NAIH (Hungary) - NAIH-5802-9/2022.

From GDPRhub
Revision as of 10:48, 9 November 2022 by Jg (talk | contribs) (changed short summary to company name)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
NAIH - NAIH-5802-9/2022.
LogoHU.jpg
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 6(1)(a) GDPR
Article 12(1) GDPR
Article 14 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 11.08.2022
Published: 11.08.2022
Fine: 200000 EUR
Parties: Amplifon Magyarország Kft.
National Case Number/Name: NAIH-5802-9/2022.
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Hungarian
Original Source: NAIH (in HU)
Initial Contributor: Abel Kaszian

The Hungarian DPA imposed a €200,000 fine on Amplifon for sending direct marketing letters. The company mislead approximately 3-400.000 data subjects about the purposes of processing and unlawfully used consent as a legal basis.

English Summary

Facts

The DPA received a number of complaints from data subjects about Amplifon, a company selling hearing aids (the controller). The controller allegedly sent them a written letter via post inviting them to a free hearing test, despite the fact that they had not previously consented to receiving such marketing communication. The DPA therefore launched an ex officio investigation on 1 January 2020.

The controller claimed that letter assessing the need for hearing tests were only sent to persons listed in the database provided by the Ministry of Interior. On average, the controller requested data every 2-3 months, with an average of 3-400.000 data subjects' names and addresses per request. All data were transferred to a separate, secure server by the controller's competent employees, and the entire contents of the device were irretrievably deleted after the transfer. The purpose of the data collection – stated by the controller in the request to the Ministry – was to contact and maintain contacts for direct marketing purposes and, in subsequent requests (after 23 February 2021), for market research.

In the controller's view, Article 3(1)(d) of the Act CXIX of 1995 on the processing of name and address data for research and direct marketing allowed the collection of data from the sources specified in the legislation. Accordingly, the market researcher may request name and address data from the register of the Ministry of Interior for the purpose of contacting the data subject. Provided that the data subject had not refused the disclosure of his or her data.

The controller stated that it used consent of the data subjects as the legal basis, arguing that the data subjects had the possibility to withdraw their consent at the Ministry of Interior or the controller if they do not wish their personal data to be processed.

Holding

First, in the DPA's view, the silence of the data subject could not be accepted as an affirmative act. If the data subject did not take any active steps to give consent, the controller cannot infer that the data subject consented to the processing. Consent is also closely linked to adequate prior information, i.e. that the data subject had adequate information about the circumstances of the processing before giving consent. The DPA found that this was clearly lacking in this case. Therefore, the DPA held that the controller violated Article 6(1) GDPR by unlawfully using consent as a legal basis.

Second, the DPA also found that, from 26 April 2019, the Act CXIX of 1995 on the processing of name and address data for research and direct marketing no longer covered requests or processing for the purpose of contacting for direct marketing. In other words, as of 26 April 2019, the legal authorisation for processing for direct marketing purposes ceased to exist. The controller nevertheless continued to process the requested data for the purpose.

The DPA noted that following the controller's request to the Ministry of Interior dated 23 February 2021, the purpose of the processing was “to contact the public in the field of health promotion, including hearing and hearing loss.” However, in its previous applications, the purpose was “to inform the public about our hearing care services.” Thus, from March 2021, the controller no longer requested the data for direct marketing, but for market research purposes. The use of the personal data was also solely authorised for this purpose by the Ministry of Interior. The DPA was of the opinion that the controller adjusted its request to the Ministry of Interior to market research purposes in order to comply with the changed legal requirements, only to continue its processing for direct marketing purposes. The DPA therefore found that the controller violated the purpose limitation principle under Article 5(1)(b) GDPR. It misled the data subjects and the Ministry of Interior by disguising the true purpose of the processing, thereby also violating the principle of fairness under Article 5(1)(a) GDPR.

The DPA emphasized that since the controller contacted potential patients after collecting personal data not from the data subject but from another source, it should have provided the information to the data subjects within a reasonable time, taking into account Article 14 GDPR. In addition, the DPA found that the provided information sheet did not indicate the legal basis for the processing. Furthermore, it did not indicate the real purposes of the processing and the small font size of the notice made it inadequate. The DPA held that the controller had thereby violated Article 14(1) and (2) GDPR. Because it failed to provide clear and transparent information, the controller also violated Article 12(1) GDPR.

The DPA imposed a €200,000 fine on the controller and ordered the controller to delete all data of the data subjects, i.e. all name and address data provided by the Ministry of Interior.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

Case number: NAIH-5802-9/2022. Subject: decision History: NAIH-7550/2021.
H A T A R O Z A T
The National Data Protection and Freedom of Information Authority (hereinafter: the Authority) is represented by [...] ([...]) AMPLIFON Magyarország Kereskedelmi és Szolgáltató Llátolt Anelösségő Társaság Társaság (headquarters: 1097 Budapest, Könyves Kálmán krt. 12-14. 3) .em.; hereinafter: Obliged) makes the following decisions in the official data protection procedure initiated ex officio to investigate its practices related to its "market research" data processing by mail:
1. The Authority determines that, in connection with the sending of the postal notification containing the invitation to the screening test, the Obligee handles the contact data (name and address) of the data subjects without adequate information, a concretely defined and real purpose, and without an adequate legal basis, and thereby violated the general data protection regulation the principle of fair data management according to Article 5 (1) point a), the principle of purpose limitation according to Article 5 (1) point b), Article 6 (1) and, in connection with the above, Article 12 (1) and the obligation to provide information according to Article 14.
2. Due to the provisions of point 1, the Authority ex officio instructs the Obligee on the basis of Article 58 (2) point g) of the General Data Protection Regulation to delete the name and address data of the data subjects stored by it in connection with the sending of postal notifications, i.e. all personal data - and the name and address data provided by the Ministry of the Interior at the request of the Obligee from the address register.
3. The Authority ex officio the Obliger due to the above data protection violations
HUF 80,000,000, i.e. eighty million HUF
data protection fine
obliged to pay.
The data protection fine must be paid within 30 days from the date this decision becomes final to the HUF account for the collection of centralized revenues of the Authority (10032000-01040425-00000000 Centralized collection account IBAN: HU83 1003 2000 0104 0425 0000 0000). When transferring the amount, NAIH-5802/2022. FINE. number must be referred to. If the Obligee does not fulfill his obligation to pay the fine within the deadline, he is obliged to pay a late fee. The amount of the late fee is the legal interest, which is the same as the central bank base rate valid on the first day of the calendar semester affected by the delay.
Within 30 (thirty) days from the date of the finalization of this decision, the Obligee must certify the fulfillment of the obligation stipulated in point 2 in writing to the Authority, together with the presentation of supporting evidence. In case of non-fulfilment of the obligation, the Authority orders the execution of the decision.
The Authority draws the Obligee's attention to the fact that the decision is open to appeal
1055 Budapest Tel.: +36 1 391-1400 ugyfelszolgalat@naih.hu
Falk Miksa utca 9-11 Fax: +36 1 391-1410 www.naih.hu
 
2
the data affected by the disputed data processing cannot be deleted or destroyed until the deadline for filing an action expires, or until the final decision of the court in the case of an administrative lawsuit.
No procedural costs were incurred in the procedure.
There is no place for an administrative appeal against this decision, but it can be challenged in an administrative lawsuit within 30 days from the date of notification. The statement of claim must be submitted electronically1 to the Authority, which forwards it to the court together with the case documents. The request to hold a hearing must be indicated in the statement of claim. For those who do not benefit from the full personal tax exemption, the fee for the administrative lawsuit is HUF 30,000, the lawsuit is subject to the right to file a tax record. Legal representation is mandatory in proceedings before the Metropolitan Court.
The Authority will publish this decision on the Authority's website, specifying the Obligor's identification data.
I N D O C O L A S
I. Procedure and clarification of the facts
1. Cases of precedent
1.1. The Authority received several reports, in which the informants objected that the Obliger sent them a notification by post - an invitation to a screening test - despite the fact that they had not previously consented to it.
Due to the above, the Authority considered it justified to initiate an official audit ex officio in order to check whether the Obligor complies with the requirements of the General Data Protection Regulation during the data management practices it uses. The Authority NAIH-4181-1/2021. in his order, he notified the Obligee of the initiation of the data protection official control and called him several times to provide written information on the questions asked in order to clarify the situation. The Obligee made a statement in relation to the questions contained in the Authority's inquiries through its legal representative certified by power of attorney.
1.2. Due to the presumed violation of Article 5, Article 6, Paragraph (1), and Article 14 of the General Data Protection Regulation, the Authority closed the official inspection and on October 5, 2021 CL. Act (hereinafter: Ákr.) initiated a data protection official procedure ex officio on the basis of point a) of § 101, paragraph (1).
1.3. Infotv. On the basis of Section 71 (2), the Authority has used the facts and other evidence in the following documents related to the Obligor in this procedure, which were created in previous procedures related to the Obligor:
a) By the Authority NAIH/2019/6052/1. registered stakeholder complaint and its attachments, which are postal requests for a free hearing screening sent by the Obligee to the complainant's address between February 4 and 28, 2019, and between July 20 and August 14, 2020.
1 The NAIH_K01 form is used to initiate the administrative lawsuit: NAIH_K01 form (September 16, 2019) The form can be filled out using the general form filling program (ÁNYK program). https://www.naih.hu/kozig-hatarozat-birosagi-felulvizsgalata
 
3
b) By the Authority NAIH/2020/2031/1. stakeholder complaint and its attachment, which is a postal request for a free hearing screening sent by the Obligee to the complainant's address between November 18 and December 13, 2019.
c) NAIH/2017/4819/1/V by the Authority. notice to close the investigation of the data management practices of the Obliged Party in connection with its direct marketing activities carried out through general practitioners.
1.4. NAIH-4181-5/2021. No., dated May 20, 2021, and NAIH-4181-7/2021. No., dated June 29, 2021, the Obligor made the following statements relevant to the decision and attached documents:
i) The Obligor is NAIH-4181-5/2021. No., dated May 20, 2021
attached as Annex No. 2 the data management document dated March 1, 2021
information sheet.
VII.1 of the data management information. Point A describes data management for market research purposes
According to the following:
- Purpose: market research to assess the need for hearing tests at the regional level;
- Legal basis: voluntary consent;
- Scope of stakeholders: all persons of a given age group who did not request identification can be identified
deletion from the database;
- Managed personal data: name, address;
- Source of data: KKtv through the provision of data by the Ministry of the Interior. according to;
- Duration of data management: based on the decision of the Ministry of the Interior a
Data provided by the Ministry of the Interior is provided by the Customer
for 6 months after receipt;
- Name and address of data processors and their activities related to data processing: [...]
Kft. (printing and envelopes of generated letters, delivery to the post office),
Magyar Posta Zrt. (postage);
- There is no common data controller;
- There is no shared data management;
- No data transfer.
ii) The Obligee requests - exclusively - name and address data within the framework of the request for data provision from the personal data and address register addressed to the Personal Data Provision and Licensing Department of the Department of Personal Registration and Administration of the Ministry of the Interior (hereinafter: BM).
iii) The purpose of data use is to contact and maintain contact within the framework of market and public opinion research.
iv) During the provision of data by the BM, the data of citizens who have not previously requested the restriction of the provision of their data will be transferred. Based on the decision of the BM, the period of use of the requested personal data is 6 months.
v) The Obligor attached a copy to the Authority's invitation
- BM BMSZAE/3262-2/2020 dated July 1, 2020. decision no.
- BM BMSZAE/4498-2/2020 dated September 9, 2020. decision no.
- BM BMSZAE/5261-2/2020 dated October 21, 2020. decision no. and the
 
4
It is obliged to submit its application for a data provision license for direct marketing purposes dated October 13, 2020, which is its basis.
vi) In its applications, the Obligee requested the provision of data from the register of citizens' personal data and addresses from the BM in order to be able to inform the public about its hearing care service. According to the contents of the application, he sent the specific settlements and screening data by age group to the ministry electronically before the current campaign.
vii) In the attached decisions, the BM granted the Obligee's requests for data provision and allowed it to use regular group data provision from the register of citizens' personal data and residential addresses and to use the requested data to contact them directly for the purpose of obtaining business.
viii) The Obligee also attached its request for a data provision license for direct marketing purposes dated January 25, 2021, as well as the related BMSZAE/225-1/2021 dated February 24, 2021. order no., in which the procedure was terminated in view of the fact that on February 22, 2021, the Obligor informed him electronically that his request for data provision had become obsolete, therefore he withdrew it and did not request data provision.
ix) In addition to the above, the Obligor has attached a copy of the request for a 1-year license to contact and maintain contact for the purpose of market research dated February 23, 2021, as well as BMSZAE/382-1/2021 of the BM dated March 2, 2021. decision no., in which it granted the Obligee's request for data provision and allowed it to use regular group data provision from the register of citizens' personal data and residential addresses for 6 months and to use the data in the context of market and public opinion research for the purpose of contacting and maintaining contact. According to the reasons for the decision, the Obligee proved his right to "conduct market and public opinion research activities with a copy of the company certificate, Nytv. in paragraph (3) of § 19 and Dmtv. In accordance with the provisions of paragraph (2) of § 4".
x) According to his declaration, the Obligee compares the table received from the BM with his register, which contains the persons who requested their deletion from the database during inquiries based on previous data requests, i.e. so that the Obligee does not send further inquiries to them.
The table updated in this way is prepared by the Obligor's marketing department and sent to its printing partner, which also participates in the mailing. Based on the table, the letters are prepared in the form of a circular letter, and after printing, the data is deleted directly by the printing partner.
xi) NAIH-4181-5/2021 sent by the Obligor to the Authority. According to the sample letter attached as attachment No. 9 to the response letter dated May 20, 2021 (for the hearing screening date between April 12 and May 7, 2021), the letters contain the following informative text:
"1. We would like to inform you that the GDPR, Infotv. and the LLC. provides information.
2. Data controller: AMPLIFON Magyarország Kft. (head office: 1097 Budapest, Könyves Kálmán körút 12-14. III. floor, company registration number: Cg.01-09-710015, tax number: 10762099-2-43, website: https://amplifon .com/web/hu/).
3. Data protection officer: You can contact our data protection officer at any time at the following contact details: AMPLIFON Magyarország Kft. 1097 Budapest, Könyves Kálmán körút 12-14, e-mail address: adatvedelem@amplifon.hu. telephone number: 06-1-350-60-70
 
5
(9 a.m. to 5 p.m.).
4. Purpose of data management/data use: market research. We are contacting you with this letter because we want to assess how much of the population of Hungary between the ages of ...-... wants to use our company for a hearing test. If you participate in a hearing test, we will clarify the relevant data management during it.
5. Where did we get your data from: For our company, the Ministry of the Interior...
authorized the communication of your and other persons' names and addresses in the context of market and public opinion research in order to contact and maintain contact.
6. Scope of processed data: Our company only processes your name and address in connection with market research.
7. Method of data management: Our company handles your data discreetly, in accordance with the laws and the purpose indicated above. We will contact you with your personal data only by post, together with our present inquiry and other similar inquiries. Our partner prints the generated database and forwards it to you via Magyar Posta Zrt. We handle your data exclusively digitally on AMPLIFON Kft.'s own server.
8. Your data will not be transferred to other data controllers. Our contracted partner [...] Kft. (headquarters: [...]) carries out the printing and mailing of the items.
9. Duration of data management: we received your data on
From the Ministry of the Interior, we process it for 6 months from that date, or until the day after your request for deletion is received.
10. Your rights: Request for information, Right to rectification, Right to deletion, Right to request restriction, Right to request transfer to another data controller, and the right to request data in a machine-readable format, Right to protest, Right to file a complaint and go to court: You have the right to appeal , you can file a complaint with the National Data Protection and Freedom of Information Authority (1363 Budapest, Pf.: 9. www.naih.hu), and you can also file a complaint with the court of our company's registered office or your place of residence.
You can find more information about data management
You can find information on the website https://www.amplifon.com/web/hu/adatkezelesi-declaration.”
xii) The Obligee has also attached a sample letter inviting a hearing screening between June 28 and July 23, 2021, which, contrary to the above, contains the following informative text:
"If you no longer wish to receive such inquiries from Amplifon Magyarország Kft., you can cancel using one of the following contact details:
On the Internet at the e-mail address adatvedelem@amplifon.com.
By letter to the Company's address, Amplifon Magyarország Kft. 1097 Budapest, Könyves Kálmán krt. 12-14.
We bought your address data from the Central Office of Public Administration and Electronic Public Services on the CXIX of 1995. Act § 3 (1) point d) and LXVI of 1992. based on Section 17 (1) of the Act. If you no longer wish to be publicly listed in such a database, you must submit your blocking statement in writing or in person at the document office at your place of residence. Your data will be automatically deleted from Amplifon Magyarország Kft.'s database."
xiii) Requests for deletion may be received by e-mail or letter after the letters have been sent, which requests will be filed by the Obligee based on its administrative procedures and fulfilled immediately, but no later than within 25 days of receipt of the request for deletion. The personal data of the other persons included in the database will be irreversibly deleted on the last day of 6 months from the date of receipt of the database.
 
6
xiv) [...] Kft. (headquarters: [...]) cooperates in the preparation, printing, and enveloping of the circulars based on the framework business agreement concluded with the Obligor. To the reply letter sent to the Authority, the Obligee attached a copy of the framework agreement and - according to its declaration - the sample of the data processing agreement currently used as a model.
The sealed envelopes are then forwarded by the printer to Magyar Posta Zrt, which company delivers the inquiries to the addressees.
xv) The Obligee continues its inquiries for market research purposes. Accordingly, the Obligee, as a market researcher, is subject to the CXIX of 1995 on the management of name and address data for the purpose of research and direct business acquisition. Act (hereinafter: Kktv.) § 3 (1) point d) for the purpose of contacting and maintaining contact, name and address data according to Act LXVI of 1992 on the registration of personal data and addresses of citizens. Act (hereinafter: Nytv.) from the register under the scope of the Nytv. under the conditions specified in the Nytv. According to his declaration, the Obligee requests the name and address data according to the year of birth, bearing in mind that the market research is aimed at the age group affected by hearing loss.
xvi) In the case of exercising the rights of the data subject both by e-mail and by post, without giving reasons, but in any case within 25 days from the receipt of the request, the data subject shall be informed of the measures taken as a result of his request, which deadline will be extended by another 2 months if necessary.
If the data subject does not take measures following his request, he shall inform the data subject without delay, but at the latest within 25 days of the receipt of the request, of the reasons for the failure to take action, as well as that the data subject may file a complaint with a supervisory authority and exercise his right to judicial redress.
The Obligor attached to his reply letter the sample letter that is sent to the data subjects in response to data subject requests received by mail or e-mail, and also attached a copy of a request for deletion received by e-mail and the related correspondence with the data subject.
xvii) According to his statement, the Obligor stores personal data on paper in a cardboard cabinet or drawer at his headquarters, and in electronic form using the Microsoft Dynamics CRM software (hereinafter: CRM). In addition, postal inquiries are handled specifically in Excel.
According to the screenshots attached to the reply letter, data is stored in the CRM system under the following column names: Date of creation, related hearing center, customer name, customer number, address, last name, first name, main phone, locality, name of public area, nature of public area, house number.
In the attached Excel database, the Obligee stores the following data: last name, first name, first name2, PIR (postal code), settlement, public area, nature, house number, building, floor, building, door, county code.
xviii) In response to the question about the size of its database, the Obligee stated that, since the data provided from the personal data and address register is used for 6 months, in this context it stores the personal data of 585,131 people based on the amount of data received in the months of March and May 2021. The previous database is not available. In addition, the Obligor's database at the time of retrieval on May 20, 2021 had 502,025 people.
xix) During the processing of personal data, the Obligee has contractual relationships with several data processors, according to its declaration. According to his statement, between him and that
 
7
in each case, a framework contract (e.g. commission contract, business contract, etc.) is created between data processors, and as an inseparable part of it, a data processor legal relationship in relation to personal data management, which is defined in a separate document called a data processor agreement. He attached a sample of this to the Obligor's response letter.
xx) At the request of the Authority, the Obligee also attached a copy of the detailed record of the requested (surname) name, a copy of the record of its data management activities according to Article 30 (1) of the General Data Protection Regulation, as well as the information security policy of the Obligor.
2. This official data protection procedure
2.1. In relation to the issues contained in the Authority's inquiry dated October 5, 2021 in this data protection official procedure, the Obligee - after a deadline extension - NAIH-7550-5/2021 dated November 2, 2021. in his reply letter received at no. he made the following statements relevant to the decision:
i) In all cases, postal inquiries for the purpose of assessing the need for a hearing test are sent exclusively to the persons included in the database provided by BM, the Obligee does not use data provided from other sources and for other purposes.
ii) The Obligor requests data every 2-3 months on average. In the Mandatory letter, in the form of a request addressed to the BM, only name and address information is requested for specific age groups. This means that it does not indicate a specific year of birth, but requests data for a period of time covering several years, with no claim to the date of birth, nor even year-level identification. BM provides the data to the Obligor on an electronic data carrier. The competent employees of the Obligor place all data from the data carrier on a separate server volume with a code, and then the entire content of the data carrier is irreversibly deleted.
iii) BM provides the data in tabular form, in a format that can be opened with the Excel program.
iv) Within the examined data management period - according to the attached application copies, between June 24, 2020 and August 4, 2021 - the Obligee applied to the BM 9 times with a request for data provision. In connection with these requests, the Obligee received an average of 300,000-400,000 name and address data from BM.
v) According to the Obligor's point of view, CXIX of 1995 on the management of name and address data for the purpose of research and direct business acquisition. Act (Kktv.) Section 3 (1) point d) enables the collection of data from the sources specified in the law: according to the cited legal place, the market researcher may request name and address information for the purpose of contacting and maintaining contact, as well as the name and address of the body entrusted by them to handle and receive the data LXVI of 1992 on the registration of citizens' personal data and residential address. Act (hereafter: Nytv.) from the register under the conditions specified in the Nytv., provided that the citizen has not prohibited the release of his data [Nytv. Section 2 (1))]. Accordingly, the Obligee may request data from the BM for the purpose of contacting and maintaining contact, if he has not prohibited the release of the citizen's data. BM is Nytv. According to § 17, paragraph (1), the Obligor shall provide data at the request of the Obligor - in case of proof of the purpose and legal basis of the use.
 
8
vi) The Obligee requests the name and address according to the year of birth (not time!), bearing in mind that the market research is aimed at the age groups affected by hearing loss.
vii) The Obligee is the Nytv. Pursuant to Section 19 (1) point c) of Nytv. You can request the provision of data according to point a) of § 17, paragraph (2), i.e. name, residential address and notification address data.
viii) According to the Obligor's current practice, the Kktv. Section 5 (1) and Infotv. Pursuant to § 20, it strives to provide adequate information and does everything to ensure the voluntary nature of data provision.
ix) Based on the Obliger's point of view, the legal basis for the inquiries is provided by Article 6 (1) point a) of the General Data Protection Regulation, i.e. the Obliger - according to its declaration - manages personal data based on voluntary consent and ensures the exercise of the rights of the data subject, so in particular that the data subject can withdraw the consent at any time.
In its response letter, the Obligee noted that "in the case of the market research purpose, it can be seen that the legislation already provides the possibility for the concerned party to indicate to the Ministry of the Interior that he does not wish to make his data available in relation to the specified purpose". According to the Obligor's point of view, the exercise of the data subject's rights is ensured by adequate information, so that the data subject can declare in the form of a statement or confirm unequivocally whether or not he consents to the further processing of the data, based on specific and appropriate information. Therefore, according to the Obligor's point of view, the data subject has the maximum possibility to make a statement to the BM or the Obligor if he does not wish to consent to the processing of his data, however, in the absence of this, the consent can be considered given by the data subject's behavior expressing that the request and thus the you consent to the processing of your data. Because - according to his point of view - the national practice also shows that the actual limit of data management in such cases is a clear declaration by the data subject that he no longer consents to data management.
x) In response to the Authority's call and question to present its market research activities and the purpose of the market research, the Obligee attached as Annex No. 1 the "Market Research: Study on the hearing quality of the Hungarian population 55+ age group, and the COVID "On the impact of the pandemic on the industry", undated study, which, however, includes not only market research, but also research beyond that.
The Obligee stated that, as Hungary's market-leading hearing specialist, it has set itself the task of preserving the health of the country's population and, within that, monitoring trends in hearing loss in Hungary, as well as increasing the level of effective services aimed at this. The purpose of the market research described in the study is to determine the attitude of Hungary's aging population to hearing, the level of hearing quality, their regional distribution, and gender differences. The study addresses the main questions, such as how seriously people take their hearing and how much their real hearing loss is compared to that, and how much of the population who bothers to take a hearing test for the purpose of health preservation is struggling with real hearing loss, whether there are geographical differences within the country or gender differences.
xi) To the request of the Authority to make a statement regarding the reason why, according to its statement dated June 29, 2021, from the second half of 2020, based on the sample letter attached to the statement as Annex No. 6, the purpose of data management is market research, while the BM according to the request for permission to provide data sent to and the decision of the BM, the goal was direct marketing until March 2021, the Obligee as
 
9
stated that previously - due to an administrative error - he worded it incorrectly, and from the second half of 2020, the letter according to the attachment attached under number 6 was not used, but NAIH-7550-5/2021. letter sample attached at number 2 to your reply letter received at no.
xii) The Authority also formulated a question for the Obligee regarding the sample letters inviting hearing screening sent from the second half of 2020, according to the Obligor's statement in the referenced reply letter attached as Annex 6 to his statement dated June 29, 2021. The sample letters sent advertised free hearing screening for the period between June 28 and July 23, 2021, in the settlement of Bonyhád. However, the address pages of the sample letters - 1.4 of this decision. as described in sub-points x)-xi) of section - they contained information with different wording regarding data management. The Authority called the Obligee to state the reason why the hearing screening invitation letter advertised for the same period and for the same settlement contained different information.
According to the Obligor's statement, their statement in the reply letter sent to the Authority earlier, dated June 29, 2021, was incorrect, and from the second half of 2020, the sample letter attached as Annex No. 6 of the referenced letter was not used, but NAIH-7550-5/2021. sample letter attached at number 2 to the reply letter received at number 2, which contains the following information:
"If you no longer wish to receive such inquiries from Amplifon Magyarország Kft., you can cancel using one of the following contact details:
On the Internet at the e-mail address adatvedelem@amplifon.com.
By letter to the Company's address, Amplifon Magyarország Kft. 1097 Budapest, Könyves Kálmán krt. 12-14.
We bought your address data from the Central Office of Public Administration and Electronic Public Services on the CXIX of 1995. Act § 3 (1) point d) and LXVI of 1992. based on Section 17 (1) of the Act. If you no longer wish to be publicly listed in such a database, you must submit your blocking statement in writing or in person at the document office at your place of residence. Your data will be automatically deleted from Amplifon Magyarország Kft.'s database."
xiii) According to the Obligor's statement, the sample letter originally attached as Annex 6 to the statement dated June 29, 2021, will be used from July 2021, while NAIH-7550-5/2021. the letter sample attached to the reply letter received at number 2 was used in the period prior to this.
2.2. The Authority NAIH-5802-2/2022 dated June 14, 2022. in order no
- informed the Obligee that the available documents date back to the previous period as well, therefore extending the examined data management period, thus the examined period lasts from January 1, 2020 to October 5, 2021;
- informed the Obligee about what other complaints filed by the Authority and their annexes were included in the official data protection procedure;
- invited the Obligee to make further declarations and attach documents, furthermore
- notified the Obligee that the evidence procedure in the data protection authority procedure will be completed with the above proof and invited the Obligee to exercise his right to inspect documents and make a statement.
2.3. The Obligee is the Authority NAIH-5802-2/2022. in relation to the questions included in his order no. - after the extension of the deadline - in his reply letter dated July 15, 2022, he stated as follows:
 
10
i) The Authority called on the Obligee to confirm with documents the existence of the market research objective, to confirm who prepared the previously attached market research study and when, and to provide information on its progress; if a research plan has been drawn up, attach a copy of it; declare what kind of research data and sample were used to prepare the study; also attach a copy of the study and all available documents that form the basis of the market research itself.
According to the Obligor's statement, the attached market research study "was prepared by the marketing team and it is constantly reviewed and updated, taking into account that the Obligor's marketing department prepares continuous analyses". The Obligee "compiled the study on the basis of predetermined questions, the answers to which were sought". The Obligee "basically, during the preparation of the study, always takes into account a specific period and analyzes the trends of the given period, from which the study for the given period is prepared based on the information extracted. The attached market research covers the period from March 2021 to September 2021. Its preparation is continuous and the results are summarized every six months by the marketing department. The minimum period of six months is the appropriate time interval to see a market trend, a shorter period would not show significant data or deviation.“.
The Obligee attached a two-page, undated document called "Market Research Plan", at the end of which it was stated that "Made by: marketing department". The content of the attached "Market Research Plan" is essentially a verbatim repetition of the first two pages of the previously sent market research study.
According to his statement, the Obligor exclusively used the database served by BM to prepare the study. He also submitted that the Obligee basically used its available data for market research.
ii) Upon the request of the Authority, which business and other decisions were based on the results of the market research, the Obligor stated that, based on the study, the Obligor's decision to
- it will place greater emphasis on educating the population, through television, sports events, medical interviews, advertisements, professional statements, press materials, and various internet channels;
- prepares an action plan for the following year in which the average age is brought back to 72 years, since prevention is easier than trying to restore the affected person's hearing afterwards;
- based on the results of the study, a strategy based on market analysis was developed, the target audience was determined, the target audience was personalized, the main touchpoints were created, and sales strategy planning was carried out: planning, closing new hearing salons, planning or downsizing additional resources.
iii) For the market research, the Obligee needed name and address data because, with the help of this data, he was able to contact customers with nationwide coverage and in accordance with age groups. The Obligee is able to reach the relevant target group in a targeted way by sending an invitation addressed to the addressees by name, informing them of the possibility of a hearing test, which is free of charge and without obligations.
 
11
iv) The study sent to the Authority concerned only those persons who participated in the study based on the delivered request letter. Data requests in the order of hundreds of thousands were necessary because not all contacted persons will decide to take advantage of the hearing test or possibly not even receive the mail. Furthermore, since the research and analysis is continuous and during this process the Obligee examines different periods, target groups, and areas, that is why continuous data requests are necessary.
v) The Obligee continuously, on a monthly basis, prepares analyzes based on various conditions and patterns, thus conducting approximately 10-12 market researches on a yearly basis, which represents a monthly frequency.
Market research is continuous because the market is constantly changing, mainly due to covid, economic influencing factors and the change of generations. The Obligor can analyze the trends at six-monthly intervals, otherwise the material is not sufficiently comprehensive.
vi) At the request of the Authority, the Obligee shall present with a detailed description exactly how the free hearing screening takes place with the help of forms, samples, correspondence, internal regulations used internally and by sending a copy of them up to and including his departure) stated that
a) as previously stated, customers are contacted by mail based on the name and address information requested and received from BM. The Obligee attached to his submission dated July 28, 2021, the requests submitted to the BM, as well as the related decisions made by the BM, which are part I 1.4 of this decision. were described in subsections v)-ix).
The Obligee also attached to his reply letter dated July 15, 2022 requests not yet known to the Authority, the decision made by the BM based on them, and a copy of the related e-mail correspondence with the BM, thus the
- the Obligor's request for a data provision license for direct marketing purposes dated June 24, 2020,
- the Obligor's request for data provision for contacting and maintaining contact for the purpose of market research, dated April 15, 2021,
- the Obligor's request for the provision of data for contacting and maintaining contact for the purpose of market research, dated June 15, 2021, and
- the Obligor's request for data provision for contacting and maintaining contact for the purpose of market research, dated July 12, 2021.
- Address order sent to the BM on July 15, 2021 via e-mail, in which the Obligor states BMSZAE/382-1/2021. name and address data requested in reference to the data service license no. 1, in relation to the settlements indicated in the table attached to the letter (which was also sent to the Authority as an attachment to the e-mail) (name and address data of those born before December 31, 1956 in 44 indicated settlements),
- the address order sent to the BM on August 4, 2021 by e-mail, in which the Obligor states BMSZAE/382-1/2021. name and address information requested in the table attached to his letter - worksheet 1 of the table was also sent to the Authority as an attachment to the e-mail - in relation to the settlements indicated in reference to data service license no.
On worksheet 1 of the attached annex, 1,229 settlements were marked, in which those born before December 31, 1956 with a place of residence, name and
 
12
the Obligor requested his residential address data. In addition, according to the content of the e-mail message, the Obligee provided the names and addresses of those born between 1956 and 1966 in 3 more marked settlements, the names and addresses of those born between 1957 and 1966 in 11 more marked settlements, and in 1 other settlement between 1957 and 1960 requested the names and addresses of those born.
- The Obligor also attached the BM BMSZAE/905-2/2020 dated March 3, 2020. also decision no.
b) After providing the data, the Obligor compares the data in the received table with the records of deletion from the database of data subjects related to inquiries based on previous data requests, so that the Obligor does not send further inquiries to them.
c) This is followed by sending the filtered table to the printer, preparing circulars, then printing and envelopes, in which [...] Kft. acts as an intermediary. After that, the printing house forwards the sealed envelopes to Magyar Posta Zrt., which delivers them to the recipients.
d) If the contacted person decides to take advantage of the free and no-obligation hearing screening, he or she will receive information about its progress at the telephone number on the postal letters, and will be able to make an appointment.
e) If applicable, this is followed by a free hearing screening, a hearing test, and then, if applicable, the purchase of a hearing aid.
vii) The Authority also invited the Obligee to attach a database detail of the persons with the initials indicated in the order: on the one hand, the extract according to the last day of the examined period, i.e. October 5, 2021, and the receipt of the Authority's order, i.e. June 27, 2022 to attach an extract according to
In connection with this, the Obligee stated that he could not attach a copy of his database excerpt according to the last day of the period under review, i.e. October 5, 2021, given that the data of those who were included in the database provided by BM had already been deleted, as the statutory retention period of 6 months.
The Obligor also submitted that it is not clear to him why his entire customer database, which also contains other personal data, which the Obligor manages on the basis of such data management activity, which, to the best of his knowledge, is not the subject of the present procedure, is relevant, therefore, in relation to the question, the Authority asked for clarification as to whether he is requesting a copy of the details of the register only in relation to the investigated data management (direct marketing) or in relation to all data.
In view of the fact that the Obligor did not send a copy of the requested database detail despite the Authority's request, the Authority issued NAIH-5802-6/2022 dated July 20, 2022. in his order no., he repeatedly requested the additional sending of the requested database within 3 days.
viii) At the request of the Authority to make a statement, supported by documents, that
 
13
what percentage of the sales revenue shown in the data for the 2020 report was made up of product sales to customers achieved through postal inquiries using BM data services, the Obligee stated that the records kept by the marketing department only show sales starting from June 1, 2020, because On June 1, 2020, they switched to a new system and such data stored by the previous system are no longer included in the new register.
According to the Obligor's records, the so-called In the case of "miniDM", i.e. persons contacted by mail for direct marketing purposes, a total of 1,045 hearing aids were sold after June 1, 2020, of which 599 were customers who came for a hearing test based on a postal request letter using BM data services, after which hearing aid for sale.
The Authority NAIH-5802-6/2022 dated July 20, 2022. in his order no., he repeatedly requested the fulfillment of this request by stating that if he does not have the requested information and data for the period between January 1, 2020 and June 1, 2020,
for the period after June 1, 2020 - with documents
supported - present the BM data services broken down by year
to customers reached by postal inquiry
product sales ratio, both the Obligor and the AMPLIFON group of companies
regarding.

NAIH-5802-6/2022 dated July 20, 2022 is the Obligor's Authority. received its order no. on August 5, 2022. In its reply dated August 8, 2022, the Obligor stated the following:
- The Obligee has sent its database excerpt from its entire customer database as of August 5, 2022, in relation to persons with the surname beginning with the last name indicated by the Authority.
The attached table contains 913 records, in which the Obligor maintains the following customer data: name, customer number, postal code, name and nature of public area, house number (building, stairwell, floor, door), main phone/mobile phone number, e-mail address , associated hearing center, date of birth.
In relation to the attached table, the Obligee submitted that it manages several databases depending on the legal basis, for what purpose and for how long. The Obligor basically stores the data in electronic form using the Microsoft Dynamics CRM software (hereinafter: CRM). The database registered in the CRM system is the most extensive, while in the case of data requested from the BM, the data of the affected parties are recorded in a separate Excel table (hereinafter: DM table). If a person applies for a hearing test after the postal inquiry, the person is removed from the DM table and transferred to the CRM system, because the contacted person becomes a potential customer who is open to being examined and buying a hearing aid. This is necessary so that if the person in question decides to take part in the hearing test and requests an appointment for this, he/she will be removed from the scope of data that the Obligee is entitled to handle for 6 months according to the law.
The DM table is therefore a separate independent table whose data is automatically deleted every 6 months. The table attached to the Authority does not include the data handled for direct marketing purposes, because they are handled by the Obligee in a completely different way (for a different purpose, with a different legal basis, different data, for a different period of time) than the data of customers who are already customers.
 
14
The Obligor repeatedly highlighted in his statement that he cannot attach a copy of the database detail of the persons with the indicated surname from his customer database as of the last day of the examined period, i.e. October 5, 2021, taking into account that those who appeared in the database provided by BM with such a surname beginning are your data has since been deleted, as the statutory 6-month period has expired.
- According to the Obligor's statement, he does not have any documentation and records with which he could give an exact percentage regarding the proportion of product sales to customers reached by postal inquiry using BM data services. The Obligee records all sales of hearing aids in a table, regardless of who bought them and under what influence, so no separate aspect is recorded in the table.
In the register, the Obligee only sees how many people participated in hearing tests and how many hearing aids were sold on an annual basis. What is the relationship between these, i.e. in what forum did the people who bought the sold hearing aids find out about it and as a result of the postal inquiry or other direct marketing activity (television and radio advertisements, internet advertisements, press products, postal inquiries, events, professional statements, etc.) were purchased from the Obligation as a result, you have no information.
A significant part of the Obligor's sales revenue comes from the sale of the device, however, there is no data available regarding who bought a hearing aid, where they learned about its possibility, and whether those who went for a hearing test bought a hearing aid.
According to the Obligor's statement, direct marketing mail inquiries account for approximately 5-10% of the total sales, however, since these data must be deleted every 6 months according to the law, the Obligor is not in a position to prove what caused them hearing aids for sale.
II. Applicable legal regulations
According to the preamble (39) of the General Data Protection Regulation, the specific purposes of personal data management must first of all be explicitly formulated and legal, and also defined at the time of personal data collection. Personal data must be suitable and relevant for the purpose of their management, and the range of data must be limited to the minimum necessary for the purpose.
According to recital (42) of the General Data Protection Regulation, if the data processing is based on the data subject's consent, the data controller must be able to prove that the data processing operation has been consented to by the data subject. Especially in connection with the written statement made in another case, it is necessary to ensure with guarantees that the person concerned is aware of the fact that he gave his consent, as well as to what extent he did so. In accordance with Council Directive 93/13/EEC, the data controller provides a pre-drafted consent statement, which is made available in an understandable and easily accessible form, and its language must be clear and simple and must not contain unfair terms. In order for the consent to be considered based on information, the data subject must at least be aware of the identity of the data controller and the purpose of processing personal data. Giving consent cannot be considered voluntary if the data subject does not have real or free will
 
15
with the possibility of choice, and it is not possible to refuse or withdraw the consent without it being to its detriment.
Based on Article 2 (1) of the General Data Protection Regulation, the General Data Protection Regulation shall be applied to the processing of personal data in a partially or fully automated manner, as well as to the non-automated processing of personal data that are part of a registration system or that are they want to make it part of a registration system. For data management under the scope of the General Data Protection Regulation, Infotv. According to Section 2 (2), the general data protection regulation must be applied with the additions indicated there.
Pursuant to Article 2 (2) of the General Data Protection Regulation, the regulation does not apply to the processing of personal data if:
a) they are carried out during activities outside the scope of EU law;
b) it is carried out by the member states in the course of activities falling within the scope of Chapter 2 of Title V of the EUSZ;
c) carried out by natural persons exclusively in the context of their personal or home activities;
d) it is carried out by the competent authorities for the purpose of preventing, investigating, detecting, prosecuting or enforcing criminal sanctions, including the protection against threats to public safety and the prevention of these threats.
According to Article 4, point 1 of the General Data Protection Regulation, “personal data: any information relating to an identified or identifiable natural person (“data subject”); a natural person can be identified directly or indirectly, in particular on the basis of an identifier such as name, number, location data, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person identifiable."
According to Article 4, Clause 11 of the General Data Protection Regulation, "the consent of the data subject": the voluntary, specific, and clear declaration of the will of the data subject based on adequate information, with which the data subject indicates by means of a statement or an unmistakable act of confirmation that he gives his consent to the data concerning him to manage personal data.
According to Article 5 (1) of the General Data Protection Regulation, personal data:
a) it must be handled legally and fairly, as well as in a transparent manner for the data subject ("legality, fair procedure and transparency");
b) it is collected only for specific, clear and legitimate purposes, and they are not handled in a way that is incompatible with these purposes; in accordance with Article 89 (1), further data processing for the purpose of archiving in the public interest, for scientific and historical research purposes or for statistical purposes is not considered incompatible with the original purpose ("purpose limitation");
c) they must be appropriate and relevant from the point of view of the purposes of data management, and must be limited to what is necessary ("data economy");
d) they must be accurate and, if necessary, up-to-date; all reasonable measures must be taken to promptly delete or correct personal data that is inaccurate for the purposes of data processing ("accuracy");
e) it must be stored in a form that allows the identification of the data subjects only for the time necessary to achieve the goals of personal data management; personal data may be stored for a longer period only if the processing of personal data is carried out in the public interest in accordance with Article 89 (1)
 
16
purpose, will take place for scientific and historical research purposes or for statistical purposes, subject to the implementation of the appropriate technical and organizational measures prescribed in this regulation to protect the rights and freedoms of the data subjects ("limited storage");
f) must be handled in such a way that adequate security of personal data is ensured by the application of appropriate technical or organizational measures, including protection against unauthorized or illegal processing, accidental loss, destruction or damage of data ("integrity and confidentiality").
According to paragraph (2), the data controller is responsible for compliance with paragraph (1) and must also be able to prove this compliance ("accountability").
Pursuant to Article 6 of the General Data Protection Regulation, the processing of personal data is legal only if and to the extent that at least one of the following is met:
a) the data subject has given his consent to the processing of his personal data for one or more specific purposes;
b) data processing is necessary for the performance of a contract in which the data subject is one of the parties, or it is necessary for taking steps at the request of the data subject prior to the conclusion of the contract;
c) data management is necessary to fulfill the legal obligation of the data controller;
d) data processing is necessary to protect the vital interests of the data subject or another natural person;
e) data processing is in the public interest or is necessary for the execution of a task performed in the context of the exercise of public authority delegated to the data controller;
f) data management is necessary to enforce the legitimate interests of the data controller or a third party, unless the interests or fundamental rights and freedoms of the data subject take precedence over these interests, which require the protection of personal data, especially if the data subject is a child.
Point f) of the first subparagraph cannot be applied to data management carried out by public authorities in the performance of their duties.
According to Article 7 (1) of the General Data Protection Regulation, if the data management is based on consent, the data controller must be able to prove that the data subject has consented to the processing of his personal data.
Based on Article 12 (1) of the General Data Protection Regulation, the data controller shall take appropriate measures to ensure that the data subject is provided with all the information referred to in Articles 13 and 14 and Articles 15-22 regarding the processing of personal data. and Article 34 provide each and every piece of information in a concise, transparent, understandable and easily accessible form, clearly and comprehensibly worded, especially in the case of any information addressed to children. The information must be provided in writing or in another way, including, where applicable, the electronic way. Verbal information can also be provided at the request of the data subject, provided that the identity of the data subject has been verified in another way.
Paragraphs (1)-(2) of Article 14 of the General Data Protection Regulation:
(1) If the personal data were not obtained from the data subject, the data controller is the data subject
provides the following information:
a) the identity and contact details of the data controller and - if any - the representative of the data controller;
b) contact details of the data protection officer, if any;
c) the purpose of the planned processing of personal data and the legal basis of data processing;
d) categories of personal data concerned;
e) recipients of personal data, or categories of recipients, if any;
 
17
f) where applicable, the fact that the data controller wishes to forward the personal data to a recipient in a third country or to an international organization, and the existence or absence of the Commission's compliance decision, or in Article 46, Article 47 or Article 49 In the case of data transfer referred to in the second subparagraph of paragraph (1), the indication of suitable and suitable guarantees, as well as a reference to the methods for obtaining a copy of them or their availability.
(2) In addition to the information mentioned in paragraph (1), the data controller provides the data subject with the following additional information necessary to ensure fair and transparent data management for the data subject:
a) the period of storage of personal data, or if this is not possible, the criteria for determining this period;
b) if the data management is based on point f) of paragraph 1 of Article 6, on the legitimate interests of the data controller or a third party;
c) the data subject's right to request from the data controller access to personal data relating to him, their correction, deletion or limitation of processing, and to object to the processing of personal data, as well as the data subject's right to data portability;
d) in the case of data management based on point a) of Article 6 (1) or point a) of Article 9 (2), the right to withdraw consent at any time, which does not affect the legality of data management carried out on the basis of consent before the withdrawal;
e) the right to submit a complaint addressed to a supervisory authority;
f) the source of the personal data and, where appropriate, whether the data comes from publicly available sources; and
g) the fact of automated decision-making referred to in paragraphs (1) and (4) of Article 22, including profiling, as well as, at least in these cases, comprehensible information regarding the logic used and the significance of such data management and the benefits for the data subject has expected consequences.
Nytv. According to Section 2 (1), the citizen - unless the law provides otherwise - has the right to prohibit the release of the data registered about him. The data affected by the ban can be released based on the individual permission of the citizen. The costs of the latter procedure shall be borne by the applicant.
Nytv. Paragraphs (1) - (2) of § 3:
(1) The register is a public authority register that contains and certifies the personal, residential address and notification address data of the citizens included in the register, as well as the changes that have occurred in them, as defined in this Act.
(2) The task of the register is to collect and manage the data defined in this law and their changes, to issue documents about them and to provide data to the legally defined rights holders.
Nytv. According to § 5, paragraph (7):
(7) Data provision: the data of citizens included in the register in the law
communication of specified content and scope. Including:
a) individual data provision: communication of a citizen's data;
b) group data provision: regular or ad hoc communication of the data of citizens belonging to a group formed by the data requester or according to criteria defined by law.
Nytv. Section 17, subsection (1) and subsection (2), point a):
 
18
(1) The bodies of the registry shall provide data under the conditions and limits defined in this law - at the request of the citizen, legal person or organization without legal personality, in case of proof of the purpose and legal basis of the use.
(2) Data from the register can be provided according to the following grouping: a) name and address data (information about the address);
Nytv. According to § 19:
(1) Any citizen, legal person or organization without legal personality is entitled to request the provision of data pursuant to Section 17, Subsection (2), point a) upon proof of the purpose and legal basis of use:
a) in order to enforce his right or legitimate interest,
b) for the purpose of scientific research,
c) sample required to start public opinion polls and market research, and
d)
(2) Persons entitled to request data based on points b) and c) of paragraph (1) may request data according to the following selection criteria:
a) for the purpose of scientific research, according to the data specified in points a)-e), g)-h) and k) of § 11, paragraph (1) of the Act,
b) for the purpose of public opinion research and market research, according to points c)-d), h) and k) of Section 11 (1),
c)
(3) In the case of a data request based on points b) and c) of paragraph (1), the applicant must properly prove his/her right to perform the activity specified therein and to request the data.
(4) The application must be refused if
a) the release of the data has been blocked by the citizen, unless he has given permission for the release of the data on a case-by-case basis;
b) the applicant did not or did not adequately prove the purpose of using the data, as well as its legal basis;
c) the stated purpose does not affect the applicant's right or legitimate interest, or violates the privacy rights of the citizen affected by the data;
d) ninety days have not yet passed after the registration of the newborn's data.
(5)
(6)
LXVI of 1992 on the registration of citizens' personal data and residential address. 146/1993 on the implementation of the law (X.26.) According to the provisions of Section 24 (1) of Government Decree (hereinafter: Nytv. vhr.):
Citizens, legal entities, or organizations without legal personality may request the provision of data from the register in writing - or recorded in minutes. The data content of the application is contained in Annex 2.
Section 25, paragraph (1): The applicant certifies:
a) his right to request data, if in his application the Nytv. Section 19, paragraph (1).
It refers to the purposes indicated in points b) and c).
Nytv. vhr. According to paragraphs (2)-(3) of § 26:
(2) In the case of group data provision, in addition to what is contained in paragraph (1), the license includes the method of data provision, other conditions and requirements related to the performance of the service.
(3) In addition to the provisions of paragraphs (1) and (2), the license for regular data provision includes the date of the service (periodic or continuous) and the
 
19
license validity period.
The Kktv. According to Article 2, paragraph (1), point 3, market research: examination of the consumer habits of the person concerned.
The Kktv. According to Section 2 (1) point 4 of its text version valid until April 25, 2019 Direct business acquisition (direct marketing): the set of informational activities and additional services carried out by the method of direct inquiry, the purpose of which is to sell products or services, provide or XLVIII of 2008 on the basic conditions and certain limitations of economic advertising, which is directly related to sales promotion. transmission of advertising to consumers or trading partners (hereinafter referred to as: customers) according to point d) of § 3 of the Act (hereinafter: Grt.).
Infotv. According to Section 60 (1), in order to assert the right to the protection of personal data, the Authority may initiate a data protection official procedure ex officio.
Infotv. 60/A. According to § (1), the administrative deadline in the official data protection procedure is one hundred and fifty days, which does not include the time from the request for the disclosure of the data necessary to clarify the facts to its completion.
Infotv. According to § 61, paragraph (1), point a), in the decision made in the official data protection procedure, the Authority shall refer to Infotv. You may apply the legal consequences defined in the general data protection regulation in connection with the data management operations defined in § 2, paragraph (2).
Infotv. According to Section 61 (2), the Authority may order the publication of its decision - by publishing the identification data of the data controller or data processor - if the decision affects a wide range of persons, it was made in connection with the activities of a body performing a public task, or the gravity of the infringement is made public justifies bringing.
Infotv. 75/A. §: The Authority exercises its powers contained in paragraphs (2)-(6) of Article 83 of the General Data Protection Regulation by taking into account the principle of proportionality, in particular by the fact that, for the first time, the regulations regarding the handling of personal data - defined in legislation or in a binding legal act of the European Union in the case of a violation of the law, in accordance with Article 58 of the General Data Protection Regulation, measures are taken to remedy the violation, primarily by warning the data controller or data processor.
GDPR Article 58 (2) points b), d), i) and g): Acting within the corrective powers of the supervisory authority:
b) condemn the data manager or the data processor if their data management activities violated the provisions of this regulation;
i) imposes an administrative fine in accordance with Article 83, depending on the circumstances of the given case, in addition to or instead of the measures mentioned in this paragraph;
g) in accordance with the provisions of Articles 16, 17 and 18, orders the correction or deletion of personal data, or the restriction of data management, and in accordance with Article 17, paragraph (2) and Article 19, orders the recipients to notification to whom or to which the personal data was disclosed.
Based on Article 83 (1) of the General Data Protection Regulation, all supervisory
 
20
authority ensures that the administrative fines imposed on the basis of this article due to the violation mentioned in paragraphs (4), (5), (6) of this regulation are effective, proportionate and dissuasive in each case.
According to Article 83 (2) of the General Data Protection Regulation, administrative fines must be imposed in addition to or instead of the measures mentioned in Article 58 (2) a)-h) and j) of the General Data Protection Regulation, depending on the circumstances of the case. When deciding whether it is necessary to impose an administrative fine, and when determining the amount of the administrative fine, the following must be sufficiently taken into account in each case:
a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the data processing in question, as well as the number of data subjects affected by the infringement, as well as the extent of the damage suffered by them;
b) the intentional or negligent nature of the infringement;
c) any measures taken by the data controller or the data processor to alleviate the damage suffered by the data subjects;
d) the extent of the responsibility of the data manager or data processor, taking into account the technical and organizational measures taken by it on the basis of Articles 25 and 32 of the General Data Protection Regulation;
e) relevant violations previously committed by the data controller or data processor;
f) the degree of cooperation with the supervisory authority in order to remedy the violation and mitigate the possible negative effects of the violation;
g) categories of personal data affected by the infringement;
h) the manner in which the supervisory authority became aware of the violation, with particular regard to whether the data controller or data processor reported the violation, and if so, in what detail;
i) if one of the measures mentioned in Article 58 (2) of the General Data Protection Regulation was previously ordered against the data controller or data processor in the same subject, compliance with the measures in question;
j) whether the data manager or the data processor adhered to the approved codes of conduct pursuant to Article 40 of the General Data Protection Regulation or the approved certification mechanisms pursuant to Article 42 of the General Data Protection Regulation; as well as
k) other aggravating or mitigating factors relevant to the circumstances of the case, such as financial gain or avoided loss as a direct or indirect consequence of the infringement.
According to Article 83 (5) of the General Data Protection Regulation, the violation of the following provisions - in accordance with paragraph (2) - with an administrative fine of up to EUR 20,000,000 or, in the case of businesses, a maximum of 4% of the total annual world market turnover of the previous financial year shall be charged with an amount equal to, with the higher of the two amounts to be imposed:
a) the principles of data management - including the conditions of consent - in accordance with Articles 5, 6, 7 and 9 of the General Data Protection Regulation;
b) the rights of the data subjects are set out in Articles 12-22 of the General Data Protection Regulation. in accordance with Article;
c) transmission of personal data to a recipient in a third country or an international organization pursuant to Articles 44-49 of the General Data Protection Regulation. in accordance with Article;
d) IX of the general data protection regulation. obligations according to the law of the Member States adopted on the basis of chapter;
e) according to Article 58 (2) of the general data protection regulation of the supervisory authority
 
21
failure to comply with its instructions, or its request for temporary or permanent restriction of data processing or suspension of data flow, or failure to provide access in violation of Article 58 (1) of the General Data Protection Regulation.
III. Decision of the Authority
III.1. The subject of the official data protection procedure and the examined data management period
III.1.1. The Authority received a number of reports in which the whistleblowers objected to the fact that the Obliger sent them a notification - an invitation to a screening test - by post, despite the fact that the whistleblowers had not previously consented to it.
The Authority launched ex officio proceedings to investigate whether the Obligor complies with the provisions of the General Data Protection Regulation during this data management practice.
According to the company register, the Obligor was founded on May 8, 1992. Its main activity is the retail trade of medical products. According to the Obligor's statement and the information available on his website, he is the market-leading distributor of hearing aids in the country and the world. According to the company register, the Obligor currently operates 20 locations and 62 branches in Hungary.
III.1.2. The Authority NAIH-7550-1/2021. as stated in order no.
The data management period of the Obligor examined in this procedure is the period from January 1, 2020 to October 5, 2021.
III.2. Brief summary of the examined data management activity
III.2.1. In connection with inquiries sent by post, the Obligee manages the name and address data of the persons concerned - as possible patients. The Obligee requested the name and address data from the BM in order to find the persons concerned.
During the examined data management period, the purpose of data use indicated by the Obligee in the data request was, on the one hand, contacting and maintaining contact for direct marketing purposes, and then, as indicated in subsequent requests (after February 23, 2021), the purpose of data management was market research.
III.2.2. According to the Obligor's declaration, he requests name and address data from BM on average every month. Within the examined data management period - according to the attached application copies, between June 24, 2020 and August 4, 2021 - the Obligee applied to the BM 9 times with a request for data provision. In connection with these requests, the Obligee received an average of 300,000-400,000 name and address data from the BM.
According to the Obligee's declaration, the personal data processed in connection with postal inquiries is managed in an Excel spreadsheet, and the data provided by BM is also done in this format. In the attached Excel database, the obligee's surname, first name, first name2, PIR
 
22
(zip code), settlement, public area, character, house number, building, Lph., Em., Door, County code data is stored.
The legal basis for the data management related to the sending of postal notifications is both the declaration of the Obligee and the voluntary consent of the data subjects, as stated in the data management information attached by him and also available on the Obliger's website.
III.3. Data management practices related to postal inquiries of prospective customers of the Obligor
III.3.1. Requesting data from the personal data and address register
In accordance with its declaration and the attached data management information and data management register, the Obligee manages the names and addresses of the data subjects as potential customers in connection with postal inquiries. According to the Obligor's declaration, the source of the data is exclusively the citizens' personal data and address register.
According to his declaration, the Obligee requests name and address data from the BM for specific age groups on average every month - i.e. by defining a time interval covering several years. The period of use of the requested data is 6 months.
According to the attached copies of the data request request, the Obligee indicated the direct marketing purpose as the basis for the data provision in its requests dated June 24, 2020, September 4, 2020, and October 13, 2020.
The Obligor's request of January 25, 2021 also indicated the direct marketing purpose as the basis for the provision of data. However, the BM terminated the procedure in connection with this request, according to the reasons for its order, the reason for this was that the Obligee withdrew the request on February 22, 2021, citing lack of reason for the request.
Immediately thereafter, on February 23, 2021, the Obligee submitted another request for data provision to the BM, in which, however, the direct marketing purpose was no longer indicated as the basis for the provision of data, but contact and contact for market research purposes was indicated. In its decision, the BM granted the Obligee's request for data provision and allowed him to use regular group data provision for 6 months and to use the data in the context of market and public opinion research for the purpose of contacting and maintaining contact. BMSZAE/382-1/2021 dated March 2, 2021. according to the reasons for decision no., the Obligee proved his right to "conduct market and public opinion research activities" with a copy of the company extract from Nytv. in paragraph (3) of § 19 and Dmtv. In accordance with the provisions of paragraph (2) of § 4".
III.3.2. Legal basis for data management
Based on the definition of the GDPR, the name and address are the personal data of the data subject, while any operation performed on the data, such as the collection, recording, storage, organization and use of the data, is considered data management.
For data processing to be legal, the data controller must have a legal basis for data processing in accordance with Article 6 (1) of the GDPR.
 
23
The Obligee indicated the voluntary consent of the data subjects as the legal basis for its data processing – i.e. contact via postal inquiry – since, according to its position, the exercise of data subject rights is ensured and the data subjects can withdraw their consent at any time. The affected parties can do this by indicating in a statement addressed to the BM that they do not wish to make their data available for market and public opinion research purposes, i.e. they live according to Nytv. with the right to prohibit the release of data contained in § 2.
According to the Obliger's point of view, the data subjects have the opportunity to declare to BM or to the Obliger that they do not wish to consent to the processing of their data. If they do not do this, their consent will be deemed to have been given.
Nytv. According to the provisions of § 3, the personal data and address register is a public register, which contains and certifies the personal, address and notification address data of the citizens included in the register as specified in the Official Gazette, as well as the changes that have occurred in them. The task of the registry is to collect and manage the data specified in the Official Gazette and their changes, to issue documents about them and to provide data to the authorized persons defined by law.
According to the Obligor's point of view, the consent of the persons concerned, i.e. the citizens included in the personal data and address register, can be considered automatically given, unless the release of their data has been prohibited in the personal data and address register.
Article 4, Clause 11 of the General Data Protection Regulation states that the data subject's consent is a voluntary, specific and clearly informed statement of the data subject's will, by which the data subject indicates by means of a statement or an unmistakable act of confirmation that he/she gives his/her consent to the personal data concerning him/her to manage data.
In order for the data controller to be able to legitimately refer to the legal basis of the consent, all conceptual elements of the consent must meet the relevant requirements.
5/2020 on consent of the European Data Protection Board. guidelines No. 2, as well as those explained in the guidelines No. WP259 on consent of the Data Protection Working Group established on the basis of Article 29 of the Data Protection Directive, issued as its predecessor, confirm that a statement or an act clearly expressing confirmation is a prerequisite for regular consent. The data subject must make a clear declaration of consent. Recital (42) of the General Data Protection Regulation also states that the data controller must provide a pre-formulated declaration of consent, which must be made available in an understandable and easily accessible form.
Based on the data subject's consent, data processing may take place if he/she consents to the processing of his/her personal data by a clear affirmative act. This affirmative action fulfills the data subject's right to informational self-determination: based on adequate information, the data subject considers whether or not to give consent to specific data management. Consent will be clear if the data controller ensures that the data subject must take an active action in order for data processing to take place. For this, any statement or action that clearly indicates that the data subject has given his consent to the planned processing of his personal data is acceptable.
At the same time, the silence of the person concerned cannot be accepted as an affirmative act. If the data subject does not take any active action regarding the granting of consent, then the data controller cannot conclude from this that the data subject has consented to data processing.
 
24
The Obligee therefore bases the existence of consent to data management on the fact of being included in a public register. However, according to the Authority's point of view, being in the register alone cannot be considered a concrete, clear declaration of the will of the person concerned, and above all it cannot be considered voluntary and based on adequate information. Citizens included in the personal data and address register, as a public register, do not have the option of choosing whether or not to be included in the register, the register is not a register based on the voluntary consent of citizens. Nytv. Pursuant to the provisions of § 2, they have the right to prohibit the release of the data registered about them, the failure to do so - i.e. the "listening" of the data subject as explained above - does not mean that the data subject has consented to the Nytv . It can be issued during the performance of data provision in accordance with § 19, paragraph (1), and the data subject can therefore be contacted by anyone by post.
Consent is also closely related to appropriate prior information, i.e. that the data subject has adequate information in connection with the data management conditions before making the decision to grant consent, which is also clearly lacking in this case.
According to Article 7 (1) of the General Data Protection Regulation, in the case of consent as a legal basis, the data controller must also be able to prove that the data subject has consented to the processing of his personal data, which obligation - subject to the principle of accountability - also includes that the data controller can prove , that certain conceptual elements of the consent (adequate information, voluntariness, clarity of the consent) were properly applied during the obtaining of the consent, and also fulfilled the additional requirements set out by the decree in connection with the consent. These conditions obviously do not apply during data processing by the Obligor due to the reasons explained above.
Based on all of this, the data management of the Obligor in this form - i.e. contacting by mail - cannot have a legal basis for consent according to Article 6 (1) point a) of the General Data Protection Regulation, since all its conceptual elements are missing.
Based on the above, the Obligee violated Article 6 (1) of the General Data Protection Regulation, as it unlawfully based its data processing on the legal basis of consent and did not prove the existence of a valid legal basis to the Authority.
According to the Authority's point of view, an appropriate procedure that can be followed in order to ensure the legality of the additional requirements of data management is if the organization requesting the data does not request the provision of citizens' personal data from the personal data and residential address register, but Nytv. As explained in paragraph (4) of § 18, the so-called initiates a contact procedure, during which the body of the register searches for the designated circle of persons, delivering the initiator's message to the recipients. The recipient, in case of interest, visits the initiating body himself, so the legal basis for data management on the part of the initiating body will in this case be the consent of the person concerned.
III.3.3. Purpose-bound data management
According to the principle of purpose-bound data management according to Article 5 (1) point b) of the General Data Protection Regulation, the collection of personal data is only defined, clear and
 
25
may be done for a legitimate purpose and may not be processed in a way that is incompatible with these purposes. Furthermore, according to the provisions of recital (39), the specific purposes of personal data management must be explicitly stated and legal, and must be defined at the time of collection of personal data.
The scope of the data must be limited to the minimum necessary for the purpose in accordance with the principle of data saving according to Article 5 (1) point c) of the General Data Protection Regulation.
According to the Obligor's statement, the purpose of using the requested data (name and address data) is to contact and maintain contact within the framework of market and public opinion research.
Nytv. According to Section 19 (1) point c), any legal person is entitled to request the provision of name and address data, with proof of the purpose and legal basis of the use, in order to compile a sample necessary to start public opinion polls and market research. According to paragraph (3) of the same §, the applicant must also properly prove his/her right to perform the activity specified there, as well as to request data.
According to the justification of the "1-year license application for contacting and maintaining contact for the purpose of market research" submitted to the Obligatory BM dated February 23, 2021, the purpose of data use is "to be able to contact the population in areas related to health preservation, including hearing and hearing loss. ".
Based on the justification for the license application for direct marketing data previously submitted to the BM, the purpose of data use is to "inform the public about our hearing care service.".
Therefore, from March 2021, the Obligee requested the requested data no longer for use related to direct marketing purposes, but in connection with market research, and the provision of data was authorized by the BM for this purpose.
Therefore, the Obligor requested data from BM for direct marketing, i.e. direct business acquisition, up to this date (March 2021), despite the fact that since April 26, 2019, Kktv. its scope no longer extends to natural and legal persons who require or process name and address data for the purpose of contacting them for direct business acquisition, i.e. as of April 26, 2019, the legal authorization of this data management has ceased.
The Kktv. according to its previous definition, direct business acquisition (direct marketing) is the set of informational activities and additional services carried out by the method of direct inquiry, the purpose of which is directly related to the sale, service or sales promotion of products or services, Grt. transmission of advertising to consumers or commercial partners according to point d) of § 3.
At the same time, it can be concluded that, despite the newly indicated purpose of data use (market research) in the application, the Obligor's actual data use practice did not change compared to the previous ones until July 2021, according to the Obligor's statement and the content of the postal notification sample attached by him, the notification remained unchanged until July 2021. part 2.1. the same informative text described in sub-point xii) of section 10 was included as on the postal notices previously sent for direct marketing purposes. The Obligor provides the requested data
 
26
therefore, he continued to use it unchanged, i.e. he handled the requested data for the purpose of contacting his potential patients by mail in a addressed letter and informing them of the location and time of the free hearing screening service provided by the Obligor.
It can be concluded that the "market research" as a data processing purpose indicated in the information sheet, however, masks the real purpose, which is also confirmed by the fact that the subject indicated as a data processing purpose in the data requests submitted to the BM is not specifically market research, but misleadingly "contacting for the purpose of market research and contact", which purpose is a general concept, and taking into account the data management activity carried out by the Obligor, the underlying purpose is still the direct marketing purpose.
In relation to the two-page, undated document called "Market Research Plan" attached by the Obligee to the Authority's invitation, the Authority found that it cannot actually be considered a research plan, but in terms of content is only a copy of the first two pages of the previously attached market research study, so the Authority considers it a research plan. he could not evaluate it as a plan and as a support for the market research goal.
According to the Authority, in the statements of the Obligee regarding what business and other decisions were based on his activities, which he assessed as market research, he only formulated ideas for the future. The market research study attached by the Obligee during the procedure indicated the period between March 2021 and September 2021 as the period examined during the market research, despite this, the Obliger was unable to present the decisions and results made on the basis of the market research, the actual professional market research, upon the call of the Authority did not prove it to the Authority.
Also based on the Obligor's statements - "based on the results of the study, a strategy based on market analysis was developed, the target audience was defined, the target audience was personalized, the main touchpoints were created, a sales strategy was planned, new hearing salons were planned, closed, additional resources were planned or downsized" - the conclusion it can be deduced that the activity he evaluates as market research is an activity closely related to marketing.
According to the Obligor's reference, the name and address data were needed to establish contact with future customers, which essentially meant that he tried to reach new customers by sending an invitation, which also proves the marketing purpose. This is supported by the finding already referred to above, that until July 2021, the content of the information placed on the notices did not provide any information that the Obligor's activities would serve the purpose of market research.
In its reply letter sent to the Authority on August 8, 2022, the Obligee also referred to the postal inquiries as "direct marketing postal inquiries" in several places, and in its statements also referred to the table containing the data requested from the BM as "for direct marketing purposes data managed and stored in the DM table" (points 6 and 14 of the response letter dated August 8, 2022).
The Authority evaluates the above as the fact that the Mandatory did not provide information confirming the conduct of the market research, and the attached documents and statements were evaluated by the Authority as not proving the existence of the market research objective.
Based on all of this, according to the Authority's point of view, it can be established that the Obligor's data requests to the BM from the end of February 2021 - the apparent compliance with the legal requirements
 
27
in order to comply - he tried to transform his data management into market research in such a way that he continued his data management for the purpose of direct marketing under this name. However, despite the fact that the Obligee indicated market research as the purpose of the data use, it continued to address the data subjects with the previous request samples until July 2021, so the primary purpose of the data management - about which the request sent to the data subjects did not contain any information at all - remains direct business acquisition volt.
The informational text subsequently placed on the notices by the Obligor - following the start of the official inspection and modified as a result - indicates market research as the purpose of data use, taking into account, however, that the Obligor - according to both his declaration and the information available on his website - country and the world's leading distributor of hearing aids, and the company's main activity is also the retail trade of medical products, based on the reasons presented above, the primary purpose of the data management was still the previously mentioned direct business acquisition (direct marketing), and not the Kktv. According to the definition of point 3 of § 2, the examination of the consumer habits of the data subject (market research), i.e. as stated in the information contained in the notification applicable from July 2021: "4. Purpose of data management/data use: market research. We are contacting you with this letter because we want to assess how much of the population of Hungary in the age group between ...-... wants to use our company for a hearing test".
Based on the above, the Obligee violated the principle of purpose limitation according to Article 5 (1) point b) of the General Data Protection Regulation.
III.3.4. The purpose must be explained in a clear, obvious, understandable language in such a way that the affected parties are aware of all the essential circumstances of data management, the specific goals and the range of data aligned with them, as well as the process of managing their personal data. This expectation of the data controller follows from the principle of transparency and fair data management according to Article 5 (1) point a) of the General Data Protection Regulation, and the conditions for the enforcement of the data subject's rights can be derived from this.
Compliance with the principle of being bound to a purpose therefore consists of two main parts: on the one hand, it includes the choice of a clear and at the same time legal purpose, and on the other hand, as a consequence, the handling of personal data in a way that is compatible with the purpose and goals. The expectations arising from these are the following:
- a concretely defined purpose, declared before the start of data management (this was completely omitted when contacting the data subjects by post);
- legitimate purpose in accordance with the legal basis and in connection with the data management (the Obligee based its data management related to postal inquiries on an inappropriate legal basis as explained in point III.3.2, and the definition of the purpose of the data management (data use) cannot be considered realistic during the examined data management period;
- understandable communication to the target group, not ambiguous or misleading (in the first half of the examined data management period, no adequate information was provided to the data subjects - especially about the purpose and legal basis of data management - the Obligor, based on the available information, in order to fulfill the request for data changed the purpose of data use indicated earlier (direct marketing) to the purpose of market research in order to apparently comply with legal requirements, but at the same time there was no change in the actual data use activity and notification sending practice, which confirms that the purpose of data management
 
28
has not actually changed, the market research goal has always been pushed into the background compared to the primary, direct marketing goal);
- in the case of additional goals and objectives, interpretation according to the test of compatibility, which usually assumes a high degree of similarity between the earlier and later goals (in this case, the compatibility of goals did not arise, so compliance with this condition is irrelevant).
Based on the available information, the Authority established that the Obligor - in III.3.3. as detailed in point - despite the change in legislation, in order to demonstrate compliance with it, it deceptively wanted to continue its previous direct marketing data processing as if the purpose of the data processing was market research, i.e. as if its data processing met the changed legal conditions. However, providing the opportunity to participate in the free hearing screening and sending invitations to those concerned by mail was still primarily for the purpose of sales, because according to the Authority's point of view, the research into consumer habits from the point of view of who buys the hearing screening cannot be considered market research, nor is it primarily market research. part and who subsequently buys a product. If this were solely for the purpose of market research, then the research of the intention to participate would be sufficient for the market research, following the principle of data saving.
According to the Authority's findings, the data processing was still carried out for sales and direct marketing purposes, to which the information should have been extended. On the other hand, the Obligor indicated market research as the purpose of data management. As a result, there was a clear lack of accurate and factual information, which is essential for proper information.
On the basis of the above, the Authority concludes that the Obligor has violated the fair procedure pursuant to Article 5 (1) point a) of the General Data Protection Regulation by misleading the affected parties and the Ministry of the Interior regarding the real purpose of the data management, and by concealing the real purpose of the data management principle.
III.3.5. Information provided during the postal inquiry
III.3.5.1. According to Article 12 (1) of the General Data Protection Regulation, the Obligee, as an independent data controller, is obliged to take appropriate measures in order to provide the data subjects with all the information referred to in Articles 13 and 14 regarding the processing of personal data and Articles 15-22 . and provide each piece of information according to Article 34 in a concise, transparent, comprehensible and easily accessible form, clearly and comprehensibly worded.
The system of appropriate information in the General Data Protection Regulation serves to ensure that the data subject is aware of which personal data will be handled by which data controller and for which purpose and how. This is essential in order to be in a position to meaningfully exercise your data subject rights.
In the case of data management based on Article 6(1)(a) of the General Data Protection Regulation, based on Article 4, Point 11 of the General Data Protection Regulation, the data controller is obliged to provide information on the basis of which informed consent can be given, not only before data processing begins, but also before consent is obtained .
The data subject's consent to data processing can only be valid if it is specific
 
29
for the purpose(s) - which can be specified separately for each purpose - and appropriate information is provided before that, which puts the data subject in a position to make an appropriate decision on granting consent and meets all other validity requirements stipulated in the General Data Protection Regulation. Both the provisions of the preamble and Article 12 (1) of the General Data Protection Regulation require the achievement of results when determining the data controller's obligations, i.e. the data controller must provide such assistance to the data subject so that he or she can exercise all data subject rights in an informed manner.
III.3.5.2. During the investigated data management, the Obligee visits potential patients by mail in such a way that it sends a notification about the location and time of the free hearing screening service it provides.
The principle of fair and transparent data management contained in Article 5 (1) point a) of the General Data Protection Regulation requires that the data subject be informed of the fact and purpose of data management. Therefore, one of the essential conditions for the legality of data management is that the data controller properly informs the data subject about all the important circumstances of data management.
13-14 of the General Data Protection Regulation. articles determine the content of the information that must be provided during the processing of personal data. Different rules apply to this (content and deadline) depending on whether the data was obtained from the data subject or not, while Article 12 of the General Data Protection Regulation provides guidelines for the formal requirements of the information.
Since the Obligor uses the data provided by the BM - i.e. after collecting the personal data not from the data subject, but from another source - to search for potential patients through postal inquiries, the Obligor must, taking into account the provisions of Article 14 of the General Data Protection Regulation, provide the data subjects with their personal data information related to its management must be made available within a reasonable period of time.
Regarding the examined data management period, the Obligor has attached two notification samples, according to his declaration, applied consecutively.
Both notification samples contain information related to data management, and the notification samples are actually distinguished by the content of the informational text placed on them.
III.3.5.3. According to the Obligor's statement, until July 2021, the name notification sent to potential patients by post contained the following information:
"If you no longer wish to receive such inquiries from Amplifon Magyarország Kft., you can cancel using one of the following contact details:
On the Internet at the e-mail address adatvedelem@amplifon.com.
By letter to the Company's address, Amplifon Magyarország Kft. 1097 Budapest, Könyves Kálmán krt. 12-14.
We bought your address data from the Central Office of Public Administration and Electronic Public Services on the CXIX of 1995. Act § 3 (1) point d) and LXVI of 1992. based on Section 17 (1) of the Act. If you no longer wish to be publicly listed in such a database, you must submit your blocking statement in writing or in person at the document office at your place of residence. Your data will be automatically deleted from Amplifon Magyarország Kft.'s database."
 
30
In connection with the examined data management, the Authority established that the information placed on the notice sent by the Obligor to potential patients by post until July 2021 did not contain the most important information contained in Article 14 of the General Data Protection Regulation:
i) The prospectus did not specifically name who can be considered a data controller. Although the information did mention the name and contact information of the Obligor, the only conclusion that can be drawn from it is that the Obligor is the data controller in connection with the examined data management [GDPR Article 14 (1) a)].
ii) The prospectus did not inform the data subjects about the (real) purpose of personal data management and the legal basis for data management [GDPR Article 14 (1) c)].
However, the information also contains two legal references, which gives the impression, in a deceptive way, that the processing of the personal data of the recipient of the information, as a data subject, is necessary to fulfill the legal obligation contained in the legislation referred to in the information, i.e. its legal basis is Article 6 (1) of the GDPR c) would be the fulfillment of a legal obligation.
iii) In its response to the Authority, the Obligee provided information about the data processors it used, however, the information placed on the notice did not include any information regarding which data processors it uses during data processing and what data processing activities they carry out [GDPR Article 14 (1 ) e)].
In addition to the above, the information sheet did not contain additional important information necessary to ensure fair and transparent data management:
iv) The information tangentially mentioned the possibility of blocking personal data and data in the address register, if the data subject does not wish to receive similar inquiries, and then informed that his data will be automatically deleted from the Obligor's database. However, the information provided no explanation as to what the automatic deletion takes place automatically in relation to. This sentence of the information is in contradiction with the provisions of the BM's decision authorizing the provision of data, according to which "the requested data from the personal data and address register can only be used within six months of the request or the last consultation." [GDPR Article 14 (2) a)].
v) Regarding the source of the data, contrary to the Obligor's statement and the contents of the attached documents, the information also provided the data subjects with the information until July 2021 that the Obligor purchased the data from the Central Office of Public Administration and Electronic Public Services, which office, however, operates on December 31, 2016 , i.e. nearly a year and a half before the General Data Protection Regulation became applicable. All of this could also be interpreted by the affected parties as - assuming that the information contained in the information corresponds to reality - that their personal data will be processed by the Obligor from this date at the latest [GDPR Article 14 (2) f)].
In connection with the previous point (iv), this also calls into question the veracity of the statement in the information that the data subject's data is automatically deleted from the Obligor's database.
vi) The information did not provide comprehensive information regarding the data subject's rights either, it only contained that the data subject could cancel the sending of inquiries at the contact details of the Obligor, which can be interpreted as information about the right to erasure [GDPR Article 14 (2) c)].
vii) In the statement given during the procedure, the Obligee indicated the consent of the data subjects as the legal basis for its data processing. In addition to the information regarding this
 
31
did not contain any information at all, in which case the information should have provided the data subjects with additional information about their right to withdraw consent [GDPR Article 14 (2) d)].
viii) The prospectus also does not provide data subjects with information on the right to submit a complaint to the supervisory authority [GDPR Article 14 (2) e)].
The Authority established that, based on the details detailed above, the information placed on the notice sent by the Obligor to potential patients by post until July 2021 did not provide the data subjects with information on all the essential circumstances of data management, thereby violating the provisions of Article 14 of the GDPR.
III.3.5.4. According to its declaration, the Obligee has updated the data management information on the notification sent to the data subjects from July 2021 (hereinafter: current information). After this date, the name notification sent to potential patients by mail is part 1 1.4 of this decision. contained the information described in subsection xi) of
In relation to the current information, the Authority established that the legal basis for data management was not indicated in it, but only informs the data subjects of the purpose of data management [GDPR Article 14 (1) c)]. Furthermore, in relation to the stated purpose of data management, the Authority shall refer to Section III.3.3 of this decision. according to what was explained and established in point 2, the real and actual purpose of the data management was not identified to the data subjects.
According to point 1 of the information sheet, "We inform you that the GDPR, Infotv. and the LLC. provides information", which, taking into account that the information sheet does not provide information on the legal basis of data management, misleads those concerned, as it creates the impression that data management takes place in the context of fulfilling a legal obligation.
Furthermore, regarding the information on the notice, the Authority found that it was not appropriate due to its small font size. The transparency of data management must also be ensured by the use of a suitable font size that facilitates the readability of the text.
During the period under review, the Obligee therefore did not provide clear, adequate and truthful information to those concerned about all the essential circumstances of data management in connection with postal enquiries, thus violating Article 14, Paragraphs (1)-(2) of the GDPR.
Furthermore, by not providing transparent and clear information, the Obligee violated the provisions of Article 12 (1) of the GDPR.
ARC. Legal consequences
IV.1. Based on Article 58(2)(b) of the General Data Protection Regulation, the Authority determines that the Obligee, by sending a postal notification containing an invitation to a screening test, without adequate information, a concretely defined and real purpose, and with an inadequate legal basis, treats the data subjects contact data (name and address), violates the principle of fair procedure according to Article 5 (1) point a) of the General Data Protection Regulation, the principle of purposefulness according to Article 5 (1) point b), Article 6 ( 1) and, in connection with the above, the obligation to provide information according to Article 12 (1) and Article 14.
 
32
In view of this, the Authority, on the basis of Article 58 (2) point g) of the General Data Protection Regulation, ex officio instructs the Obligee to delete in a documented manner the name and address data of the data subjects stored by it in connection with the sending of postal notifications, i.e. from all personal data and address registers contact data provided by BM at the request of the Obligor.
IV.2. The Authority examined whether the imposition of a data protection fine against the Obligor is justified. In this context, the Authority is in accordance with Article 83 (2) of the General Data Protection Regulation and Infotv. 75/A. §, considered all the circumstances of the case and determined that, in the case of the violations discovered during the present procedure, the warning is neither a proportionate nor a dissuasive sanction, and therefore a fine must be imposed. In the present case, the protection of personal data - which is the responsibility of the Authority - cannot be achieved without imposing a data protection fine based on the set of circumstances detailed below. The imposition of fines serves both special and general prevention, according to which the decision is also published on the website of the Authority.
IV.3. When determining the amount of the fine, the Authority first of all took into account that the violations committed by the Obligor are classified as violations of the category of higher fines according to Article 83 (5) point a) of the General Data Protection Regulation [GDPR Article 83 (2) point a) ], based on this, the maximum fine that can be imposed is EUR 20,000,000, or, in the case of enterprises, an amount of no more than 4% of the total annual world market turnover of the previous financial year. Taking this into account, the maximum fine that can be imposed on the Obligor is HUF 101,677,120.
When determining the amount of the data protection fine imposed on the Obligor, the Authority considered the following as mitigating circumstances:
- The Obligor has not yet been convicted for violating the general data protection regulation. However, the Authority has already condemned the Obligee in the investigation procedure conducted before the general data protection regulation became applicable - in which case it examined the Obligor's data management practices related to its direct marketing activities carried out through general practitioners (NAIH/2017/4819/V.), therefore the Authority took into account to a lesser extent [GDPR Article 83(2)(e)];
- After the start of the official inspection, the Obligee changed the text of the information on the notice sent by post, and tried to bring its information into line with the requirements contained in the General Data Protection Regulation [GDPR Article 83 (2) point c).
- The Authority exceeded Infotv. 60/A. § (1), the reason for this was the difficulty of clarifying the facts.
When imposing a fine on the Obligor, the Authority took into account the following as aggravating circumstances:
- the nature of the violations is particularly serious, the Obligee has committed several violations, furthermore
the principle of fair procedure is also violated [GDPR Article 83 (2) point a)];
- I.1 of this decision part 1.4. in subsection xviii) and III.2. based on what was written in point 2, the number of data subjects is significant: in the period under review, during a total of 9 data services, the Obligee received the personal data of 3-400,000 data subjects from the BM, to whom it sent postal letters [GDPR Article 83 (2) point a)];
- the range of stakeholders targeted by the Obligor is mostly the elderly, who are less able to judge the legality of the processing of their personal data and are more easily influenced for the sake of their health [GDPR Article 83 (2) point a)];
 
33
- the illegal data processing was caused by the Obligor's seriously negligent behavior and data processing practices [GDPR Article 83 (2) point b)].
IV.4. When determining the amount of the data protection fine, the following circumstances neither aggravated nor alleviated the amount of the fine, they had a neutral effect:
- the Obligee cooperated with the Authority during the procedure, but this is legal
obligation, the absence of which could be an aggravating circumstance [GDPR Article 83 (2) point f)];
- based on stakeholder complaints received against the Obligor, the Authority detected the likelihood that the Obligor's data management practices were unlawful, which resulted in the procedure initiated by the present office [GDPR Article 83 (2) point h)];
- according to the latest available 2020 data, the net sales revenue of the Obligor was HUF 2,541,928,000. The Obligor has no published report for the year 2021.
A. Other questions
The Authority calculated the procedural deadline as follows: the Authority issued the Obligor NAIH-7550-1/2021 dated October 5, 2021. notified the initiation of the official data protection procedure in order no., which order was accepted by the Obligor on October 8, 2021. In its request received on October 15, 2021, the Obligee requested an extension of the 15-day response deadline provided for in the Authority's order. The Authority extended the response deadline until November 1, 2021. The Obligor's answer is the Authority's NAIH-7550-1/2021. arrived at the Authority on November 2, 2021.
The Authority is Infotv. 60/A. Taking into account § (1), the period between October 8, 2021 and November 2, 2021 was not included in the administrative deadline, so the administrative deadline expired on March 29, 2022.
The competence of the Authority is set by Infotv. Section 38, paragraphs (2) and (2a), its jurisdiction covers the entire territory of the country.
The decision is in Art. 80-81 § and Infotv. It is based on paragraph (1) of § 61. The decision is in Art. Based on § 82, paragraph (1), it becomes final upon its publication. The Akr. On the basis of § 112, § 116, paragraph (1), and § 114, paragraph (1), the decision can be appealed through a public administrative lawsuit.
* * *
The rules of the administrative proceedings are determined by Act I of 2017 on the Administrative Procedures (hereinafter: Act). The Kp. On the basis of point a) of § 12, paragraph (2), the administrative lawsuit against the Authority's decision falls under the jurisdiction of the court, for the lawsuit, Kp. Based on Section 13 (11), the Metropolitan Court is exclusively competent. CXXX of 2016 on the Code of Civil Procedure. to the law (hereinafter: Pp.) - the Kp. Applicable based on § 26, paragraph (1) - legal representation is mandatory in a lawsuit within the jurisdiction of the court based on § 72. Cp. According to paragraph (6) of § 39 - unless the law provides otherwise - the submission of a claim for the administrative act to take effect
 
34
does not have a deferral effect.
The Kp. Paragraph (1) of § 29 and, in view of this, Pp. CCXXII of 2015 on the general rules of electronic administration and trust services, applicable according to § 604. According to Article 9 (1) point b) of the Act, the legal representative of the Obligor is obliged to maintain electronic contact.
The time and place of submitting the statement of claim is set by Kp. It is defined by § 39, paragraph (1).
The amount of the fee for the administrative lawsuit is determined by Act XCIII of 1990 on fees. Act (hereinafter: Itv.) 45/A. Section (1) defines. Regarding the advance payment of the fee, the Itv. Paragraph (1) of § 59 and point h) of § 62 (1) exempt the party initiating the procedure.
If the Obligor does not adequately certify the fulfillment of the prescribed obligation, the Authority considers that the obligation has not been fulfilled within the deadline. The Akr. According to § 132, if the obligee has not complied with the obligation contained in the final decision of the authority, it can be enforced. The Authority's decision in Art. According to § 82, paragraph (1), it becomes final with the communication. The Akr. Pursuant to § 133, enforcement is ordered by the decision-making authority, unless otherwise provided by law or government decree. The Akr. Pursuant to § 134, the enforcement - unless otherwise provided by law, government decree or local government decree in municipal authority matters - is carried out by the state tax authority. Infotv. Pursuant to § 60, paragraph (7), the Authority undertakes the implementation of the decision in relation to the obligation to carry out a specific act, to behave in a specific manner, to tolerate or stop, contained in the Authority's decision.
Dated in Budapest, August 11, 2022.
Dr. Attila Péterfalvi
president
c. professor