NAIH (Hungary) - NAIH/2020/6484
Latest revision as of 10:13, 17 November 2023
NAIH - NAIH / 2020/6484 | |
---|---|
Authority: | NAIH (Hungary) |
Jurisdiction: | Hungary |
Relevant Law: | Article 15(1)(a) GDPR Article 15(1)(c) GDPR Article 15(1)(d) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 16.12.2020 |
Published: | |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | NAIH / 2020/6484 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Hungarian |
Original Source: | NAIH (in HU) |
Initial Contributor: | n/a |
The Hungarian DPA (NAIH) found a violation of Article 15 GDPR and obliged a controller to grant a complainant access to his personal data.
English Summary
Facts
A complainant asked a controller to provide him with accurate, personalized information about the processing of his personal data. The controller failed to do so and shared only a general data protection notice with him.
Holding
The DPA found that the content of the controller's reply did not provide the complainant with accurate, personalized information about the handling of his personal data. The DPA concluded that the controller had breached Article 15(1)(a), (c) and (d) of the GDPR by not giving substantive, specific answers to the request under Article 15 and by sharing only a link to a general data protection notice.
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
Case No: NAIH / 2020/6484 /… Subject: Decision Administrator: […]
DECISION
Before the National Data Protection and Freedom of Information Authority (hereinafter: the Authority) […] applicant (hereinafter referred to as “Applicant”) against […] applicant (hereinafter referred to as Applicant) received on 31 August 2020 In the data protection official proceedings initiated following the request of the Applicant grant his request, and
I. finds that the Applicant has not properly complied with the Applicant 's 2020. request for exercise of the right of access dated 23 June violated by the Applicant the processing of personal data of natural persons and the free movement of such data, and Regulation (EU) 2016/679 repealing Directive 95/46 / EC (a hereinafter referred to as the "General Data Protection Regulation") Article 15 (1) (a) and (c) to (d);
II. obliges the Applicant to do so within 15 days of the decision becoming final provide the Applicant with Article 15 (1) (a) of the General Data Protection Regulation; c) - d) complete information with the content handled by the Applicant personal information. The required action shall be taken by the Applicant for the action must be made in writing within 8 days of its submission - the supporting evidence to the Authority, thus giving it to the Applicant information (in full) and proof of posting by sending a copy of the mail to the Authority.
III. Due to the above violation, the Authority will inform the Applicant - by another data protection violation. in determining the legal consequences of establishing the present infringement as history will be taken into account with increased weight - it will be warned.
There is no administrative appeal against the decision, but no later than 30 days after notification within one day of the application filed with the Metropolitan Court in an administrative lawsuit can be challenged.
The application must be submitted to the Authority, electronically, which is the case forward it to the court together with its documents. Indicate the request for a hearing in the application must. For those who do not receive a full personal exemption from judicial review the fee of the procedure is HUF 30,000, the lawsuit is subject to the right to record material fees. Before the Metropolitan Court legal representation is mandatory in proceedings.
EXPLANATORY STATEMENT
I. Facts
On 31 August 2020, the Applicant submitted an application to the Authority stating that by letter dated 23 June 2020, requested the processing of your personal data information from the Applicant by indicating the item by the Applicant electronically processed data. The Applicant requested the Applicant's reply letter by post sending. According to the return receipt attached by the Applicant, the Applicant shall received his application on 29 July 2020. The Applicant objected to the Applicant's legislation did not reply to its request within the time limit set by the In the light of the above, the Applicant requested the Authority to order Applicant to fulfill your access request. In order to clarify the facts, the Authority in its order of 9 September 2020 amended the Ákr. Pursuant to Section 63, he summoned the Applicant to make a statement. It was sent to the Authority by order of the Applicant in its reply received on 28 September 2020 information. The Applicant stated that although the Applicant’s letter is June 2020 It is dated 23 July, and it was not actually dispatched until 23 July 2020. The Applicant a In support of its statement, it attached a document certifying the tracking of items by Magyar Posta. The Applicant added that it had been sent to Applicant on 25 August 2020 provided in the reply letter received by the Applicant on 26 August 2020.
Attached to the Applicant's application is a copy of the Applicant's contracts, the person being treated is personal list of data, the Applicant’s group-level privacy policy and customer data management Magyar Posta on the information of the Applicant and the Letter of the Applicant data requested from the tracking service and a mailing book for informing the Applicant a copy of the reply and the content of the reply to the Applicant. Based on the attached documents, the Applicant provided the following information to the Applicant. On the one hand, it referred to attaching a list of personal data processed in connection with the Applicant, and on the other hand stated that it only handles the range of personal data provided by the Applicant. Data management purpose, legal basis, duration, data processors used and other recipients a Applicant provided the link to the data management information to the Applicant. In addition, the Applicant emphasized that it is not transmitted by the Applicant for any data management purpose personal data to third countries outside the European Union and does not use it a service related to the processing of personal data that is the Applicant's customers would involve the international transfer of personal data (in this context, cloud-based services). Finally, the Applicant explained the possibility to contact the Authority at the same time as the relevant contact details.
II. Applicable legal provisions
Pursuant to Article 2 (1) of the General Data Protection Regulation, this is the case here the general data protection regulation applies to data processing. Infotv. Pursuant to Section 2 (2), the General Data Protection Decree is indicated therein shall apply with the additions provided for in Infotv.
Pursuant to Section 38 (3) (b), within the scope of its responsibilities under Section 38 (2) and (2a) as defined in this Act, in particular at the request of the data subject and ex officio data protection conduct an official procedure. Infotv. Pursuant to Section 60 (1), the enforcement of the right to the protection of personal data To that end, the Authority shall, at the request of the data subject, initiate a data protection authority procedure. Unless otherwise provided in the General Data Protection Regulation, data protection was initiated upon request CL of the General Administrative Procedure Act 2016. Act (a hereinafter: Ákr.) shall apply with the exceptions specified in the Information Act. Under Article 12 (1) to (6) of the General Data Protection Regulation: ‘1. The controller shall take measures to enable the data subject to process personal data all the information referred to in Articles 13 and 14 and Articles 15 to 22. and 34 each piece of information in a concise, transparent, comprehensible and easily accessible form, in a clear manner and provide it in plain language, in particular any information addressed to children in the case of. The information shall be provided in writing or by other means, including, where appropriate, by electronic means also - must be specified. Oral information may be provided at the request of the data subject, provided otherwise the identity of the data subject has been verified. 2. The controller shall facilitate the processing of the data subject concerned in accordance with Articles 15 to 22. exercise of their rights under this Article. Article 11 (2) In the cases referred to in paragraphs 15 to 22, the controller shall exercise their rights under Article may not refuse to comply with his request unless he proves that the person concerned unable to identify. 3. 
The controller shall, without undue delay, but in any case upon receipt of the request, inform the data subject within one month of the following an application under Article measures. If necessary, taking into account the complexity of the application and the requests this period may be extended by a further two months. On the extension of the deadline the controller shall indicate the reasons for the delay from the date of receipt of the request inform the data subject within one month. If the application has been submitted by electronic means, the information shall, as far as possible, be provided by electronic means, unless the data subject provides otherwise asks. If the controller does not act on the data subject 's request without delay, but shall inform the data subject no later than one month after receipt of the request the reasons for not taking action and the fact that the person concerned may lodge a complaint supervisory authority and may exercise its right of judicial review 5. The information referred to in Articles 13 and 14 and Articles 15 to 22 and 34 the measure shall be provided free of charge. If the data subject's request is clearly unfounded - in particular because of its repetitive nature - excessive, the controller, depending on the information requested or administrative costs of providing information or taking the requested action: (a) charge a reasonable fee, or (b) refuse to act on the request. The burden of proving that the request is manifestly unfounded or excessive is on the controller. 6. Without prejudice to Article 11, if the controller has reasonable doubts as to the application of Articles 15 to 21. article the identity of the natural person submitting the application under request the information necessary to confirm his identity. " Under Article 15 of the General Data Protection Regulation: '1. 
The data subject shall have the right to: receive feedback from the data controller on the processing of your personal data is in progress, and if such data processing is in progress, you are entitled to personal access to data and the following information: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipients with whom the personal data are held communicated or will be communicated, including in particular to third country consignees, and international organizations; (d) where applicable, the intended period for which the personal data will be stored or, if that is not possible, criteria for determining this period; (e) the data subject's right to request personal data concerning him or her from the controller rectification, erasure or restriction of the processing and may object to such personal data treatment; (f) the right to lodge a complaint with a supervisory authority; (g) if the data were not collected from the data subject, all available information on their source; (h) the fact of automated decision-making referred to in Article 22 (1) and (4), including: profiling and, at least in these cases, the logic used comprehensible information on the significance of such data processing and on the data subject what are the expected consequences. (2) If personal data are transferred to a third country or to an international organization the data subject is entitled to be informed of the transfer appropriate guarantees in accordance with Article 46. (3) The data controller shall provide the data subject with a copy of the personal data which are the subject of the data processing make it available. For additional copies requested by the data subject, the controller shall charge a reasonable fee based on costs. If the person concerned provided it electronically application, the information shall be in a widely used electronic format unless the person concerned requests otherwise. 4. 
The right to request a copy referred to in paragraph 3 shall not be adversely affected the rights and freedoms of others. " Infotv. Pursuant to Section 61 (1) (a), it was taken in a data protection authority proceeding In its decision, the Authority Data management specified in Section 2 (2) defined in the General Data Protection Regulation in relation to may apply legal consequences. According to Article 58 (2) of the General Data Protection Regulation: “The supervisory authority shall be corrective acting within its competence: (a) warn the controller or processor that certain data processing operations are planned its activities are likely to infringe the provisions of this Regulation; (b) condemn the controller or the processor if his or her data processing activities has infringed the provisions of this Regulation; (c) instruct the controller or the processor to comply with this Regulation exercise its rights under this Regulation; (d) instruct the controller or processor to carry out its data processing operations, where applicable in a specified manner and within a specified period, in accordance with this Regulation with its provisions; (e) instruct the controller to inform the data subject of the data protection incident; (f) temporarily or permanently restrict the processing, including the prohibition of the processing; (g) order personal data in accordance with Articles 16, 17 and 18 respectively rectification or erasure of data or restrictions on data processing, and in accordance with Article 17 (2). 
order to notify the addressees with whom it is addressed in accordance with paragraph 1 and Article 19 or with whom personal data have been communicated; (h) withdraw the certificate or instruct the certification body in accordance with Articles 42 and 43 revoke a duly issued certificate or instruct the certification body not to grant it issue the certificate if the conditions for certification are not or are no longer met; (i) impose an administrative fine in accordance with Article 83, depending on the circumstances of the case in addition to or instead of the measures referred to in this paragraph; and (j) order the flow of data to a recipient in a third country or to an international organization suspension. " Under Article 83 (2), (5) and (7) of the General Data Protection Regulation: administrative fines in accordance with Article 58 (2) (a) to (b), depending on the circumstances of the case. It shall be imposed in addition to or instead of the measures referred to in points (h) and (j). 
When deciding whether it is necessary to impose an administrative fine or the amount of the administrative fine In each case, due account shall be taken of the following: (a) the nature, gravity and duration of the breach, taking into account the processing in question the nature, scope or purpose of the infringement and the number of persons affected by the infringement; the extent of the damage they have suffered; (b) the intentional or negligent nature of the infringement; (c) the mitigation of damage suffered by the data subject by the controller or the processor any measures taken to (d) the extent of the responsibility of the controller or processor, taking into account the and technical and organizational measures taken pursuant to Article 32; (e) relevant infringements previously committed by the controller or the processor; (f) the supervisory authority to remedy the breach and the possible negative effects of the breach the extent of cooperation to alleviate (g) the categories of personal data affected by the breach; (h) the manner in which the supervisory authority became aware of the infringement, in particular that: whether the breach has been reported by the controller or processor and, if so, what in detail; (i) if previously against the controller or processor concerned, on the same subject matter - ordered one of the measures referred to in Article 58 (2), the measure in question compliance with measures; (j) whether the controller or processor has considered itself approved in accordance with Article 40 codes of conduct or approved certification mechanisms in accordance with Article 42; and (k) other aggravating or mitigating factors relevant to the circumstances of the case, such as: financial gain obtained or avoided as a direct or indirect consequence of the infringement loss. […] 5.
Infringements of the following provisions in accordance with paragraph 2 shall not exceed 20 000 000 With an administrative fine of EUR 1 million or, in the case of undertakings, the previous financial year in full amounting to a maximum of 4% of its annual worldwide turnover, provided that the two the higher of which shall be charged: (a) the principles of data processing, including the conditions for consent, in accordance with Articles 5, 6, 7 and 9; (b) the rights of data subjects under Articles 12 to 22. in accordance with Article (c) the transfer of personal data to a recipient in a third country or to an international organization transmission in accordance with Articles 44 to 49. in accordance with Article d) IX. obligations under the law of a Member State adopted pursuant to this Chapter; (e) instructions from the supervisory authority pursuant to Article 58 (2) and data processing temporary or permanent restriction or suspension of data flows or in breach of Article 58 (1) failure to provide. […] (7) Without prejudice to the supervisory powers of the supervisory authorities under Article 58 (2), each Member State may lay down rules on the may be imposed on a public authority or other body with a public function administrative fine and, if so, the amount. " Infotv. 75 / A. Pursuant to Article 83 (2) - (6) of the General Data Protection Regulation, the Authority exercise the powers set out in paragraph 1 in accordance with the principle of proportionality, in particular by the legislation on the processing of personal data or by the European - breach for the first time of the requirements laid down in a binding act of the Union in accordance with Article 58 of the General Data Protection Regulation - act primarily by alerting the controller or processor. Infotv. 
According to Section 61 (4) (b): “The amount of the fine is from one hundred thousand to twenty million forints may be extended if the fine imposed in a decision taken in a data protection authority proceeding budgetary body under Article 83 of the General Data Protection Regulation in the case of a fine imposed. "
III. Decision
The date of the Applicant's request for access is June 23, 2020, which he has attached as evidenced by a return receipt, it was mailed to the Applicant on 23 July 2020. THE According to the return receipt, the applicant received the consignment on July 29, 2020. According to the copy of the postal book attached by the Applicant, his reply letter was sent by August 2020. 25, so required by Article 12 (3) of the General Data Protection Regulation fulfilled its obligation to act within the time allowed. The Applicant shall provide the Applicant with all Article 15 (1) of the General Data Protection Regulation provided information on the legal basis, purpose, duration and the scope of the recipients only the data management information in force reference to the relevant points. In addition, the personal information actually described on the site compiled from an electronic database based on the path shown at the bottom. The content of the reply letter did not provide the Applicant with an accurate, personalized information about the handling of your personal data for the following reasons. Not to fulfill access requests in a manner that complies with data protection requirements a formal answer without relevant information is sufficient, as it is general The essential element of Article 15 of the Data Protection Regulation is that it provides targeted and clear information data subjects in relation to the personal data actually processed in connection with them.
The information appearing on the controllers' page as a result of the exercise of the right of access obligation is not an administrative obligation that can be fulfilled in a template. THE when executing access requests, the controllers shall provide the information to the specific data subject tailored, individualized and the substance of the questions asked by the data subject make available to them. Failing this, the person concerned will not receive a clear picture of the person management of your data, it will not become transparent to them. Therefore, if the general concerned Article 15 of the Data Protection Regulation information leaflets prepared under Article 13 of the General Data Protection Regulation - as stated in the Applicant’s reply, the purpose and legal basis of the data processing, the recipients and, in the case of data processors, the prospectuses published on the website and reference to business rules - as it is not personalized, not explicitly the person concerned management of your data. In addition, the Authority notes that they themselves referred to documents also contained only general information. Pursuant to Article 15 (1) of the General Data Protection Regulation, the data subject is entitled to: receive feedback from the data controller on the processing of your personal data is in progress and, if such data processing is in progress, you are entitled to it in addition to the information you provide, access to your personal information. The general Recital 63 of the Data Protection Regulation also distinguishes between personal data and therefore the data subject should have access to both. In view of the above, the Authority finds that the Applicant has breached the general rule Article 15 (1) (a) of the Data Protection Regulation; c) -d) when not given substantive, specific answers to the itemized criteria under Article 15, only described a link to general data management information.
IV. Legal consequences
In addition to the finding of an infringement, the Authority is Article 58 (2) of the General Data Protection Regulation (c) instructs the Applicant to comply with the Applicant’s exercise of the right of access Article 15 (1) (a) of the General Data Protection Regulation (c) to (d), and the fact that the information was provided shall be certified to the Authority by the addressee addressed to the Applicant by sending a copy of the information and a copy of the postmark certifying its posting. The Authority also examined whether a data protection fine against the Applicant was justified imposition. In this context, the Authority shall comply with Article 83 (2) of the General Data Protection Regulation and Infotv. 75 / A. § considered all the circumstances of the case and found that the present in the case of infringements detected during the procedure, the warning shall be a proportionate, dissuasive sanction, therefore, it is not necessary to impose a fine. In that regard, it took particular account of the infringement severity is low and no harm has been incurred in the proceedings, and the Authority The applicant has not been convicted of the present breach of the general data protection regulation until the date of the decision. Based on the above, the Authority has decided in accordance with the operative part.
V. Other issues
The powers of the Authority are limited by the Infotv. Section 38 (2) and (2a), its jurisdiction is covers the whole country. The present decision of the Authority is based on Art. 80-81. § and Infotv. It is based on Section 61 (1). The decision the Ákr. Pursuant to Section 82 (1), it becomes final with its communication. The Ákr. Section 112 and Section 116 (1) and (4) (d) and § 114 (1) against the decision there is a right of appeal through an administrative lawsuit.
* * *
The rules of administrative litigation are laid down in Act I of 2017 on the Procedure of Administrative Litigation (a hereinafter: Kp.).
A Kp. Pursuant to Section 12 (1) by a decision of the Authority The administrative lawsuit against the court falls within the jurisdiction of the court. Section 13 (3) a) The General Court has exclusive jurisdiction under point (aa) of A Kp. Section 27 (1) In a dispute in which the tribunal has exclusive jurisdiction, the representation is mandatory. A Kp. Pursuant to Section 39 (6), the filing of the application a has no suspensive effect on the entry into force of an administrative act. A Kp. Section 29 (1) and with this regard Act CXXX of 2016 on the Code of Civil Procedure. applicable pursuant to Section 604 of the Act, electronic administration and trust services CCXXII of 2015 on the general rules of pursuant to Section 9 (1) (b) of the Act legal representative is required to communicate electronically. The time and place of the filing of the application is Section 39 (1). The trial Information on the possibility of requesting the maintenance of the It is based on Section 77 (1) - (2). THE the amount of the fee for an administrative lawsuit in accordance with Act XCIII of 1990 on Fees. Act (hereinafter: Itv.) 45 / A. § (1). From the advance payment of the fee, the Itv. Section 59 (1) and Section 62 (1) (h) exempt the party initiating the proceedings. Budapest, December 16, 2020 Dr. Attila Péterfalvi President c. professor