NAIH (Hungary) - NAIH/2020/2555: Difference between revisions
No edit summary |
m (AD moved page NAIH - NAIH / 2020/2555 to NAIH - NAIH/2020/2555) |
(No difference)
|
Revision as of 12:56, 24 June 2020
NAIH - NAIH / 2020/2555 | |
---|---|
Authority: | NAIH (Hungary) |
Jurisdiction: | Hungary |
Relevant Law: | Article 4(1) GDPR Article 4(2) GDPR Article 5(1) GDPR Article 11(2) GDPR Article 12(2) GDPR Article 12(3) GDPR Article 15(1) GDPR |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | |
Decided: | 03.03.2020 |
Published: | 03.03.2020 |
Fine: | 30000 HUF |
Parties: | n/a |
National Case Number/Name: | NAIH / 2020/2555 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Hungarian |
Original Source: | HU DPA (in HU) |
Initial Contributor: | n/a |
The Hungarian DPA (NAIH) imposed a fine of 300 000 HUF (approx. €872) to a debtor for collecting the complainant's phone and sending reminder SMS after the amount due was already paid.
English Summary
Facts
The debtor collected the phone number of the complainant during a phone conversation without informing her/him that he would do so. Whereas the debt had been paid, the complainant kept receiving reminder SMS to pay the debt. The complainant filed a complaint with the HU DPA.
Dispute
Holding
HU DPA fined the controller 300 000 Florint for illegal collection and use of the phone data. However, the DPA concluded that the controller did not violate Article 15.2 by asking more information to identify the data subject when the complainant wanted to have her/his phone number erased.
Comment
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
ase number: NAIH / 2020/2555. Subject: Partial decision granting the application, Background: NAIH / 2019/3261. order partially terminating the proceedings The National Authority for Data Protection and Freedom of Information (hereinafter: the Authority) […] applicant (hereinafter referred to as the “Applicant”) shall take the following decisions in the data protection authority proceedings initiated against […] (hereinafter referred to as the “Obliged”) regarding the illegal use of the telephone number used by the Applicant and the Applicant's address and e-mail address: I. In its decision, the Authority, in the part of the applicant's request to establish that the [[] telephone number was unlawful, gives place and finds that the Debtor has failed to fulfill its obligation under the principle of accuracy and that the Debtor has infringed Article 6 (1) of the General Data Protection Regulation. II. In the decision of the Authority, the part of the Applicant's request to establish the unlawful handling of the Applicant's address data and e-mail address rejects. III. The Authority shall issue the Debtor ex officio due to its unlawful data processing HUF 300,000, ie a three hundred thousand forint data protection fine obliges to pay. Within 15 days of the expiry of the time limit for initiating legal proceedings to initiate a judicial review or, in the case of initiating a review, of the court's decision, the Authority's centralized revenue collection forint account (1003200001040425-00000000 Centralized collection account IBAN: HU83 1003 2000 0104 . When transferring the amount, NAIH / 2019/3261. Quince. should be referred to. If the Debtor fails to meet the obligation to pay the fine within the time limit , he shall be liable to pay default interest. The amount of the late payment surcharge is the statutory interest rate, which is equal to the central bank base rate valid on the first day of the calendar half-year affected by the delay. In the event of non-payment of the fine and the late payment allowance, the Authority shall order the enforcement of the decision and the recovery of the fine and the late payment allowance in the form of taxes. The collection of fines and late fees in the form of taxes is carried out by the National Tax and Customs Board. ARC. In its order, the Authority initiated the data protection authority procedure in the part of the Order ordering the deletion of the telephone number of the Applicant. cancel. V. In view of the fact that the administrative deadline has been exceeded, the Authority shall pay HUF 10,000, ie ten thousand forints, to the Applicant - at its option - by bank transfer or postal order. No procedural costs were incurred during the official proceedings, so the Authority did not order them to be borne. I, II., III. There is no administrative remedy against the decision contained in clauses IV and V and the order contained in clauses IV and V , but it may be challenged in an administrative lawsuit within 30 days of the notification. The application must be submitted to the Authority, electronically, which it forwards to the court together with the case file. The request for a hearing must be indicated in the application. For those who do not receive a full personal tax exemption, the fee for the court review procedure is HUF 30,000, the lawsuit is subject to the right of engagement. Legal proceedings are mandatory in proceedings before the Metropolitan Court. EXPLANATORY STATEMENT I. Procedure and clarification of the facts On 29 March 2019, the Applicant submitted a petition in which it initiated the conduct of data protection authority proceedings. According to the information provided in the application, the Debtor's representative on 12.02.2019. A request for payment with file number [irat] was served on the Applicant's address on The document was received by the petitioner's husband, who informed the representative that the addressee of the summons had been living abroad for several years. The Applicant's husband also informed the Representative that he could send the summons to the debtor by e-mail, no other option was available. On the day of receipt of the above-mentioned document, the Applicant spoke by telephone to the person representing the Debtor who handed over the document, with whom the Applicant stated that the claim will be settled to the specified account number within 2-3 days and the Applicant will pay the money in person. During the telephone meeting, the Debtor's representative did not inform the Applicant whether the telephone conversation or his name and telephone number would be recorded, nor did he inform him that he might be treated as a client in the future. The Applicant paid the debt claimed by the Debtor on 13.02.2019. On February 15, 2019, Ké relmező received an SMS notification from the Debtor to its telephone, in which a debt was communicated with reference to the registration number […], failing which enforcement was envisaged. Subsequently, several SMS exchanges took place, in which the Applicant indicated that the payment had been made, however, more and more prompts were received for this. The texts of the SMS did not contain the name of the debtor, nor did they mention a specific person in the address. The Applicant attached a copy of the following documents to the application : - the Debtor on 31.01.2019. on the day of […], no. letter addressed to - for […] by the Applicant on 13.02.2019. proof of payment made on the day of payment, - payment request and correspondence from the Debtor to the telephone number [..] (15 February 2019, 16, 26, 13 March), […] Complaint handling policy, - the data subject's request for the deletion of his / her personal data sent by the applicant to the e-mail address [..] on 16 February 2019, enclosing the pdf form containing his / her related request, - 02/16/2019 a power of attorney issued to the Applicant's husband on the day of the petition, according to which she may act on behalf of the Applicant in the cases of the Debtor [..]. The content of the request did not comply with Article CXII of 2011 on the right to information and freedom of information. Act (hereinafter: Infotv.) Infotv. 60. § (5), therefore the Authority called on the Applicant to rectify the deficiencies, which the Applicant complied with within the deadline. The Applicant stated that he objected to the “sender of the SMS as […]” and informed the Authority that the […] telephone number used by him belonged to his […] subscription, which the Applicant was entitled to use as a representative. He substantiated his claim with a copy of the number of […] . The Applicant also attached a copy of the invoice according to which […], as the biller, re-invoiced the telephone fee to the Applicant. In his statement, the Applicant requested that the Authority establish the fact of the Debtor's unlawful data processing and instruct the Debtor to delete his personal data (telephone number, e-mail address, residential address). At the request of the Authority, the Debtor stated that he did not process the Applicant's personal data, only the aggrieved telephone number was recorded in their register, which the Applicant provided to the Debtor together with the fact that the debtor can be reached abroad in case of problems. as a contact. The […] telephone number was not recorded by the Debtor in his system for the Applicant, but for his client, ie the debtor of the claim he wishes to recover, who is a person other than the Applicant. The Applicant sent a letter to the Debtor on 16 February 2019 requesting data management information and requesting the deletion of his personal data. According to the Debtor's statement, the aggrieved telephone number will be issued on 23.03.2019. deleted from their system on The Debtor's statement that the telephone number was not stored in connection with the Applicant is also supported by a copy of the SMS messages sent to the Debtor's telephone number, as there is no reference to the Applicant's name, only a registration number to identify his client's case. According to the documents attached by the Debtor, the case identifier in the SMS messages cannot be linked to the case of the Applicant, but to the case of the Applicant's relative […]. As the Debtor stated that the “aggrieved telephone number - as a contact number provided by the Applicant - has been recorded in our system for the Client”, the Authority called on the Debtor to confirm the Applicant's consent by audio recording or otherwise for the period until the cancellation. on. At the request of the Authority, the Debtor could not prove the existence of the consent of the data subject related to the telephone number recorded in its system. II. Applicable law Article 2 of Regulation (EU) No 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (hereinafter referred to as the General Data Protection Regulation ) (1) provides that the Regulation applies to the processing of personal data in a partially or fully automated manner and to the non - automated processing of data which form part of a registration system or which are intended to be part of a registration system. Infotv. Pursuant to Section 60 (1), in order to enforce the right to the protection of personal data, the Authority shall initiate a data protection authority procedure at the request of the data subject . Unless otherwise provided in the General Data Protection Decree, the data protection authority procedure initiated on request is governed by Act CL of 2016 on General Administrative Procedure. (hereinafter: Ákr.) shall apply with the exceptions specified in the Infotv . The Acre. Pursuant to § 36, the application is a written or personal statement of the client requesting the conduct of an official procedure or a decision of the authority in order to enforce his right or legitimate interest . Infotv. Pursuant to Article 60 (2), a request to initiate an official data protection procedure may be made in the case provided for in Article 77 (1) of the General Data Protection Regulation . Pursuant to Article 77 (1) of the General Data Protection Regulation, any data subject has the right to lodge a complaint with a supervisory authority if he or she considers that the processing of personal data concerning him or her infringes the General Data Protection Regulation. The Acre. Pursuant to Section 47 (1) (c), the authority shall terminate the proceedings if the proceedings have become devoid of purpose. Under Article 4 (1) of the General Data Protection Regulation, "personal data" means any information relating to an identified or identifiable natural person ("data subject"); identify a natural person who, directly or indirectly, in particular by means of an identifier such as a name, number, location, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person identifiable on the basis of. According to Article 4 (2) of the General Data Protection Regulation, "processing" means any operation or set of operations on personal data or files, whether automated or non-automated, such as collection, recording, systematisation, sorting , storage, transformation or alteration, retrieval, consultation, use, communication by transmission, distribution or otherwise making available, coordination or interconnection, restriction, deletion or destruction. Pursuant to Article 5 (1) (d) of the General Data Protection Regulation, personal data must be accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that personal data which are inaccurate for the purposes of the processing are erased or rectified without delay ("accuracy"). Pursuant to Article 11 (2) of the General Data Protection Regulation, if, in the cases referred to in paragraph 1 of this Article, the controller can prove that he is not in a position to identify the data subject, he shall, as far as possible, inform him accordingly. In such cases, 15-20. Article 1 shall not apply unless the data subject provides additional information enabling him to be identified in order to exercise his rights under those Articles . Pursuant to Article 12 (2) of the General Data Protection Regulation, the controller shall facilitate the exercise of their rights under this Article. In the cases referred to in Article 11 (2), the controller shall He may not refuse to comply with his request for the exercise of his rights under Article c unless he proves that he is unable to identify the person concerned. Pursuant to Article 12 (3) of the General Data Protection Regulation, the controller shall, without undue delay, but in any case within one month of receipt of the request, inform the data subject in accordance with Articles 15 to 22. on the action taken on a request pursuant to Article. If necessary, taking into account the complexity of the application and the number of applications, this time limit may be extended by a further two months. The controller shall inform the data subject of the extension of the time limit, indicating the reasons for the delay, within one month of receiving the request. If the data subject has submitted the request by electronic means, the information shall, as far as possible, be provided by electronic means, unless the data subject requests otherwise. Pursuant to Article 15 (1) of the General Data Protection Regulation, the data subject has the right to receive feedback from the controller as to whether the processing of his or her personal data is in progress and, if such processing is in progress, the right to access the personal data and get access to the following information: (a) the purposes of the processing; (b) the categories of personal data concerned ; (c) the recipients or categories of recipients to whom the personal data have been or will be communicated, including in particular recipients in third countries or international organizations; (d) where applicable, the intended period for which the personal data will be stored or, failing that possible, criteria for determining this period; (e) the data subject's right to request personal data concerning him or her from the controller rectification, erasure or restriction of the use of such personal data and may object to the processing of such personal data; (f) the right to lodge a complaint with a supervisory authority; (g) if the data were not collected from the data subject, all available sources information; (h) the fact of the automated decision-making referred to in Article 22 (1) and (4), including profiling, and, at least in those cases, comprehensible information on the logic used and the significance of such processing and on the data subject. what are the expected consequences. Infotv. Pursuant to Section 38 (2), the Authority is responsible for monitoring and facilitating the protection of personal data and the right to know public data in the public interest, as well as for facilitating the free flow of personal data within the European Union. The Acre. Pursuant to Section 27 (1), the authority is entitled to know and process the natural personal identification data of the client and other participants in the proceedings and the personal data specified in the law regulating the type of case, and - unless otherwise provided by law - other personal data essential for clarifying the facts. . In the application procedure, it must be presumed that the requesting client has consented to the processing of personal data, including special data, necessary to clarify the facts. III. Decision: III.1. It is a question of treating the telephone number […] as personal data According to the Applicant's statement, the subscriber of the telephone number […] is not the Applicant, but [..], but the Applicant is the user of this telephone number. Pursuant to Article 2 (1) of the General Data Protection Regulation, the Regulation covers data management and data processing that concerns the data of a natural person. CLXXIX of 2011 on the rights of nationalities. Pursuant to Section 2 (2) of the Act […], an organization with legal personality, ie a non-natural person, can be directly identified on the basis of the telephone number connected to its subscription contract . However, given that the telephone number subscribed by the legal entity can be linked to the Applicant as a user as a representative, it can be contacted directly when making and receiving a call or, in this case, using the telephone number and clearly contacting the Applicant. , so his personal data can be considered under Article 4 (1) of the General Data Protection Regulation . III.2. Principle of accuracy The data controller's measures must promote the principle of accuracy and prevent the use of inaccurate data. In view of the above , the recording of the telephone number used by the Applicant as the telephone number of the Debtor's customer and the sending of SMS addressed to the Customer to the Applicant's telephone number was not lawful under Article 5 (1) (d) of the General Data Protection Regulation. when his data was recorded, his colleague knew that the telephone number he recorded was not his customer and the customer was not the source of the data. The Authority established from the statements of the Applicant and the Debtor that the Applicant's telephone number was recorded as the data of the Debtor's client without the Applicant being entitled to act on behalf of the Debtor's client, as he did not have a power of attorney enabling the Applicant to act . On the basis of the above, the Authority found that the Debtor had infringed Article 5 (1) (d) of the General Data Protection Regulation. III.3. Proof of clear , voluntary and specific consent based on adequate information required to process the Applicant's personal data Recital 32 of the General Data Protection Regulation stipulates that consent-based data processing must be accompanied by a clear confirmatory act, a voluntary, specific, informed contribution to the controller in accordance with Articles 7 (1) and 5 of the General Data Protection Regulation ( 2) you must also be able to prove it. When collecting the Applicant's personal data (during a telephone conversation with him ), the Debtor's employee was aware that he was handling and collecting the Applicant's personal data, therefore he should have asked the Applicant for consent to the personal data and proved the existence of this legal basis. In the zone, despite the invitation of the Authority, the Debtor did not provide the Authority with any audio material or document supporting the existence of the consent. Thus, compliance with the requirements set out in recital 32 and Article 7 of the General Data Protection Regulation has not been demonstrated for the period up to the deletion. Based on the above, the Authority concluded that the Debtor did not prove that he had the consent of the Applicant to process his personal data , so that the consent recorded the telephone number in his system in the absence of a legal basis, in breach of Article 6 (1) of the General Data Protection Regulation. III.4. The Applicant's request for access and deletion of data to the Debtor The Applicant also submitted its request for access and deletion of data to the Debtor on 16 February 2019. Within the time limit set out in Article 12 (3) of the General Data Protection Regulation, the Debtor informed by electronic means on 7 March 2019, in accordance with Article 15 (1) of the General Data Protection Regulation, that no claim was registered in his name and may not provide information to third parties on the number of cases referred to . According to the documents attached by the Debtor, the case identifier in the SMS messages may not be related to the case of the Applicant, but to the case of the Applicant's relative […]. The Applicant did not appear in the Debtor's register as a client or a proxy . Pursuant to Article 12 (2) of the General Data Protection Regulation, the controller may refuse to comply with a data subject's request if he or she proves that the data subject cannot be identified. During the proceedings, the Debtor stated that he was not in a position to identify the Applicant in his register, so that he complied with his request for cancellation only after the additional information enabling his identification was communicated on 7 March 2019. Given that the Debtor, in violation of the principle of accuracy, recorded the telephone number used by the Applicant with his client, he could not fulfill the Applicant's request for cancellation without providing additional information, as he could not identify him. After providing the additional information , the Debtor deleted the personal data from its records. Due to the above, the Debtor did not violate Article 15 (1) of the General Data Protection Regulation, as he did not treat the telephone number data provided for contact purposes as personal data concerning the Applicant, however, the - III.2. In view of the findings made in point - the Debtor should have noticed that it was not the data of his client, but the data of a person who did not come into contact with the Debtor as a donor. The Debtor complied with Article 11 (2) of the General Data Protection Regulation and deleted the inaccurate data from its records. III.5. The phone application to be ordered cancellation of em In the part of the application requesting the deletion of the telephone number, the Authority Pursuant to Section 47 (1) (c), the proceedings shall be terminated as the proceedings have become devoid of purpose, and the Debtor shall no longer continue the processing of the objected data. According to the screenshot of the Debtor's statement and register, the telephone number was deleted on 23 March 2019, ie before the start of the data protection authority proceedings. III.6. Unlawful handling of applicant's address and e-mail address data According to the Debtor's statement, only the telephone number […] was recorded in the register of the Applicant's personal data. From the Applicant's statement and the attached screenshots and correspondence with the Debtor - by electronic means only - the Authority found that the Debtor unlawfully processed only the Applicant's telephone number data, as it did not address the Payment Request to the Applicant, but to the previously notified address. customers. This is also supported by the Applicant's statement that the Applicant's husband received the letter addressed to the Debtor's client and made a "brother-in-law" note on the receipt, and indicated that the Debtor's client lives abroad as a way of life . It can be stated from the statements of the Debtor and the Applicant, as well as from the screenshots supporting the Applicant's claims, that the Debtor subsequently sent a notification about the debt of its client only by SMS to the Applicant . According to the attached documents, the Debtor only sent reply letters to the Applicant's e-mail address to the Applicant's e-mail address. Based on the above, the Authority concluded that the Applicant's address details and e-mail address were not unlawfully handled by the Debtor. III.7. sanctions The Authority accepts the Applicant's request in part and condemns the Debtor pursuant to Article 58 (2) (b) of the General Data Protection Regulation because its data processing activities violated Article 5 (1) (d) of the General Data Protection Regulation and the General Data Protection Regulation. Article 6 (1) of the Data Protection Regulation. The above infringements necessitated the establishment of a legal consequence, which was determined by the Authority acting in accordance with its statutory discretion. The Authority examined of its own motion whether it was justified to impose a data protection fine on the Obligation . In this context, the Authority shall comply with Article 83 (2) of the General Data Protection Regulation and Infotv.75 / A. §, it considered of its own motion all the circumstances of the case and found that in the case of the infringement discovered in the present proceedings , the warning was neither a proportionate nor a dissuasive sanction, therefore it is necessary to impose a fine. In imposing the fine, the Authority took into account the following factors: - The breach is moderately serious, because the Debtor has also committed a breach of principle by processing the unlawful data. (Article 83 (2) (a) of the General Data Protection Regulation) - Infringement caused by unjustified data processing due to negligent conduct of the Debtor, caused by his data management practices. ( Article 83 (2) (b) of the General Data Protection Regulation) - The Authority assessed as a mitigating circumstance the fact that the Debtor deleted the telephone number from the system before the initiation of the official procedure, at the request of the Applicant, after the necessary identification . (Article 83 (2) (c) of the General Data Protection Regulation) - The Debtor has not yet been convicted of a breach of the General Data Protection Regulation. (Article 83 (2) (e) and (i) of the General Data Protection Regulation) - Based on the Debtor's income statement for 2018, its pre-tax profit is HUF 23,000,000 volt. The data protection fine imposed shall not exceed the maximum fine that may be imposed. - A special prevention bírságkiszabással the Authority aims to encourage R ötelezettet to review data recording and telephone number management practices. The infringement committed by the Debtor is an infringement falling into the higher category of fines under Article 83 (5) (a) of the General Data Protection Regulation . Depending on the nature of the infringement, the maximum fine that may be imposed under Article 83 (5) (a) of the General Data Protection Regulation is EUR 20 000 000 or up to 4% of the total worldwide turnover in the preceding financial year. H ot meet the fine imposed in respect of Article 83 of the General Data Protection Regulation (2), the following provisions are not taken into account because they were not relevant to the objective case: d), f), g), h), j) and point (k). The basis of the above, the Authority decided in accordance with the part. ARC. Other issues: The competence of the Authority is limited by the Infotv. § 38 (2) and (2a), its jurisdiction extends to the entire territory of the country. The Acre. Pursuant to Section 112 and Section 116 (1) and Section 114 (1), the decision is subject to administrative appeal. * * * The rules of administrative litigation are defined in Act I of 2017 on the Procedure of Administrative Litigation (hereinafter : Kp.). A Kp. Pursuant to Section 12 (2) (a), the administrative lawsuit against the decision of the Authority falls within the jurisdiction of the court, the lawsuit is subject to the provisions of Art. Pursuant to Section 13 (11), the Metropolitan Court has exclusive jurisdiction. CXXX of 2016 on the Code of Civil Procedure. Act (hereinafter: Pp.) - the Kp. Applicable under Section 26 (1) - Under Section 72, legal representation is mandatory in litigation falling within the jurisdiction of the Tribunal. Kp. Pursuant to Section 39 (6), unless otherwise provided by law, the filing of an application does not have a suspensive effect on the entry into force of the administrative act. A Kp. Section 29 (1) and with this regard Pp. Act CCXXII of 2015 on the general rules of electronic administration and trust services , applicable pursuant to Section 604 . Pursuant to Section 9 (1) (b) of the Act (hereinafter: E-Administration Act), the legal representative of the customer is obliged to keep in touch. The time and place of filing the application is set out in the CC. Section 39 (1). Information on the possibility of requesting a hearing can be found in Kp. It is based on Section 77 (1) - (2). The amount of the fee for an administrative lawsuit is set out in Act XCIII of 1990 on Fees. Act (hereinafter: Act I ) 45 / A. § (1). From the advance payment of the fee, the Itv. Section 59 (1) and Section 62 (1) (h) shall release the party initiating the proceedings. If the Debtor fails to duly demonstrate compliance with the required obligations , the Authority shall consider that the obligations have not been fulfilled within the time limit. The Acre. Pursuant to Section 132, if the Debtor has not complied with its obligation contained in the final decision of the Authority, it may be enforced. The decision of the Authority Pursuant to Section 82 (1) , it becomes final upon notification. The Acre. Pursuant to Section 133, enforcement is ordered by the decision-making authority, unless otherwise provided by law or government decree. The Acre. Pursuant to Section 134, enforcement is carried out by the state tax authority, unless otherwise provided by law, governmental order or a decree of a local government in a municipal authority matter. During the procedure, the authority exceeded the Infotv. 60 / A (1) of the Act , therefore the Ákr. Pursuant to Section 51 b), it pays ten thousand forints to the Applicant. Pursuant to Section 46 (1) (a) of the Act, the authority rejects the application if the condition for initiating the procedure specified by law is missing and this Act does not have any other legal consequences. The Acre. Section 47 (1) (a) states that the authority shall terminate the proceedings if the application should have been rejected, but the reasons for this became known to the authority after the commencement of the proceedings. Budapest, March 9, 2020 Dr. Attila Péterfalvi chairman c. professor