NAIH (Hungary) - NAIH-6752-10/2023: Difference between revisions

From GDPRhub
mNo edit summary
mNo edit summary
 
(2 intermediate revisions by 2 users not shown)
Line 71: Line 71:
}}
}}


The Hungarian DPA found three joint controllers to have breached [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]], [[Article 9 GDPR#1|Article 9(1) GDPR]], as well as [[Article 12 GDPR|Article 12]] and [[Article 13 GDPR|13 GDPR]] for having unlawfully contacted a data subject after they had signed up to support a political movement.
The Hungarian DPA found three joint controllers to have breached [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]], [[Article 9 GDPR#1|Article 9(1) GDPR]], as well as [[Article 12 GDPR|Article 12]] and [[Article 13 GDPR|13 GDPR]] for having unlawfully contacted a data subject after the latter had signed up to support a political movement.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
A data subject complained to the Hungarian DPA that between 14 and 20 September 2021, they received unsolicited telephone inquiries via SMS and telephone calls from two phone numbers by LINK Mobility Kft. The SMS message, especially, contained a hyperlink to a website that allowed the data subject to support a political movement, specifically to support the election of Karácsony Gergely as prime minister.
After joining the movement supporting the election of Karácsony Gergely as prime minister, a data subject complained to the Hungarian DPA that between 14 and 20 September 2021, they received unsolicited telephone inquiries via SMS and telephone calls from two phone numbers by LINK Mobility Kft.


The DPA then contacted LINK Mobility Kft to request information. According to the statement of LINK Mobility Kft., the SMS messages were sent to the data subject via VCC Live Hungary Kft, a company that provides software usage, product support and other alternative telecommunication services to companies operating a customer service. For further information regarding the SMS messages, VCC Live Hungary Kft re-directed the DPA to Datadat Ltd, which tasked its subcontractor Datadat GmbH to send the SMS messages. Datadat GmbH explained that it had sent the SMS messages to another customer, the association Ninety-Nine Movement (the Association), the sole controller.
The DPA then contacted LINK Mobility Kft to request information. For further information regarding the SMS messages, the DPA was re-directed to Datadat Kft, which had tasked its subcontractor, Datadat GmbH, to send the messages. Datadat GmbH explained that it had sent the SMS messages on behalf of the association Ninety-Nine Movement (the Association).
 
The DPA requested the Association to provide information on the matter but did not receive any reply.


=== Holding ===
=== Holding ===
In the context of the processing under investigation, the DPA found that the purpose was to send an additional registration link for the day of the pre-election vote. However, the DPA found that the means of data processing was the Association, Datadat Kft. and Datadat GmbH together. Each acted on behalf of the other through a chain of interdependence since they decided together to send the message to the data subjects in the form of an SMS. Therefore, as a result of its investigation, the DPA established the Association, Datadat Kft. and Datadat GmbH to be joint controllers for the purposes of the data processing under examination under [[Article 26 GDPR#1|Article 26(1) GDPR]].
In the context of the processing under investigation, the DPA found that the Association, Datadat Kft and Datadat GmbH had decided together to send the SMS message to the data subject. Consequently, the DPA established the three to be joint controllers for the purposes of the data processing under examination under [[Article 26 GDPR#1|Article 26(1) GDPR]].


Secondly, the DPA acknowledged that the legal basis used for processing personal data by the joint controllers was the data subject's consent pursuant to [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]]. Considering that the SMS messages sent out always contained a hyperlink to a website with the relevant privacy information and subscription option, any disclosure of data by citizens on the linked interface was voluntary. Furthermore, since the data processed regarded the data subject’s political opinions, it stated that they constituted a special category of personal data within the meaning of [[Article 9 GDPR#1|Article 9(1) GDPR]]. As a general rule, the processing of special categories of personal data is prohibited by the GDPR or is subject to strict conditions.
Next, the DPA acknowledged that the joint controllers claimed to be using consent as a legal basis pursuant to [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]]. From the information provided, it was understood that 36,000 data subjects' contact details were gathered by direct collection through the website ninenines.com, aimed to support the election of Karácsony Gergely. Specifically, on the website, under the "Join" option, data subjects could show their support by entering their full name, e-mail address, and telephone number, among other details.


However, the DPA found that the joint controllers had infringed [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] for not providing the data subjects with adequate information on the purposes of the processing. On the website, they had not clearly indicated that the data subject's information would be used for further contact, nor explained the specific purposes to which the data subjects consented.
However, the DPA found that the joint controllers had infringed [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] for not providing the data subjects with adequate information on the purposes of the processing. On the website in question, they had not clearly indicated that the data subjects' information would be used for further contact, nor explained the specific purposes to which the data subjects consented. Moreover, the DPA noted that the website's privacy policy did not deliver adequate information on all the actual processing purposes. It did not provide data subjects with clear and detailed information on what they were consenting to. For example, when signing up, some details were mandatory to insert, and the privacy policy did not elucidate the reasons. The DPA further added that the privacy policy lacked information on the activities of each one of the joint controllers and legal persons involved in the data processing.


Regarding the content of the privacy policy, the DPA noted that it did not deliver adequate information on all the actual processing purposes. It did not provide data subjects with clear and detailed information on what they were exactly consenting to. For example, when signing up, some details were mandatory to insert, and the privacy policy did not elucidate the reasons. The DPA further added that the privacy policy lacked information on the activities of each one of the joint controllers and legal persons involved in the data processing.
Based on the above, the DPA concluded that the joint controllers violated [[Article 12 GDPR#1|Article 12(1) GDPR]] in conjunction with [[Article 13 GDPR|Article 13(1) and (2) GDPR]] for failing to provide the data subjects with clear, adequate and fair information on their processing of personal data.


Based on the above, the DPA concluded that the joint controllers did not provide the data subject with clear, adequate and fair information on all material circumstances of the processing of personal data, nor any information on the data management, in violation of the [[Article 13 GDPR|Article 13(1) and (2) GDPR]]. The joint controllers further failed to provide information on their processing of personal data, infringing [[Article 12 GDPR#1|Article 12(1) GDPR]].
Consequently, the DPA found that the consent of the data subject to the processing lacked the elements necessary to establish the legal basis since consent was not informed. As a result, the joint controllers processed personal data without a valid legal basis, violating [[Article 6 GDPR]]. Since the data provided by the data subjects were also sensitive data, given that they revealed political opinions, the processing violated [[Article 9 GDPR#1|Article 9(1) GDPR]] as well. Lastly, considering that the Association did not respond to the information requests made by the DPA, it also breached the duty to cooperate under [[Article 31 GDPR]].


Consequently, the DPA found that the consent of the data subject to the processing lacked the elements necessary to establish the legal basis since the consent was not informed. As a consequence, the joint controllers processed personal data without a valid legal basis, violating [[Article 6 GDPR|Article 6 GDPR]]. Since the data provided by the data subject were also sensitive data: the processing violated [[Article 9 GDPR#1|Article 9(1) GDPR]] as well. Lastly, considering that the Association did not respond to the several requests made by the DPA, it also breached the duty to cooperate under [[Article 31 GDPR|Article 31 GDPR]].
Therefore, the DPA ordered the joint controllers to bring their processing operations into compliance with the GDPR.
 
Therefore, the DPA ordered the joint controllers to bring their processing operations into compliance.


== Comment ==
== Comment ==
Due to the automated translation of the decision, we apologise for any mistakes in the translation of entities or for misunderstandings. Should you note any discrepancy, please do not hesitate to modify this page directly or let us know.
Due to the automated translation of the decision, we apologise for any mistakes in the translation of entities or for misunderstandings. Should you note any discrepancy, please do not hesitate to modify this page directly or let us know.
In this case, LINK Mobility Kft seems to be a processor of the joint controllers. However, in the decision, the relationship between LINK Mobility Kft, the data subject and the joint controllers is not explicitly elucidated.


== Further Resources ==
== Further Resources ==

Latest revision as of 11:10, 21 February 2024

NAIH - NAIH-6752-10/2023
LogoHU.jpg
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 5(1)(a) GDPR
Article 6(1)(a) GDPR
Article 9(1) GDPR
Article 12(1) GDPR
Article 13(1) GDPR
Article 13(2) GDPR
Article 26(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 20.12.2023
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: NAIH-6752-10/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Hungarian
Original Source: Nemzeti Adatvédelmi és Információszabadság Hatósághoz (in HU)
Initial Contributor: ar

The Hungarian DPA found three joint controllers to have breached Article 6(1)(a) GDPR, Article 9(1) GDPR, as well as Article 12 and 13 GDPR for having unlawfully contacted a data subject after the latter had signed up to support a political movement.

English Summary

Facts

After joining the movement supporting the election of Karácsony Gergely as prime minister, a data subject complained to the Hungarian DPA that between 14 and 20 September 2021, they received unsolicited telephone inquiries via SMS and telephone calls from two phone numbers by LINK Mobility Kft.

The DPA then contacted LINK Mobility Kft to request information. For further information regarding the SMS messages, the DPA was re-directed to Datadat Kft, which had tasked its subcontractor, Datadat GmbH, to send the messages. Datadat GmbH explained that it had sent the SMS messages on behalf of the association Ninety-Nine Movement (the Association).

The DPA requested the Association to provide information on the matter but did not receive any reply.

Holding

In the context of the processing under investigation, the DPA found that the Association, Datadat Kft and Datadat GmbH had decided together to send the SMS message to the data subject. Consequently, the DPA established the three to be joint controllers for the purposes of the data processing under examination under Article 26(1) GDPR.

Next, the DPA acknowledged that the joint controllers claimed to be using consent as a legal basis pursuant to Article 6(1)(a) GDPR. From the information provided, it was understood that 36,000 data subjects' contact details were gathered by direct collection through the website ninenines.com, aimed to support the election of Karácsony Gergely. Specifically, on the website, under the "Join" option, data subjects could show their support by entering their full name, e-mail address, and telephone number, among other details.

However, the DPA found that the joint controllers had infringed Article 5(1)(a) GDPR for not providing the data subjects with adequate information on the purposes of the processing. On the website in question, they had not clearly indicated that the data subjects' information would be used for further contact, nor explained the specific purposes to which the data subjects consented. Moreover, the DPA noted that the website's privacy policy did not deliver adequate information on all the actual processing purposes. It did not provide data subjects with clear and detailed information on what they were consenting to. For example, when signing up, some details were mandatory to insert, and the privacy policy did not elucidate the reasons. The DPA further added that the privacy policy lacked information on the activities of each one of the joint controllers and legal persons involved in the data processing.

Based on the above, the DPA concluded that the joint controllers violated Article 12(1) GDPR in conjunction with Article 13(1) and (2) GDPR for failing to provide the data subjects with clear, adequate and fair information on their processing of personal data.

Consequently, the DPA found that the consent of the data subject to the processing lacked the elements necessary to establish the legal basis since consent was not informed. As a result, the joint controllers processed personal data without a valid legal basis, violating Article 6 GDPR. Since the data provided by the data subjects were also sensitive data, given that they revealed political opinions, the processing violated Article 9(1) GDPR as well. Lastly, considering that the Association did not respond to the information requests made by the DPA, it also breached the duty to cooperate under Article 31 GDPR.

Therefore, the DPA ordered the joint controllers to bring their processing operations into compliance with the GDPR.

Comment

Due to the automated translation of the decision, we apologise for any mistakes in the translation of entities or for misunderstandings. Should you note any discrepancy, please do not hesitate to modify this page directly or let us know.

In this case, LINK Mobility Kft seems to be a processor of the joint controllers. However, in the decision, the relationship between LINK Mobility Kft, the data subject and the joint controllers is not explicitly elucidated.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

File history
Click on a date/time to view the file as it appeared at that time.
Date/TimeDimensionsUserComment
current14:07, 16 February 2024 (769 KB)Ar (talk | contribs)
You cannot overwrite this file.File usage
There are no pages that use this file.