according to the Authority's point of view, the concerned parties reasonably do not
        they can count on video and audio recording of their movements in the hotel yard,

                                                  26 as it is an area for recreation. Based on all of this, the Authority determines,
        that Respondent 1 is illegally fixing the inner yard beyond the necessary extent
        with a camera aimed at the voice, likeness, and activity of the data subjects, in violation of the GDPR
        Article 6, paragraph 1, point f).


The camera above the reception desk


(112) The camera above the reception desk captures the reception desk from above, the person behind it
        employee or employees, or the cabinet placed next to the wall, as well as the
        hotel guests, whose faces are only visible when they are very close

        they go to the counter and lean over it a little or lean on it, if someone just
        he passes by the counter, his face is not visible in the footage. The store manager is in the camera's field of view
        monitor used by is not included.


(113) According to the statement of Respondent 1 dated August 28, 2022, the reception desk with a camera
        monitoring also has the purpose of asset protection, since according to his statement, the guests
        they regularly pay in cash. This statement was copied by the Authority during the inspection

        - 19 days - supported by camera footage.

(114) In view of this, the Authority does not consider data processing to be excessive, and considers that the

        Claimed 1's legitimate interest as there is actually cash flow at the front desk where
        the money box serving as the house cash register was also placed. Furthermore, the reception desk is not
        it is located in a closed space, it cannot be fenced off separately, as the reception also opens to an apartment

        from the side.

(115) According to the Authority's point of view, from the business manager's job and the nature of the job
        therefore, the camera above the reception desk is not suitable for monitoring the employee, or a

        to measure his performance, since the tasks of the business manager are not limited to those that
        you must finish sitting at your desk.


(116) Based on this, the Authority concludes that Respondent 1 legally installed the camera above the reception
        is operated, its legitimate interest – asset protection, monitoring of cash payments –
        data processing carried out in order to enforce

        typically the business manager's right to protect his personal data, the restriction does not
        can be considered excessive.

IV.3. Violation of the principle of limited storage capacity


(117) According to Article 5 (1) of the GDPR, personal data must be stored in such a form
        to happen, which identifies the data subjects only for the purposes of processing personal data
        for the time required to reach it.


(118) According to the statement of Respondent 1, the purpose of data management through the camera system is a
        it was property protection. In this regard, the camera regulation 6.2. for recording in point
        it was decided that, in the absence of use of the recorded images, the Applicant 1, at most a
        it is stored for 3 days from the date of recording, as the general person and


                                                  27, compared to property protection purposes, no special reason arises, which has a longer content
        would justify data retention. In the absence of use, the recordings will be on the 3rd day from the recording
        are automatically deleted.

(119) According to the Authority's point of view, the retention period of the camera recordings is adequate, as it was intended to be

        has been defined proportionally to the purpose in the camera regulations, since if it is of any kind
        a crime against or other event involving property damage occurs, within 3 days
        Respondent 1 will certainly detect and take appropriate action on the recordings

        in order to save.

(120) However, the Respondent did not take any measures against the provisions of the camera regulations
        in order for the recordings to be deleted after 3 days, he did not apply such a setting
        on the cameras, and placed relatively large SD cards in the cameras, which thus

        they can store much more than 3 days of recordings.

(121) At the time of the inspection, no. 2 camera system directed to the inner courtyard and in the dining room
        on the SD card of its cameras for 15 days, while for the jacuzzi and the reception

        the SD cards of the cameras had recordings going back 19 days.

(122) The Authority considers these retention periods neither necessary nor proportionate
        in relation to a camera system operated for property protection purposes, therefore it states that
        Respondent 1 violated the limited liability under Article 5 (1) point (e) of the GDPR

        storability principle.

IV.4. Information about camera data management


(123) In the case of data management through a camera system, the data controller is the personal data
        is collected from the data subject, therefore the obligation to provide information according to Article 13 of the GDPR is sufficient
        to the data controller.


(124) In relation to the information, the Authority primarily reviewed the website of Respondent 1, where separately
        there is no data management information or data protection tab. By clicking on the Reservation menu item
        at the bottom of the page there is a clickable menu item called Data Management Policy, however

        it redirects to the GTC.

(125) In point [...] of the Terms and Conditions on the website, under the heading Obligations of Guests, call the

        the attention of guests and potential guests that it operates a camera system [a
        accommodation] area: "[…]" In addition, they can be found in point [...] of the General Terms and Conditions with data management
        related information, e.g. newsletter subscription, transfer of personal data request

        for authority, etc.

(126) During the inspection, the Authority came to the conclusion that it was not found anywhere in the building
        detailed for posting, containing all the conditions of camera data management

        information sheet. The camera policy was found at the reception, although it was not posted,
        therefore, guests cannot access it without a special request. Area under surveillance
        sign was placed in several places - at the entrance to the jacuzzi and the self-service in the dining room

        on the side of the counter - however, the boards did not contain any additional information beyond the fact of data management.

                                                  28 In addition, information was not posted or placed in any other way in the rooms
        about data management through a camera system.

(127) As a result, the Authority disputes the interest assessment test made by Respondent 1

        statement that "guests are informed on signs placed in a clearly visible place
        on data management, on the basis of which the purpose and method of data management are broadly and clearly defined
        understandable."


(128) The Article 29 working group on transparency under Regulation EU 2016/679
        according to its guidelines (WP260), information is easily accessible if the person concerned

        you don't have to search for the information; it must be immediately visible to him that the information
        where and how it can be reached, for example by providing information directly, to the data subjects
        directing to information or clearly marking the path leading to information. The

        according to point 11 of the guideline, those data controllers who have a website know that
        make information about data management easily accessible, if it is on their website
        are made accessible. Direct to this data protection declaration, information
        link must be clearly visible on all pages of the website.


(129) Respondent 1 did not post detailed information on camera data management on its website
        information, as well as information related to data management, was not separated by it

        from GTC, i.e. did not draw the attention of hotel guests or potential hotel guests to the
        on the website that a camera surveillance system is operating in the area [of the accommodation], that a
        can already count on data management when booking, and that hotel guests need

        in the event that the staff of the accommodation can easily obtain information about data management
        without involving. In addition, Respondent 1 did not have an easy time at the accommodation
        made the information about camera data management available, did not post it, or
        placed one copy of each in the rooms, i.e. in the absence of active behavior of the affected person

        the essential elements of data management were not available to those concerned. Based on this, the
        Authority states that it is related to data management, according to Article 13 of the GDPR
        Respondent 1 did not make information easily accessible to any person concerned,

        thereby violating Article 12 (1) of the GDPR.

(130) The Authority also notes that the Guidelines per se apply to camera data management

        does not consider the posting of warning signs to be a sufficient measure, if the additional
        does not contain minimum information: identity of data controller, purpose of data processing, rights of data subjects,
        information about the biggest effects of data management, e.g. data controller for data management
        its legitimate interest. It must also include the availability of the complete prospectus. On this

        the signs posted by Respondent 1 did not meet this requirement.

(131) Respondent 1 does not have a separate data management information sheet for camera data management

        information regarding its circumstances is contained in the camera regulations
        According to Respondent 1's statement dated December 2, 2022. The camera policy is
        In connection with data management, there is also a lot of wrong or difficult to interpret information

        contain. On the one hand, text formulation and accurate knowledge of camera images
        in the absence of 3.1. The figure placed in point is not suitable for the people concerned
        get to know the scope of data management and the viewing angle of the cameras, on the one hand, its small size

                                                 29, on the other hand, because the function of the rooms was not indicated on the drawing. The policy
        on the other hand, it does not mention that the cameras marked in blue - these are the cameras that
        In December 2021 and June 2022, according to the statements of Respondent 1, not yet
        were put into operation, while they were already being installed when the second declaration was made

        were installed and operated - what the stakeholders need to know.

(132) In relation to the scope of data management, neither the camera regulations nor the posted signs

        they provide information that the cameras also record sound, which is part of the data management
        a very significant, not-to-be-ignored circumstance, to which, moreover, the affected parties
        they could not reasonably count, since there is no particularly clear reason which

        would support the need for audio recording and the general practice of data controllers
        in case of operation of cameras, that they do not record sound.


(133) In point 4 of the camera regulations, Respondent 1 stated that "The cameras
        in monitored areas, the purpose of camera surveillance is with less restrictive measures
        was not available.", even though Respondent 1 did not carry out the consideration of interests at all
        separately in relation to the camera, on the other hand, on the merits according to the weighing of interests test

        it did not even examine the possibility of alternative solutions, i.e. data management
        it gave incorrect information regarding its inevitability and its proportionality
        to those concerned.


(134) The 4.2. point, it is also mentioned that the duration of data management is required by law
        adjusts, and then further refers to point 6, according to which the recorded recordings are not used

        store it for up to 3 days and the recordings are automatically deleted on the 3rd day. On the one hand,
        of 2005 on personal and property protection and the rules of private detective activity.
        year CXXXIII. the rule of the law - 31/A. Section (2) - which was determined in 3 working days
        and the duration of storage of camera recordings, expired on April 26, 2019,

        i.e. wrongly informed those concerned about the duration of the storage of the camera recordings
        determined by law. On the other hand, contrary to what was stated in the information sheet, he did not
        measures to ensure that camera recordings are deleted within 3 days, a

        cameras have large SD cards - 32 and 128 GB - and the review
        according to his testimony, the recordings were available 15-19 days ago.


(135) The Authority further notes that in the camera regulations, the Authority until September 1, 2020
        valid contact information has been indicated, although the regulations came into effect on July 1, 2021
        into force.


(136) Based on all of this, the Authority concludes that Respondent 1 violated Article 13 of the GDPR
        Paragraphs (1)-(2), since the camera regulations, which also serve as information, incorrectly, or
        misleadingly informed those concerned about the handling of their personal data.


IV.5. Obligation to cooperate with the Authority

(137) According to Article 31 of the GDPR, the data controller, in the course of carrying out his duties, shall communicate with the supervisory authority

        - based on its inquiry - cooperates.


                                                  30(138) According to the Authority, Respondent 1 did not cooperate with the Authority during the procedure
        provided untrue, incorrect or incomplete information to the extent necessary, in several cases a
        For inquiries from the authority as follows.

(139) Respondent 1 stated in his statement dated December 2, 2021 that July 2021

        The recording made on the 26th, which was affected by the Applicant's request, is not available to you, and then that
        nevertheless sent it to the Police Department on January 4, 2022, and presented the technical
        as an expert on March 1, 2022. When the Authority asked about this contradiction,

        Respondent 1's legal representative stated that Respondent 1 made a false statement, which
        explained that the video was no longer available on the camera software because the SD
        the recordings are automatically deleted from the card, however, the recording is expressed by the police

        was saved at his request, and presumably about this saving, the manager of the Respondent a
        he forgot when making the statement. In this case, according to the Authority's opinion, at the latest
        On January 4, 2022, you should have noticed that the recording was still available to you, and that
        then he should have sent it to the Authority. In contrast, his statement is not

        amended, the recording was not released by the Authority's order, which the Authority finally a
        he obtained a recording from the Police Department, which recording was requested by the Applicant
        was of particular importance from the point of view, since without it the Authority would not have been able to

        without a doubt, make sure of the camera's setting and angle of view.

(140) On December 2, 2021, Respondent 1 stated that the cameras marked in blue on the floor plan
        they are not working yet, they are only planning to put them into operation. On May 17, 2022, in its order a

        The authority asked whether the planned cameras had been put into operation
        Respondent 1 received a negative response on June 7, 2022. In contrast, Respondent 1
        to the same statement he has already attached photographs based on which
        it could be established that the planned cameras were installed on the property, which a

        were already in operation at the time of the inspection, i.e. Respondent 1 did not provide complete information
        about the data management carried out by him at the request of the Authority.

(141) Respondent 1 also gave evasive answers to a number of the Authority's questions, e.g. what kind of

        classification system requires the operation of a camera system for accommodation facilities
        according to his point of view. He also did not inform the Authority that it was sold by Respondent 2
        property on which [the accommodation] is located, although he was aware that in the proceedings
        Respondent 2 is also a customer.


(142) Based on these, the Authority concludes that Respondent 1 violated Article 31 of the GDPR.

(143) In its order dated November 8, 2022, the Authority imposed a procedural fine on Applicant 1,
        because, despite a second invitation, he did not provide information that during the period under review,

        How many people stayed [at the accommodation] between July 2021 and October 2022, in the absence of
        the Authority was unable to determine the number of those affected. As a result, the Authority on this
        evaluates the behavior as contrary to Article 31 of the GDPR, however, during the imposition of the fine, it already
        does not take into account the fact that he was sanctioned earlier during the procedure.


IV.6. Assessment of the Applicant's request

(144) In its application for the data protection authority procedure, the Applicant requested that the Authority establish

        and that the cameras installed and operated by the Applicants at [accommodation] are illegal
                                                  They carry out 31 data management. He requested that, for this reason, he prohibit the access to the Applicant's property
        the continuation of surveillance with a camera, the recording of the observed and order it
        termination, as well as the destruction of illegally made recordings, and also prohibit it
        enjoin the Respondents from further infringement and enjoin the Respondents, as well as impose

        out data protection fine.

(145) The on-site inspection conducted by the Authority on July 5, 2022 without prior notification

        established that at the time of the inspection the cameras of both camera systems were as such
        setting that they were not suitable for the Applicant's property, the applicant and his family
        to monitor your activities on the property. The Applicant is dated July 11, 2022

        in response to his statement, the Authority considers it necessary to point out that the 1. no. camera system
        4.'s camera - as it was already recorded earlier in the factual part of the decision
        – is not suitable for monitoring the Applicant's property, only the

        The property used by applicant 1 and the row of fences between the two fences can be seen.

(146) The recording related to the damage to the fence can be found in no. 2. belonging to a camera system, a
        on the terrace, it was recorded by the camera placed above the jacuzzi, which on July 26, 2021

        according to the available recordings, it was determined that the Applicant was suitable
        his property, to observe the activities there, as the two fell into his field of vision
        fence separating the plot, as well as a small part of the Applicant's garden with the willow tree and Lake Balaton.


(147) According to Respondent 1, the monitoring of the Applicant's property with a camera,
        and the legal basis for recording what happened there (audio and image recording) is Article 6 (1) of the GDPR

        he had a legitimate interest according to paragraph f), which is his property, or Respondent 2
        related to the protection of his property. He further explained that, in his opinion, the Applicant
        monitoring of his property did not reach the required level, since on July 26, 2021
        the camera did not record the events that took place in a way that left no doubt

        to determine whether the Applicant's husband damaged the fence or the fence
        its concrete element cracked due to a construction error.


(148) The Authority does not share the position of Respondent 1. According to the position of the Authority, a
        it is considered a serious interference with private life if someone destroys another person's property,
        continuously monitors your movements and activities on the property. Camera surveillance

        only in the rarest of cases can it extend beyond the boundary of its own property, and in such cases it is
        legitimate interest in data management and the restriction of rights implemented on the basis thereof
        it must be proportionate to the objective to be achieved.


(149) According to the Authority's point of view, the continuous monitoring of a part of the Applicant's property, a
        Recording the movements, activities and conversations of the applicant and his family there -
        with particular regard to the fact that it is a property on the shores of Lake Balaton, i.e. the Applicant and

        her family is likely to be there often in bathing suits, as on July 26, 2021
        it was also done in the recording - it cannot be considered proportionate as indicated by the Applicant 1
        for property protection purposes. The circumstance to be taken into account in relation to the proportionality of data management is

        also that the Applicant and his family did not know that Applicant 1
        equipped camera is also partly aimed at the area of their property, which is obviously recreational
        purposes are used. Information referred to by Respondent 1, of which audio recording

                                                  32 is attached, even though it cannot be considered adequate information, since it is another, no. 1.
        related to a camera belonging to a camera system, or the appropriate information in itself
        nor would it make the data processing carried out by Respondent 1 legal.


(150) During the procedure, Respondent 1 attached a general interest assessment test, which
        however, it only covered the data management carried out in the hotel area - not enough for that
        with detail - it is not mentioned that the camera surveillance covers a

        Also for the applicant's property. As Respondent 1 admitted, on camera
        implemented data management was not suitable for achieving the goal, it did not serve a clear purpose
        as evidence in infringement and then criminal proceedings regarding vandalism. THE

        However, the authority does not draw the same conclusion from this as Respondent 1, that a
        the level of monitoring was too low, but that the data management was not suitable for the purpose
        access, and was also disproportionately limited by the personal data of the Applicant and his family

        their right to protection and to the inviolability of their private sphere.

(151) Based on all of this, the Authority concludes that Respondent 1 unlawfully observed the
        Applicant's property and unlawfully handled the personal data of the Applicant and his family,

        thereby violating Article 6 (1) of the GDPR.

(152) In its application, the Applicant requested that the Authority oblige the Respondents to unlawfully

        to delete recorded recordings. The Authority is only aware of one recording
        on which the Applicant appears, and this was taken at the fence on July 26, 2021
        camera recording, which he initiated as evidence for the vandalism

        used in criminal proceedings. For this use, according to the Authority's opinion
        Respondent 1 had a legitimate interest, as the admission was for the enforcement of his legal requirements and
        it was used for the purpose of protection, which is a legitimate interest also named by the GDPR. The vandalism
        in the meantime, the infringement or criminal proceedings initiated due to the Police Department have been completed

        terminated the procedure in the absence of a crime, and Respondent 2 was aggrieved by the decision
        against which he had no legal recourse. Consequently, the procedures in which the recording
        were used as evidence, they are no longer used in the present proceedings

        He requested, but the Police Department made the recording available to the Authority, that
        Respondent 1 did not attach it as evidence to the Authority's request. As a result, the
        Authority states that since the procedures where Applicant 1 as evidence

        used the recording depicting the Applicant and his family members, they have been legally terminated, so it is
        the purpose of data management has ceased, the legitimate interest in data management no longer exists.

(153) According to the statement of Respondent 1, the representation of the Applicant was carried out accordingly

        to delete camera recordings.

IV.6. The Applicant's request for the imposition of a fine


(154) The Authority rejects the Applicant's request for the imposition of a data protection fine, as this
        the application of a legal consequence does not directly affect the rights or legitimate interests of the Applicant,
        such a decision of the Authority does not create any right or obligation for him, as a result

        with regard to the application of this legal consequence falling within the scope of public interest enforcement - a
        regarding the imposition of fines - the Applicant is not considered a customer under Art. Section 10 (1)

                                                  33, so there is no place to submit an application in this regard, the submission is based on this
        part cannot be interpreted as a request.

IV.7. Motions for Evidence

(155) In the Applicant's submission to the Authority on December 8, 2022, a large number

        made a comment and motion for evidence.

(156) The Applicant made a motion for proof that the Authority should contact […]
        Police Department, and obtain by the executive of Respondent 1 on March 30, 2021 the
        the document of her report against her husband, as well as the report of the arriving police officers
        about on-site action. He considered this necessary in order to provide support
        avoid that the camera systems operated by Respondent 1 during this period
        cameras were set up in such a way that they were suitable for public areas

        for observation. According to the Authority's point of view, this evidentiary motion is so hypothetical
        refers to illegal behavior which, based on the Applicant's request, did not occur before
        the subject of the procedure, and the submission of a motion for proof in itself cannot be considered a request
        extension, and the Applicant did not make it likely that this data management
        in respect of which he is considered to be affected, only during the conversation referred to by him
        statements that her husband can be seen in the broadcast image of a camera.


(157) In addition, the Authority ex officio fully examined the
        The data processing carried out by means of camera systems operated by Respondent 1 was examined
        period, an on-site inspection was conducted in the case, the facts are the request
        revealed to the extent necessary for assessment and decision-making. The position of the Authority
        taking into account the findings made above and the provisions of the statutory part,
        there is no need to contact the […] Police Department, thus this evidence motion
        ignores.


(158) As an additional motion for evidence, the applicant requested that the Authority make new statements
        obtain from Respondent 1 in relation to the audio recording you have attached for the purpose of
        certifies that the Applicant has been informed about the operation of the camera system, and a
        In relation to Respondent 1's claim that the fence is not on the real plot boundary. The Authority a
        in terms of clarifying the facts, Respondent 1 does not consider this necessary
        his statement in the questions given that he did not accept it in the attached audio recording
        audible conversation as adequate information about data management, nor the Respondent 1

        did not support his argument regarding the plot boundary, so these statements are further
        the examination of his circumstances would only hinder the completion of the procedure, the disclosure of the facts
        and they are not important from the point of view of

(159) The Applicant also initiated as a proof motion that the Authority is newer
        invites Respondent 1 to make a statement in No. 2 for camera system recordings
        regarding access. According to the Authority's point of view, not for the assessment of the Applicant's request
        it is necessary for the Authority to accurately reveal to the minute that the applicant's 1 manager and

        where was the store manager on July 26, 2021, the recording he objected to was completed,
        rescue or at the time of the police's arrival, since the violation is in the absence of knowledge of these
        could also be established, and during the procedure, no information regarding
        that the camera footage taken on July 26, 2021 was illegally accessed by a third party
        person, so the Authority does not consider it necessary to investigate these circumstances. The Applicant
        furthermore, he also made a motion to clarify circumstances that the Authority considers him to be
        already revealed during the evidentiary procedure, and about which the Applicant was informed
        within the framework of ensuring the right to inspect documents, e.g. which camera made the objectionable recording,


                                                  34 which part of the fence was visible in the recording, was it recorded, when did you attach the
        recording in criminal proceedings, etc.

(160) The Applicant also requested the Authority that the site plan attached by Applicant 1 and the
        based on a photo taken by him earlier from a camera installed on the side of [the accommodation].
        determine the previous angle of view of this camera and the extent to which this camera was
        suitable for monitoring his property. According to the Authority's point of view, this is evidential
        motion is, on the one hand, unfulfillable, and, on the other hand, significant from the point of view of the Applicant's request

        does not hold, the legal consequences requested by him are the 1. for camera system CH4
        Even in the absence of knowledge of his "previous" angle of vision, they were revealed during the procedure
        based on other evidence.

(161) The requirement that the factual situation is well-founded in official cases does not mean that it is
        the acting authority must establish all the circumstances of the case step by step. THE
        The authority is only obliged to reveal the facts to the extent necessary for decision-making. THE

        the facts could be established in sufficient depth, the additional proposed by the Applicant
        even without proof, and based on the established facts, the Applicant's requests can be assessed
        they were.

(162) On the basis of the above, the Authority conducts the proof according to the evidentiary motions
        ignores. In this round, the Authority based on the evidence at its disposal, the facts
        sufficiently revealed, and his obligation to clarify the facts is not unlimited.


IV.8. Legal consequences, decision on the application

(163) At the request of the Applicant, the Authority determines that Respondent 1 unlawfully observed

        a part of the Applicant's property and thus unlawfully handled by the Applicant personally
        data, thereby violating Article 6 (1) of the GDPR. Due to the violation, the Authority is the GDPR
        Based on Article 58, paragraph (2), point b) it convicts Respondent 1.


(164) The Authority rejected the Applicant's request to prohibit Respondent 2 from
        the continuation of camera surveillance on your property and order its termination,
        rejects, given that the camera has 26 July 2021 and 2 December 2021

        made a modification between
        it includes the property of the Applicant.


(165) The Authority granted the Applicant's request in accordance with Article 58(2)(f) of the GDPR
        prohibits Respondent 1 from operating a camera system in the future in such a way that
        in the process observe the Applicant's property and thus unlawfully treat the Applicant and
        your family's personal information.


(166) The Authority ex officio finds that Respondent 1 is unlawful, Article 6 (1) of the GDPR
        conducts data management in conflict with paragraph 2 of Art. camera system jacuzzi, restaurant and the interior

        by its cameras monitoring the yard.

(167) The Authority finds ex officio that Respondent 1 violated Article 5 (1) of the GDPR

        the principle of limited storability according to paragraph e).



                                                  35(168) The Authority ex officio finds that Respondent 1 violated Article 12 (1) of the GDPR
        paragraph, as the information regarding camera data management was not provided by the data subjects
        easily accessible to him.


(169) The Authority finds ex officio that Respondent 1 violated Article 13 of the GDPR when
        did not provide adequate information about the data management carried out through the camera system.


(170) The Authority ex officio, on the basis of Article 58 (2) point f) of the GDPR, prohibits Respondent 1
        for him, the dining room, the panoramic jacuzzi, and the inner courtyard are for relaxation
        parts, such as the jacuzzi and the hot tub, through the camera system, as well as from the yard

        the observation of the opening doors of apartments and the area for rest in front of them and
        orders the decommissioning of the cameras directed at them.


        According to the Authority's point of view, the camera system in relation to the above areas
        Unlawful data processing that takes place cannot be remedied in any other way, it is personal to those concerned
        their right to data protection cannot be ensured in any other way. According to the Authority, there is none
        nor can a legitimate interest be shown on the data controller's side that would support and

        would justify the monitoring of the guests through a camera system and their personal data
        treatment in rooms for recreation and relaxation, where their expectations are reasonable
        otherwise they would not be able to be monitored - their personal data would not be processed -

        thus in the dining room, at the panoramic jacuzzi and in the relaxation areas of the inner courtyard.

(171) The Authority ex officio, Article 58 (2) point d) of the GDPR and Infotv. Section 61, paragraph (1).

        on the basis of point a) is ordered by no. 2 camera system monitoring the jacuzzi, restaurant and the inner courtyard
        the deletion of all recordings recorded by its cameras, given that they were made by the
        according to the provisions of this decision, it took place illegally.


(172) The Authority ex officio instructs Respondent 1, based on point d) of Article 58 (2) of the GDPR,
        to transform its information practices related to camera data management in a way that
        that it fully complies with Article 12 (1) of the GDPR and Article 13 of the GDPR.

        article, and take it into account when developing the information practice
        Regarding the guidelines and the accessibility of the information referred to in the Decision,
        WP260. working group opinion no.


(173) The Authority examined ex officio whether due to the established violations, the
        Imposition of a data protection fine against Respondent 1.

(174) In this context, the Authority is required by Article 83 (2) of the General Data Protection Regulation and Infotv.

        75/A. considered all the circumstances of the case based on §. Given the circumstances of the case, it is
        to the nature of data management, therefore the Authority established that it was revealed during this procedure
        in case of violation, the warning is neither a proportionate nor a dissuasive sanction, therefore

        it is necessary to impose a fine on the basis of Article 58 (2) point (i) of the GDPR.

(175) The violations committed by Respondent 1 are Article 83 (5) of the General Data Protection Regulation
        According to points a) and b) of paragraph 1, the category of fines with a higher amount is more serious
        constitute a violation of law, not including the violation of Article 31 of the GDPR. With attention to


                                                  36 Article 83 (3) of the GDPR, based on the nature of the violations, the maximum fine that can be imposed
        limit is 20,000,000 based on Article 83 (5) points a) and b) of the General Data Protection Regulation
        EUR, or a maximum of 4% of the total world market turnover of the previous financial year.

(176) According to Respondent 1's balance sheet for the year 2021, the net sales revenue was HUF […],

        the amount of the imposed fine is […] % of the net sales of Respondent 1.

(177) During the imposition of fines, the Authority assessed the following circumstances as aggravating circumstances:

            • Violations committed by Respondent 1 - excluding Article 31 of the GDPR

               violation - in terms of their nature, they are considered a more serious violation, since
               Requested 1 principle, related to the legality of data management (legal basis) and affected
               violated provisions on rights [GDPR Article 83 (1) point a)];

            • Implemented by Respondent 1 by operating camera system No. 2

               violations persisted for a long time, more than a year - on July 27, 2021
               definitely carried out illegal data processing - and also at the time of the decision
               exist [83. Article (2) point a)];


            • According to the statement of Respondent 1, approximately 1,300 in the examined period
               stayed [at the accommodation], i.e. the number of people affected can be considered high. The examined
               period, the number of hotel guests could not be precisely determined

               to the fact that data can only be retrieved from NTAK going back one year, while IFA
               on the declaration forms, the number of guest nights, not the
               number of guests will be registered. That is, the number of those affected is only approximate,

               the registered guest nights and the average days spent [at the accommodation].
               could be determined as a quotient. [83. Article (2) point a)];

            • The voice and likeness of the persons concerned due to the nature of the data processing carried out
               does not constitute a special category of personal data, however, for the jacuzzi and the interior

               in the field of view of the camera, the hotel guests are regularly in bathing suits
               are staying, and the Applicant is also wearing a bathing suit made for him
               on camera. According to the Authority's point of view, it is more harmful to those concerned

               data management through the camera system results in a situation, if not in the recordings
               in general street clothes, but in more incomplete clothes, such as in a bathing suit
               are included. Use of the jacuzzi based on the recordings of the camera located at the jacuzzi

               several guests took off their bathing suits during
               a camera shot of another guest without a top and without swimming trunks, or more
               the camera recorded the party in an intimate position. According to the Authority's point of view, the
               personal data recorded by a camera placed at the jacuzzi

               its illegal handling has greater material weight. [GDPR Article 83(2)(a)].

(178) During the imposition of the fine, the Authority assessed the following circumstances as mitigating circumstances:
            • the sign of the area monitored by the camera has been placed at the jacuzzi, so if the recordings

               not to record it, but those concerned could count on camera data management, and it is
               those involved were also involved in the fact that they were photographed without swimwear
               camera recordings [GDPR Article 83(2)(k)];


                                                   37 • the established violations can be considered negligent in nature, the Authority on intentionality
               no suggestive circumstance was revealed during the official data protection procedure [GDPR Article 83 (2)
               paragraph b)];


            • Respondent 1 has not previously committed a data protection matter under the scope of the GDPR
               breach of law [GDPR Article 83(2)(e)];


            • during the procedure, Respondent 1 canceled the audio recording by means of cameras
               Regarding the cameras of camera system No. 2 [GDPR Article 83 (2) f)
               point];


            • the Authority exceeded Infotv during the procedure. 60/A. Administrative according to paragraph (1) of §
               deadline [GDPR Article 83 (2) k)].


(179) The Authority also took it into account - but not as a mitigating or aggravating circumstance
        understood - that the established data protection violations do not affect personal data

        special category [GDPR Article 83 (2) point (g)].

(180) The Authority did not consider the general data protection regulation relevant when imposing the fine

        circumstances according to points c, d, h, i, j of Article 83 paragraph (2), since they are specific to the case
        cannot be interpreted in connection with


(181) The amount of the fine was determined by the Authority acting within its statutory discretion
        yes.

(182) On the basis of the above, the Authority made a decision in accordance with the statutory part.


A. Other questions

(183) The competence of the Authority is defined by Infotv. Paragraphs (2) and (2a) of § 38 define it, and its competence is

        covers the entire territory of the country.

(184) The decision in Art. 80-81 § and Infotv. It is based on paragraph (1) of § 61. The decision is in Art.
        Based on § 82, paragraph (1), it becomes final upon its publication.


(185) The Art. § 112, and § 116, paragraph (1), and § 114, paragraph (1) with the decision
        on the other hand, there is room for legal redress through a public administrative lawsuit.


(186) The rules of administrative proceedings are laid down in Act I of 2017 on Administrative Procedures (the
        hereinafter: Kp.) is defined. The Kp. Based on § 12, paragraph (1), by decision of the Authority

        the administrative lawsuit against falls within the jurisdiction of the court, the lawsuit is referred to in the Kp. Section 13, paragraph (3).
        Based on point a) subpoint aa), the Metropolitan Court is exclusively competent. The Kp. Section 27 (1)
        legal representation in a lawsuit within the jurisdiction of the court based on paragraph b).

        obligatory. The Kp. According to paragraph (6) of § 39, the submission of the claim is administrative
        does not have the effect of postponing the entry into force of the act.


                                                  38(187) Kp. Paragraph (1) of § 29 and, in view of this, Pp. According to § 604, the electronic one is applicable
        CCXXII of 2015 on the general rules of administration and trust services. law (a
        hereinafter: E-administration act) according to § 9, paragraph (1), point b) of the customer's legal representative
        obliged to maintain electronic contact.


(188) The time and place of filing the statement of claim is specified in Kp. It is defined by § 39, paragraph (1). THE
        information on the possibility of a request to hold a hearing in Kp. Paragraphs (1)-(2) of § 77

        is based on. The amount of the fee for the administrative lawsuit is determined by Act XCIII of 1990 on fees. law
        (hereinafter: Itv.) 45/A. Section (1) defines. From the advance payment of the fee
        the Itv. Paragraph (1) of § 59 and point h) of § 62 (1) exempt the person initiating the procedure

        half.

Budapest, December 21, 2022.


                                                                     Dr. Attila Péterfalvi
                                                                             president
                                                                       c. professor







































                                                    39