NAIH (Hungary) - NAIH-3932-5/2024
NAIH - NAIH-3932-5/2024 | |
---|---|
Authority: | NAIH (Hungary) |
Jurisdiction: | Hungary |
Relevant Law: | Article 5(1)(a) GDPR Article 5(1)(c) GDPR Article 12(1) GDPR Article 13 GDPR Article 32 GDPR 16/A. § 1997. évi CLV. törvény a fogyasztóvédelemről |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | |
Decided: | 02.07.2024 |
Published: | |
Fine: | 80,000,000 HUF |
Parties: | ALDI MAGYARORSZÁG ÉLELMISZER Élelmiszer Kereskedelmi Betéti Társaság |
National Case Number/Name: | NAIH-3932-5/2024 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Hungarian |
Original Source: | NAIH (in HU) |
Initial Contributor: | fb |
The DPA fined Aldi HUF 80,000,000 (€203,811) in connection to its age verification practices when selling alcohol. It found that data subjects could not easily access the privacy policy and that they could be asked for an ID when there was a doubt they could be under 18.
English Summary
Facts
The controller, a supermarket company, conducted verifications about the age of customers wanting to buy alcoholic beverages. In addition to asking for an ID card, in some shops the controller also recorded the date of birth of the data subjects, while in other shops it did not.
Moreover, according to the data subjects, the privacy policy was not provided to them. Therefore, they could not know which was the legal basis and the duration of the processing.
For these reasons, several data subjects filed a complaint with the DPA.
Holding
First, the DPA found that the data subjects were not able to have sufficient information about the processing at hand, since no sign was put in the controller’s shops. Moreover, the employees of the controller were not able to provide more information or indicate where to find the privacy policy. Furthermore, the DPA noted that the practices varied within the stores.
Therefore, the DPA held that the information provided by the controller was insufficient, not easily accessible and not transparent and found a violation of Article 5(1)(a), 12(1), 13(1) and 13(2) GDPR.
Secondly, the DPA noted that Article 16/A(4) of the Consumer Protection Act of 1997 (1997. évi CLV. Törvény a fogyasztóvédelemről) requires alcohol sellers to ask for an ID card only when they are in doubt that the buyer could be under 18 years old. When this doubt does not exist, like in the case of a 70-year-old man, this obligation does not apply. Therefore, the controller could not rely on Article 6(1)(c) GDPR.
As a consequence, the DPA found a violation of Article 6(1) GDPR.
Thirdly, the DPA found that recording the date of birth in the cash register system violated Article 5(1)(c) GDPR. Indeed, the DPA considered that there was a method of achieving the objective which was appropriate but less harmful to the data subjects and involved fewer processing operations.
Finally, the DPA held that the controller did not implement adequate measures to protect the personal data of data subjects in its stores since, for example, data subjects were required to state their date of birth aloud and other customers could hear it.
On these grounds, the DPA issued a fine of HUF 95,000,000 (€242,025), then lowered to HUF 80,000,000 (€203,811).
Moreover, it ordered the controller to provide
Comment
This decision is issued after an appeal by the controller before the Metropolitan Court of Justice (Fővárosi Törvényszéknek). The court found that the recording of date of birth did not constitute processing of personal data since this only piece of information cannot allow to identify a person. It confirmed the remainder.
The DPA took this judgement into account and lowered the amount of the fine from HUF 95,000,000 (€242,025) to HUF 80,000,000 (€203,811).
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
Case number: NAIH-3932-5/2024 Subject: decision H A T A R O Z A T By the National Data Protection and Freedom of Information Authority (hereinafter: the Authority) ALDI HUNGARY FOOD Food Trade Deposit Company (head office: 2051 Biatorbágy, Mészárosok útja 2., company registration number: 13-06-058506; the hereinafter: Mandatory) in connection with the purchase of alcoholic beverages established in the summer of 2022 and thereafter, in the period until the decision with case number NAIH-3227-3/2023 becomes final the personal data of natural persons of the implemented data management practices regarding its protection and the free flow of such data, as well as a in Regulation 2016/679 (EU) repealing Directive 95/46/EC (the hereinafter: the general data protection regulation) compliance with the regulations in the official data protection procedure (main case) NAIH-3227-3/2023 annulling point 3 of the decision made in the case number (hereinafter: Decision) and a 105.K.701.548/2023/11 obligates the authority to a new procedure in this regard. on November 7, 2023 judgment of the Budapest court, delivered on 7 December 2023, and communicated to the Authority on 7 December 2023 ( hereinafter: Judgment) initiated ex officio under case number NAIH-3932/2024, in its repeated official data protection procedure, the Authority makes the following decisions: 1. Established in point 1 of the Resolution and upheld by the Metropolitan Court based on legal violations, taking into account the provisions of the Judgment; the Obliged Authority obligates ex officio within 30 days of this decision becoming final HUF 80,000,000, i.e. eighty million HUF to pay a data protection fine. 2. The Authority on information self-determination and freedom of information CXII of 2011 Act (hereinafter: Infotv.) based on point a) of § 61, paragraph (2). ex officio orders the identification data of the Obligor in its final decision disclosure by publication a) on the website of the Authority, furthermore b) on the opening page of the Obligor's website, clearly visible and easily accessible place, within 30 days of the decision becoming final, and there be available for at least 30 days. The Obligor is obliged to fulfill the obligation prescribed in point 2, sub-point b) of this decision must be in writing within 30 days of its becoming final - the supporting evidence along with its submission - certify it to the Authority. In case of non-fulfilment of the obligation prescribed in sub-point b) of point 2, the Authority shall order a implementation of the decision. No procedural costs were incurred in the procedure. There is no place for administrative appeal against this decision, but from the announcement within 30 days from the date of issue, with a letter of claim addressed to the Capital Tribunal can be challenged in a lawsuit. The claim must be submitted electronically to the Authority, which 1 The NAIH_K01 form is used to initiate an administrative lawsuit: NAIH_K01 form (16.09.2019) The form can be filled out using the general form filling program (ÁNYK program). .………………………………………………………………………………………………………………………………………… …………………….. 1055 Budapest Tel.: +36 1 391-1400 naih.hu/adatkezelesi-tajekoztatok Falk Miksa utca 9-11 KR ID: 429616918 ugyfelszolgalat@naih.hu 2 forwards it to the court together with the case documents. The request for the holding of the trial is submitted by the must be indicated in the application. For those who do not receive full personal tax exemption the fee for the judicial review procedure is HUF 30,000, the lawsuit is subject to the right to record fees. THE Legal representation is mandatory in proceedings before the Metropolitan Court. I N D O C O L A S I. History, basic case (1) The Authority has received several notifications regarding the compulsory purchase of alcoholic beverages regarding the new data management practice established in connection with In submissions they complained about significantly different data management practices in individual stores. THE according to the whistleblowers, they did not hand over data management information even upon request to those concerned, and neither did the cashiers, so the date of birth in connection with its recording, the legal basis and duration of the data management was not known. Whistleblowers based on his information, the Obligee's stores in several settlements also contain alcohol in the case of buying drinks - based on notification at the cash desk, according to other complaints by way of obligation to hand over an identity card - recorded the customer's birth certificate his time. According to another complaint, the cashier did not know the purpose of data recording and to provide information regarding its legal basis, and the regional manager indicated that to the store manager that the data of the identity card cannot be recorded necessary in the event that the buyer's legal age can be established in another way, customers were not informed of this fact. A whistleblower complained that he you are apparently over 70 years old, but you still had to prove your age. (2) Based on the above, on August 19, 2022, the Authority ex officio data protection authority initiated a procedure in order to check that the Obliger's alcohol content whether the data management practices established in connection with the purchase of drinks are adequate requirements contained in the general data protection regulation. (3) During the procedure, the Authority invited the Obligee to make a statement several times in order to clarify the facts; as well as on general administrative regulations 2016 CL. Act (hereinafter: Act), on-site without prior notice conducted inspections in two randomly selected stores of the Obligor. (4) March 30, 2023, adopted in the official data protection procedure initiated ex officio. In point 1 of the Decision dated offended him a) point a) of Article 5 (1) of the General Data Protection Regulation; b) point c) of Article 5 (1) of the General Data Protection Regulation; c) Article 6 (1) of the General Data Protection Regulation; d) Article 12 (1) of the General Data Protection Regulation; e) Paragraphs (1) and (2) of Article 13 of the General Data Protection Regulation; f) paragraphs (1) and (4) of Article 32 of the General Data Protection Regulation. (5) Transparency contained in Article 5 (1) point a) of the General Data Protection Regulation violation of the principle of on-site) was not available for those interested in purchasing alcoholic beverages the related data management established by the Obligor is transparent; it is essential those involved did not have the opportunity to learn about its circumstances, because it was not posted https://www.naih.hu/kozig-hatarozat-birosagi-felulvizsgalata 3 appropriate, containing essential information related to the actual data management data management information; and at the request of the stakeholders and representatives of the Authority a Obliged employees could not even verbally provide information on the related matter about the online availability of the data management information sheet or the data management is essential on its circumstances [see: Paragraph (129) of the Decision's justification]. (6) The principle of transparency was also violated by the fact that in the Obligor's stores, as well as the alcoholic beverages at the cash registers were also significantly different within each store actual related to verifying the age of persons intending to buy data management practice, accordingly, it was not transparent for those concerned data management concerning them [see: paragraph (134) of the justification of the Decision]. (7) Obliged by Art. Order on notification according to § 76 [NAIH-6989-16/2022 order no.] violated Article 5 (1) of the General Data Protection Regulation the principle of transparency according to paragraph a) of the data management realized by logging also by not ensuring the transparency of data management for those concerned for, since he did not provide information in the period between August 4 and 11, 2022 for those concerned in relation to data management; August 12 and 31, 2022 in the period between to those concerned on the Website (https://www.aldi.hu/hu/homepage.html) and the Ákr. 68-69. § during the inspection in his stores about the fact that all keys of the cash register is struck (and therefore, in the case of purchasing an alcoholic drink, the customers' date of birth is) was logged, and that these log files are for 180 days after recording were also stored, and for them the data processor used by the Obligor also has access; finally, that from September 1, 2022, the Ákr. according to § 76 up to the date of the order on notification, it has not been modified by the relevant Obligor data management information, and therefore still did not inform the data subjects above explained [see: paragraph (141) of the reasoning of the Decision]. (8) "easy "accessible" criterion was violated by the fact that the Obligor did not provide adequate measures in order to provide data management to the data subjects related information in an easily accessible manner in each store and make it available in the form [see: Paragraph (148) of the Decision's justification]. (9) The obligee violated paragraphs (1) and (2) of Article 13 of the General Data Protection Regulation, considering that the Obligor at the time of obtaining the personal data was not made available to the data subjects by Article 13 of the General Data Protection Regulation The information specified in paragraphs (1) – (2) is the data processing affected by the procedure in connection with [see: paragraph (157) of the justification of the Decision]. (10) The Obligor is the period between August 4, 2022 and August 31, 2022 Article 6 (1) of the General Data Protection Regulation has not been verified for processing the data of data subjects who have 18. in connection with reaching their age, the CLV of 1997 on consumer protection. law (a hereinafter: Fgytv.) 16/A. "doubt" as defined in paragraph (4) of Sec about whom - clearly visible to anyone given his old age - it was clear that they had reached the age of eighteen. Since e in connection with personnel, the Authority was also unable to identify the Obligee ex officio a legal position or individual decision concerning data management would create a relevant legal obligation, so the Obligor violated the general Article 6 (1) of the Data Protection Regulation [see: (165) of the reasons for the Decision paragraph]. 4 (11) Article 6 (1) of the General Data Protection Regulation was also violated by the fact that a The obligee wrongly imposes a legal burden on him in general, covering all customers identified this legal place and the legal norms governing it as an obligation - thus in particular, the general data protection decree and the Fgytv. - not properly applied, the applicability of the legal obligation applicable to it has been over-extended by entering personal data into the cash register system in the log files when recording, as Fgytv. 16/A. Paragraph (4) of § only the age credit it is awaiting proper proof, so it did not have an adequate legal basis for the recording. [see: paragraph (166) of the reasoning of the Decision] (12) The Fgytv. 16/A. Doubt in the case of purchasing an alcoholic beverage based on § (4). in this case, the customer must be asked to provide creditable proof of age (i.e. in in the event that it cannot be clearly established that the alcoholic beverage is to be purchased whether the intending person has reached the age of eighteen or not). The Obliged however, in the period between August 4, 2022 and August 31, 2022, Fgytv. 16/A. The phrase "in case of doubt" defined in paragraph (4) of §, statutory exceeding the provision, in addition to it in a general manner, in the Obligor's own words he prescribed "the development of its systematic use" in the position of shop assistant to buy each alcoholic beverage for its employees mandatory verification of the age of the intending person. By doing so, he offended the general also the principle of data saving contained in Article 5 (1) point c) of the data protection decree – which, regardless of the legal basis, must be taken into account during all data processing to the data controller - as it is in the case of customers who have obviously reached the age of 18 handled and recorded data not relevant to the purposes of data management in its system [see: paragraph (169) of the justification of the Decision]. (13) The general data protection regulation during the sales process of alcoholic beverages Based on the definition of Article 4, point 2, both to prove age inspection of a suitable identity card, both suitable for proof of age date of birth read from the ID or date of birth provided by the customer entering it into the cash register system, recording it and keeping it in its log files for 180 days its storage can be considered a data management operation. Over-view operations in general however, its mandatory provision was not absolutely necessary for the purpose that those concerned Must establish the age of 18. The Obligor thereby violated the contained in Article 5 (1) point c) of the General Data Protection Regulation the principle of data saving, because there is a suitable one to achieve the goal, however, the affected parties a method that is less harmful for him and involves fewer data management operations, so a processing of personal data was not limited to the necessary extent [see: the Decision paragraph (174) of its justification]. (14) Contained in paragraphs (1) and (4) of Article 32 of the General Data Protection Regulation data security requirements are violated by the fact that the Obligor's stores, as well as the stakeholders did not develop appropriate measures within some stores to protect your personal data; the procedure prescribed by the Obligor was not applied; as well as certain stakeholders in the case of the purchase of alcoholic beverages, the cashiers at his express request, he had to announce his birth clearly for others as well their date [see: paragraph (181) of the reasoning of the Decision]. (15) Due to the violations established in point 1 of the Resolution, the Authority shall amend Resolution 2. in point obliged the Obligor to a) aimed at verifying age in the case of purchasing alcoholic beverages its data management practices are brought into line with the general data protection regulation with its provisions, as well as Fgytv. 16/A. with paragraphs (1) and (4) of § 5 only when in doubt check the age of the buyers and during do not record data at the log file level either, and change the relevant data management information; b) display the data processing carried out there in each store according to Article 13 of the General Data Protection Regulation its effective data management information for those concerned in a clearly visible place, in an easily accessible form. (16) Based on the violations established in point 1 of the Decision, the Authority, the data management due to its illegality, in point 3 of the Decision, the Obligee was ex officio obliged to a HUF 95,000,000 within 30 days of the decision becoming final, i.e. to pay a HUF ninety-five million data protection fine. (17) The Authority, in point 4 of the Decision, Infotv. On the basis of point a) of paragraph (2) of § 61 ex officio ordered the identification data of the Obligor in its final Decision publicizing it by publishing it on the website of the Authority, and a On the opening page of the mandatory website, in a clearly visible and easily accessible place, a Within 30 days of the decision becoming final, and it should be available there at least for 30 days. (18) On April 26, 2023, the Obligor paid the Authority the amount of Decision 3. HUF 95,000,000 data protection fine imposed in point [see: NAIH-3227-4/2023 document with case number]. (19) Obligor in his statement received by the Authority on April 28, 2023 (NAIH-3227- declaration with case number 5/2023) submitted that he modified his practice, a "On April 14, 2023, the person requesting to enter the age was deleted from the cash register software software element". In his statement, the obligee also informed the Authority that that the data processing carried out in stores has been modified and published data management information on activities. (20) In the action addressed to the Metropolitan Court, the Obligor (as plaintiff) the Decision He requested the annulment of points 1, 3 and 4. (21) In its judgment (case number NAIH-3932-1/2024), the Capital Court referred to Decision 3. point, and the Authority (as a defendant) for a new procedure in this round obliged. In addition to this, the Capital Court rejected the claim. (22) According to paragraph [41] of the Justification of the Judgment, “[…] the court established that it is the defendant's decision regarding the preservation of the date of birth in the diary file a the legal basis of the violations established in point 1 of the provision, as well as the regarding the provision imposing a fine of HUF 95,000,000 on the plaintiff (point 3) illegal. In relation to point 3, the decision was made by Kp. Section 89, subsection (1) b) annulled it by applying point 1 and sent the defendant to a new procedure in this round obliged. In relation to the data management implemented with insight and input a the plaintiff did not dispute points 1 a) and c)-f) of the operative part of the decision, thus in this part, the court did not affect the decision, and the court referred to point 1 b) the legal basis of the infringement established in accordance with sub-section, as well as the decision to the public with regard to point 4 ordering the filing of the claim, the Kp. Section 88, paragraph (1), point a). rejected based on Taking into account all of this, point 1 of the decision annulment was not justified because the defendant is the plaintiff evaluated its data management as a unit and established a violation, and with the insight and in relation to data management implemented by input, 6 contained in point 1 a violation of provisions exists regardless of whether with respect to preservation the same findings were not legal.". (23) Based on paragraph [42] of the Justification of the Judgment, "In the repeated procedure, the defendant must make his decision taking into account that the plaintiff a did not commit during the preservation of the date of birth in the log file infringement. Again, you have to decide whether it is implemented with insight or input applicable due to violations established in connection with data management on legal consequences, with the fact that in the event of a fine, the amount of the violation it must be defined taking into account the narrower range of its scope; in the log file circumstances related to preservation should not be taken into account during the consideration and cannot be evaluated as an aggravating circumstance with the mandatory age verification (insight, entry) the longer period of the violation established in connection. The amount of the fine therefore, ignoring all these circumstances, it should be more proportionate.". (24) In view of the above [see: paragraphs (1) – (23) of the reasons for this decision] – the With the exception of point 3 of the Decision - the rest of the Decision became final. II. Repeated data protection official procedure (25) Based on the Judgment, the data protection authority repeated on December 7, 2023 proceedings have been initiated. (26) Neither the Authority nor the Obligor submitted any objections to the Judgment request for revision (see file number NAIH-3932-2/2024). (27) The Art. Officially known by the authority and public knowledge based on Section 62 (3). facts do not need to be proven. In view of this, in the case number NAIH-3227/2023, as well as the Document material created under case number NAIH-6989/2022 was officially approved by the Authority is considered a known fact. (28) In the order of the Authority, case number NAIH-3932-3/2024, sent through Cégkapu notified the Obligee about the repeated data protection official procedure; as well as informed the Obligor that, within the scope determined by the Judgment, the repeated can make a statement in the subject of official data protection proceedings. The Authority's order was issued by Mandatory Downloaded on March 5, 2024. (29) Mandatory declaration for order number NAIH-3932-3/2024 March 11, 2024. was received by the Authority in e-Paper (case number NAIH-3932-4/2024 statement). In his statement, the Obligor submitted that case number NAIH-3932-3/2024 in accordance with the provisions of the order, the Obligor did not submit a review request either against the Judgment, "for his part, he also sees that the case can be definitively closed as soon as possible kept in front of”. Based on the contents of the declaration, the Obligee "the main case is administrative and in the court stage, he presented the statements that the Fővárosi The Tribunal took into account, still unchanged, when reaching the Judgment maintains". (30) In its statement with case number NAIH-3932-4/2024, the Obligor requested that the present a decision to be made in a repeated data protection official procedure a The Authority shall form it in accordance with the provisions of the Justification of the Judgment (see: the Judgment Paragraphs [41] and [42] of his reasoning). The Obligor also requested that a Authority “when determining the amount of the fine, please take into account that since according to the Judgment, keeping the date of birth in a diary file does not qualify of data management, the duration of illegal behavior is also a fraction of the originally 7 established". The obligee also requested that the Authority from the reasons for the decision omit the "exact sum indication" of the Obligor's annual transaction number. (31) During this repeated data protection official procedure, the Authority in the Judgment he did not conduct a new evidentiary procedure beyond those specified, as well as new evidence were not used either. III. Applied legal sources (32) Based on Article 2 (1) of the General Data Protection Regulation according to the present case the general data protection regulation shall be applied to data management. (33) On the basis of Article 4, point 1 of the General Data Protection Regulation, personal data is identified or any information relating to an identifiable natural person (“data subject”); the natural person who directly or indirectly, in particular, can be identified an identifier such as a name, number, location data, online identifier or a physical, physiological, genetic, intellectual, economic, cultural or natural person can be identified based on one or more factors related to his social identity. (34) Based on Article 4, point 2 of the General Data Protection Regulation, data management is personal conducted on data or data files in an automated or non-automated manner any operation or set of operations, such as collecting, recording, organizing, segmentation, storage, transformation or change, query, insight, use, communication by means of transmission, distribution or otherwise making it available, alignment or linking, restriction, deletion or destruction. (35) According to Article 4, point 7 of the General Data Protection Regulation, a data controller is a natural person or legal person, public authority, agency or any other body that a purposes and means of processing personal data independently or together with others defines; if the purposes and means of data management are EU or member state law determine, the data controller or the particulars regarding the designation of the data controller aspects can also be determined by EU or member state law. (36) Pursuant to Article 31 of the General Data Protection Regulation, the data controller and data processor, as well as - if any - the data manager or the data processor during the execution of the tasks of its representative with the supervisory authority - its inquiry based on - cooperates. (37) Pursuant to Article 58, Paragraphs (1) – (2) of the General Data Protection Regulation: "(1) The supervisory authority, acting in its investigative capacity: a) instructs the data manager and the data processor, or, where applicable, the data manager or the representative of the data processor to perform its tasks provides necessary information; b) conducts investigations in the form of data protection audits; c) perform the certificates issued in accordance with Article 42 (7). review; d) notifies the data manager or the data processor assumed by this regulation of violation; e) receives access to its tasks from the data controller or data processor for all personal data and all information necessary for its performance; and f) the data controller is given access in accordance with EU or member state procedural law or to any premises of the data processor, including all data processing used equipment and tools. 8 (2) Acting within the supervisory authority's corrective powers: a) warns the data manager or the data processor that some planned its data management activities are likely to violate the provisions of this regulation; b) condemns the data manager or the data processor if its data management activities violated the provisions of this regulation; c) instructs the data controller or the data processor to fulfill e your request regarding the exercise of your rights according to the regulation; d) instructs the data manager or the data processor that its data management operations - given in a specified manner and within a specified time - harmonize e with the provisions of the decree; e) instructs the data controller to inform the data subject about the data protection incident; f) temporarily or permanently restricts data management, including data management also its prohibition; g) in accordance with Articles 16, 17 and 18, orders the personal correcting or deleting data, or restricting data management, as well as a In accordance with Article 17, paragraph (2) and Article 19, it is ordered by the addressees notification of this to whom or to whom the personal data has been disclosed; h) revokes the certificate or instructs the certification body to comply with Articles 42 and 43 to revoke a properly issued certificate, or is instructed by the certifier organization not to issue the certificate if the conditions for certification are no longer met are not fulfilled; i) imposes an administrative fine in accordance with Article 83, the given case depending on your circumstances, you are beyond the measures mentioned in this paragraph instead of them; and j) orders directed to a recipient in a third country or an international organization suspension of data flow." (38) Pursuant to Article 83 (1) – (5) of the General Data Protection Regulation: "(1) All supervisory authorities ensure that (4), (5), (6) of this decree due to the violation referred to in paragraph 1, the administrative penalty imposed under this article fines should be effective, proportionate and dissuasive in each case. (2) The administrative fines, depending on the circumstances of the given case, are subject to Article 58 (2) in addition to or instead of the measures mentioned in points a)-h) and j) of paragraph impose. When deciding whether it is necessary to impose an administrative fine, and when determining the amount of the administrative fine in each case due consideration shall be given to: a) the nature, severity and duration of the infringement, taking into account the one in question the nature, scope or purpose of data management, as well as the number of data subjects whom the affected by the infringement, as well as the extent of the damage suffered by them; b) the intentional or negligent nature of the infringement; c) damage suffered by data subjects on the part of the data controller or data processor any measures taken to mitigate; d) the degree of responsibility of the data manager or data processor, taking into account the technical and organizational measures undertaken by him on the basis of Articles 25 and 32 measures; e) relevant violations previously committed by the data controller or data processor; f) remedying the violation with the supervisory authority and the possible negative nature of the violation extent of cooperation to mitigate its effects; g) categories of personal data affected by the infringement; h) the manner in which the supervisory authority became aware of the violation is special taking into account whether the data manager or the data processor announced the infringement and, if so, in what detail; 9 i) if against the concerned data controller or data processor earlier - in the same in the subject - the measures referred to in Article 58 (2) were ordered one of them, compliance with the measures in question; j) whether the data manager or the data processor has complied with Article 40 to approved codes of conduct or approved certification under Article 42 for mechanisms; as well as k) other aggravating or mitigating factors relevant to the circumstances of the case factors, such as acquired as a direct or indirect consequence of the infringement financial gain or avoided loss. (3) If a data manager or data processor is the same data management operation with respect to related data management operations - you are intentional due to negligence - violates several provisions of this regulation, the full amount of the fine may not exceed the amount determined in the case of the most serious violation. (4) Violation of the following provisions - in accordance with paragraph (2) - at most with an administrative fine of EUR 10,000,000, or in the case of businesses with an amount of no more than 2% of the total annual world market turnover of the previous financial year vulnerable; of the two, the higher amount must be imposed: a) in terms of the data manager and the data processor, Articles 8, 11, 25-39, 42 and 43 obligations defined in Article; b) as defined in Articles 42 and 43 with regard to the certification body obligations; c) as defined in Article 41, Paragraph 4, with regard to the control organization liabilities; (5) Violation of the following provisions - in accordance with paragraph (2) - at most with an administrative fine of EUR 20,000,000, or in the case of businesses with an amount not exceeding 4% of the total annual world market turnover of the previous financial year should be punished, with the higher amount of the two being imposed: a) the principles of data management - including the conditions of consent - of Articles 5, 6, 7 and 9 properly; b) the rights of the data subjects 12-22. in accordance with Article; c) third country recipient or international organization for personal data 44-49. in accordance with Article; d) IX. obligations according to the law of the Member States adopted on the basis of chapter; e) the instruction of the supervisory authority according to Article 58 (2), or temporary or permanent limitation of data processing or data flow non-compliance with its suspension notice or Article 58 (1) failure to provide access in violation of paragraph (39) Infotv. Pursuant to Section 2 (2) of the General Data Protection Regulation, there shall be applied with the additions contained in the specified provisions. It's common data processing not covered by Article 2 (1) of the Data Protection Regulation regarding Infotv. With regard to paragraph (4) of § 2: "Personal data referred to in (2) and (3) for treatment not covered by paragraph a) in Article 4, II-VI, and VIII-IX of the general data protection regulation. chapter, as well as b) Sections III-V of this Act. and VI/A. In its chapter, in addition to § 3., 3., 4., 6., 11., 12., 13., 16., 17., 21., 23–24. point, paragraph (5) of § 4, § 5 (3)–(5), (7) and (8) paragraph, paragraph (2) of § 13, § 23, § 25, § 25/G. § (3), in paragraphs (4) and (6), 25/H. in paragraph (2) of § 25/M. § (2), the 25/N. § 51/A. (1) of § § 52–54. §, § 55 (1) and (2) in paragraph 56–60. in §, 60/A. (1)–(3) and (6) of § § 61 (1) in points a) and c) of paragraph 61, paragraphs (2) and (3) of § 61, paragraph (4) b) 10 and paragraphs (6)–(10), and 61/A–61/D. § 62-71. §-in, in Section 72, Sections (1)–(5) of Section 75 and Section 75/A. § and in Annex 1 certain provisions shall apply." (40) Infotv. Based on paragraphs (2) – (2a) of § 38: "(2) The Authority's task is to protect personal data, as well as the public interest and control of the enforcement of the right to access public data in the public interest and promotion, as well as the free flow of personal data within the European Union facilitating. (2a) Established for the supervisory authority in the general data protection regulation tasks and powers of legal entities under the jurisdiction of Hungary as defined in the general data protection regulation and this law is exercised by the Authority." (41) Infotv. According to § 60, paragraph (1), the right to the protection of personal data in order to enforce it, the Authority, at the request of the person concerned, data protection initiates official proceedings and can initiate official data protection proceedings ex officio. The for official data protection procedure, Art. rules must be applied in Infotv with specified additions and according to the general data protection regulation with differences. (42) Infotv. 60/A. § (1) in the official data protection procedure administrative deadline of one hundred and fifty days, which does not include the facts from the invitation to provide the data necessary for its clarification until its fulfillment spreading time. The Akr. Pursuant to § 103, paragraph (3), in ex officio proceedings, the only the duration of the suspension of the procedure is not included in the administrative deadline. The for the application of procedural deadlines, in other § 52 shall be applied. (43) Infotv. Based on § 61, paragraph (1): "(1) In the decision made in the official data protection procedure, the Authority a) with the data management operations specified in paragraphs (2) and (4) of § 2 in connection with the general data protection regulation may apply legal consequences, especially upon request or ex officio may order unlawfully processed personal data in the manner determined by it to be executed, or temporarily or permanently in other ways can limit data processing, b) with the data management operations defined in § 2, paragraph (3). in context ba) can establish the fact of unlawful processing of personal data, bb) can order the correction of personal data that does not correspond to reality, bc) may order the blocking or deletion of unlawfully processed personal data or destruction, bd) may prohibit the unlawful handling of personal data, be) may prohibit the transmission or transfer of personal data abroad, bf) may order the information of the data subject, if the data controller does so unlawfully omitted or denied, and bg) can impose fines, c) defined in Article 41 (1) of the General Data Protection Regulation general data protection against an organization performing control activities legal consequences defined in Article 41 (5) of the Decree can apply." 11 (44) Infotv. According to § 61, paragraph (2): "(2) The Authority may order in its decision - the data controller or the data processor disclosure by publishing your identification data, if a) the decision affects a wide range of persons, b) it was brought in connection with the activities of a body performing a public task, or c) the severity of the infringement justifies disclosure." (45) Infotv. Warning in the Authority's procedure based on Section 61 (3). its application is excluded if the Authority imposes a fine based on the regulations applicable to its consideration establishes the necessity of its imposition. (46) Infotv. Pursuant to § 61, paragraph (7), the implementation of the Authority's decision is a included in a decision, to carry out a specific act, defined in relation to an obligation to conduct, tolerate or cease a It is undertaken by an authority. In case of a final or administrative lawsuit, the Authority a illegal as determined in a final decision by an administrative court data affected by data management - the court, prosecutor's office or other authority is different in the absence of this provision - these data cannot be deleted or destroyed in the case of criminal proceedings or other official or judicial proceedings, the criminal proceedings from the start date of the criminal proceedings or with a final decision of the court until its completion by a non-final order, or by the prosecution or the investigative authority terminates proceedings that cannot be challenged with further legal remedies until its decision is made, and in the case of other official or judicial proceedings, this from the start date until the final or legally binding end. (47) Infotv. On the basis of § 71, paragraph (1), during the Authority's procedure - the to the extent and for the time necessary to conduct it - you can manage it all personally data, as well as secrets protected by law and secrets bound to the exercise of a profession qualified data that are related to the procedure and that are managed necessary for the successful completion of the procedure. (48) Infotv. According to § 71, paragraph (2), the Authority shall act lawfully during its procedures obtained document, data or other means of proof in other proceedings you can use it. (49) The Art. Based on Section 5 (1), the client can make a statement at any time during the procedure, you can comment. (50) The Art. Based on § 6, all participants in the procedure are obliged to act in good faith and to cooperate with other participants. No one's behavior can be directed by the authorities to deceive or to unjustifiably delay decision-making or execution. The good faith of the client and other participants in the procedure must be assumed in the procedure. The authority bears the burden of proving bad faith. (51) The Art. Based on paragraphs (1) - (2) of § 13, if the law does not require that the customer is personal proceedings, instead of his legal representative, or by him or his legal representative a person authorized by, and the client and his representative can also act together. Yogi the procedure of a person's legal representative is considered a personal procedure. (52) The Art. On the basis of § 14, the authorized representative has the right to represent - if it is a disposal register does not include - must certify. The power of attorney must be included in a public document or a private document with full evidential force or in a protocol must be said. If nothing else appears from the power of attorney, it is covered by procedure 12 for all related statements and actions. If the right of representation due to revocation, termination or the death of the client or authorized representative ceases, the termination of reporting to the authority against the authority, a it is effective against other customers from the moment it is communicated to them. (53) The Art. 27, the authority is the client and other participants in the procedure natural personal identification data and the type of business necessary for identification personal data specified in the regulatory law, and - if the law does not provide otherwise - essential for the successful conduct of the procedure processes other personal data as necessary. The authority ensures that the law secret protected by and other data protected by law (hereinafter together: protected data) should not be made public, should not come to the knowledge of an unauthorized person, and is protected the protection of data defined by law must also be ensured in the procedure of the authority. The authority in the course of its procedure to conduct it - defined by law manner and scope – manages the protected data that are related to its procedure, and the handling of which is necessary for the successful completion of the procedure. (54) The Art. Based on § 33, paragraph (1), the client at any stage of the procedure and its you can consult the document created during the procedure even after its completion. (55) The Art. On the basis of § 33, paragraph (4), during the inspection of the documents, the copy entitled to it, you can prepare an extract or - against the reimbursement of costs specified in a government decree - you can request a copy, which the authority will certify upon request. (56) The Art. Pursuant to § 34, it is not possible to inspect the draft decision. Unrecognizable and the document or a part of the document from which a conclusion can be drawn to protected data or to personal data that can be known by law specified conditions are not met, unless the data - not including the classified data - the lack of knowledge of it would prevent the person entitled to inspect the document from e in the exercise of his rights guaranteed by law. Based on the request, the authority is provides access to documents - even after the end of the procedure - or in an order rejects. (57) The Art. According to § 62, paragraph (3), it is officially known by the authority and is public knowledge facts do not need to be proven. (58) The Art. Based on the provisions of paragraphs (1) - (2) of § 77, the person whose obligation violates it through his own fault, the authority obliges him to reimburse the additional costs caused, and may be subject to procedural fines. The minimum amount of the procedural fine in each case ten thousand forints, the maximum amount - unless the law provides otherwise - five hundred thousand HUF in the case of a natural person, legal entity or other organization one million forints. (59) The Art. On the basis of § 103, paragraph (1), in ex officio proceedings, the Ákr. upon request the provisions relating to initiated procedures in the Acr. VII. with the deviations included in chapter must be applied. (60) The Art. On the basis of § 104, paragraph (1) point b), the authority in its area of competence initiates the procedure ex officio if ordered to do so by a court. (61) The Fgytv. 16/A. § (1) is prohibited under the age of eighteen for a person - with the exception of medicines that can only be issued on medical prescription - to sell or serve alcoholic beverages. 13 (62) The Fgytv. 16/A. According to paragraph (4) of § defined in paragraphs (1)–(3). in order to enforce the restriction, the company or its representative in case of doubt invites the consumer to provide creditable proof of age. Age is appropriate in the absence of proof, the sale or service of the product must be refused. ARC. Judgment (63) In its judgement, the Metropolitan Court of Appeal considered point 3 of the Decision Act I of 2017 on the Code of Procedure (hereinafter: Law) § 89 (1) paragraph b) annulled it on the basis of point and obliged the Authority to proceed with a new procedure in this regard. This moreover, the Metropolitan Court rejected the claim. (64) The Metropolitan Court explained in paragraph [27] of the Justification of the Judgment that the "the court found that after the purchase, in the given cash register, the entry as a result of a keystroke in the form of a string of numbers in the format "NNHHYYYYYY". a recorded and stored date of birth was not considered personal data because the data subject identification was no longer possible. The date of birth is all in this form together with keystrokes, any other data that can be associated with the data subject without, it was stored solely for the purpose of troubleshooting and not for the identification of the data subject. The number line of the date of birth recorded by keystroke during storage is not the customer, as a natural person, but made it possible to identify the purchase [...] From all this therefore, the preservation of the date of birth in the log file for 180 days was not implemented and data management". (65) Pursuant to paragraph [42] of the Justification of the Judgment, this repeated data protection in an official procedure, the Authority must make its decision taking into account that the Obligor "did not commit in the field of keeping the date of birth in the diary file infringement". (66) In its judgment, the Metropolitan Court also emphasized that (see: the Judgment Paragraph [41] of its justification), that the annulment of point 1 of the Decision is for that reason was not justified, because in that the Authority handled the Obligor's data as a unit evaluated and established a violation; and realized with insight and input with regard to data management, the provisions contained in point 1 of the Decision its violation exists regardless of whether the same with regard to preservation findings, according to the Metropolitan Court, "were not legal". (67) Pursuant to the above [see paragraphs (63) – (66) of the reasons for this decision] therefore, in view of all the circumstances of the case, the Metropolitan Court in its Judgment so decided that, contrary to the provisions of the Decision, "the date of birth in the diary file By keeping it for 180 days, the Obligee did not carry out data management". V. Legal Consequences V.1. Data protection fine (68) Pursuant to paragraph [42] of the Justification of the Judgment, the Authority should "Repeatedly decide is required in connection with the data management implemented with insight or input on the legal consequence applicable due to established violations, with the fact that in the case of imposing a fine, its amount is a narrower scope of the scope of the violation must be determined taking into account; related to retention in the log file circumstances should not be taken into account during the consideration and cannot be assessed as aggravating as a circumstance in connection with the mandatory age verification (inspection, entry) 14 a longer period of established infringement. The amount of the fine is therefore all this disregarding circumstances, it should be proportionally less.". (69) The Authority pursuant to Article 58(2)(i) and Article 83 of the General Data Protection Regulation (2) also imposes a data protection fine instead of or in addition to the other measures can impose. (70) In the matter of whether, in this repeated data protection official procedure, it is justified e the imposition of a data protection fine, the Authority has discretion based on the law decided acting in his authority, taking into account Infotv. § 61. Paragraph (1) point a), that is Infotv. 75/A. §, as well as Article 83 (2) of the General Data Protection Regulation and Article 58 (2) of the General Data Protection Regulation. The Authority considered it all the circumstances of the case, paying special attention to the provisions of the Judgment and established that in the present repeated data protection official procedure a warning and conviction are neither proportionate nor dissuasive in themselves would be a sanction, therefore the imposition of the fine is necessary in view of the Obligee's market situation, the general and national nature of the practice it introduced and the significant to the person concerned. In this case, the protection of personal data - which is the Authority task - no, based on the totality of the fine imposition circumstances detailed below is available without imposing a data protection fine. The imposition of fines is both special and it also serves general prevention, according to which the decision not only On the Authority's website, but on the opening page of the Obligor's website, clearly and easily is also published in an accessible place. (71) When determining the amount of the fine, the Authority took into account, above all, that the Metropolitan Court decided in its Judgment that “the date of birth keeping it in a log file for 180 days did not implement data management" (see: az Paragraph [27] of the Justification of the Judgment); the Obligee “the date of birth in the log file he did not commit a violation of the law during the preservation of the paragraph [42]). However, the Authority cannot dispense with the fact that in the Decision established additional, fundamental violations of the general data protection regulation Belonging to the category of fines with a higher amount according to Article 83, paragraph (5), point a). are considered violations of the law, based on this the maximum fine that can be imposed is EUR 20,000,000, and in the case of enterprises, the total annual world market turnover of the previous financial year an amount of up to 4%, the higher of the two must be imposed. (72) When determining the amount of the fine (95,000,000 HUF) imposed by the Authority in the Decision took into account the data for 2021, on the basis of which the Obligor's sales its net sales revenue in 2021 was HUF 315,282,601,000. At the same time, the Authority also took into account that, in comparison, the taxable profit of the Obligor is HUF 8,504,878,000 was this year [see paragraph (184) of the Decision's justification]. (73) During the determination of the fine in this repeated data protection official procedure in view of the period of existence of the violations, the Authority is the Obliger's 2021 business year taken into account. (74) Based on the 2021 data, it must be taken into account by the Authority Based on HUF 315,282,601,000, the legal maximum of the fine is in the case HUF 12,611,304,040. Compared to this, the HUF 80,000,000 included in this decision HUF data protection fine 0.025% of the net sales of the debtor's sales, i.e significantly below the maximum fine amount. 15 (75) When determining the amount of the data protection fine, the Authority uses the following mitigating factor circumstances were taken into account: - September 2022 employees employed as a mandatory store salesperson From day 1, customers will only be called in case of doubt about their age loan proof of eligibility in case of purchase of alcoholic beverages; what the Judgment Paragraph [39] of its justification also contains [Article 83 of the General Data Protection Regulation (2) point a)]; - The violation affected a narrow range of categories of personal data of the persons concerned, a recording was limited to the customers' date of birth [General Data Protection Regulation Article 83(2)(g)]; - The Authority assessed that the primary purpose of the measure introduced by the Obliger protection of persons under the age of eighteen (which the Judgment Paragraph [35] of its justification is also confirmed), the consumer protection law compliance with the regulations as fully as possible, there was no question about that information that the other was aimed at obtaining an unlawful advantage [general Article 83 (2) point k) of the Data Protection Regulation]. (76) When determining the amount of the data protection fine, the Authority takes into account the Judgment Also for paragraph [42] of his reasoning - he took the following aggravating circumstances taking into account: - Obliged - on the basis of paragraph [39] of the Justification of the Judgment, which is not contested by him - committed several legal violations and violated other fundamental provisions, therefore the Authority considered the nature of the violations to be of medium seriousness, to which it belongs evaluation based on paragraph [39] of the Reasoning of the Judgment not even like that it is unreasonable that the Obligor's practice of keeping it in the log file is "no was unlawful" [General Data Protection Regulation Article 83 (2) point a)]; - The number of those involved was significant, as stated in the Justification of the Judgment [33] also confirmed [Article 83 (2) of the General Data Protection Regulation point a)]; - The violations existed at the national level [see: (38) and Paragraphs (120)], were not ad hoc in that August 4, 2022 and In the period between August 31, 2022, the Obligor prescribed it in a general manner for the age of each person intending to buy alcoholic beverages mandatory inspection; as well as paragraphs [33] and [38] of the Justification of the Judgment confirmed [General Data Protection Regulation Article 83 (2) point a)]; - Data management operations are opaque for a longer period of time to those concerned were due to the fact that the information on data management was not easily accessible, incomplete information was provided to those concerned in several aspects; this is it Paragraph [32] of the Justification of the judgment also confirmed [general data protection Regulation Article 83 (2) point a)]; - As a result of the data management, certain data subjects who have reached the age of 18 are Obliged hindered in their right to contract (see: case number NAIH-6989-5/2022 minutes page 6; minutes of case number NAIH-6989-6/2022, page 6); what it is Paragraph [37] of the Justification of the judgment also confirms [general data protection decree Article 83(2)(a)]; - Based on several reports received against the Obligor, the Authority detected a The probability of the unlawful nature of the mandatory data management practices, which resulted in the ex officio proceeding under case number NAIH-6989/2022; this Judgment 16 It was also confirmed by paragraph [34] of its justification [general data protection decree 83. Article (2) point h)]. (77) When determining the amount of the data protection fine, the following circumstances – a As stated in paragraph (187) of the justification of the decision - the fine their extent was neither aggravated nor alleviated, they had a neutral effect: - After completing the proof procedure, the obligee put it on his website Effective from January 17, 2023, the investigated data management operations and fully describing the recipients - however, the mandatory age check is still unclear regarding - modified data management information, however, the date of the committed violation (August 4, 2022 - 31.), it is no longer possible to assess the mitigation of the damage of a measure taken in order to [general data protection regulation Article 83 (2) point c)]; - Mandatory after completion of the proof procedure on January 16 and 17, 2023 in the context of personal education, the revised data protection was introduced in the meantime documents with the regional managers, who were then given the task of to be replaced in all stores by January 31, 2023 at the latest data protection documents, however, the date of the breach (2022) in view of the period that has passed since August 4 - 31), the mitigating factor can no longer be evaluated as circumstances [General Data Protection Regulation Article 83 (2) point c]; - To establish a data protection violation by the Obligor, the general data protection due to violation of the regulation, it has already taken place twice, however, these infringements were evaluated by the Authority in this official data protection procedure did not consider it relevant in terms of data management [NAIH-987/2021 case number (previous case number: NAIH/2020/8690) and case number NAIH-1044/2021 (previous case number: NAIH/2020/2255) data protection investigation procedure] [general Article 83 (2) point (e) of the Data Protection Regulation]; - The Obligee cooperated with the Authority during the procedure, but this is a matter for the judge practice and legal obligation based on the practice of the Authority, its absence could be an aggravating circumstance. This is also stated in paragraph [36] of the Justification of the Judgment confirmed [General Data Protection Regulation Article 83 (2) point f)]. (78) The Authority, when determining the amount of the data protection fine, in the Decision originally 4 relievers; It took into account 6 aggravating and 4 neutral circumstances [see: paragraphs (185) – (187) of the justification of the Decision]. Reasoning for Judgment [42] Pursuant to paragraph no longer evaluated the longer duration of the infringement as an aggravating circumstance (which The justification for the decision was found in the 3rd indent of paragraph (186). in addition to the additional circumstances according to which the violations are on a national level existed, they were not random). Paragraph [42] of the Justification of the Judgment stated also that the Authority is “related to the preservation in the log file circumstances should not be taken into account during the consideration". In view of this, however, the during this repeated data protection authority procedure, the Authority is the data protection fine when determining its extent, it no longer took into account as a mitigating circumstance the It was evaluated in the 2nd indent of paragraph (185) of the justification of the decision circumstance on the basis of which, according to the Obligor's statement, the personal data in relation to the log files containing the protection measures proportionate to the risks applied [general data protection regulation Article 83 (2) point d)]. 17 (79) Considering paragraphs [30], [31] and [42] of the Justification of the Judgment, the Authority during the imposition of a fine in a repeated data protection official procedure a the amount of the fine, taking into account the narrower range of the scope of the violation determined; circumstances related to retention in the log file a did not take it into account during consideration; and did not assess it as an aggravating circumstance in connection with the mandatory age verification (inspection, input). a longer period of established infringement. However, the Authority cannot waive it from the fact that the Obligor - based on paragraph [39] of the Reasoning of the Judgment, neither by him disputed - committed several violations; violated several fundamental provisions; furthermore the number of those affected was significant; and the violations existed at the national level, they were not random. (80) The above [see: paragraphs (68) – (79) of the reasons for this decision] and the case based on all its circumstances, the Authority originally considered 6 in the Decision due to aggravating circumstances during the present repeated data protection official procedure 1 circumstance (longer duration of the violation) was no longer assessed as aggravating as a circumstance, so - even though not every violation can be of the same weight consider - the fine originally imposed by the Authority in the Decision (HUF 95,000,000) reducing its amount by roughly 1/6 (HUF 15,000,000) and thus decided to impose a data protection fine of HUF 80,000,000 in total. The present the amount of the data protection fine imposed in the decision - the Reasoning of the Judgment [42] taking into account the provisions of paragraph - it became proportionately less than a Fine originally imposed in a decision. (81) Based on the above and all the circumstances of the case, the Authority is the deciding party considered the imposition of a data protection fine in the amount of proportional and dissuasive effective both in terms of special and general prevention, which amount is still significantly below the maximum fine; at the same time a is proportional to the severity of violations, it is the sales data for 2021 in comparison, it cannot represent a disproportionate financial burden for the Obligor. In other cases, this amount may be significantly different based on individual circumstances, does not bind the Authority in other matters. (82) On April 26, 2023, the obligee paid to the Authority in point 3 of the Decision imposed a HUF 95,000,000 data protection fine [see: file number NAIH-3227-4/2023]. In view of this, the Authority acts ex officio in the Decision and in this decision payment of the difference in the data protection fine to the Obligor repayment. (83) In view of the period of existence of the violations, as well as the fact that the Authority has a When making a decision, you did not have to apply the European Data Protection Act Administrative fines for the board according to the general data protection regulation 04/2022 on its calculation. guidelines no. (hereinafter: Guidelines), thus the Authority also omits it during the current repeated data protection official procedure the use of reserved items. At the same time, the Authority notes that the Guidelines if applied in the present case, the amount of the data protection fine is significant would exceed the amount of the fine contained in both the Decision and this Decision. V.2. Publication of the decision (84) Pursuant to paragraph [42] of the Reasoning of the Judgment, the Authority "Repeatedly decides is necessary in connection with the data management implemented with insight or input on the legal consequence applicable due to established violations". 18 (85) Infotv. Pursuant to § 61, paragraph (2): "The Authority may order in its decision - that by publishing the identification data of the data manager or the data processor - disclosure if a) the decision affects a wide range of persons, b) it was brought in connection with the activities of a body performing a public task, or c) the seriousness of the infringement justifies disclosure." (86) In point 4 of the Decision, the Authority referred to Infotv. On the basis of point a) of paragraph (2) of § 61 ex officio ordered the identification data of the Obligor in its final Decision publicizing it by publishing it on the website of the Authority, and a On the opening page of the mandatory website, in a clearly visible and easily accessible place, a It must be available at least within 30 days of the decision becoming final for 30 days. (87) Based on the provisions of paragraph [40] of the Justification of the Judgment, the final Decision – Obligatory and on the website of the Authority in connection with its order, the Capital Court established that the Authority e specifically provided by Infotv. It was founded on point a) of paragraph (2) of § 61, which was clearly stated in point 4 of the operative part of the Decision and the Decision also in paragraph (194) of its justification. The Authority is the disclosure not by the weight of the infringement, but by the fact that the Decision affected a wide range of people. With attention to the fact that the Obligor a objectionable data management practices on a general basis, nationally, for all stores comprehensively ordered, i.e. the challenged practice during the investigation period, all he ordered it to be used in the case of a person buying an alcoholic drink, without a doubt it can be established that the Decision affected a wide range of persons. In itself e due to circumstances, the Authority is Infotv. could order it on the basis of point a) of paragraph (2) of § 61 publication of the Decision. (88) On the basis of the above, the Metropolitan Court made the Decision public with regard to point 4 of the order, the Obligor's claim is submitted to Kp. Section 88, paragraph (1), point a). rejected based on (see paragraph [41] of the Justification of the Judgment). (89) Considering that the Obligor - based on paragraph [39] of the Justification of the Judgment not even disputed by him - he committed several violations of law, several principled provisions as well violated, the Authority considered the nature of the violations to be moderately serious, which its assessment as such was not even based on paragraph [39] of the Justification of the Judgment it is unreasonable that the Obligor's practice of keeping it in the log file "was not illegal". The number of people involved was significant, the violations are all the Obliger they existed on a national level covering his business and were not of an ad hoc nature, and a a wide range of natural persons were affected. (90) Since the decision made in this repeated data protection official procedure is closely related to the Decision, to be evaluated together with the above considering [see: paragraphs (84) – (89) of the justification of this decision] – a Similar to the decision - the Authority is Infotv. On the basis of point a) of paragraph (2) of § 61 ordered ex officio in the present repeated data protection official procedure final decision by publishing the Obligor's identification data not only on the Authority's own website, but also on the Obligor's website on the opening page of its website, in a clearly visible and easily accessible place, the present for at least 30 days from the decision becoming final in duration. 19 VI. Other questions (91) The competence of the Authority is defined by Infotv. It is defined by paragraphs (2) and (2a) of § 38, its jurisdiction covers the entire territory of the country. (92) This decision of the Authority is based on Art. §§ 80-81 and Infotv. It is based on paragraph (1) of § 61. The decision of the Ákr. Based on § 82, paragraph (1), it becomes final upon its publication. The Akr. 112. against the decision based on § a, § 114, paragraph (1), and § 116, paragraph (1) there is room for legal redress through an administrative lawsuit. (93) The rules of administrative proceedings are set out in Kp. determine. The Kp. Based on § 12, paragraph (1). the administrative lawsuit against the Authority's decision falls within the competence of the courts, a sued by Kp. On the basis of § 13. paragraph (3) point a) point aa) the Metropolitan Court exclusively competent. The Kp. According to § 27, subsection (1), point b) in a legal dispute, in which the court has exclusive jurisdiction, legal representation is mandatory. The Kp. Section 39 According to paragraph (6), the submission of the claim is an administrative act does not have the effect of postponing its entry into force. (94) The Kp. Paragraph (1) of § 29 and, in view of this, the 2016 Code of Civil Procedure CXXX. is applicable according to § 604 of the Act, electronic administration and confidential CCXXII of 2015 on the general rules of services. Act § 9 paragraph (1). b), the client's legal representative is obliged to maintain electronic contact. (95) The time and place of filing a claim against the Authority's decision is set out in Kp. Section 39 (1) is defined. About the possibility of a request to hold the hearing information from Kp. It is based on paragraphs (1) – (2) of § 77. The fee for the administrative lawsuit XCIII of 1990 on the levy. Act (hereinafter: Itv.) 45/A. § (1) is determined by paragraph From the advance payment of the tax, the Itv. Section 59 (1) paragraph and point h) of § 62 paragraph (1) exempt the person who initiated the procedure. (96) If the Obligor does not adequately certify the fulfillment of the prescribed obligation, a The authority considers that the obligation was not fulfilled within the deadline. The Akr. § 132. according to, if the obligee did not comply with the obligation contained in the final decision of the authority enough, it is enforceable. The Akr. Pursuant to § 133, paragraph (1), the execution – if unless otherwise provided by law or government decree - the decision-making authority orders. The Akr. Pursuant to paragraph (1) of § 134, enforcement - if it is a law, government decree or local government decree in the case of municipal authorities does not provide otherwise - it is undertaken by the state tax authority. Infotv. Section 61 (7) based on paragraph 1, the implementation of the Authority's decision was included in the decision, to carry out a specific act, to perform a specific behavior, to tolerate or in relation to the obligation to stop, the Authority undertakes. Budapest, according to the electronic signature and time stamp Dr. Habil. Attila Péterfalvi president, c. university teacher