NAIH (Hungary) - NAIH-5114-35/2022
NAIH - NAIH-5114-35/2022 | |
---|---|
Authority: | NAIH (Hungary) |
Jurisdiction: | Hungary |
Relevant Law: | Article 5(1)(e) GDPR Article 6(1) GDPR Article 12(1) GDPR Article 13 GDPR Article 31 GDPR Article 58(2)(f) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 21.12.2022 |
Published: | |
Fine: | 3000000 HUF |
Parties: | n/a |
National Case Number/Name: | NAIH-5114-35/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Hungarian |
Original Source: | NAIH (Hungary) (in HU) |
Initial Contributor: | n/a |
The Hungarian DPA investigated the use of a surveillance camera sytem and fined the controller HUF 3,000,000.00 (€7,978.20) for violating multiple GDPR provisions.
English Summary
Facts
The case initiated from a complaint made by a data subject who filed a complaint with the Hungarian DPA requesting the DPA to declare that a controller - a company providing accommodation services - within the neighbouring property unlawfully processes personal data with its surveillance camera systems (CCTV). The data subject requested the DPA to 1) prohibit the controller from monitoring the data subject's property with its CCTV systems, and 2) to order the controller to terminate the unlawful recordings.
The DPA extended the scope of the investigation (ex officio) against the controller. The DPA investigated all processing activities carried out by the controller with its CCTV systems and conducted an on-site inspection to the controller's property. The controller was using two CCTV systems that were identified within the investigation as Camera system No. 1 (consisting of 4 analogue cameras only providing live image) and Camera system No. 2 (consisting of 4 IP cameras recording image and audio) for which the recordings were said to be stored for three days by the controller.
The Camera system No. 1 showed views of the parking area within the property of the controller, a view from the gate to the building and to the reception area, and a small part of the backyard of the property, with a pavement leading to the reception area. The DPA noted that there were no recreational facilities located in these areas. The controller stated that the purposes of the CCTV in Camera sytem No. 1 were: 1) the protection of persons and property, 2) to detect possible infringements, 3) to catch a perpetrator in the act, and 4) to prevent infringing acts. The controller relied on legitimate interests under Article 6(1)(f) GDPR as a legal basis for the processing.
With regard to Camera system No. 2 showed views of: 1) a dining room, 2) a panoramic jacuzzi on the terrace - which previously showed a view of the data subject's property, but at the time of the DPA's on-site investigation, the controller had modified the angle view of the camera away from the data subject's property - 3) a patio, and 4) a reception desk. These cameras were motion-activated, recorded images, and some of them were placed with an angle of view to areas where the persons not only pass through but also rest and dine. Regardless of the DPA's request, the controller did not present any previous cases justifying the necessity for the use of the CCTV. The DPA considered that it was relevant whether any events had taken place in the past which would justify the placement of the cameras, as the data processing was more extensive compared to Camera system No 1. With regard to the previous monitoring of the data subject's property, the controller argued that it had had a legal basis under Article 6(1)(f), because it had legitimate interests for property protection purposes as it had accused the data subject’s husband for vandalism towards the fence separating the two properties.
Holding
With regard to the Camera system No. 1 the DPA concluded that the operation of the cameras is appropriate for the purposes pursued and a necessary security measure for the objective pursued by the controller. Additionally, the DPA viewed that because the cameras within Camera system No. 1 only transmitted live image, and did not record any images that it constituted a significantly lower intrusion into the privacy of the persons concerned than if the video images were recorded.
With regard to Camera system No. 2, the DPA considered that due to the more extensive monitoring carried out by the cameras, it was necessary to assess each camera separately. The controller's balancing of interests test lacked individual assessments of the cameras, and only included general wording such as that valuable objects are monitored, so the interest of the controller is to safeguard the mentioned objects.
The objectives and purposes pursued by the controller for each camera were unclear to the DPA. The DPA also took in consideration the fact that the controller had not examined any alternative(s) for the use of a CCTV system that would not involve processing or the processing would be more limited in scope. The DPA emphasized, that in order to use CCTV systems on the basis of a legitimate interest, the processing must be proportionate to the aim pursued and compatible with the purposes pursued, necessary to achieve the purpose, and the design and implementation of the processing must take into account the reasonable expectations of the data subjects. Secondly, the DPA emphasized that the legitimate interests must be real and present at the time when the processing starts because processing cannot be based on a possible future interests.
With regard to the Camera system No. 2 recording also audio, the DPA viewed that the controller had not presented any reasons which would justify the necessity of audio recording, and emphasized that it is not a common practice in the case of CCTV surveillance of property. The DPA stated that data subjects cannot expect the cameras recording their voice and conversations, in particularly, when the cameras could also be activated by some small non-human movement and so start recording the conversations of persons who are not even in the camera's view (the DPA found examples of such situations from the CCTV recordings during its investigation).
The DPA furthermore found regarding Camera system No. 2, that the controller did not have legitimate interests for processing the personal data and held that the controller violated Article 6(1) GDPR with regard to 1) the camera installed in the dining room, 2) the camera monitoring the panoramic jacuzzi on the terrace, and 3) the camera facing the patio. With regard to 4) the camera above the reception desk, the DPA found that the controller had legitimate interests that were the protection of property and monitoring of cash payments. The DPA considered the previous monitoring of the data subject’s property as a serious interference with private life, and that only in very rare situations can there be legitimate interests that are not overruled. The DPA took in consideration, that the balancing of interests -test did not include the data subject’s property – only the controller’s property.
The Hungarian DPA held, firstly, that the controller 1) had unlawfully processed personal data of the data subject who initially complained about the processing in breach of Article 6(1) GDPR; and that the controller infringed 2) the principle of storage limitation under Article 5(1)(e) GDPR by not taking any measures to ensure that the recordings were deleted after set limitation of 3 days, 3) Article 12(1) GDPR by failing to inform the data subjects on the use of the camera surveillance in an easily accessible way, 4) Article 13 GDPR by failing to provided adequate information about the processing, 5) Article 31 GDPR by failing to comply with its duty to cooperate with the DPA as, in the DPA's view, the controller did not cooperate with the Authority during the procedure to the extent necessary, and in several cases provided false, incorrect or incomplete information.
With regard to the data subject's complaint, the DPA prohibited the controller under 58(2)(f) GDPR from using a CCTV system that monitors the data subject's property and thereby unlawfully processes personal data of the data subject and their family. The DPA ordered the controller to remove all data in question and to adapt its information practices on CCTV surveillance, in such a way, that the company complies with Article 12(1) GDPR and 13 GDPR.
The DPA fined the controller HUF 3 000 000 (three million forints).
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
Case number: NAIH-5114-35/2022. Subject: decision History case number: NAIH-7502/2021. H A T A R O Z A T Before the National Data Protection and Freedom of Information Authority (hereinafter: Authority) [...] [...] applicant represented by a lawyer (residential address: [...]; hereinafter: Applicant) to the Authority Your request was received on October 4, 2021 with [Kft.] (headquarters: […]; hereinafter: Applicant 1) – representative […] (seat: […]) – and with [natural person] (residential address: […]; hereinafter: Respondent 2 or Obligor; Applicant 1 and Applicant 2 hereinafter together: Respondents) against the data protection authorities in connection with the management of their personal data makes the following decisions in the procedure: I. Granting the Applicant's request, the Authority determines that the Applicant 1 handled the Applicant's personal data illegally, thereby violating Article 6 (1) of the GDPR paragraph. II. Granting the Applicant's request, the Authority condemns him for the violation according to point I Requested 1. III. The Authority, granting the Applicant's request, Article 58, Paragraph 2, Point f) of the GDPR prohibits Respondent 1 from operating in such a manner in the future camera system to monitor the Applicant's property, and thus illegally manage the personal data of the Applicant and his family. The Authority operates in the area of [accommodation] (address: […]) vis-à-vis the Applicants to examine the legality of data processing through camera systems November 15, 2021 in the official data protection procedure initiated by me ex officio and extended on August 4, 2022, the following makes decisions: ARC. The Authority finds that Respondent 1 is unlawful, Article 6 (1) of the GDPR conducts conflicting data management in No. 2 camera system jacuzzi, restaurant and the inner courtyard during the operation of surveillance cameras. A. The Authority finds that Respondent 1 violated Article 5 (1) Paragraph e) of the GDPR the principle of limited storability according to point VI. The Authority finds that Respondent 1 violated Article 12 (1) of the GDPR, since he did not provide the information regarding camera data management to those concerned easily accessible. ………………………………………………………………………………………………………… 1055 Budapest Tel.: +36 1 391-1400 ugyfelszolgalat@naih.hu Falk Miksa utca 9-11 Fax: +36 1 391-1410 www.naih.hu VII. The Authority finds that Respondent 1 violated Article 13 of the GDPR when it did not provided adequate information about the data management implemented through the camera system. VIII. The Authority finds that Respondent 1 violated Article 31 of the GDPR, as a He did not fulfill his obligation to cooperate with the authorities. IX. The Authority prohibits Applicant 1 from using the dining room, the panoramic Jacuzzi and the parts of the inner courtyard for relaxation, such as the jacuzzi and hot tub through the camera system monitoring, and the doors of the apartments opening from the courtyard, and the one in front of them monitoring of the rest area and orders the cameras directed to them disarmament. X. The Authority instructs Applicant 1 that the 2. camera system jacuzzi, restaurant and the delete all recordings recorded by your cameras monitoring the inner courtyard. XI. The Authority instructs Respondent 1 that it is related to camera data management transform its information practice in such a way that it fully complies with GDPR Article 12 (1) and GDPR Article 13. XII. The Authority is the I. and V-VIII. Requested 1 due to violations established in points HUF 3,000,000 (i.e. three million forints) obligates you to pay a data protection fine, which is due within 15 days of the delivery of this decision must fulfill within * * * The Authority warns Applicant 1 that Infotv. The decision based on § 61, subsection (6). until the expiry of the time limit for filing an action, or in the event of the initiation of an administrative lawsuit a until a final court decision, the data affected by the disputed data management cannot be deleted or not can be destroyed. The IV. and the IX.-XI. measures prescribed in points to Respondent 1 against this decision must do so within 30 days after the expiry of the legal remedy deadline, and their implementation immediately - together with the presentation of supporting evidence - certify to the Authority. The fine is transferred to the Authority's centralized revenue collection purpose settlement account (10032000- 01040425-00000000 Centralized direct debit account IBAN: HU83 1003 2000 0104 0425 0000 0000) must be paid in favor of When transferring the amount, NAIH-5114/2022. FINE. number must be referred to. If Respondent 1 does not comply with his obligation to pay the fine within the deadline, a late fee is obliged to pay. The amount of the late fee is the legal interest, which is the calendar interest affected by the delay is the same as the central bank base rate valid on the first day of the semester. Fines and late fees in the event of non-payment, the Authority orders the execution of the decision, the fine and the late fee 2 collection in the manner of taxes. The collection of fines and late fees in the manner of taxes is a It is carried out by the National Tax and Customs Office. * * * FINAL The Authority terminates the procedure against Respondent 2. There is no place for administrative appeal against this decision and order, but a within 30 days from the date of notification, with a letter of claim addressed to the Capital Court can be challenged in a lawsuit. The letter of claim must be submitted electronically to the Authority in charge of the case forwards it to the court together with its documents. The request to hold a hearing must be indicated in the statement of claim. The The petition submitted against the order terminating the proceedings was simplified by the Capital Court judge it in a lawsuit, outside of a trial. For those who do not receive full personal tax exemption a the fee for an administrative lawsuit is HUF 30,000, the lawsuit is subject to the right to record fees. The Metropolitan Court legal representation is mandatory in the procedure before it. I N D O C O L A S I. Facts Application and case history (1) The Requester for the data protection official procedure received by the Authority on October 4, 2021 requested in his application that the Authority establish that the Applicants at [accommodation] with installed and operated cameras, they engage in illegal data management. He asked that this forbid the continuation of camera surveillance directed at the Applicant's property, a the recording of observed data and order its termination, as well as the unlawfully prepared destruction of recordings, and also prohibit the Applicants from further infringement and convict the Respondents and impose a data protection fine. (2) The property of the Applicant is the […] inner area […] hrsz. registered under, in nature [...] property at no. He is the owner of the property next door, naturally at […] Respondent 2, on which [accommodation] operates and which is operated by Respondent 1. (3) The fence between [two properties] has fallen, therefore Requested 1 new fence made of concrete elements made it to the plot boundary. On July 26, 2021, the fence was damaged, with an approx. A 30 cm vertical crack was created. (4) According to the report of the […] Police Department dated July 27, 2021, the manager of Respondent 1, […] On July 26, 2021, an announcement was made at the [...] Police Station about the damage to the fence because he saw through the camera installed in the boarding house that the property of the Applicant the Applicant's husband was outside in his yard, around the fence [and in the present proceedings, legal representative], [...] but he did not see that he had caused any damage to the fence. THE […] Based on the information available at that time, according to the report of the Police Department No. […] violation/criminal offense could not be established. 3(5) After that, the Regional Public Order Department of the […] Police Department on case number […] However, the Commissioner's Sub-Department filed a violation report against the Applicant's husband willful vandalism due to the commission of a regulation violation. In the facts of the complaint, [...] The police station recorded that the construction of the fence was completed on July 26, 2021 by contractor, and sent a photo of the damaged item to Respondent 1 on the same day about a fence element. Since the manager was not on site, he looked back on his phone recordings of the camera system installed in [accommodation]. Requested by 1 for presentation of the recording went to the […] Police Department, on which three persons - the Applicant, the Applicant her husband and father - the new one between the two properties was visible in the area of [Applicant's property]. at the fence. The recording showed that the Applicant's husband was standing in the yard, and then the for fencing. The fence of the neighboring lot did not fall into the camera's field of view part next to it, so from then on the recording could only be heard as a grinding sound. This based on the conversation heard on the recording beforehand, the Applicant and his father - who they are in bathing suits in the recording - they also told […], the Applicant's husband, not to do this he can do it, the fence is not his property. (6) The […].Sabs. [the accommodation [accommodation] operated by Respondent 1] was the manager of the store, according to which the above camera recording, which can be linked to the vandalism […], the manager of Respondent 1 forwarded it to him. In the recording, according to the testimony, it is clear you hear "[…] don't do it, finish it, you can't touch other people's property!", and then this loud hammer blows could be heard afterwards. In the preparatory procedure for violation of rules a […] The police station established that a criminal offense was suspected, as a according to the victim's statement, the damage caused by vandalism exceeded the amount of the violation value limit, therefore this procedure was terminated, and the documents were sent to the person in charge criminal body, the Criminal Department of the […] Police Department. (7) According to the Applicant's point of view, based on the above, the [accommodation] such technical devices operated by the Applicants, which monitor your property through the use of tools, his activities and communication there. According to him, given that had previously suspected that they were being observed in some way by the Applicants, therefore they documented the damage to the panel and its circumstances, and then organized a similar one situation, on the basis of which they were able to make sure that surveillance is taking place a On behalf of the applicants. (8) The Applicant submitted that the surveillance directed at their property is of particular concern because right next to the fence is the terrace area where the garden furniture was placed, there receive their guests, clients, and the Applicant's husband is a lawyer, and if the weather is good, the he used to make customer calls from the terrace. The Applicant could not identify that a which of the cameras installed in the accommodation is suitable for monitoring their living space. (9) The Authority ex officio expanded the subject of the procedure and dated November 15, 2021 notified the Respondents in its order that it would initiate a data protection official procedure ex officio against them, data processing by the camera system operating in the [accommodation] area to examine its legality. The examined period is from July 1, 2021, when the procedure was initiated It was flagged up to 4 days ago. The Authority extended the examined period on August 4, 2022 until the day of the decision. Characteristics of the camera system operated in the [accommodation] area No. 1, analog camera system (10) Based on the information provided by Respondent 1 and the on-site inspection conducted by the Authority - to which It took place on July 5, 2022 without prior notice to the Applicants - in the area of [the accommodation] two camera systems are in operation. The camera system consisting of 4 analog cameras (a hereinafter: No. 1 camera system) requested 2 decided personal and based on asset protection reasons, however, Respondent 1 stated that the examined period, only he is considered a data controller. (11) No. 1 The center of the camera system in an apartment with a completely separate entrance is a built-in one it was placed in an attic-like room opening from a closet. The recording unit with a password protected, which for the examination of the system the executive of Applicant 1 both the Authority and previously made available to an IT expert assigned by the Police Department. The Authority obtained the opinion of the IT expert from the Police Department, who findings made only in relation to camera system No. 1. The IT for the assignment of an expert on the suspicion of the crime of illegal data collection based on the Applicant's report started due to […].bü. took place in procedure no. (12) Two monitors are connected to the system, one is in the same room as the recording unit placed at the reception of the other [accommodation]. The latter monitor is only suitable for a show the images of the cameras according to the parameters set on the recorder, it does not control the recorder. The 1. s. camera system only transmits live images, for image and sound recording, as well as recordings not suitable for storage, as there is no hard disk in the recording unit. No. 1 it is not possible to remotely access the images of the camera system or its center. (13) The cameras are fixed and cannot be moved after installation and adjustment from a distance. No. 1 of the 4 analog cameras of the camera system, one is installed on the street front of the building camera – CH1 – does not work, it transmits neither image nor sound, the Authority is responsible for this was also convinced by the on-site inspection he conducted. (14) On December 2, 2021, according to the screenshot attached by Respondent 1, the camera marked CH2 observes a private area entirely owned by Respondent 2, marked CH3 it was aimed at the parking lot, but a small part of the public area also fell into its line of sight. By the Authority during the on-site inspection, the image of the CH3 camera sometimes disappeared, vibrated or during certain periods nothing was visible on it. The current business manager of Respondent 1, According to […], there has been a problem with this since the on-site inspection conducted by the police with the camera. (15) The CH4 camera is the camera images made available to the Authority in December 2021 according to him, he was watching the part of the sidewalk from the gate entrance to the entrance of the accommodation, and fell into his line of sight the railway line separating the Applicant's property from the accommodation, and to a small extent the railway Top of 5 soundproof walls. There is no sidewalk on the side of the sound-insulating wall, so typically, taking into account the also for the resolution of the image transmitted by a camera, the third passing through the public area is not suitable to monitor persons. (16) Subsequent modification of the viewing angle of the CH4 camera, in April 2022 – a According to recordings made by an expert appointed by the police department - the camera the public space and the soundproof wall no longer fall into his line of sight, only the neighboring one line separating properties, but it is not possible to see through it to the Applicant's property. No. 2, IP camera system (17) The other camera system (hereinafter: camera system no. 2) in December 2021 2 It consisted of a piece of IP camera according to the statement of Respondent 1 and the attached camera images, this at an unknown date, two more cameras were added. No. 2 camera system cameras images and sound are also recorded on the SD cards in the cameras, their resolution is Full HD, i.e 2 megapixel resolution. All four cameras have an infrared night vision function, a 10 meters for Tapo C200 cameras, 30 meters for Tapo C310 cameras with sight distance. (18) The cameras of this camera system have a motion sensor, the cameras record the recordings not continuously, but only in the event of some movement way that the cameras a few minutes before the event, the camera movement taking place in its field of vision, and then for a few more minutes after it ends afterwards. (19) In many cases, the quality of audio recordings is affected by other noises, especially outdoor ones in the case of cameras, e.g. the strength of the wind, the hum of the jacuzzi circulation pump. At the same time under suitable conditions, sound recordings that can be clearly discerned from a sufficient distance are made by the cameras. (20) The images of the camera system and the recordings recorded by it on a closed system, online are available, the corresponding software stores and saves the recordings if necessary. THE the application required to access recordings is on the phone of the manager of Respondent 1 installed, which is protected by a pin code and facial recognition system according to the statement of Respondent 1. The Authority could not check the phone of the manager of Respondent 1, as it he could not participate in the on-site inspection held without prior notice. (21) At the time of the inspection, the Authority made a copy of the recordings on the SD cards and he used them during decision-making. (22) No. 2 the first camera of the camera system was installed in the dining room, type TP-Link Tapo C200. At the time of the on-site inspection, a total of 28 GB of data could be found on the camera's SD card 113 files in MP4 format, of which 1 is 0 bytes in size, i.e. a deleted or deleted recording volt. The other recordings are uniformly 256 MB in size and were created before the review From 15 days on, they included several recordings per day. 6(23) On the camera image taken on December 2, 2021 at 10:15 a.m. and attached by Applicant 1, three table and a refrigerator was visible from the side view. (24) Respondent 1 explained to the Authority's question that he kept it in the dining area operation of the camera system is necessary, because there are several refrigerators that in which, on a general basis, hundreds of thousands of forints worth of alcoholic beverages are continuously stored drinks, other drinks and food. Further to the operation of the camera in the dining room as a reason, Respondent 1 submitted that the boarding house has a 4-star rating a professional expectation of a place of accommodation is to monitor the communal spaces with a camera a for the property and personal protection of guests. In support of the latter's statement you have not attached any documents. (25) On the day of the on-site inspection conducted by the Authority on July 5, 2022, the angle of view of the camera has been modified compared to the status of December 2021, the camera has been rotated a towards reception. The area in front of the reception desk falls into his view of the room opening from there with its door and the short corridor leading to the dining room, the self-service counter and the coffee machine. Two of the tables in the dining room can be seen fully, one half, and the upper corner of refrigerator. The windows were replaced by a refrigerator containing only soft drinks for accommodation next to, from which - according to the inspection's testimony - the guests are free they could serve themselves. No other property fell into the camera's field of view. (26) The second camera was installed on the elevated terrace part of the building, its type is TP- Link Tapo C310. This was the camera that recorded the infraction for vandalism, then the camera footage objected to by the Applicant used in criminal proceedings. July 2021 On the 26th, according to the recording available to the Authority, the camera came into view A part of the Applicant's property with the willow tree, thus recording the likeness of the Applicant and his family, movement and their conversation. (27) By December 2021, the angle of view of the camera had already been changed - about this, Respondent 1 also declared to the Authority - he is no longer suitable for monitoring the Applicant's property, a on the camera image of the neighboring property on December 2, 2021, only one roof was visible - presumably the roof of the tool shed - and one of the foliage of the willow tree near the plot boundary part of. On December 7, 2021, the Company attached new pictures, at which time the roof part had not even fallen into the camera's field of view. (28) During the on-site inspection, in addition to the above, the upper terrace and the jacuzzi in its entirety, depending on the layout, 2-4 outdoor chairs with a table, [a accommodation] pier. (29) In his statement dated December 2, 2021, Respondent 1 explained with the angle of view of the cameras regarding the fact that none of them are aimed at the Applicant's property, not least because because the border between the properties is not in the line of the fence, but one meter from it, a In the direction of the applicant's property. However, there is no legal procedure in this regard initiated against the Applicant and her husband, he did not substantiate his statement, and according to the Applicant's statement, he is not aware of the plot boundary and the fence lines should not coincide. 7(30) The memory card of the camera on the jacuzzi terrace had 114 GB of data at the time of the inspection, the The earliest snapshot in the Snapshot directory was taken on March 24, 2022 at 10:28:34 a.m. last on the day of the inspection. At the time of the inspection, 473 MP4 files were stored on the camera's SD card it was a video file, 17 of which were 0 bytes in size, i.e. previously deleted or deleted recordings. The available files were all 256MB in size, SD card going back 19 days included recordings. (31) In his statement dated December 2, 2021, Respondent 1 informed the Authority that the No. 2 want to install 2 more cameras for the camera system. Requested legal its representative stated in a statement dated June 8, 2022 that the camera system expansion and installation of the planned cameras did not take place. The Authority requested that a Requested 1 send pictures of the installed cameras in such a way that the cameras environment is also included. Among these recordings, there were recordings that, however, allowed us to conclude that the camera system had been expanded after all. (32) During the on-site inspection held on July 5, 2022, the Authority was convinced that another 2 a camera has been installed - 3rd camera - one of which monitors the reception desk from above - type TP-Link Tapo C200 – the L-shaped desk, the worker's chair and an additional chair. (33) If an employee is behind the counter, it is suitable for observation, or records the conversations between the guests and the employee working at the reception. The Authority also found a recording that clearly shows the payment by bank card by a hotel guest your PIN and the camera also recorded the cash transactions. (34) At the time of the inspection, this camera had 28 GB of 116 recordings in MP4 format in total there were 2 0-byte recordings, i.e. deleted or deleted recordings. On the SD card for 19 days recordings can be found retrospectively, each half has a uniform size of 256 MB was extensive. (35) And the other camera - camera 4 - mainly on the door of one of the apartments opening from the courtyard, the to the front part with garden furniture, to the yard, the jacuzzi located there is approx. in half, a it is aimed at the bath tub, as well as the waterfront terrace and jetty and a part of Lake Balaton, type TP- Link Tapo C310. The memory card of this camera had a total of 28 GB of data at the time of the review stored, the Snapshot library snapshots taken by the camera at different times contained, the earliest was made on May 31, 2022 at 10:23:12. In addition, the SD card contained 110 video files in MP4 format going back 15 days, all in the same format It was 256 MB. The purpose and legal basis of data processing through the camera system are the statements of Respondent 1 Based on 8(36) The Applicant 1 test of interests and the operation of the camera system, as well as the regulations on the use of recorded images - effective from July 1, 2021 - as well attached to the Authority's statement dated December 2, 2021, the latter being the document according to dated June 30, 2021. (37) According to the camera regulations, the purpose of data management is the persons staying at the accommodation protection of life, physical integrity, personal freedom, as well as in the field of real estate staying persons, or assets owned or used by Respondent 1 protection. The detection of legal violations, the perpetrator, was also named as a data management purpose prosecution, prevention of illegal acts, and also that the recordings with these be used as evidence in official proceedings. (38) According to camera regulations, images are stored on the SD cards in the cameras for recording, which recordings in the absence of use by the Applicant 1, at most from the recording stored for 3 days, longer storage of recordings is not justified. The recordings are a according to the regulations, they are automatically deleted after 3 days. (39) According to the camera regulations, the data management is based on the legitimate interests of Respondent 1, as well as in the case of employees, as part of the control of behavior related to the employment relationship Mt. 11/A. on the statutory authority based on paragraph (1) of §. (40) To support the existence of a legitimate interest, Respondent 1 prepared an interest assessment test, and also recorded in the camera regulations that the data management implemented is to reach proportionally restricts the rights of the data subjects with the desired goal, since the angle of view of the cameras is set in such a way setting, that in any case it is a person or event to be protected be aimed at property. In addition, according to the camera regulations, the Data Controller is everything informs those concerned about the fact of camera surveillance and is essential about its circumstances, i.e. data processing does not affect the data subjects unexpectedly. Data management its duration is adjusted to the legal requirements, the only way to get to know the data is the regulations persons according to - Respondent 1's executive - are entitled in the cases specified therein - Asserting the legitimate interest of the respondent or exercising the rights of the affected parties - it may come to that beer. (41) In the interest weighing test, as part of the identification of the existing legitimate interest, it was explained, that Respondent 1 has a legitimate interest in data management - which is the data subjects covers its image and sound - as it is of great value in the area open to guests valuables - e.g. the jacuzzi worth several million forints - have been installed, as well as the camera system its purpose is primarily asset protection and the protection of valuables. Data management is secondarily a serves to protect guests' values, person, and physical integrity. According to Respondent 1 with the help of the camera system, you can ensure that you are not authorized to enter the accommodation area no persons may enter, no activity that endangers the security of property to continue. (42) According to the weighing of interests test, if there is a decrease in the value of Respondent 1's valuables would occur or they would be appropriated, you can reveal it by viewing the recordings the reason for the decrease in value or the identity of the person who stole the valuable object, and the damage caused 9 can claim reimbursement. In the event of an accident, data management may contribute to the accident to clarify its circumstances. (43) In response to the Authority's question as to whether property security had previously occurred in the area of the accommodation threatening event, Respondent 1 explained that the use of cameras is preventive device, so not from the point of view of the legality of data processing through cameras events that threaten property security in the relevant [accommodation] area list, as the camera system is intended to prevent such events. However, according to his statement, there were such incidents, but as an example, only the fence he mentioned his vandalism, he did not specifically name other events, their occurrence no supporting evidence was attached. (44) In the weighing of interests test, it was explained in connection with the necessity of data management that in the event of damage, it can only be done as a result of viewing the camera footage to identify the perpetrator and to demand compensation from him. Respondent 1 explained furthermore, that the preparation and use of recordings is proportionate to the purpose of data management, since as a result of the data management, Respondent 1 can achieve the data management goal set by the data subjects without disproportionately invading your privacy. According to the weighing of interests test, a Respondent 1 has no alternative means or procedures at his disposal which you could achieve the purpose of data management without data management. (45) In the interest weighing test, Respondent 1 interests and rights of the stakeholders during his identification, he recorded that the data management is informational for guests and other stakeholders has the right to self-determination, and within that the right to image and privacy effect. However, in his view, data management is not an internal, integral part of these limits, its effect is proportional to the achievement of the data management goal, it is absolutely necessary for that. The data is collected by Respondent 1 directly from the data subjects, which is clearly visible beforehand informs guests about data management on signs placed in the purpose and method of data management are widely and clearly understood." (46) Respondent 1 in the weighing of interests test as the expected effect of data management he claimed that the injury to his property could be remedied. He also emphasized that those concerned do not lose control over their personal data, as the camera system they receive information about its operation, so the data management can have little effect on them. THE camera recordings will be viewed if the Applicant 1 there is a decrease in the value of your assets or an asset is appropriated, and to discover the identity of the perpetrator or the circumstances of a possible accident it is necessary to review the recordings. (47) As a result of the balance of interests test, Respondent 1 came to the conclusion that has a legitimate interest in data management and the camera recordings are justified for three days storage. Information about data management 10(48) In relation to information on data management, the Respondent stated that it is clearly visible, warning signs were placed in the building, as well as [at the accommodation] a it is done by means of camera regulations kept in a place accessible to guests and other stakeholders fulfills its obligation to provide information. During the site inspection, the camera regulations are not good placed in a visible place, but it was found at the reception after a short search, however, in that a in the room for accommodation of hotel guests, where the staff of the Authority they were absent during registration, the regulations and the information sheet could not be found. The "Camera monitored area" sign was placed in several places in the building, one of which is at the end of the corridor leading to the dining room, on the side of the self-service counter of the dining room, the other is the jacuzzi at the entrance. Apart from that, the boards did not contain any additional information. (49) According to the statement of Respondent 1, he verbally informed the Applicant several times that "the He observes the land beyond the applicant's property, towards the Company, with a camera, basically based on property protection reasons." (50) According to Respondent 1, no information was received after the oral information consent to data management on the part of the Applicant, but since it is based on his legitimate interest data management, it was not even necessary, as the restriction of rights was proportionate, he even explained that "a in our opinion, monitoring is lower than the properly necessary and proportionate level level, which is no better proof than that the level of observation was not suitable for To protect the company's property, which led to the police investigation [due to vandalism]. proceedings." (51) To support the fact that the information was provided, Respondent 1 attached an unknown person audio recording made at the time, on which the Applicant, the Applicant's husband and The voice of the manager of Respondent 1 can be heard, a discussion about waste transportation with a wheelbarrow during. During the discussion, it is said that “Through this camera you can see exactly that how many times has he passed in front of our yard." The attached recording does not reveal which one exactly the information referred to the camera, and that Respondent 1 during the conversation observed a public area or the Applicants' property with the referred camera. The Applicant 1 stated that on the audio recording No. 1 camera system for a camera facing the parking lot referred to, which does not record recordings, only transmits a live image. Proceedings before the [...] Police Station Tampering procedure (52) Complaint and notification of the Applicant and Respondent 1 to the Police Department on the basis of which two different procedures were in progress. The Police Department informed the Authority, that in relation to the damage to the fence, the […] Police Department Order of the Preparatory Group of the Public Order Protection Department […] decision no the Investigation Department of the Police Department ordered an investigation based on During the investigation it was established that the reported act is not a crime, therefore April 6, 2022 XC of 2017 on criminal proceedings. based on point a) of § 398, paragraph (1) of the Act, the procedure was terminated. 11(53) The Police Department made the investigative documents available to the Authority, as well as the the decision on the termination of the procedure, which for Respondent 2, as the aggrieved party, It went to the manager of Respondent 1 as a whistleblower and to the […] District Prosecutor's Office for delivery. (54) Terminating the proceedings, […].bü. according to decision no. during the investigation a The police department has assigned a forensic technical expert to the fence affected by the vandalism conducted an on-site inspection. The expert came to the conclusion that the fence during its design, the contractor made a technological error, and the lowest fence element was already in place it was installed in a cracked state. The on-site inspection is such an external and intentional force impact, which would have resulted in damage to the fence element, was not established on it no external damage was found. The person who built the fence during his witness interview said that there was a hairline crack on one of the fence elements, which was indicated by the customer, He applied to 1 and with his approval it was installed as a bottom panel. (55) During the investigation, the Police Department interviewed the manager of Respondent 1 as a witness on January 4, 2022. In it [the executive] stated that "the property [accommodation] is at the back, A camera works on the Balaton side. It faces our own area and we installed it to that we can watch the jacuzzi, because usually they don't put the top back on. This camera does not it is there to observe the neighbor, but unfortunately it falls into its field of vision a very small part of the neighboring property on the other side of the fence. The camera however, it does not record footage.” […] stated in his testimony that when the contractor indicated to him, that someone from the other side of the fence shakes, pulls the fence, then he was looked at by the camera pointed to a picture, according to which several people were walking on the other side of the fence, including [a Applicant's husband] as well as the Applicant. […] according to his statement, then his own he filmed the camera image with his mobile phone and recorded a few minutes, on which you can hear [a [Applicant's husband] is tried by the person next to him to calm him down and calm him down, but he does not he is doing something at the fence that is not visible in the camera image. (56) On January 4, 2022, [the executive] sent the Police Department by e-mail the the camera recordings made of suspected vandalism, damaged by the Applicant camera recording saved from the application for viewing. This recording was made by It was downloaded by the Police Department, written out on a CD, and a copy of this in its letter dated July 18, 2022 made available to the Authority as an attachment. (57) Footage recorded by the camera above the jacuzzi between 18:37:36 and 18:39:52 on July 26, 2021 shows a period during which a part of the Applicant's yard with Lake Balaton was visible and along with a willow tree. In the specific camera recording, it can be heard in the yard in addition to the chopping sounds the conversation of three aloof people - not completely clear, but some sentences perfectly can be taken out - as well as the Applicant and his father in bathing suits, as well as short for a while the Applicant's husband was also in shorts and a T-shirt. (58) In his submission dated December 2, 2021, Respondent 1 stated about the admission in question, that it is no longer in his possession, he cannot make it available to the Authority, thereby on the other hand, he sent it to the Police Department on January 4, 2022, and on on March 1, he presented it on his phone to the technical expert assigned by the Police Department. 12 Procedure related to illegal data collection (59) On September 30, 2021, the Applicant filed a complaint with the Police Department, apartment, other rooms or the fenced areas belonging to them are done with a technical device due to the suspicion of the crime of illegal data acquisition committed by secretly monitoring and recording, on the basis of which the Police Department ordered an investigation. (60) The Police Department terminated the procedure on June 8, 2022, because the available based on the information, it was not possible to establish that a crime had been committed. The procedure The Applicant filed a complaint against the termination decision, the complaint will be considered in July 2022 It was still in progress on the 20th. (61) In the course of the investigation, the Police Department appointed a forensic IT expert, who in 2022. On April 1, the on-site inspection carried out in the context of search and seizure examined the Camera systems operated by Applicant 1. It was recorded in the expert opinion, that there is a traditional closed-circuit security with 4 cameras on the property system (camera system no. 1) and a digital one containing both external and several internal cameras system (camera system no. 2). Regarding the latter, the expert is only towards the jacuzzi regarding the mounted camera, he stated that it is fixed, not remotely it can be moved and adjusted mechanically. He didn't check the camera image because according to his reasoning, the SD cards in the cameras can be accessed remotely from an application he didn't take it out of the cameras, he didn't watch the recordings on them, they weren't saved not made. As a result, the expert opinion no. 2 with a camera system does not contain additional findings in this context. (62) The additional relevant findings in the expert opinion above – were described under the title "characteristics of camera systems". Property ownership of [accommodation]. (63) Based on the Applicant's letter dated June 8, 2022, the Authority queried on July 20, 2022 the title deed of […] property, according to which, on March 29, 2022, at […] a request for its registration was received at the Land Registry, which was stamped. Therefore - in case of registration of ownership - the property is removed from the property of Respondent 2, and its new will be owned by […] (residential address: […]) III. Applicable legislation Recital (47): The data controller - including the data controller with whom the personal data may be disclosed - or the legitimate interest of a third party may create a legal basis for data processing, provided that the interests, fundamental rights and freedoms of the data subject do not take priority, taking into account that the reasonable expectations of the data subject based on his relationship with the data controller. This can be a legitimate interest for example, when there is a relevant and appropriate relationship between the data subject and the data controller, for example, in cases where the data subject is a client of the data controller or is employed by it. THE in order to establish the existence of a legitimate interest, it must be carefully examined by several others 13 that the data subject is at the time of collection of the personal data and in connection therewith can you reasonably expect that data processing may take place for the given purpose. The interests of the person concerned and your fundamental rights may take precedence over the interest of the data controller if personal data it is handled in circumstances in which the persons concerned do not matter further for data management. Since it is the task of the legislator to define in legislation that the public authority bodies, on what legal basis can I process personal data, supporting the legitimate interest of the data controller no legal basis can be applied, carried out by public authorities in the performance of their duties for data management. The processing of personal data is absolutely necessary for the purpose of fraud prevention is also considered the legitimate interest of the data controller concerned. Personal data is for direct business purposes its treatment can also be considered based on legitimate interest. Based on Article 2 (1) of the GDPR, the GDPR must be applied to the data management in this case. GDPR Article 4, point 1: "personal data": for an identified or identifiable natural person any information concerning (“data subject”); the natural person who is directly you can be identified indirectly, in particular an identifier such as name, number, location data, online physical, physiological, genetic, intellectual, economic, cultural, or identifier of the natural person can be identified based on one or more factors related to his social identity; GDPR Article 4, point 2: "data management": personal data or data files are automated any operation or set of operations performed in a non-automated manner, such as collection, recording, organization, segmentation, storage, transformation or change, query, insight, use, communication by means of transmission, distribution or otherwise making it available, coordination or linking, restriction, deletion or destruction; GDPR Article 4, Point 7: "data controller": the natural or legal person, public authority, agency or any other body that determines the purposes and means of personal data management independently defines with others; if the purposes and means of data management are EU or member state law determines the data controller or the special aspects regarding the designation of the data controller can also be defined by EU or member state law; GDPR Article 5 (1) point c: Personal data from the point of view of the purposes of data management they must be appropriate and relevant and limited to what is necessary ("data saving"); GDPR Article 5 (1) point e): Personal data must be stored in a form that which the identification of the data subjects is only necessary to achieve the goals of personal data management allows for a period of time; personal data may only be stored for a longer period of time line, if the processing of personal data is in the public interest in accordance with Article 89 (1). will take place for archiving purposes, for scientific and historical research purposes or for statistical purposes, that is the appropriate technical required in this regulation in order to protect the rights and freedoms of the data subjects and subject to the implementation of organizational measures ("limited storage capacity") Article 6 (1) GDPR: The processing of personal data is only lawful if and to the extent that if at least one of the following is met: 14 a) the data subject has given his consent to the processing of his personal data for one or more specific purposes for its treatment; b) data management is necessary for the performance of a contract in which the data subject is one of the parties, or steps taken at the request of the data subject prior to the conclusion of the contract necessary to do; c) data management is necessary to fulfill the legal obligation of the data controller; d) the data processing is for the vital interests of the data subject or another natural person necessary for its protection; e) the data management is in the public interest or for the exercise of public authority delegated to the data controller necessary for the execution of the task carried out in the context of; f) data management to enforce the legitimate interests of the data controller or a third party necessary, unless the interests of the person concerned take precedence over these interests interests or fundamental rights and freedoms that make personal data protection necessary, especially if a child is involved. Point f) of the first subparagraph cannot be applied by public authorities in the performance of their duties for data management. Article 12 (1) GDPR: The data controller takes appropriate measures to ensure that all those mentioned in Articles 13 and 14 regarding the processing of personal data for the concerned party information and 15–22. and each information according to Article 34 is concise, transparent, understandable and provide it in an easily accessible form, clearly and comprehensibly worded, especially a for any information addressed to children. The information in writing or otherwise – including, where applicable, the electronic route - must be specified. Verbal information at the request of the person concerned can be given, provided that the identity of the person concerned has been verified in another way. GDPR Article 13: (1) If personal data concerning the data subject is collected from the data subject, the data controller shall at the time of obtaining personal data, the following is made available to the data subject all information: a) the identity and contact details of the data controller and, if any, the representative of the data controller; b) contact details of the data protection officer, if any; c) the purpose of the planned processing of personal data and the legal basis of data processing; d) in the case of data management based on point f) of paragraph (1) of Article 6, the data controller or a third party legitimate interests of a party; e) where appropriate, recipients of personal data, or categories of recipients, if any; f) where appropriate, the fact that the data controller is a third country or an international organization wishes to forward the personal data to, and the Compliance Committee existence or absence of its decision, or in Article 46, Article 47 or Article 49 (1) in the case of data transfer referred to in the second subparagraph of paragraph indication of suitable guarantees, as well as for obtaining their copies means or reference to their availability. (2) In addition to the information mentioned in paragraph (1), the data controller is the personal data at the time of acquisition, in order to ensure fair and transparent data management ensure, informs the data subject of the following additional information: 15 a) on the period of storage of personal data, or if this is not possible, this period aspects of its definition; b) the data subject's right to request from the data controller the personal data relating to him access to data, their correction, deletion or restriction of processing, and you can object to the processing of such personal data, as well as to the data portability concerned about his right; c) based on point a) of Article 6 (1) or point a) of Article 9 (2) in the case of data processing, the right to withdraw consent at any time, which does not affect the data processing carried out on the basis of consent before the withdrawal legality; d) on the right to submit a complaint to the supervisory authority; e) that the provision of personal data is a legal or contractual obligation is a basis or a prerequisite for concluding a contract, and whether the person concerned is obliged to the personal provide data, as well as what possible consequences it may have failure to provide data; f) the fact of automated decision-making referred to in paragraphs (1) and (4) of Article 22, including also profiling, and at least in these cases to the applied logic and that comprehensible information regarding the significance of such data management and what are the expected consequences for the person concerned. (3) If the data controller performs additional data processing on personal data for a purpose other than the purpose of their collection wish to perform, you must inform the data subject about this different purpose before further data processing and all relevant additional information referred to in paragraph (2). (4) Paragraphs (1), (2) and (3) do not apply if and to what extent the person concerned is already involved has the information. Article 25 (2) GDPR: The data controller implements appropriate technical and organizational measures finally to ensure that, by default, only such personal data is processed take place, which are necessary from the point of view of the given specific data management purpose. This is the obligation applies to the amount of personal data collected, the extent of their processing, the duration of their storage and their accessibility. These measures must in particular ensure that the personal data should not become, by default, without the intervention of the natural person accessible to an unspecified number of people. GDPR Article 31: The data controller and the data processor and, if any, the data controller or the during the execution of the tasks of the representative of the data processor with the supervisory authority - its inquiry based on - cooperates. GDPR Article 58 (2) points b), d), f) and i): Acting within the corrective powers of the supervisory authority: b) condemns the data manager or the data processor if his data management activities violated e the provisions of the decree; d) instructs the data manager or the data processor that its data management operations - where applicable in a specified manner and within a specified time - bring it into line with the provisions of this regulation; f) temporarily or permanently restricts data management, including the prohibition of data management; 16i) imposes an administrative fine in accordance with Article 83, depending on the circumstances of the given case, e in addition to or instead of the measures mentioned in paragraph GDPR Article 77 Paragraph 1: Without prejudice to other administrative or judicial remedies, all data subjects have the right to complain to a supervisory authority – especially the usual one in the Member State of your place of residence, place of work or the place of the alleged infringement - if it is according to the opinion of the data subject, the processing of personal data concerning him/her violates this regulation. GDPR Article 83 Paragraphs (2)-(3) and (5): Administrative fines depend on the circumstances of the given case in addition to or instead of the measures referred to in points a) to h) and j) of Article 58 (2), depending on the circumstances must be imposed. When deciding whether it is necessary to impose an administrative fine or a must be sufficiently taken into account in each case when determining the amount of the administrative fine take the following: a) the nature, severity and duration of the infringement, taking into account the data management in question nature, scope or purpose, as well as the number of persons affected by the infringement, as well as the the extent of the damage they have suffered; b) the intentional or negligent nature of the infringement; c) mitigating the damage suffered by the data controller or the data processor any action taken in order to; d) the extent of the responsibility of the data manager or data processor, taking into account the 25 and technical and organizational measures implemented on the basis of Article 32; e) relevant violations previously committed by the data controller or data processor; f) with the supervisory authority to remedy the violation and the possible negative effects of the violation extent of cooperation to mitigate; g) categories of personal data affected by the infringement; h) the manner in which the supervisory authority became aware of the violation, in particular the fact that whether the data controller or the data processor reported the breach, and if so, what kind with detail; i) if against the relevant data controller or data processor earlier - in the same subject - one of the measures referred to in Article 58 (2) was ordered, in question compliance with measures; j) whether the data controller or the data processor considered itself approved according to Article 40 to codes of conduct or approved certification mechanisms pursuant to Article 42; as well as k) other aggravating or mitigating factors relevant to the circumstances of the case, for example a financial benefit obtained or avoided as a direct or indirect consequence of a violation loss. (3) If a data manager or data processor is involved in the same data management operation or is related to each other with regard to data management operations - intentionally or negligently - this regulation has more also violates its provision, the total amount of the fine may not exceed the most serious violation in case of a specified amount. (4) Violation of the following provisions - in accordance with paragraph (2) - a maximum of 10,000,000 with an administrative fine of EUR, and in the case of businesses, the entire previous financial year can be hit with an amount of up to 2% of its 17-year world market turnover; the higher of the two an amount must be imposed: a) with regard to the data manager and the data processor in Articles 8, 11, 25-39, 42 and 43 specified obligations; (5) Violation of the following provisions - in accordance with paragraph (2) - at most 20,000,000 with an administrative fine of EUR, and in the case of businesses, the entire previous financial year shall be subject to an amount of no more than 4% of its annual world market turnover, provided that of the two a higher amount must be imposed: a) the principles of data management - including the conditions of consent - in accordance with Articles 5, 6, 7 and 9; b) the rights of the data subjects in Articles 12–22. in accordance with Article; (…) Infotv. Section 2 (2): Personal data according to (EU) 2016/679 of the European Parliament and of the Council regulation (hereinafter: general data protection regulation) is the general data protection decree III-V. and VI/A. In Chapter 3, as well as § 3, 4, 6, 11, 12, 13, 16, 17, 21., 23-24. point, paragraph (5) of § 4, paragraphs (3)-(5), (7) and (8) of § 5, § 13 (2) paragraph, § 23, § 25, § 25/G. in paragraphs (3), (4) and (6) of § 25/H. § (2) in paragraph 25/M. in paragraph (2) of § 25/N. § 51/A. in paragraph (1) of § 52-54. §- in, paragraphs (1)-(2) of § 55, paragraphs 56-60 § 60/A. (1)-(3) and (6) of § § 61 (1) paragraphs a) and c), § 61 paragraphs (2) and (3), paragraph (4) b) and (6)-(10) in paragraph 62-71. §, § 72, § 75 (1)-(5), § 75/A. in § and 1. shall be applied with the additions specified in the annex. Infotv. Validation of the right to the protection of personal data based on § 60, paragraph (1). in order to do so, the Authority may initiate an official data protection procedure ex officio. The data protection authority for procedure CL. 2016 on the general administrative procedure. Act (hereinafter: Act) rules shall be applied with the additions specified in Infotv. and the general data protection with deviations according to the decree. Infotv. According to § 61, paragraph (1), point a) in the decision made in the data protection official procedure the Authority a) in connection with the data management operations defined in paragraphs (2) and (4) of § 2, the may apply the legal consequences specified in the general data protection decree, so in particular upon request or ex officio order the unlawfully processed personal data determined by it can be temporarily or permanently restricted in other ways data management. Infotv. Section 61, paragraph (6): Until the expiry of the time limit for filing an appeal against the decision, and in case of initiation of a public administrative lawsuit, until the final decision of the court, affected by the disputed data management data cannot be deleted or destroyed. Infotv. 75/A. §: The Authority is contained in Article 83, Paragraphs (2)-(6) of the General Data Protection Regulation exercises its powers taking into account the principle of proportionality, especially with the fact that the personal regarding data management - in legislation or in a mandatory legal act of the European Union in the case of the first violation of specified regulations, to remedy the violation - that in accordance with Article 58 of the General Data Protection Regulation - you are primarily the data controller takes action with a warning from the data processor. 18 On the detailed conditions for the continuation of accommodation service activities and the accommodation 239/2009 on the procedure for issuing an operating license. (X. 20.) Government Decree 4/A. § (1) According to paragraph prior to and after the first certification, the accommodation certifier is required every three years to request an examination and evaluation of the organization, in accordance with the requirements for the type of accommodation in order to be classified into a quality grade. ARC. Decision IV.1. Data management quality (64) Based on the Applicant's request, the Authority notified both Respondent 1 and Respondent 2 that an official data protection procedure was initiated against them upon request or ex officio. THE The authority's inquiries were received only by Respondent 1, and only he did so during the procedure statement, in all cases from Respondent 2 they came back with a not wanted signal Authority's orders, due to which the Authority imposed a procedural fine on Respondent 2. (65) In his letter dated December 2, 2021, Respondent 1 informed the Authority that the only he is responsible for the examined data management and the cameras installed in the [accommodation]. is considered a data controller. (66) Based on the information revealed during the procedure and the statements of Respondent 1, the Authority states that it was Respondent 1 who determined the purpose and means of data management, he decided on the angle of view of the cameras, after the initiation of the procedure, he made changes to them, and the installation and operation of additional cameras on the property was also his decision. On this in addition, the indicated data management purposes were all intended to serve the interests of Respondent 1, since the primary purpose of data management is to protect the property of the accommodation and hotel guests has been flagged. (67) It should also be noted that the document objected to by the Applicant, prepared on July 26, 2021 camera footage was also saved by Respondent 1 and used against the Applicant's husband infraction and then criminal proceedings were initiated. (68) During the procedure, the Applicant attached an audio recording, on which, according to his statement, The voice of Respondent 2 can be heard, on which the unidentified speaking party states that sees the image transmitted by cameras, including the Applicant and her husband, but the Authority does not had the opportunity to make sure that the other speaking party was Respondent 2 or someone else there is no evidence at the Authority's disposal that would prove beyond a doubt that a recordings were accessed by Applicant 2. (69) In view of all of this, the Authority concludes that with regard to the examined data management Respondent 1 is considered a data controller. Due to this, as well as the fact that Applicant 2 in the meantime, the property was sold and the new owner is on the stamp, the procedure with Respondent 2 has become obsolete, since it does not affect the right or legitimate interest of the case, so the Authority a in relation to the Akr. Based on § 47, subsection (1), point c), the procedure is terminated. 19 IV. 2. Lawfulness of data management through the camera system - general practice (70) Respondent 1 processed personal data using the two camera systems and considering that according to Article 4, point 1 of the GDPR, your natural personal voice, your image is personal data. The people involved can be identified in the recordings, as is well exemplified by They were also contained in the applicant's request. No. 1 camera system personal data, image and it does not record audio, but the image of the cameras and the person in their field of view transmits his natural personal image to the monitor located at the reception [of the accommodation], or, if it is switched on, to a monitor placed in the same room as the recording unit. Given that according to Article 4, point 2 of the GDPR, you are on personal data any operation performed on data files in an automated or non-automated manner or the totality of operations is considered data management, so no. 1. also through a camera system data management under the scope of the GDPR is implemented. (71) No. 2 camera system cameras have a motion sensor and detect motion in this case, they record the image, voice, and activity of the persons concerned who are in their field of vision, that is conversations of data subjects, i.e. also through this camera system according to Article 4, point 2 of the GDPR implements data management Requested 1. (72) The two camera systems and the legality of the data management carried out through them are the responsibility of the Authority it is examined separately, taking into account the differences in the monitored areas and the data management to its different nature. No. 1 findings related to the camera system (73) The 1st camera system consisting of 4 fixed, analog cameras - whose camera is marked CH1 it does not work - it only broadcasts live images, the recordings shown by the cameras are not saved recording. The parking lot inside the [accommodation] and the building from the gate are in the view of the cameras next to it, the road leading to the reception falls into it, as well as a small part of the property's backyard, a with a sidewalk leading to reception. No recreational equipment was placed in this latter area for placement. (74) Requested 1 uniform regulations for the two camera systems, as well as consideration of interests prepared a test, indicating the protection of personal and property as the purpose of data management - detection of possible violations of law, prosecution of the perpetrator, prevention of illegal acts - and as the legal basis for data management, he indicated his legitimate interest in the realization of this goal i.e. Article 6 (1) point f) of the GDPR. (75) With reference to point f) of Article 6 (1) of the GDPR, the personal data is then legal management, if the data management is for the legitimate interests of the data controller or a third party necessary for its enforcement, unless they take priority over these interests concerned interests or fundamental rights and freedoms that protect personal data make it necessary, especially if the child is involved. (76) The European Data Protection Board on the processing of personal data using video devices solo 3/2019. according to point 19 of guideline no. (hereinafter: Guidelines) is real and in a dangerous situation, the purpose of protecting property against burglary, theft or vandalism is a 20 may be considered a legitimate interest in video surveillance. For the legitimate interest indeed it must exist and actually exist at the time of data processing it cannot be theoretical, as the Court of Justice of the European Union stated in C-708/18. brought in case no he also stated in point 44 of his judgment. (77) The Authority in the 1. does not consider it necessary in relation to the cameras of the camera system data management purposes and the proportionality of data management for each camera, since a uniform statement can be made about them. (78) Requested 1, the Authority specifically for damage events that previously occurred at the accommodation he did not answer his relevant question in substance, did not give examples, did not prove cases, only stated that there were previous damage incidents. So Respondent 1 is legal has indicated a data management purpose, to which it may have a legitimate interest recognized by the Board, however, the existence of this legitimate interest was not factually supported or made probable. (79) The Authority no. 1. in relation to the camera system, however, as existing even in its absence considers the legitimate interest related to data management. The reason for this is that No. 1 camera system all three working cameras are aimed at the property, the CH4 camera falls into the field of view partly the top of the railway soundproofing wall, but for monitoring movement on the street in a way suitable for personal identification, this camera is not suitable for both the distance and the camera resolution, both because of the viewing angle. The cameras monitor parts of the property that on which you can get to the area of the property on the one hand, and to the [accommodation] itself on the other hand, and where hotel guests can park their vehicles, and in the meantime on these a in these areas, hotel guests typically only pass through, not to rest or spend meaningful time they use them. Due to the location of these cameras - as they are also clearly visible from the street - have a deterrent effect against unauthorized entry into the property area, or against the commission of other crimes against property. Based on all this, the Authority determines that the operation of these cameras is appropriate for the purpose to be achieved and is considered a necessary safety measure. (80) In addition, the cameras only transmit live images, no recording takes place, which is what it is it realizes a significantly lower degree of interference in the private sphere of stakeholders than if row their personal data would be recorded. Based on all of this, the Authority concludes that 1. s. data management through a camera system is suitable for achieving the goal, data management its scope is proportional to the goal to be achieved, so no. 1. realized by means of a camera system data management is legal, it complies with the regulations of the GDPR. No. 2 findings related to the camera system (81) Due to the more extensive data management carried out with this camera system, the Authority considers it necessary considers that it should be considered separately for each camera that it is data processing carried out by them is necessary, as well as the rights and freedoms of the data subjects does it limit proportionally. (82) As the Authority explained earlier in its decision, asset protection is contingent enabling the subsequent proof of a legitimate data management purpose in connection with damage events 21 in general, but this alone is not enough for data management to its legality. In order to conduct video surveillance on the basis of a legitimate interest data management must be legal, the data management must be proportionate to the goal to be achieved, and the goal it must be necessary to achieve it, as well as the planning and implementation of data management the reasonable expectations of those concerned must be taken into account [GDPR (47) recital]. (83) In the interest assessment test attached by Respondent 1, the individual was not described in relation to cameras separately, that for data management the Respondent 1 exactly what legitimate interest it has - beyond the general wording that for the guests valuable valuables were placed in an open area, i.e. the camera system purpose is primarily asset protection - what are the circumstances that data management make it necessary, or the rights of the data subjects have not been separately identified, as well as their reasonable expectations regarding data management. (84) The Authority in accordance with No. 2 regarding the cameras of the camera system, he refers back to his earlier statement, that the legitimate interest must be real and existing at the start of data processing, data management cannot be continued based on a possible future interest. As the As explained above by the Authority, Respondent 1 did not, despite the Authority's express request presented previous cases that would prove the need for camera data management, whose No. 2 is important in relation to the camera system, since they are on the one hand they are activated for movement, the completed recordings are recorded, on the other hand [the accommodation] is individual were placed in his premises and in his yard with a viewing angle setting that areas, the people concerned not only pass through, but rest and eat there, i.e. here in the case of cameras, it is actually important whether there have been previous events that which would justify the placement of the cameras, since the data management is good for them wider than No. 1 regarding the camera system. (85) Regarding the necessity of operating the camera system, it should be noted that a according to available information, Respondent 1 did not check that the cameraman is there an alternative to data management that is not personal or less personal by handling data. In addition, it was revealed during the evidence procedure conducted by the Authority based on the circumstances, it cannot be declared that there is no alternative to No. 2. camera system to data management carried out through, or it could not be continued in a way that is less impairs the right of data subjects to protect their personal data. (86) Regarding the necessity of data management, Respondent 1 also referred to the fact that a professional expectations for accommodations with four-star pension certification a surveillance of public spaces with a camera. Respondent 1 did not respond to the Authority's question stated what classification system requires this for accommodations, merely he referred to sector expectations, and to the fact that all hotels and pensions operate camera system. According to the photograph taken at the inspection, the accommodation is Panzió Nemzeti has a certification Trademark that is valid until 2024. The accommodation service on the detailed conditions for the continuation of the activity and the accommodation operation license 239/2009 on the procedure for issuing (X. 20.) Government Decree 4/A. According to paragraph (1) of § a accommodation service provider prior to the notification of the accommodation's operational activity, 22 and the accommodation certification organization is obliged every three years after the first certification to request its examination and evaluation, in accordance with the requirements for the type of accommodation in order to be classified into a quality grade. The qualification requirements are the accommodation qualification are published on the organization's website, which is Hungarian Tourism from January 1, 2022 Quality Certification Body Nonprofit Kft., website https://szallashelyminosites.hu/panzio. THE in the criteria system for boarding houses - https://szlashelyminosites.hu/docs/panzio_kriteriumrendszer_utmututatoval.pdf - not included as a qualification criterion, the monitoring of common spaces by means of a camera system, of which therefore, the Authority considers professional expectations as one of the reasons for the operation of the camera system does not consider it acceptable, as well as the argument that other accommodations carry out similar data management. (87) Respondent 1 mentioned in the attached interest assessment test among the processed data that the cameras also record sound, but it was not covered at all in the consideration of interests test to why the audio recording is kept in order to achieve the indicated data management purposes necessary, and why you do not consider the marked available without audio recording data management purpose. According to the Authority's point of view, this is different from image recording data management, the legality of which and the legitimate interest attached to it should have been separate prove to Respondent 1 during the procedure. However, Respondent 1 did not during the procedure presented circumstances that would support the need for audio recording. (88) The Authority's position is that it causes more serious damage to the private sector if the cameras in addition, sound is also recorded, especially considering that the sound recording cannot be viewed as a common practice in the case of asset protection camera surveillance, so it is in the absence of information, those concerned cannot expect the cameras to be their likeness also records their voices and conversations. This is especially true when the cameras they are also activated for some small, non-human movement, and thus the conversation of such persons are also recorded by those who are not in the camera's field of view, to which the SD- The Authority also found an example among the recordings on the cards (record number […]). (89) Based on all of this, the Authority concludes that the 2. no. with the cameras of the camera system audio recording is illegal and violates Article 6 (1) of the GDPR. (90) Further circumstances of data management, the proportionality and necessity of data management, and thus the legality of the Authority in the 2. no. in relation to some cameras of the camera system a further examined separately, due to the differences in the areas observed by them. A camera located in the dining room (91) In the dining room, Respondent 1 considers the camera system necessary operation, because there are several refrigerators in which, on a general basis, they continuously store hundreds of thousands of forints worth of alcoholic drinks, other drinks and foods. (92) During the on-site inspection, the Authority established that the camera located in the dining room only one refrigerator falls into his field of vision - only the corner of it when it is closed -, 23 in which only non-alcoholic soft drinks were placed during the inspection, and of which a guests served themselves freely. The alcoholic beverages Requested 1 is a smaller one stored in a refrigerator, which is protected by a padlock. (93) Due to the placement of the camera, however, not only this one piece of refrigerator falls into the into the camera's field of view, but the tables placed there, at which the guests are they complicate their meals. (94) According to the Authority's point of view, the implemented data management is not proportionate to the desired goal for property protection purposes, since, on the one hand, contrary to the claim of Respondent 1, the camera hundreds of thousands of forints worth of food was not stored in the refrigerator within sight or alcoholic beverages, on the other hand, protecting the contents of the refrigerators is simple would be with the lock installed on the coolers - as is the case with the cooler containing small alcohols also happened - or by placing a lockable refrigerator in advance, i.e. it is not for the goal to be achieved need for data management. (95) In relation to the secondary purpose - that is, if there is any decrease in assets causative event, so that the circumstances of the case can be revealed - Applicant 1 no made it probable that this is a real interest existing at the time of data processing, i.e. that you can realistically expect to damage the refrigerator or any food in it to steal a drink. The Authority further notes that in the event that the Applicant 1 would have proved that he has a legitimate interest in the camera monitoring of the refrigerators, so even in that case, it would have been possible to place the camera in such a way, and the angle of view would have been such to monitor only the refrigerator and not the entire refrigerator dining room, subject to Article 5 (1) point c) of the GDPR. (96) The Authority also notes that in the present case, the current position and angle of view of the camera in addition, he would not consider it sufficient if Respondent 1 were to mask the room outside the refrigerator parts, as the camera in its current position would create a sense of observation in this also in the case of those involved, who would not be able to ascertain in any way that the camera image has actually been masked. (97) The Data Protection Board 3/2019. s. guidelines and recital (47) of the GDPR consideration of the interests of the data controller and the rights and freedoms of the data subjects the reasonable expectations of the stakeholders must be taken into account. According to the Guidelines, it is reasonable expectations of stakeholders should not be determined subjectively, but according to the fact that whether an objective third party can reasonably calculate and infer in the given situation to be observed. (98) According to paragraphs (37)-(38) of the Guidelines, those concerned may expect not to be observed them in public places, especially if these places are typically for recuperation and rest and used for recreational activities as well as in places where individuals stay and communicate, for example in lounges, at restaurant tables, in parks, in cinemas and fitness facilities. In this case, the interests or rights of the data subject and your freedoms often take precedence over the legitimate interests of the data controller. (99) Hostel guests typically come [to the accommodation] to relax, have breakfast there, they talk, organize their day. During these activities, their observation and 24 in particular, the recording of their conversation is particularly disadvantageous for those involved and in general it is not necessary for the purpose indicated by Respondent 1. The Guidelines emphasize that it is signs informing the person concerned about video camera surveillance are irrelevant when establishing the objective expectations of the stakeholders. Consequently, in connection with the data processing carried out by the camera placed in the restaurant you cannot rely on the fact that one has been placed on the side of the self-service counter area board observed with a camera, and especially not because of the fact of audio recording Respondent 1 did not draw the attention of those concerned anywhere. (100) During the inspection, the Authority made a copy of a recording on which, on the one hand, workers packing up and cleaning after a meal can be seen, on the other hand, one a hotel guest sitting at one of the tables with a laptop, working, talking on the phone, then heading for the heat she stands up with respect and fans herself with her skirt while walking in such a way that a the recording also shows her underwear or the bottom of her swimsuit (video file named […]). All of these on the basis of which it can be stated that the hotel guests did not and do not reasonably count they could expect to be watched in the dining room. (101) The Authority finds that Respondent 1 illegally operates the camera in the restaurant and illegally observes the hotel guests staying there, eating and conversing, thereby in violation of Article 6 (1) of the GDPR. A camera monitoring the panoramic jacuzzi on the terrace (102) The necessity of the camera directed mainly at the jacuzzi was justified by Respondent 1 by saying that the jacuzzi is worth several million forints, so data management is necessary to protect your property. (103) The camera is mainly aimed at the jacuzzi, but e.g. shouting from the yard to the terrace also records ([…]; […]). (104) In view of what was explained in the previous subsection, the Authority does not consider it to be the desired goal proportional to the fact that Applicant 1 typically sees hotel guests in bathing suits, resting, he observes and records them while relaxing. There are several couples in the recordings, who hug each other, kiss in the jacuzzi, others are naked or half-naked they bathe, take pictures of themselves in bathing suits, and children also use the jacuzzi ([…]; […]; […]). Based on the recordings, the people involved did not count at all, and reasonably not they could also count on being told about them while using the jacuzzi, while relaxing intimate moments are recorded. According to the Authority's point of view, it may play a role in this also that Respondent 1 also sells packages that include a private panoramic jacuzzi use is promised, which may give those concerned the impression that the panorama is a Jacuzzi they are actually alone while using the jacuzzi, no one is using them disturbs them, which includes not observing them while bathing with a camera. (105) The Authority considers it necessary to state here again that the sign observed by the camera according to the Guidelines, its location is not relevant when determining that it is stakeholders, what their expectations may be objectively. Also, the area monitored by the camera Based on 25 signals, those involved could not even expect that the camera would not only transmit live images, but also records the recordings. (106) The Authority also does not consider the argument regarding the top of the jacuzzi to be acceptable, since the image of the camera cannot be followed live via a monitor in the accommodation, as in No. 1. in the case of a camera system, and for viewing the recorded camera images, Applicant 1 according to his statement, it will only take place in justified cases, with the recording of minutes - log files in its absence, the Authority could not be convinced of this - i.e. the statement of Respondent 1 system established according to is not suitable for the Applicant to check that the have guests put the top of the jacuzzi back on. (107) Based on all of this, the Authority concludes that Respondent 1 illegally operates the a camera aimed at the jacuzzi and illegally records the voice and image of the persons concerned there, activities, thereby violating Article 6 (1) point f) of the GDPR. The camera facing the inner courtyard (108) The camera facing the inner courtyard on the door of one of the apartments opening from the courtyard, the one in front partly with garden furniture, to the yard, the jacuzzi located there is approx. in half, on the bath tub, and it is directed to the waterfront terrace and pier and a part of Lake Balaton. (109) According to Respondent 1, the purpose of monitoring the inner courtyard with a camera is to protect property, in the event of a possible theft or break-in, there is a high chance of being identified by the cameras facing the inner courtyard they know the perpetrator of the crime. (110) The Authority does not dispute that a certain degree of monitoring of the inner courtyard may be necessary prevention of potential crimes against property, or in the event of their occurrence in order to reveal them, as the Authority in no. 1 camera system marked CH2 he also explained about his camera. A significant difference between the viewing angles of the two cameras is that No. 1 the rear camera of the camera system, facing the inner courtyard, does not record footage on the one hand, on the other hand, it is directed only to the part of the sidewalk where the entrance to the accommodation is located, and it is a thin one lane from the part of the yard next to the sidewalk. In these areas - as the Authority previously did also described - hotel guests typically only pass through this area to rest, not used for recreation. On the other hand, no. 2 camera system for the inner courtyard only areas where the hotel guests are in the field of view of the camera they rest and relax, in many cases in bathing suits, e.g. Jacuzzi, hot tub. Also on camera the movements and activities of hotel guests who are in the camera's field of view can be followed they stayed in the second apartment, who usually use the one located in front of the apartment also garden furniture, they talk and relax there. (111) The Authority's position is that at the time of the inspection, the camera's field of view is much wider made monitoring possible, as was necessary to achieve the data management goal, since for property protection purposes, only the entrance leading to the reception of the accommodation would be sufficient camera surveillance, which does not require the hotel guests to be at rest observation. In addition, according to the Authority's point of view, the concerned parties reasonably do not they can count on video and audio recording of their movements in the hotel yard, 26 as it is an area for recreation. Based on all of this, the Authority determines, that Respondent 1 is illegally fixing the inner yard beyond the necessary extent with a camera aimed at the voice, likeness, and activity of the data subjects, in violation of the GDPR Article 6, paragraph 1, point f). The camera above the reception desk (112) The camera above the reception desk captures the reception desk from above, the person behind it employee or employees, or the cabinet placed next to the wall, as well as the hotel guests, whose faces are only visible when they are very close they go to the counter and lean over it a little or lean on it, if someone just he passes by the counter, his face is not visible in the footage. The store manager is in the camera's field of view monitor used by is not included. (113) According to the statement of Respondent 1 dated August 28, 2022, the reception desk with a camera monitoring also has the purpose of asset protection, since according to his statement, the guests they regularly pay in cash. This statement was copied by the Authority during the inspection - 19 days - supported by camera footage. (114) In view of this, the Authority does not consider data processing to be excessive, and considers that the Claimed 1's legitimate interest as there is actually cash flow at the front desk where the money box serving as the house cash register was also placed. Furthermore, the reception desk is not it is located in a closed space, it cannot be fenced off separately, as the reception also opens to an apartment from the side. (115) According to the Authority's point of view, from the business manager's job and the nature of the job therefore, the camera above the reception desk is not suitable for monitoring the employee, or a to measure his performance, since the tasks of the business manager are not limited to those that you must finish sitting at your desk. (116) Based on this, the Authority concludes that Respondent 1 legally installed the camera above the reception is operated, its legitimate interest – asset protection, monitoring of cash payments – data processing carried out in order to enforce typically the business manager's right to protect his personal data, the restriction does not can be considered excessive. IV.3. Violation of the principle of limited storage capacity (117) According to Article 5 (1) of the GDPR, personal data must be stored in such a form to happen, which identifies the data subjects only for the purposes of processing personal data for the time required to reach it. (118) According to the statement of Respondent 1, the purpose of data management through the camera system is a it was property protection. In this regard, the camera regulation 6.2. for recording in point it was decided that, in the absence of use of the recorded images, the Applicant 1, at most a it is stored for 3 days from the date of recording, as the general person and 27, compared to property protection purposes, no special reason arises, which has a longer content would justify data retention. In the absence of use, the recordings will be on the 3rd day from the recording are automatically deleted. (119) According to the Authority's point of view, the retention period of the camera recordings is adequate, as it was intended to be has been defined proportionally to the purpose in the camera regulations, since if it is of any kind a crime against or other event involving property damage occurs, within 3 days Respondent 1 will certainly detect and take appropriate action on the recordings in order to save. (120) However, the Respondent did not take any measures against the provisions of the camera regulations in order for the recordings to be deleted after 3 days, he did not apply such a setting on the cameras, and placed relatively large SD cards in the cameras, which thus they can store much more than 3 days of recordings. (121) At the time of the inspection, no. 2 camera system directed to the inner courtyard and in the dining room on the SD card of its cameras for 15 days, while for the jacuzzi and the reception the SD cards of the cameras had recordings going back 19 days. (122) The Authority considers these retention periods neither necessary nor proportionate in relation to a camera system operated for property protection purposes, therefore it states that Respondent 1 violated the limited liability under Article 5 (1) point (e) of the GDPR storability principle. IV.4. Information about camera data management (123) In the case of data management through a camera system, the data controller is the personal data is collected from the data subject, therefore the obligation to provide information according to Article 13 of the GDPR is sufficient to the data controller. (124) In relation to the information, the Authority primarily reviewed the website of Respondent 1, where separately there is no data management information or data protection tab. By clicking on the Reservation menu item at the bottom of the page there is a clickable menu item called Data Management Policy, however it redirects to the GTC. (125) In point [...] of the Terms and Conditions on the website, under the heading Obligations of Guests, call the the attention of guests and potential guests that it operates a camera system [a accommodation] area: "[…]" In addition, they can be found in point [...] of the General Terms and Conditions with data management related information, e.g. newsletter subscription, transfer of personal data request for authority, etc. (126) During the inspection, the Authority came to the conclusion that it was not found anywhere in the building detailed for posting, containing all the conditions of camera data management information sheet. The camera policy was found at the reception, although it was not posted, therefore, guests cannot access it without a special request. Area under surveillance sign was placed in several places - at the entrance to the jacuzzi and the self-service in the dining room on the side of the counter - however, the boards did not contain any additional information beyond the fact of data management. 28 In addition, information was not posted or placed in any other way in the rooms about data management through a camera system. (127) As a result, the Authority disputes the interest assessment test made by Respondent 1 statement that "guests are informed on signs placed in a clearly visible place on data management, on the basis of which the purpose and method of data management are broadly and clearly defined understandable." (128) The Article 29 working group on transparency under Regulation EU 2016/679 according to its guidelines (WP260), information is easily accessible if the person concerned you don't have to search for the information; it must be immediately visible to him that the information where and how it can be reached, for example by providing information directly, to the data subjects directing to information or clearly marking the path leading to information. The according to point 11 of the guideline, those data controllers who have a website know that make information about data management easily accessible, if it is on their website are made accessible. Direct to this data protection declaration, information link must be clearly visible on all pages of the website. (129) Respondent 1 did not post detailed information on camera data management on its website information, as well as information related to data management, was not separated by it from GTC, i.e. did not draw the attention of hotel guests or potential hotel guests to the on the website that a camera surveillance system is operating in the area [of the accommodation], that a can already count on data management when booking, and that hotel guests need in the event that the staff of the accommodation can easily obtain information about data management without involving. In addition, Respondent 1 did not have an easy time at the accommodation made the information about camera data management available, did not post it, or placed one copy of each in the rooms, i.e. in the absence of active behavior of the affected person the essential elements of data management were not available to those concerned. Based on this, the Authority states that it is related to data management, according to Article 13 of the GDPR Respondent 1 did not make information easily accessible to any person concerned, thereby violating Article 12 (1) of the GDPR. (130) The Authority also notes that the Guidelines per se apply to camera data management does not consider the posting of warning signs to be a sufficient measure, if the additional does not contain minimum information: identity of data controller, purpose of data processing, rights of data subjects, information about the biggest effects of data management, e.g. data controller for data management its legitimate interest. It must also include the availability of the complete prospectus. On this the signs posted by Respondent 1 did not meet this requirement. (131) Respondent 1 does not have a separate data management information sheet for camera data management information regarding its circumstances is contained in the camera regulations According to Respondent 1's statement dated December 2, 2022. The camera policy is In connection with data management, there is also a lot of wrong or difficult to interpret information contain. On the one hand, text formulation and accurate knowledge of camera images in the absence of 3.1. The figure placed in point is not suitable for the people concerned get to know the scope of data management and the viewing angle of the cameras, on the one hand, its small size 29, on the other hand, because the function of the rooms was not indicated on the drawing. The policy on the other hand, it does not mention that the cameras marked in blue - these are the cameras that In December 2021 and June 2022, according to the statements of Respondent 1, not yet were put into operation, while they were already being installed when the second declaration was made were installed and operated - what the stakeholders need to know. (132) In relation to the scope of data management, neither the camera regulations nor the posted signs they provide information that the cameras also record sound, which is part of the data management a very significant, not-to-be-ignored circumstance, to which, moreover, the affected parties they could not reasonably count, since there is no particularly clear reason which would support the need for audio recording and the general practice of data controllers in case of operation of cameras, that they do not record sound. (133) In point 4 of the camera regulations, Respondent 1 stated that "The cameras in monitored areas, the purpose of camera surveillance is with less restrictive measures was not available.", even though Respondent 1 did not carry out the consideration of interests at all separately in relation to the camera, on the other hand, on the merits according to the weighing of interests test it did not even examine the possibility of alternative solutions, i.e. data management it gave incorrect information regarding its inevitability and its proportionality to those concerned. (134) The 4.2. point, it is also mentioned that the duration of data management is required by law adjusts, and then further refers to point 6, according to which the recorded recordings are not used store it for up to 3 days and the recordings are automatically deleted on the 3rd day. On the one hand, of 2005 on personal and property protection and the rules of private detective activity. year CXXXIII. the rule of the law - 31/A. Section (2) - which was determined in 3 working days and the duration of storage of camera recordings, expired on April 26, 2019, i.e. wrongly informed those concerned about the duration of the storage of the camera recordings determined by law. On the other hand, contrary to what was stated in the information sheet, he did not measures to ensure that camera recordings are deleted within 3 days, a cameras have large SD cards - 32 and 128 GB - and the review according to his testimony, the recordings were available 15-19 days ago. (135) The Authority further notes that in the camera regulations, the Authority until September 1, 2020 valid contact information has been indicated, although the regulations came into effect on July 1, 2021 into force. (136) Based on all of this, the Authority concludes that Respondent 1 violated Article 13 of the GDPR Paragraphs (1)-(2), since the camera regulations, which also serve as information, incorrectly, or misleadingly informed those concerned about the handling of their personal data. IV.5. Obligation to cooperate with the Authority (137) According to Article 31 of the GDPR, the data controller, in the course of carrying out his duties, shall communicate with the supervisory authority - based on its inquiry - cooperates. 30(138) According to the Authority, Respondent 1 did not cooperate with the Authority during the procedure provided untrue, incorrect or incomplete information to the extent necessary, in several cases a For inquiries from the authority as follows. (139) Respondent 1 stated in his statement dated December 2, 2021 that July 2021 The recording made on the 26th, which was affected by the Applicant's request, is not available to you, and then that nevertheless sent it to the Police Department on January 4, 2022, and presented the technical as an expert on March 1, 2022. When the Authority asked about this contradiction, Respondent 1's legal representative stated that Respondent 1 made a false statement, which explained that the video was no longer available on the camera software because the SD the recordings are automatically deleted from the card, however, the recording is expressed by the police was saved at his request, and presumably about this saving, the manager of the Respondent a he forgot when making the statement. In this case, according to the Authority's opinion, at the latest On January 4, 2022, you should have noticed that the recording was still available to you, and that then he should have sent it to the Authority. In contrast, his statement is not amended, the recording was not released by the Authority's order, which the Authority finally a he obtained a recording from the Police Department, which recording was requested by the Applicant was of particular importance from the point of view, since without it the Authority would not have been able to without a doubt, make sure of the camera's setting and angle of view. (140) On December 2, 2021, Respondent 1 stated that the cameras marked in blue on the floor plan they are not working yet, they are only planning to put them into operation. On May 17, 2022, in its order a The authority asked whether the planned cameras had been put into operation Respondent 1 received a negative response on June 7, 2022. In contrast, Respondent 1 to the same statement he has already attached photographs based on which it could be established that the planned cameras were installed on the property, which a were already in operation at the time of the inspection, i.e. Respondent 1 did not provide complete information about the data management carried out by him at the request of the Authority. (141) Respondent 1 also gave evasive answers to a number of the Authority's questions, e.g. what kind of classification system requires the operation of a camera system for accommodation facilities according to his point of view. He also did not inform the Authority that it was sold by Respondent 2 property on which [the accommodation] is located, although he was aware that in the proceedings Respondent 2 is also a customer. (142) Based on these, the Authority concludes that Respondent 1 violated Article 31 of the GDPR. (143) In its order dated November 8, 2022, the Authority imposed a procedural fine on Applicant 1, because, despite a second invitation, he did not provide information that during the period under review, How many people stayed [at the accommodation] between July 2021 and October 2022, in the absence of the Authority was unable to determine the number of those affected. As a result, the Authority on this evaluates the behavior as contrary to Article 31 of the GDPR, however, during the imposition of the fine, it already does not take into account the fact that he was sanctioned earlier during the procedure. IV.6. Assessment of the Applicant's request (144) In its application for the data protection authority procedure, the Applicant requested that the Authority establish and that the cameras installed and operated by the Applicants at [accommodation] are illegal They carry out 31 data management. He requested that, for this reason, he prohibit the access to the Applicant's property the continuation of surveillance with a camera, the recording of the observed and order it termination, as well as the destruction of illegally made recordings, and also prohibit it enjoin the Respondents from further infringement and enjoin the Respondents, as well as impose out data protection fine. (145) The on-site inspection conducted by the Authority on July 5, 2022 without prior notification established that at the time of the inspection the cameras of both camera systems were as such setting that they were not suitable for the Applicant's property, the applicant and his family to monitor your activities on the property. The Applicant is dated July 11, 2022 in response to his statement, the Authority considers it necessary to point out that the 1. no. camera system 4.'s camera - as it was already recorded earlier in the factual part of the decision – is not suitable for monitoring the Applicant's property, only the The property used by applicant 1 and the row of fences between the two fences can be seen. (146) The recording related to the damage to the fence can be found in no. 2. belonging to a camera system, a on the terrace, it was recorded by the camera placed above the jacuzzi, which on July 26, 2021 according to the available recordings, it was determined that the Applicant was suitable his property, to observe the activities there, as the two fell into his field of vision fence separating the plot, as well as a small part of the Applicant's garden with the willow tree and Lake Balaton. (147) According to Respondent 1, the monitoring of the Applicant's property with a camera, and the legal basis for recording what happened there (audio and image recording) is Article 6 (1) of the GDPR he had a legitimate interest according to paragraph f), which is his property, or Respondent 2 related to the protection of his property. He further explained that, in his opinion, the Applicant monitoring of his property did not reach the required level, since on July 26, 2021 the camera did not record the events that took place in a way that left no doubt to determine whether the Applicant's husband damaged the fence or the fence its concrete element cracked due to a construction error. (148) The Authority does not share the position of Respondent 1. According to the position of the Authority, a it is considered a serious interference with private life if someone destroys another person's property, continuously monitors your movements and activities on the property. Camera surveillance only in the rarest of cases can it extend beyond the boundary of its own property, and in such cases it is legitimate interest in data management and the restriction of rights implemented on the basis thereof it must be proportionate to the objective to be achieved. (149) According to the Authority's point of view, the continuous monitoring of a part of the Applicant's property, a Recording the movements, activities and conversations of the applicant and his family there - with particular regard to the fact that it is a property on the shores of Lake Balaton, i.e. the Applicant and her family is likely to be there often in bathing suits, as on July 26, 2021 it was also done in the recording - it cannot be considered proportionate as indicated by the Applicant 1 for property protection purposes. The circumstance to be taken into account in relation to the proportionality of data management is also that the Applicant and his family did not know that Applicant 1 equipped camera is also partly aimed at the area of their property, which is obviously recreational purposes are used. Information referred to by Respondent 1, of which audio recording 32 is attached, even though it cannot be considered adequate information, since it is another, no. 1. related to a camera belonging to a camera system, or the appropriate information in itself nor would it make the data processing carried out by Respondent 1 legal. (150) During the procedure, Respondent 1 attached a general interest assessment test, which however, it only covered the data management carried out in the hotel area - not enough for that with detail - it is not mentioned that the camera surveillance covers a Also for the applicant's property. As Respondent 1 admitted, on camera implemented data management was not suitable for achieving the goal, it did not serve a clear purpose as evidence in infringement and then criminal proceedings regarding vandalism. THE However, the authority does not draw the same conclusion from this as Respondent 1, that a the level of monitoring was too low, but that the data management was not suitable for the purpose access, and was also disproportionately limited by the personal data of the Applicant and his family their right to protection and to the inviolability of their private sphere. (151) Based on all of this, the Authority concludes that Respondent 1 unlawfully observed the Applicant's property and unlawfully handled the personal data of the Applicant and his family, thereby violating Article 6 (1) of the GDPR. (152) In its application, the Applicant requested that the Authority oblige the Respondents to unlawfully to delete recorded recordings. The Authority is only aware of one recording on which the Applicant appears, and this was taken at the fence on July 26, 2021 camera recording, which he initiated as evidence for the vandalism used in criminal proceedings. For this use, according to the Authority's opinion Respondent 1 had a legitimate interest, as the admission was for the enforcement of his legal requirements and it was used for the purpose of protection, which is a legitimate interest also named by the GDPR. The vandalism in the meantime, the infringement or criminal proceedings initiated due to the Police Department have been completed terminated the procedure in the absence of a crime, and Respondent 2 was aggrieved by the decision against which he had no legal recourse. Consequently, the procedures in which the recording were used as evidence, they are no longer used in the present proceedings He requested, but the Police Department made the recording available to the Authority, that Respondent 1 did not attach it as evidence to the Authority's request. As a result, the Authority states that since the procedures where Applicant 1 as evidence used the recording depicting the Applicant and his family members, they have been legally terminated, so it is the purpose of data management has ceased, the legitimate interest in data management no longer exists. (153) According to the statement of Respondent 1, the representation of the Applicant was carried out accordingly to delete camera recordings. IV.6. The Applicant's request for the imposition of a fine (154) The Authority rejects the Applicant's request for the imposition of a data protection fine, as this the application of a legal consequence does not directly affect the rights or legitimate interests of the Applicant, such a decision of the Authority does not create any right or obligation for him, as a result with regard to the application of this legal consequence falling within the scope of public interest enforcement - a regarding the imposition of fines - the Applicant is not considered a customer under Art. Section 10 (1) 33, so there is no place to submit an application in this regard, the submission is based on this part cannot be interpreted as a request. IV.7. Motions for Evidence (155) In the Applicant's submission to the Authority on December 8, 2022, a large number made a comment and motion for evidence. (156) The Applicant made a motion for proof that the Authority should contact […] Police Department, and obtain by the executive of Respondent 1 on March 30, 2021 the the document of her report against her husband, as well as the report of the arriving police officers about on-site action. He considered this necessary in order to provide support avoid that the camera systems operated by Respondent 1 during this period cameras were set up in such a way that they were suitable for public areas for observation. According to the Authority's point of view, this evidentiary motion is so hypothetical refers to illegal behavior which, based on the Applicant's request, did not occur before the subject of the procedure, and the submission of a motion for proof in itself cannot be considered a request extension, and the Applicant did not make it likely that this data management in respect of which he is considered to be affected, only during the conversation referred to by him statements that her husband can be seen in the broadcast image of a camera. (157) In addition, the Authority ex officio fully examined the The data processing carried out by means of camera systems operated by Respondent 1 was examined period, an on-site inspection was conducted in the case, the facts are the request revealed to the extent necessary for assessment and decision-making. The position of the Authority taking into account the findings made above and the provisions of the statutory part, there is no need to contact the […] Police Department, thus this evidence motion ignores. (158) As an additional motion for evidence, the applicant requested that the Authority make new statements obtain from Respondent 1 in relation to the audio recording you have attached for the purpose of certifies that the Applicant has been informed about the operation of the camera system, and a In relation to Respondent 1's claim that the fence is not on the real plot boundary. The Authority a in terms of clarifying the facts, Respondent 1 does not consider this necessary his statement in the questions given that he did not accept it in the attached audio recording audible conversation as adequate information about data management, nor the Respondent 1 did not support his argument regarding the plot boundary, so these statements are further the examination of his circumstances would only hinder the completion of the procedure, the disclosure of the facts and they are not important from the point of view of (159) The Applicant also initiated as a proof motion that the Authority is newer invites Respondent 1 to make a statement in No. 2 for camera system recordings regarding access. According to the Authority's point of view, not for the assessment of the Applicant's request it is necessary for the Authority to accurately reveal to the minute that the applicant's 1 manager and where was the store manager on July 26, 2021, the recording he objected to was completed, rescue or at the time of the police's arrival, since the violation is in the absence of knowledge of these could also be established, and during the procedure, no information regarding that the camera footage taken on July 26, 2021 was illegally accessed by a third party person, so the Authority does not consider it necessary to investigate these circumstances. The Applicant furthermore, he also made a motion to clarify circumstances that the Authority considers him to be already revealed during the evidentiary procedure, and about which the Applicant was informed within the framework of ensuring the right to inspect documents, e.g. which camera made the objectionable recording, 34 which part of the fence was visible in the recording, was it recorded, when did you attach the recording in criminal proceedings, etc. (160) The Applicant also requested the Authority that the site plan attached by Applicant 1 and the based on a photo taken by him earlier from a camera installed on the side of [the accommodation]. determine the previous angle of view of this camera and the extent to which this camera was suitable for monitoring his property. According to the Authority's point of view, this is evidential motion is, on the one hand, unfulfillable, and, on the other hand, significant from the point of view of the Applicant's request does not hold, the legal consequences requested by him are the 1. for camera system CH4 Even in the absence of knowledge of his "previous" angle of vision, they were revealed during the procedure based on other evidence. (161) The requirement that the factual situation is well-founded in official cases does not mean that it is the acting authority must establish all the circumstances of the case step by step. THE The authority is only obliged to reveal the facts to the extent necessary for decision-making. THE the facts could be established in sufficient depth, the additional proposed by the Applicant even without proof, and based on the established facts, the Applicant's requests can be assessed they were. (162) On the basis of the above, the Authority conducts the proof according to the evidentiary motions ignores. In this round, the Authority based on the evidence at its disposal, the facts sufficiently revealed, and his obligation to clarify the facts is not unlimited. IV.8. Legal consequences, decision on the application (163) At the request of the Applicant, the Authority determines that Respondent 1 unlawfully observed a part of the Applicant's property and thus unlawfully handled by the Applicant personally data, thereby violating Article 6 (1) of the GDPR. Due to the violation, the Authority is the GDPR Based on Article 58, paragraph (2), point b) it convicts Respondent 1. (164) The Authority rejected the Applicant's request to prohibit Respondent 2 from the continuation of camera surveillance on your property and order its termination, rejects, given that the camera has 26 July 2021 and 2 December 2021 made a modification between it includes the property of the Applicant. (165) The Authority granted the Applicant's request in accordance with Article 58(2)(f) of the GDPR prohibits Respondent 1 from operating a camera system in the future in such a way that in the process observe the Applicant's property and thus unlawfully treat the Applicant and your family's personal information. (166) The Authority ex officio finds that Respondent 1 is unlawful, Article 6 (1) of the GDPR conducts data management in conflict with paragraph 2 of Art. camera system jacuzzi, restaurant and the interior by its cameras monitoring the yard. (167) The Authority finds ex officio that Respondent 1 violated Article 5 (1) of the GDPR the principle of limited storability according to paragraph e). 35(168) The Authority ex officio finds that Respondent 1 violated Article 12 (1) of the GDPR paragraph, as the information regarding camera data management was not provided by the data subjects easily accessible to him. (169) The Authority finds ex officio that Respondent 1 violated Article 13 of the GDPR when did not provide adequate information about the data management carried out through the camera system. (170) The Authority ex officio, on the basis of Article 58 (2) point f) of the GDPR, prohibits Respondent 1 for him, the dining room, the panoramic jacuzzi, and the inner courtyard are for relaxation parts, such as the jacuzzi and the hot tub, through the camera system, as well as from the yard the observation of the opening doors of apartments and the area for rest in front of them and orders the decommissioning of the cameras directed at them. According to the Authority's point of view, the camera system in relation to the above areas Unlawful data processing that takes place cannot be remedied in any other way, it is personal to those concerned their right to data protection cannot be ensured in any other way. According to the Authority, there is none nor can a legitimate interest be shown on the data controller's side that would support and would justify the monitoring of the guests through a camera system and their personal data treatment in rooms for recreation and relaxation, where their expectations are reasonable otherwise they would not be able to be monitored - their personal data would not be processed - thus in the dining room, at the panoramic jacuzzi and in the relaxation areas of the inner courtyard. (171) The Authority ex officio, Article 58 (2) point d) of the GDPR and Infotv. Section 61, paragraph (1). on the basis of point a) is ordered by no. 2 camera system monitoring the jacuzzi, restaurant and the inner courtyard the deletion of all recordings recorded by its cameras, given that they were made by the according to the provisions of this decision, it took place illegally. (172) The Authority ex officio instructs Respondent 1, based on point d) of Article 58 (2) of the GDPR, to transform its information practices related to camera data management in a way that that it fully complies with Article 12 (1) of the GDPR and Article 13 of the GDPR. article, and take it into account when developing the information practice Regarding the guidelines and the accessibility of the information referred to in the Decision, WP260. working group opinion no. (173) The Authority examined ex officio whether due to the established violations, the Imposition of a data protection fine against Respondent 1. (174) In this context, the Authority is required by Article 83 (2) of the General Data Protection Regulation and Infotv. 75/A. considered all the circumstances of the case based on §. Given the circumstances of the case, it is to the nature of data management, therefore the Authority established that it was revealed during this procedure in case of violation, the warning is neither a proportionate nor a dissuasive sanction, therefore it is necessary to impose a fine on the basis of Article 58 (2) point (i) of the GDPR. (175) The violations committed by Respondent 1 are Article 83 (5) of the General Data Protection Regulation According to points a) and b) of paragraph 1, the category of fines with a higher amount is more serious constitute a violation of law, not including the violation of Article 31 of the GDPR. With attention to 36 Article 83 (3) of the GDPR, based on the nature of the violations, the maximum fine that can be imposed limit is 20,000,000 based on Article 83 (5) points a) and b) of the General Data Protection Regulation EUR, or a maximum of 4% of the total world market turnover of the previous financial year. (176) According to Respondent 1's balance sheet for the year 2021, the net sales revenue was HUF […], the amount of the imposed fine is […] % of the net sales of Respondent 1. (177) During the imposition of fines, the Authority assessed the following circumstances as aggravating circumstances: • Violations committed by Respondent 1 - excluding Article 31 of the GDPR violation - in terms of their nature, they are considered a more serious violation, since Requested 1 principle, related to the legality of data management (legal basis) and affected violated provisions on rights [GDPR Article 83 (1) point a)]; • Implemented by Respondent 1 by operating camera system No. 2 violations persisted for a long time, more than a year - on July 27, 2021 definitely carried out illegal data processing - and also at the time of the decision exist [83. Article (2) point a)]; • According to the statement of Respondent 1, approximately 1,300 in the examined period stayed [at the accommodation], i.e. the number of people affected can be considered high. The examined period, the number of hotel guests could not be precisely determined to the fact that data can only be retrieved from NTAK going back one year, while IFA on the declaration forms, the number of guest nights, not the number of guests will be registered. That is, the number of those affected is only approximate, the registered guest nights and the average days spent [at the accommodation]. could be determined as a quotient. [83. Article (2) point a)]; • The voice and likeness of the persons concerned due to the nature of the data processing carried out does not constitute a special category of personal data, however, for the jacuzzi and the interior in the field of view of the camera, the hotel guests are regularly in bathing suits are staying, and the Applicant is also wearing a bathing suit made for him on camera. According to the Authority's point of view, it is more harmful to those concerned data management through the camera system results in a situation, if not in the recordings in general street clothes, but in more incomplete clothes, such as in a bathing suit are included. Use of the jacuzzi based on the recordings of the camera located at the jacuzzi several guests took off their bathing suits during a camera shot of another guest without a top and without swimming trunks, or more the camera recorded the party in an intimate position. According to the Authority's point of view, the personal data recorded by a camera placed at the jacuzzi its illegal handling has greater material weight. [GDPR Article 83(2)(a)]. (178) During the imposition of the fine, the Authority assessed the following circumstances as mitigating circumstances: • the sign of the area monitored by the camera has been placed at the jacuzzi, so if the recordings not to record it, but those concerned could count on camera data management, and it is those involved were also involved in the fact that they were photographed without swimwear camera recordings [GDPR Article 83(2)(k)]; 37 • the established violations can be considered negligent in nature, the Authority on intentionality no suggestive circumstance was revealed during the official data protection procedure [GDPR Article 83 (2) paragraph b)]; • Respondent 1 has not previously committed a data protection matter under the scope of the GDPR breach of law [GDPR Article 83(2)(e)]; • during the procedure, Respondent 1 canceled the audio recording by means of cameras Regarding the cameras of camera system No. 2 [GDPR Article 83 (2) f) point]; • the Authority exceeded Infotv during the procedure. 60/A. Administrative according to paragraph (1) of § deadline [GDPR Article 83 (2) k)]. (179) The Authority also took it into account - but not as a mitigating or aggravating circumstance understood - that the established data protection violations do not affect personal data special category [GDPR Article 83 (2) point (g)]. (180) The Authority did not consider the general data protection regulation relevant when imposing the fine circumstances according to points c, d, h, i, j of Article 83 paragraph (2), since they are specific to the case cannot be interpreted in connection with (181) The amount of the fine was determined by the Authority acting within its statutory discretion yes. (182) On the basis of the above, the Authority made a decision in accordance with the statutory part. A. Other questions (183) The competence of the Authority is defined by Infotv. Paragraphs (2) and (2a) of § 38 define it, and its competence is covers the entire territory of the country. (184) The decision in Art. 80-81 § and Infotv. It is based on paragraph (1) of § 61. The decision is in Art. Based on § 82, paragraph (1), it becomes final upon its publication. (185) The Art. § 112, and § 116, paragraph (1), and § 114, paragraph (1) with the decision on the other hand, there is room for legal redress through a public administrative lawsuit. (186) The rules of administrative proceedings are laid down in Act I of 2017 on Administrative Procedures (the hereinafter: Kp.) is defined. The Kp. Based on § 12, paragraph (1), by decision of the Authority the administrative lawsuit against falls within the jurisdiction of the court, the lawsuit is referred to in the Kp. Section 13, paragraph (3). Based on point a) subpoint aa), the Metropolitan Court is exclusively competent. The Kp. Section 27 (1) legal representation in a lawsuit within the jurisdiction of the court based on paragraph b). obligatory. The Kp. According to paragraph (6) of § 39, the submission of the claim is administrative does not have the effect of postponing the entry into force of the act. 38(187) Kp. Paragraph (1) of § 29 and, in view of this, Pp. According to § 604, the electronic one is applicable CCXXII of 2015 on the general rules of administration and trust services. law (a hereinafter: E-administration act) according to § 9, paragraph (1), point b) of the customer's legal representative obliged to maintain electronic contact. (188) The time and place of filing the statement of claim is specified in Kp. It is defined by § 39, paragraph (1). THE information on the possibility of a request to hold a hearing in Kp. Paragraphs (1)-(2) of § 77 is based on. The amount of the fee for the administrative lawsuit is determined by Act XCIII of 1990 on fees. law (hereinafter: Itv.) 45/A. Section (1) defines. From the advance payment of the fee the Itv. Paragraph (1) of § 59 and point h) of § 62 (1) exempt the person initiating the procedure half. Budapest, December 21, 2022. Dr. Attila Péterfalvi president c. professor 39