NAIH (Hungary) - NAIH 6737 1/2024

From GDPRhub
Revision as of 14:53, 18 June 2024 by Lm (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Hungary |DPA-BG-Color=background-color:#7f0037; |DPAlogo=LogoHU.jpg |DPA_Abbrevation=NAIH |DPA_With_Country=NAIH (Hungary) |Case_Number_Name=NAIH 6737 1/2024 |ECLI= |Original_Source_Name_1=NAIH |Original_Source_Link_1=https://naih.hu/hatarozatok-vegzesek |Original_Source_Language_1=Hungarian |Original_Source_Language__Code_1=HU |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Code_...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
NAIH - NAIH 6737 1/2024
LogoHU.jpg
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 5(1)(a) GDPR
Article 13(1) GDPR
Article 13(2) GDPR
2012. évi CLIX. törvény a postai szolgáltatásokról
Type: Complaint
Outcome: Upheld
Started: 29.12.2021
Decided: 29.04.2024
Published:
Fine: 5,000,000 HUF
Parties: n/a
National Case Number/Name: NAIH 6737 1/2024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Hungarian
Original Source: NAIH (in HU)
Initial Contributor: lm

The DPA fined a postal service €12,680 (HUF 5 million) for adding unsolicited content to its delivery updates. While a customer satisfaction questionnaire did not require a separate legal basis, the inclusion of direct marketing information did.

English Summary

Facts

On 29 December 2021, a data subject filed a complaint with the Hungarian DPA (NAIH) against a mail delivery service (the controller). As part of its services, the controller corresponds with mail recipients via email and mobile notifications to update the status of a parcel’s delivery. The data subject, who was the recipient of a package delivered by the controller, alleged that in addition to these messages the controller also sent them two emails in November and December 2021 noting that the delivery had been completed. The emails also contained a questionnaire for feedback and a marketing offer. The data subject claimed that these two additional types of content had no legal basis. The data subject also claimed that the controller had failed to facilitate the data subject’s rights in response to a complaint it sent to the controller in November 2021.

The controller provides postal services on the basis of Act CLIX of 2012 on Postal Services (Postal Act) and the General Terms and Conditions of Business (GTC) adopted by the National Media and Infocommunications Authority. Under the Postal Act, the recipient of a delivery must be informed of the delivery by electronic message informing the recipient.

In its reply brief, the controller argued that given to the Postal Act’s legal requirements, it must provide data subjects with information on the status of their delivery and it is thus not possible to unsubscribe from status messages with such information. The contested follow-up email, the controller argued, was a part of these permitted notifications. The purpose of the processing was to send the data subject a notification of the entire delivery process, and its legal basis was necessity of contract to ensure the recipient received the parcel. Neither the survey nor the marketing content, the controller argued, constituted a separate processing because they were merely added to the delivery notification message rather than being sent to the data subject separately.

With regard to the data subject’s letter to the controller, the controller stated that it did not detect the email due to an IT system issue. The controller also argued that the letter was framed only as a general complaint and did not constitute an exercise of any rights under Articles 15-21 GDPR. It cited to a previous NAIH decision in which the DPA stated that applicants must rely on ‘grounds relating to their own situation’ in objecting, noting that the data subject did not do so here.

Holding

The NAIH found that the controller violated Articles 5(1)(a) as well as 13(1) and (2) GDPR. It issued a fine of about €12,680 (HUF 5,000,000).

First, the NAIH considered the legal basis in this case. Although the controller claimed that its legal basis was contract, the NAIH noted that the processing information provided in its emails were prepared in 2016 and claimed consent as the legal basis for processing. Now, the controller claims contract as its legal basis. However, its information notice did not indicate this legal basis. The NAIH found that controller should have brought the processing into compliance with the GDPR, which it failed to do in this case. As a result, the lawfulness of the legal basis for processing could not be established in violation of Article 5(1)(a) GDPR. Its inaccurate information in this regard was also a violation of Article 13(1) and (2) GDPR. However, since the NAIH could not examine the lawfulness of the controller’s legal basis prior to the GDPR’s application, it could not establish the lack of a legal basis for processing with certainty either. As a result, the NAIH rejected the data subject’s request to destroy the unlawfully processed data.

For the future, the NAIH considered it acceptable for the controller to base its processing on Article 6(1)(b) GDPR because the sending of emails for traceability of the parcel is necessary for the contractual performances between the deliverer and recipient as well as between the deliverer and online shop. The data subject can reasonably expect such processing to take place.

Next, the NAIH considered whether the controller’s legal basis extended to the survey and marketing content on the email. In the case of the survey, it found there was no need for a separate legal basis as there was a close link between the original and further processing purposes, both of which are focused on the efficacious provision of its services. It also noted no adverse effects on the data subject’s privacy, as both additional messages could have ignored. With regard to the marketing information, on the other hand, the NAIH found that it was not directly related to the performance of the contract and sending of status-related messages. Instead, it was an independent direct marketing communication to promote the use of its services. Thus, this processing required a legal basis and the controller was prohibited by Article 6(1)(b) GDPR from processing the data subject’s information for direct marketing purposes. In addition, the controller failed to mention processing for direct marketing purposes in its privacy notice in violation of Article 13 GDPR.

Another Article 13 violation resulted from the message at the bottom of the controller’s email. This concerned an email received by the NAIH as part of the investigation, not an email sent to the data subject, which stated that “under a statutory obligation, [we] will provide you with electronic tracking of your mail.” The NAIH found that the controller is not legally obliged to email the data subject to evaluate the service or give marketing. Indeed, no part of that email is fulfilling the purpose of electronic tracking, as the notification is of a completed service. Thus, the NAIH ordered the controller to modify this information in its emails.

With regard to the data subject’s complaint to the controller in November 2021, the NAIH found that the data subject’s letter to the controller was not a request to exercise its rights under Articles 15-21 GDPR. Thus, the NAIH concluded that the controller didn’t infringe the data subject’s right to be heard. Nonetheless, even if the submission was not a request to exercise its rights, the NAIH said that the controller must establish a procedure so that technical issues don’t prevent it from responding to privacy-related correspondence.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

20
(81) In the present case, the Applicant complained that on 22 November and 21 December 2021,
the Respondent sent it an e-mail with the subject [...], which, in its view, contained direct
marketing content, for which it had no legal basis, and that the sending of the e-mail was also
a general breach of the General Data Protection Regulation.
(82) Taking into account the dates of the two letters received by the Applicant, the Authority
examined the legality of the letters sent during this period from a data protection perspective.
Changes after that period, such as the changes in the wording and subject matter of the
letters of [...] referred to by the Respondent, implemented and planned as of 27 January
2022, changes in the legal basis for the processing, can be taken into account in the
consequences and the implementation of the Decision.
(83) Article 5 of the General Data Protection Regulation sets out the main principles which must
be taken into account when processing personal data and which must be applied at all times
during the processing. It follows from the requirement of accountability under Article 5(2) of
the GDPR that the controller is responsible for compliance with the data protection principles
and must be able to demonstrate such compliance. On this basis, the controller must
document and record the processing in such a way that its lawfulness can be demonstrated
a posteriori.
(84) According to the principles of lawfulness, fairness and transparency as set out in Article
5(1)(a) of the General Data Protection Regulation, personal data must be processed fairly
and lawfully and in a transparent manner for the data subject.
(85) According to the purpose limitation principle of Article 5(1)(b) of the GDPR, personal data
may only be processed for specified, explicit and legitimate purposes.
(86) A further requirement for the lawfulness of processing is that the processing may be based
on a legal ground within the meaning of Article 6(1) of the General Data Protection
Regulation.
(87) According to the defendant's declarations to the Authority, the primary purpose of the [...] e-
mail is for the defendant to provide feedback to the addressee on the successful delivery or
to provide information on the progress of the delivery of the product by means of status
messages, which is an obligation under the Postal Act. According to its declaration, the legal
basis for the processing of data in this context is the contractual legal basis pursuant to
Article 6(1)(b) of the General Data Protection Regulation. In addition to the request to fill in a
questionnaire to ascertain customer satisfaction, the purpose of sending the e-mail is also to
provide information on [...], which the applicant objects to and which, in its view, contains
marketing content. In the Respondent's view, this is not a specific marketing offer, but a
permanent opportunity for any data subject and, like the request to fill in a customer
satisfaction questionnaire, the information on [...] does not constitute separate processing.
According to the Respondent, this is because the Respondent does not use the e-mail
addresses separately for this other processing purpose, but adds a new content to the e-mail
containing the status messages sent pursuant to Article 6(1)(b) of the GDPR.
(88) In the case of this e-mail, the Respondent considers that, on the basis of Article 6(4) of the
General Data Protection Regulation, the use of the information about [...] as a message or e-
mail address for other purposes, as well as the request to fill in a questionnaire to find out
about customer satisfaction, is compatible with the original purpose of the information about
the delivery and its process. Therefore, the information of [...] on [...] is not a separate
processing and cannot be considered, for example, as a newsletter or marketing message.
In view of the fact that the Respondent is subject to the Postal Act and the GTC
21
has undertaken, subject to its provisions, to provide data subjects with information on the
status of the delivery in order to ensure the traceability of the postal item, it is therefore not
possible to unsubscribe from the status message including information on [...], as this is part
of the provision of the service and the contractual information.
The Respondent, having reviewed its processing in the light of the Authority's present
procedure, and having, inter alia, carried out an examination of the criteria under Article 6(4)
of the GDPR, the results of which have been made available to the Authority, concluded that
the information about [...] as another purpose of sending the e-mail is compatible with the
original purpose of the processing (sending a status message about the delivery process)
and that, therefore, in view of recital 50 of the GDPR, there is no need to invoke Article 6(4)
of the GDPR.
(1)(b), on a separate legal basis other than the legal basis under paragraph 1(b).
(89) However, contrary to these declarations, the data processing information sent by the
Respondent on 22 November and 21 December 2021, the date of sending the emails to the
Respondent, was prepared in 2016, published by the Respondent on its website in
September 2016, and according to which the legal basis for data processing was the data
subject's consent under the then applicable Infotv.
(90) The Authority cannot make any findings on the compliance of the legal basis under the
GDPR prior to the date of application of the General Data Protection Regulation and the
2016 Data Protection Notice with the General Data Protection Regulation in the present DPA
procedure, but it should be noted that recital 171 of the General Data Protection Regulation
provides that processing that started before the date of application of the General Data
Protection Regulation, i.e. 25 May 2018, must be brought into compliance with the General
Data Protection Regulation within two years of the date of entry into force of the General
Data Protection Regulation, i.e. 25 May 2016.
(91) On this basis, the Respondent should have brought the data processing at issue in the
present case into compliance with the General Data Protection Regulation, which was not
fully done.
(92) Although the Respondent indicated the legal basis for its processing in its declaration, Article
6(1)(b) of the GDPR, the actual application of this legal basis was not supported by any
document. The information notice on data processing in force on 22 November and 21
December 2021, the date of sending the emails to the Applicant and published on the
Applicant's website, contained the legal basis for consent under the GDPR in relation to the
letters of [...], the whole of the information notice itself being based on the rules of the GDPR.
Moreover, the GTC also cited by the Respondent does not support the actual application of
the legal basis under Article 6(1)(b) of the GDPR. In addition, Clauses 6.3.1, 6.3.2 of the
GTCs provide for system messages which the Respondent receives and are therefore not
relevant to the present case, while Clause 9.2 of the GTCs provides that "the arrival of the
shipment and the possibility of receipt will be notified to the Customer or the Recipient by
means of an automatic system message sent by SMS to the mobile phone number, in which
the Customer or the Recipient will receive the code to open the compartment." Nor does it
follow from this provision that the Respondent has processed the personal data of the
Applicant - and other data subjects - on a legal basis corresponding to its declaration.
Moreover, this provision of the GTC does not cover the processing of e-mail addresses. The
fact that subsequently, as a result of the Authority's present procedure, the Applicant has
amended its privacy notice, which it itself acknowledged was inadequate and needed to be
amended, to bring it into conformity with its declaration and to set out Article 6(1)(b) of the
GDPR as the legal basis for the processing, does not affect the legal assessment of its
processing in the period prior to that date.
22
(93) Consequently, the Authority is of the opinion that the Respondent decided to change the
legal basis for the processing as a result of the procedure, by changing the consent under
the Infotv. to the legal basis under Article 6(1)(b) of the GDPR.
(94) According to the principles of lawfulness, fairness and transparency as set out in Article
5(1)(a) of the GDPR, lawfulness presupposes in the first place the existence of an adequate
legal basis, i.e. the processing must be based on the data subject's consent or have another
legal basis laid down in the GDPR, including the need to comply with legal obligations to
which the controller is subject, the performance of a contract by the data subject and the
steps to be taken prior to that performance. The requirement of transparency is closely linked
to the requirement of lawfulness, in that the process and documentation of the processing
should be made known to the outside world. Communication between the controller and the
data subject is ensured, the data subject is informed of all material aspects of the processing
and receives this information in an intelligible, simple and meaningful way. Effective and
complete information is an essential element of transparency and a threshold condition for
the enforcement of the data subject's rights. The General Data Protection Regulation favours
written information. The principle of transparency requires that information relating to the
processing of personal data is easily accessible and comprehensible, and that it is drafted in
clear and plain language. This principle applies in particular to the provision of information to
data subjects about the identity of the controller and the purposes of the processing. The
principle of transparency is also part of and a prerequisite for the enforceability of
accountability. Data controllers must inform data subjects and the public that data will be
processed lawfully and transparently and must be able to demonstrate that processing
operations comply with the General Data Protection Regulation. In the context of Internet
services, the features of the data processing systems should allow data subjects to really
know what happens to their personal data.
(95) According to the above, the Authority cannot examine the adequacy of the legal basis for
consent under the Infotv. and the 2016 data management prospectus in the present
proceedings, but it can be concluded that, contrary to the statements, the 2016 data
management prospectus does indeed include the sending of system messages related to
services as a processing purpose in point 4.1, but according to the prospectus, the data
subject's consent was the legal basis for processing during this period. This point of the
Prospectus also includes the sending of a questionnaire to measure user satisfaction as a
processing purpose, but not as a processing purpose compatible with the status message.
However, information on [...] is not included in the prospectus. None of the processing
operations mentioned and described in the prospectus are compatible with Article 6(1) of the
General Data Protection Regulation
(b) is the legal basis for. In addition, the bottom of the two e-mails sent to the Applicant states
that the letter was sent by the Applicant pursuant to Section 54(2)(a) of the Postal Act.
Therefore, the lawfulness of the legal basis for the processing cannot be established, nor can
it be established that the processing complies with the General Data Protection Regulation.
(96) In view of the above and the fact that the Respondent did not bring its processing into
compliance with the General Data Protection Regulation during the period under
examination, it cannot be established that the processing under examination in the present
procedure was based on an appropriate legal basis and, consequently, the Authority
concludes that the Respondent has infringed Article 5. However, as the Authority cannot
examine the lawfulness of consents obtained prior to the GDPR in the present procedure and
as the legal basis used by the Respondent is not clear, it cannot conclude that there is a
clear lack of a legal basis for the processing. Consequently, the Authority rejects the
applicant's request that the Authority should order the
23
The applicant requests the defendant, in the applicant's view, to destroy the data unlawfully
processed.
(97) It follows from the above that the Respondent did not provide information on the processing
in accordance with the General Data Protection Regulation, which the Respondent confirmed
by acknowledging that the information notice needs to be amended.
(98) The right to prior information under Article 13 of the General Data Protection Regulation
requires data controllers to provide data subjects with adequate information about the way
and circumstances in which their personal data are processed. This right is intended to make
data subjects aware that the controller intends to process personal data relating to them. On
the other hand, it enables data subjects to assess the potential impact of the envisaged
processing on their privacy and the other risks and dangers involved. Finally, the information
provided will enable individuals to exercise their right to informational self-determination. The
primary purpose of the right to prior information is to enforce the principle of transparency. It
is through this right that data subjects can find out about the envisaged processing. However,
it is also closely linked to the requirement of due process and the principle of accountability.
Article 13(1) to (2) of the General Data Protection Regulation contains the information that
controllers must provide to data subjects. Considering that the information notice for the
period under examination was based on the information under the Infotv. in force in 2016,
including the information on the legal basis under the Infotv. at that time, it can be concluded
that the Respondent failed to provide information in accordance with the General Data
Protection Regulation, in breach of Article 13(1) to (2) of the General Data Protection
Regulation.
(99) However, the Authority is of the view that all the purposes of processing indicated in the
Applicant's statement - and partly in its 2016 privacy policy - are legitimate, i.e. the legitimate
purpose of the Applicant to use the name and email address of the data subject to inform
about the status of the delivery of the ordered product, to request feedback in the form of a
questionnaire on the quality of service and to inform data subjects about the so-called [...] as
a discount.
(100) The Authority also considers it acceptable for the future that the Respondent should base the
processing of the contested processing operations related to status messages on a legal
basis under Article 6(1)(b) of the General Data Protection Regulation.
(101) The contractual legal basis is applicable because recipients are also covered by the
provisions of the General Terms and Conditions applied by the Respondent, for example, the
provisions on the receipt and return of mail. According to the Respondent's declaration, the
focus of its service is on the addressees, pursuant to Clause 4 of the GTC, according to
which the Respondent undertakes to deliver the consignments ordered by the addressee, to
organise the delivery and to deliver the parcel to the addressee. The sending of e-mails for
the traceability of the postal consignment is necessary for the contractual performance of
both the service provided by the Respondent and the contract between the online shop and
the addressee, and for the Respondent to fulfil its obligations to the addressee under the
GTC. In the Authority's view, the processing provides the data subject with information in the
context of the performance of the main subject matter of the contract, the receipt of the
goods, which directly affects the performance of the specific contract and the data subject
can reasonably expect the processing to take place, and the GTC expressly so provide, so
that the contractual legal basis applies to this processing.
(102) In the context of the request to fill in a questionnaire on customer satisfaction and the related
processing, it should be noted that the use of personal data - name, e-mail address - for
these other purposes - so-called further processing - is not in accordance with the general
25
However, the Respondent is not legally obliged to send an e-mail inviting the Respondent to
evaluate the service and to fill in a questionnaire, and this particular letter does not serve the
purpose of electronic tracking of the mailing, therefore the information contained in the letter
is incorrect. In view of this, it is necessary to modify the e-mails of [...] and the information
contained in the e-mails.
(108) With regard to the information on [...] and the processing of data subjects' names and e-mail
addresses for this purpose, the Authority has also reviewed the assessment of the criteria set
out by the data subject under Article 6(4) of the General Data Protection Regulation. On this
basis, the Authority is of the view that, in view of the fact that with [...] the data subject can
also send a package at a discount via the Respondent's network, the information about [...] -
contrary to the Respondent's view, an information aimed at promoting the Respondent's
service - therefore constitutes economic advertising within the meaning of the General Data
Protection Regulation. Article 3(d). In the Authority's view, this message is not directly related
to the performance of the contract and the sending of the related status messages, the
original purpose of the processing, but is an additional, independent and not strictly related,
direct marketing communication - and use of personal data - to promote the use of the
service of the Applicant, which, on the basis of the information available on the Applicant's
website, the data subject may receive not (only) in relation to the performance of the service,
but through three other means: by registration, as a registered member by inviting friends
and acquaintances and as a registered member during special promotions organised by the
Respondent. Consequently, the purpose of the processing of the personal data processed in
relation to [...] is therefore separate from the information on delivery, which also serves the
performance of the contract, and is not compatible with the processing purpose of the
information on delivery as a separate processing for direct marketing purposes. Moreover, in
the context of the contractual legal basis, the provision of the service is the main subject
matter of the contract, the data subject reasonably expects that his data will be processed in
this context, so that the contractual legal basis is only applicable to the use of the service, not
to the sending of commercial communications.
(109) Given that the communication of information about [...] as a direct marketing communication
is incompatible with the original purpose of the processing, the Respondent must have a
legal basis to send such messages.
(110) Although according to the Respondent, the processing of the information on [...] has a
negligible impact on the data subject and also benefits the data subject, the Authority is of
the view that the provisions on processing other than for the purpose of the information
should not apply to the Respondent, but that this processing can be carried out on the basis
of a proper legal basis by means of a separate, independent processing purpose.
(111) Moreover, the data processing related to the information about [...] is not, as in the period
under review, currently included in the privacy notice as a letter with direct marketing content,
no information about it is visible or known to the data subjects. In view of this, it is necessary
to amend the data management information of the Respondent.
(112) In view of this, the Applicant is prohibited by Article 6(1)(b) of the General Data Protection
Regulation from processing the name and e-mail address of the Applicant in the context of
the provision of information on [...], and the Authority therefore prohibits the processing of
this personal data of the Applicant by the Applicant on this legal basis.
IV.2. The Applicant's complaint to the Respondent
(113) The Applicant also objected to the fact that the Respondent did not reply to the request for
information submitted by the Applicant in November 2021.
22nd day at 12:13 pm, in response to a complaint sent by a contact person to the email address [...].
26
(114) In this letter, the Applicant objected to the [...] letters, as in its view the letters contained
unsolicited direct marketing content and it did not consent to the sending of such letters, and
in its view the Applicant did not even provide the opportunity to unsubscribe. In its complaint,
the Applicant also complained that the [...] letter was also contrary to the legal provision
referred to in the letter. For all these reasons, the Applicant requested that the Respondent
cease its mailing practices which it considered to be unlawful.
(115) According to the Respondent's statement, due to a configuration error in its IT system, it did
not detect the emails sent to the email address [...], including the specific request of the
Applicant. However, the Respondent's position with regard to the Applicant's letter of 22
November 2021 is that it does not constitute an exercise of a right of the data subject within
the meaning of Articles 15 to 21 of the General Data Protection Regulation in that the data
subject did not indicate any rights that he or she wished to exercise against the Respondent.
(116) According to the Respondent's declaration, the Applicant did not request access to its
personal data, did not request their rectification, erasure or restriction, nor did it submit a
request for data portability. The Applicant's request can at most be considered as an exercise
of the right to object, but its letter as a whole shows that it is in fact complaining about the
alleged failure of the Respondent to comply with its obligations as data controller under
Articles 5-6 of the General Data Protection Regulation. However, the Applicant has not put
forward the 'grounds relating to its own situation' as required by Article 21(1) of the GDPR
and the Authority's case law as a condition for this exercise of the data subject's rights.
(117) The Authority, having reviewed the letter of the Applicant, found that it objected to the
general practices of the Applicant, as stated by the Respondent, and that it challenged the
Applicant's failure to comply with its obligations as data controller, without seeking to enforce
any specific data subject rights under Articles 15-21 of the GDPR.
(118) Therefore, the Authority concludes that the Respondent has not infringed the Applicant's right
to be heard and rejects this part of the application.
(119) However, the Authority draws the Respondent's attention to the fact that even if the
submission made by the Respondent was not a request to exercise the right of data subjects
under Articles 15-21 of the GDPR, the Respondent must establish a procedure so that a
configuration error does not prevent it from responding to other privacy-related
correspondence. The Authority therefore considers it appropriate that, as a result of the
present procedure, the Respondent has reviewed the process and procedures for the
management of the [...] e-mail address and account, as a result of which it has discontinued
this e-mail account and will in future receive requests from data subjects in relation to its
processing through the customer service form and the Respondent's central e-mail address
[...].
(120) In addition, the Authority considers it an appropriate measure that the Respondent, by February
2022
25. day, replied to the Complainant's complaint, a copy of which was also sent to the
Authority to demonstrate that it had fulfilled its obligation to reply to the Complainant on a
non-concerned legal matter.
V. I n t e r n a t i o n o f t h e r e s e a r c h s
(121) The Authority has found, on the basis of Article 58(2)(b) of the GDPR, that the Respondent
used the name and e-mail address of the Respondent and other data subjects in the period
under investigation in breach of Article 5(1)(a) of the GDPR, in violation of the principles of
legality, fairness and transparency, in the context of the [...]
27
to send status messages in connection with correspondence and to measure customer
satisfaction and to provide information about [...].
(122) The Authority also found, on the basis of Article 58(2)(b) of the GDPR, that the Respondent
had infringed Article 13(1) to (2) of the GDPR by failing to provide adequate information on its
processing to the Respondent and to other data subjects.
(123) The Authority has instructed the Respondent, pursuant to Article 58(2)(d) of the General Data
Protection Regulation, to base its processing of data relating to [...] on an appropriate legal
basis and to provide appropriate information to data subjects about its processing. The
Authority also prohibited the processing of the name and e-mail address of the applicant and
other data subjects in connection with the provision of information on [...], in the absence of a
legal basis.
(124) The Authority has assessed whether it is justified to impose a data protection fine on the
Applicant. In this context, the Authority has considered all the circumstances of the case on
the basis of Article 83(2) of the GDPR and Article 75/A of the InfoPrivacy Act and concluded
that, in the case of the infringements found in the present procedure, a warning is neither
proportionate nor a dissuasive sanction and therefore a fine is necessary. The Authority
imposed the data protection fine specifically on the Applicant - Respondent, but not on other
data subjects.
(125) In determining the amount of the fine, the Authority first of all took into account that the
infringements committed by the Respondent constitute infringements falling under the higher
category of fines pursuant to Article 83(5)(b) of the GDPR.
(126) In determining the amount of the fine, the Authority took into account as aggravating
circumstances that
- the use of personal data in violation of the principles of legality, fairness and
transparency, involving between 35,000 and 210,000 natural persons per month,
taking into account the data provided by the Respondent, for the period between the
fourth quarter of 2021 and February 2022. If only the two thresholds are taken as a
basis, the Authority estimates that the total number of natural persons concerned
during the period under examination, i.e. from the introduction of the processing in the
fourth quarter of 2021 until 27 January 2022, ranges from 175,000 to 1,050,000, i.e. a
large number of natural persons [Article 83(2)(a) of the GDPR];
- this unlawful processing by the Respondent is systemic, since, according to the
statements and evidence submitted by the Respondent, it did not only concern the
Respondent as an isolated case, but was a general processing practice [Article
83(2)(a) of the GDPR];
- the core business of the Respondent described above includes data management,
which it carries out on a large scale on a daily basis. On its website3 it has installed
more than 1,000 parcel machines and delivered more than 20 million parcels in the 8
years since it started providing its service. Consequently, it can be expected that the
Respondent carries out the processing activities at issue in this case with adequate
knowledge of data protection and in compliance with data protection requirements
[Article 83(2)(a) and (k) of the General Data Protection Regulation].
3 [...]
28
(127) In determining the amount of the fine, the Authority took into account as mitigating
circumstances that
- no special categories of data are processed [Article 83 of the General Data Protection
Regulation
(2)(a)];
- the infringements committed by the Respondent resulted from its negligence, its
failure to carry out the necessary review of the processing in the light of the
application of the General Data Protection Regulation and its misclassification of the
processing in the context of the information on [...] [Article 83(2)(b) of the General
Data Protection Regulation];
- the Respondent has not yet been sanctioned for breach of the General Data
Protection Regulation and no further complaints have been received in relation to this
processing following the sending of the million emails [Article 83(2) of the General
Data Protection Regulation
point (e)];
- the Respondent has reviewed its processing of the data at issue in the present case
during the procedure [Article 83(2)(f) of the GDPR];
- as a result of the procedure, the Respondent has taken measures to ensure lawful
processing and has amended the title and content of the [...] letters and has amended
its privacy notice [Article 83(2)(f) GDPR];
- the Authority has significantly exceeded the time limit for its administration [General Data
Protection Regulation
Article 83(2)(k)].
(128) The Authority did not consider Article 83(2)(c), (d), (g), (h), (i) and (j) of the General Data
Protection Regulation relevant in determining the data protection fine imposed on the
(j), as they cannot be interpreted in the context of this case.
(129) The Respondent's net sales revenue for 2022 was in the order of HUF 4,200 million, so the
data protection fine imposed is remote compared to the maximum fine that can be imposed.
VI. Other issues:
(130) The competence of the Authority is defined in Paragraphs (2) and (2a) of Article 38 of the
Infot Act, and its competence extends to the whole territory of the country.
(131) The Authority's present decision is based on Articles 80-81 of the General Civil Code and
Article 61(1) of the Information Act. The decision becomes final upon notification pursuant to
Article 82(1) of the General Civil Code. Pursuant to § 112 and § 116(1) and (4)(d) and §
114(1) of the General Civil Procedure Code, the decision may be appealed against by means
of an administrative procedure.
* * *
(132) According to Section 135 of the General Civil Code, the debtor is liable to pay default interest
at the statutory rate if he fails to pay the money on time.
(133) Pursuant to Section 6:48 (1) of Act V of 2013 on the Civil Code, in the event of a default in
the payment of money, the debtor shall pay interest on arrears at the base rate of the central
bank in force on the first day of the calendar half-year in which the default occurred, starting
from the date of default.
(134) The rules of administrative proceedings are set out in Act I of 2017 on the Code of
Administrative Procedure (hereinafter referred to as the "Code"). The Kp. Pursuant to Section
12 (1) of the Administrative Procedure Act, administrative proceedings against a decision of
the Authority fall within the jurisdiction of the courts. Article 13 (3)
29
a) point (aa), the Metropolitan Court of Budapest shall have exclusive jurisdiction. Article 27.
(1) legal representation is mandatory in disputes over which the court has exclusive
jurisdiction, in accordance with paragraph 1(b). In the case of a court of law with jurisdiction
in the case of a court of law, the legal representation shall be limited to the court of law.
According to Article 39(6), the filing of a statement of claim does not have suspensory effect
on the effectiveness of the administrative act.
(135) Pursuant to Section 29 (1) of the Code of Civil Procedure and, with regard to this, Section
604 of Act CXXX of 2016 on the Code of Civil Procedure, applicable pursuant to Section 9
(1) b) of the Act on the Protection of the Client's Rights in Civil Matters, the legal
representative of the client is obliged to communicate electronically.
(136) The time and place for lodging the application shall be determined by the Kp. Article 39(1).
Information on the possibility of requesting a hearing is given in the notice of the Court of First
Instance of the European Communities, Kp. 77(1) to (2).
(137) The amount of the fee for administrative proceedings is determined by Section 45/A (1) of
Act XCIII of 1990 on Fees (hereinafter: Itv.). Exemption from the advance payment of the fee
is provided for in the provisions of the Act. Article 59(1) and Article 62(1)(h) of the Act
exempts the party initiating the proceedings from the payment of the fee.
(138) If the Applicant fails to provide adequate proof of the fulfilment of the obligations and the
obligation to pay the money, the Authority will consider that the Applicant has failed to fulfil its
obligations within the time limit. Pursuant to Article 132 of the General Tax Code, if the
Applicant has not complied with the obligations contained in the Authority's final decision, the
latter is enforceable. The Authority's decision is based on Article 82 of the General Civil
Code.
(1) shall become final upon notification. Pursuant to Section 133 of the General
Administrative Procedure Act, enforcement is ordered by the authority issuing the decision,
unless otherwise provided by law or government decree. Pursuant to Section 134 of the
General Tax Code, enforcement is ordered by the State Tax Authority, unless otherwise
provided by law, government decree or local government ordinance in a municipal authority
case. Pursuant to Section 61(7) of the Information Act, the enforcement of a decision to
perform a specific act, to engage in a specific conduct, to tolerate or to cease a specific
conduct, as contained in a decision of the Authority, is carried out by the Authority.
(139) In the course of the procedure, the Authority exceeded the one hundred and fifty-day time
limit for the administration of the case pursuant to Section 60/A (1) of the Infotv., and
therefore, pursuant to Section 51 (b) of the General Administrative Procedure Act, it shall pay
the Applicant HUF 10,000 by bank transfer or postal order, at the Applicant's option.
Budapest, 29 April 2024.
Dr habil. Attila Péterfalvi
President
c. university professor