NAIH (Hungary) - NAIH-2801-17-2022 (NAIH-8701/2021)
NAIH - NAIH-2801-17-2022 (NAIH-8701/2021) | |
---|---|
Authority: | NAIH (Hungary) |
Jurisdiction: | Hungary |
Relevant Law: | Article 5(1)(b) GDPR Article 5(1)(c) GDPR Article 5(2) GDPR Article 6(1) GDPR Article 13(1) GDPR Article 13(2) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 16.11.2021 |
Decided: | 08.08.2022 |
Published: | 08.08.2022 |
Fine: | 300000 HUF |
Parties: | n/a |
National Case Number/Name: | NAIH-2801-17-2022 (NAIH-8701/2021) |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Hungarian |
Original Source: | NAIH (in HU) |
Initial Contributor: | Abel Kaszian |
The Hungarian DPA ruled that audio recording during installation works is unlawful and fined the controller 700 EUR for violating the principles of purpose limitation, data minimisation and for not providing the data subjects with information.
English Summary
Facts
On 31 March 2021, the Hungarian Data Protection Authority (NAIH) received a complaint concerning a sound recording made during certain construction and installation works at the data subject's residence.
On 29 March 2021, the controller’s employee recorded a voice recording on his mobile phone during the repair work at the data subject's home, which he did not inform the data subject about beforehand. The data subject contacted the controller by telephone with his complaint and was informed that the worksheet contained information about the voice recording. On 29 March 2021, the data subject requested the worksheet and the name and contact details of the controller’s DPO by email, but received no reply. The data subject also indicated that there was no information on the controller’s website about audio recording.
An investigation was launched during which the DPA addressed a request to the controller for clarification of the facts. The controller’s reply letter was received by the DPA on 13 July 2021 and contained the following observations.
The audio recording related to the performance of installation works by the controller is made on a case-by-case basis, based on an individual decision of the managing director, the purpose of which is to protect the interests of the customers, especially the elderly customers. A further objective is to hold employees accountable for the proper information provided. Voice recording is not standard practice, but is carried out on a risk-based basis. Ad hoc voice recording has been used since January 2021, at the discretion of the managing director. The controller has indicated the legal basis for the processing under Article 6(1)(a) GDPR (consent of the data subject) and Article 6(1)(d) GDPR (vital interests of the data subject or other natural person). According to the controller, no audio recording was made of the data subject, as any recording can only be made based the instructions of the managing director of the company and this was not done at or in connection with the data subject’s address. The data subject also requested the audio recording and the worksheet, but it was not provided by the controller.
The controller stated that the purpose of making the occasional audio recording was to properly document what was said at the installation site during the installation work. Indeed, in many cases, the clients – in most cases elderly persons – claimed afterwards that they had not been properly informed about, for example, the cost of the installation or materials, the duration of the work, or that they did not remember it as it was actually clarified. Despite the fact that this information is recorded in the worksheet, some clients questioned the accuracy and truthfulness of the information provided by the technician who visited the site.
In view of this, the controller decided that in individual cases the installing employee should make an audio recording of what was said during the installation, in order to provide adequate proof that the information was given or, if necessary, to hold the employee liable if the client's complaint proved to be genuine.
In both cases where a recording was made, the managing director considered the need to make an audio recording on the basis of all the circumstances of the situation (such as the way in which the request was made and the consultation prior to the work on site, the nature of the work, the perceived age of the person using the service, the suggestion or request of the installer after the work had started that a recording should be made).
Holding
Article 5 GDPR sets out the main principles that must be considered when processing personal data and that must be consistently applied in the processing. It follows from the accountability requirement of Article 5(2) GDPR that the controller is responsible for compliance with the data protection principles and must be able to demonstrate such compliance. On this basis, the controller must document and record the processing in such a way that its lawfulness can be demonstrated. The principle of purpose limitation under Article 5(1)(b) GDPR implies that personal data may only be processed for specified, explicit and legitimate purposes.
In the DPA's view, the audio recordings may be suitable to achieve the stated objectives, but these objectives ought to be replaced by a worksheet completed by the installer and signed jointly by the installer and the customer, a copy of which is also provided to the customer, thus proving that what happened during the installation is acknowledged as true by both parties. On this basis, it is not necessary to make an audio recording as there are other ways to achieve the objectives. Moreover, it is not proportionate to record what is said during the installation work, given the unpredictable length of the installation work and the fact that it is not possible to determine in advance what the content of the conversation will be, so that information which is completely unrelated to the purpose of the processing may be recorded. Moreover, there is also a possibility to unnecessarily monitor employees.
According to the controller’s statements, in the altogether two cases where the controller made an audio recording, it considered, prior to making the recording, the options that might be suitable for achieving the purpose it was seeking to achieve and considered that the processing of the audio recording complied with the legal and regulatory requirements for processing based on legitimate interests. However, no legitimate interest test was carried out before the processing started.
The DPA also found the breach of the purpose limitation and data minimisation principles, that, notwithstanding the fact that the controller did not carry out an interest test, the controller could not lawfully base its processing on a legitimate interest – and no other legal basis – in the absence of a legitimate purpose and interest and unnecessary processing, and therefore breached Article 6(1) GDPR.
A further requirement for lawful processing is that data subjects are provided with adequate, transparent and easily understandable information about the processing. Article 13(1) GDPR and Article 13(2) GDPR set out the processing circumstances and information that the controller must provide to data subjects. GDPR does not specify the form of the information, but the DPA recommends the written form for the reason that, also in line with the principle of accountability, it is for the controller to prove and certify that the information – prior to the notification – has been provided. According to the controller’s statement, on the occasion of the two audio recordings, the information was provided orally at the site of the installation work and the worksheet also contained a short written information, stating “I further consent to the on-site technicians making audio, visual and video recordings of the works”. In relation to this information, it can be concluded that it does not contain any information on the processing of the data, which would constitute a breach by the controller of Article 13(1) GDPR and Article 13(2) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
Case number: NAIH-2801-17/2022. Subject: decision establishing a violation of law (NAIH-8701/2021.) DECISION The National Data Protection and Freedom of Information Authority (hereinafter: Authority) is […] Represented by Law Firm (headquarters: […]; acting attorney: [...]; company gate: [...]) (headquarters: [...], company registration number: [...]; hereinafter: installation work carried out by the Customer). during the recording practice, natural persons a on the protection of personal data in terms of processing and that such data is free (EU) 2016/679 on the flow and repeal of Directive 95/46/EC regulation (hereinafter: general data protection regulation). in connection with compliance with the following in the data protection official procedure initiated ex officio makes decisions: 1. The Authority determines that the Customer has violated it - Article 5(1)(b) of the General Data Protection Regulation; - Article 5(1)(c) of the General Data Protection Regulation; - Article 6 (1) of the General Data Protection Regulation; - Article 5 (2) of the General Data Protection Regulation; - Paragraphs (1)-(2) of Article 13 of the General Data Protection Regulation. 2. The Authority due to the violations established in point 1 300,000 HUF, i.e. three hundred thousand forints data protection fine obliges the Customer to pay. 3. The Authority also terminates the seizure ordered in the procedure. * * * The data protection fine shall be paid within 30 days of this decision becoming final Authority's centralized revenue collection target settlement HUF account (10032000- 01040425-00000000 Centralized direct debit account IBAN: HU83 1003 2000 0104 0425 0000 0000) must be paid. When transferring the amount, NAIH-2801/2022. FINE. for number must be referred to. If the Customer does not comply with the obligation to pay a data protection fine within the deadline, a you must pay a late fee to the above account number. The amount of the late fee is the legal one interest, which is the central bank interest valid on the first day of the calendar semester affected by the delay equal to the base interest rate. In the event of non-payment of the data protection fine and late fee, the Authority orders a implementation of the decision. ................................................... ................................................... ................................................... ................................................... ................................................... .............. Falk Miksa utca 9-11 Fax: +36 1 391-14100 www.naih.hualat@naih.hu 2 There is no place for administrative appeal against this decision, but from the announcement within 30 days from the date of issue, with a letter of claim addressed to the Capital Tribunal can be challenged in a lawsuit. The claim must be submitted to the Authority electronically, which forwards it to the court together with the case documents. The request for the holding of the trial is submitted by the must be indicated in the application. For those who do not receive full personal tax exemption the fee for the administrative lawsuit is HUF 30,000, the lawsuit is subject to the right to record the fee. The capital city Legal representation is mandatory in court proceedings. JUSTIFICATION I. Procedure of the procedure 1. On March 31, 2021, a notification was received by the Authority, according to which […] (residential address: […]; the hereinafter: the complainant) complained against the Customer regarding the installation work carried out in his apartment in connection with the audio recording that took place in the meantime. The whistleblower explained that on March 29, 2021, the Customer's employee during which he made a sound recording with his mobile phone, about which the informant was not informed in advance informed him. He contacted the Customer by phone with his complaint, where he was informed that that the worksheet contains the information about the audio recording. The notifier March 29, 2021- I asked to send the worksheet and the Customer's data protection via e-mail the name and contact information of his agent, but he did not receive a response to his request. THE the whistleblower indicated that there is no audio recording on the Customer's website either 2 information. In the case, point f) of Article 57 (1) of the General Data Protection Ordinance, respectively CXII of 2011 on information self-determination and freedom of information. law (hereinafter: Infotv.) based on point a) of paragraph (3) of § 38. NAIH-3853/2021. An investigation was launched on file number, during which the Authority dated June 15, 2021, NAIH-3853- 4/2021. in his letter with file number, he addressed the Client with a request to clarify the facts in order to The Customer's response letter was received by the Authority on July 13, 2021, and the included: 2. Audio recording related to the installation work carried out by the Customer it is made on the basis of a case-by-case, unique executive decision, the purpose of which is to protect the interests of customers, mainly for elderly customers. Another goal is to hold the information accountable colleagues. Audio recording is not a general practice, it is done on a random basis. Occasional audio recording has been used since January 2021 based on the decision of the executive. The Customer's legal basis for data management is Article 6 (1) of the General Data Protection Regulation according to point a) (the consent of the person concerned), as well as point d) (the person concerned or other natural vital interest of a person) was marked. The Client did not send internal regulations or internal procedures for managing recordings regarding, but briefly gave the following answers to the Authority's questions: the executive decides on the hiring, the manager instructs the employees to do so, and only hires 1 The NAIH_K01 form is used to initiate the administrative lawsuit: NAIH_K01 form (September 16, 2019) The form can be filled out using the general form filling program (ÁNYK program). The form is available from the following link: https://www.naih.hu/kozig-hatarozat-birosagi-felulvizsgalata 2 Download time: 2021.04.21.erelo.hu/adatkezelesi-tajekoztato/ 3 may be prepared by the person entrusted by the executive with this, at the time determined by him, or in quantity. The manager transfers the recording to a laptop and deletes it from the audio recording device. THE retention period: the warranty period has expired, i.e. 6 months, after which the manager deletes the recording from a laptop. The audio recording device is a dictaphone, and the audio recording device is an offline one laptop in mode that is password protected and known only to the executive. On the basis of the Customer's statement, before the audio recording is made, orally and in writing they inform the affected parties, as well as inform them that they have the right to do so at any time delete the audio recording. Based on the Customer's statement, no audio recording was made of the whistleblower, only that it can only be prepared on a case-by-case executive order, and this was not done at the above address. When asked why they did not respond to the whistleblower's electronic inquiry, that is The customer stated that he did not receive a letter from the whistleblower at his e-mail address. 3. Based on the answers sent, the Authority considered the audio recording justified overview of general practice in official data protection proceedings, since made it likely that in connection with the management of personal data, persons presumably a violation of rights has occurred or there is a direct threat of it affecting a wide range of fines may be imposed based on the provisions of the General Data Protection Regulation. At the same time, the Authority will consider the whistleblower's individual complaint - including the one sent by him non-response to electronic inquiries and requests for worksheets - the NAIH- 3853/2021. investigated in the investigation procedure started under no. Therefore, the present procedure is individual not the subject of a complaint. The Authority is Infotv. In view of Section 71 (2) in this official data protection procedure was used as evidence by the preceding NAIH-3853/2021. investigation procedure was initiated legally obtained documents and data, as the Customer was informed about this dated 26 November 2021, NAIH-8701-1/2021. file number, initiating proceedings in its execution. II. Clarification of the facts 1. The Authority dated November 26, 2021, NAIH-8701-1/2021. with order no notified the Customer of the initiation of the official data protection procedure and to make a statement called, and also CL of 2016 on general public administrative order. law (a hereinafter: Ákr.) based on § 108, paragraph (1), ordered by the Customer in NAIH-3853/2021. stored on a laptop in offline mode referred to in the investigation procedure started at no reservation of audio recordings. The reason for the seizure was that if the audio recordings stored by the Customer were to be deleted would avoid receiving an order ordering the initiation of data protection official proceedings after, this would endanger the success of clarifying the facts. 2. The Customer appointed a legal representative in the data protection official procedure. In its letter dated December 16, 2021, the Customer stated that the Authority after your inquiry sent in the investigation procedure, the investigation and the present its data management practices affected by official data protection proceedings, and thereafter stopped the recording of audio recordings during installation work. According to his statement at the same time, before the termination, audio recordings were made twice which recordings were also deleted during the review. 4 According to his statement, 31 people worked for the Customer at that time, of which 15 were mechanics. Every month on average, 140-150 installation jobs take place. The Customer's goal in making the audio recording is was to properly document it during the installation work at the installation site what was said. In many cases, his clients – in most cases elderly people – afterwards they claimed that they did not receive adequate information, for example, about the installation or that about the cost of materials, the duration of the work, or not how they remembered it actually said. Even though this information is also recorded on the worksheet cost, some of the customers questioned the on-site mechanic the veracity of your information. In view of this, the Customer decided that in individual cases a have the installer make an audio recording of what was said during the installation, in an appropriate way can prove that the information has been provided or, where applicable, can hold the employee, should the customer's complaint prove to be true. In both cases, when recording was made, based on all the circumstances of the situation (such as the inquiry and the on-site method of consultation prior to work, the nature of the work, the person using the service estimated age, the mechanic's proposal and request for recording after the start of the work about its necessity) the manager considered the necessity of making the audio recording. At the request of the Authority, the Customer sends on electronic media all the, a recorded audio recording to the Authority upon receipt of the order, the Customer stated that due to the previous deletion of the two audio recordings, he cannot fulfill this request. According to the Customer's statement, it was also presented in the previous investigation procedure in the statement, he incorrectly indicated the legal basis for data management, and not general data protection wanted to refer to point d) of Article 6 (1) of the Decree, but to point f) because in his opinion, according to what was previously presented, they were said during the installation work had a legitimate interest in its recording. 3. NAIH-2801-2/2022 of the Authority dated February 9, 2022. additional facts with case file no for its clarification order, the Customer stated in its letter dated February 28, 2022 that in the two cases where he made audio recordings, he considered them before recording them the possibilities that may be suitable for the realization of the goal he wants to achieve, and deemed that the data processing related to the recording of the audio was lawful legal and official requirements for interest-based data management. However, he did not prepare a balance of interests test before starting data management. According to the Customer's statement, he had previously marked it incorrectly on the worksheet the legal basis for data processing, and not the consent of the data subject, is considered appropriate for data processing its legal basis, but its legitimate interest. According to the Customer's statement, the recording was regulated in the following way its procedure, it did not have any other internal regulations in this connection: "Regulation: - audio recording is made based on executive decision - the manager instructs the employee - recording can only be made by the employee entrusted with it, by the manager at a specified time and in a specified quantity - the manager transfers the recording to a laptop and deletes it from the audio recording device - at the end of the warranty period, which is six months, the manager deletes the recording from the laptop." Furthermore, according to the Customer's statement, "during the making of the two audio recordings a information was given verbally at the site of the installation work, or in writing on the worksheet 5 short information was also included - although unfortunately not in an adequate way - about recording about the possibility." The brief information on the worksheet is as follows: "I also agree that on site the mechanics should make sound, picture and video recordings in connection with the works." During the review of the data management, the Customer came to the conclusion that the information was not adequate its form and content, and, among other things, terminated the examined practice with regard to this. Regarding the seizure, the Customer stated that it had already been ordered by the Authority at the time of the seizure, it did not store any audio recording that was the subject of the investigation would have been recorded in connection with data management. There have been two such recordings before was prepared, however, they were already during the previous investigation procedure of the Authority, on June 15, 2021 deleted it after my request, as no legitimate purpose justified the further preservation of recordings. Dated 26 November 2021 by the Authority, NAIH-8701- 1/2021. at the time of receipt of his order with file number, none was available nor audio recording, therefore the Customer could not fulfill his obligation to reserve. The manager irretrievably deleted the audio recordings in question from his own laptop, etc the recordings were not stored on the device, and the exact time of deletion was not recorded. 4. The documents of the investigation procedure available to the Authority also contain the following The contact details of the employee performing installation work at the reporting party, as stated by the customer. Given that the repair worker has the most accurate information About the audio recording practice carried out by the customer during installation work, the Authority considered it justified to summon him for a personal hearing as a witness to its headquarters. The repair worker (hereinafter: witness) at the Authority's headquarters on May 5, 2022 submitted that he has been working at his current job, at the Client, since August 2020, and this time never once did he receive an instruction from his employer to make an audio recording of the about works, he was not aware that there was such practice at the employer. The witness according to his statement, no general instructions regarding the recording of audio they received, to the best of his knowledge, the employer has not drawn up a policy on this. Account detailer to make it, they used to take a photo to show that the work done was used the quantity and quality of materials can be verified. In this case, the photograph is taken in all cases represents the work done. Commission contract / worksheet used by the Customer in relation to its provision, according to which: "I also agree that on the spot a mechanics to make sound, image and video recordings in connection with the works" it stated that this provision only applies to these objects representing the completed works made - applies to recordings. The witness also testified that he did not make a sound recording on any occasion during works. 5. On June 14, 2022, the Client attended a document review at the Authority's headquarters, during which he got acquainted with all the documents of the procedure, including those prepared from the hearing of the Witness protocol, and the preceding NAIH-3853/2021. was started and used in the present procedure investigation procedure documents. III. Applicable legal provisions Based on Article 2 (1) of the General Data Protection Regulation, the general data protection regulation must be applied to the automated processing of personal data in whole or in part 6 processing, as well as those personal data in a non-automated manner which are part of a registration system or which they want to make it part of a registration system. Infotv. Pursuant to § 2, paragraph (2), the general data protection regulation is indicated there shall be applied with the additions specified in the provisions. Infotv. According to § 38, paragraph (2), the Authority is responsible for the protection of personal data, and the right to access data of public interest and public interest control and promotion of the validity of personal data in the European Union facilitating its free flow within. Infotv. Based on Section 38 (2a) of the General Data Protection Regulation, the supervisory tasks and powers established for the authority under the jurisdiction of Hungary in the general data protection regulation and this law with regard to legal entities belonging to is exercised by the Authority as specified. Infotv. Pursuant to § 38, paragraph (3) point b), according to § 38, paragraphs (2) and (2a) within the scope of his duties, as defined in this law, in particular at the request of the data subject and conducts a data protection official procedure ex officio. Infotv. According to Section 60 (1), enforcement of the right to the protection of personal data in order to do so, the Authority initiates an official data protection procedure at the request of the data subject and may initiate official data protection proceedings ex officio. The Akr. On the basis of § 103, paragraph (1) of this law in ex officio proceedings its provisions on initiated procedures shall be applied with the exceptions contained in this chapter. In the absence of a different provision of the General Data Protection Regulation, the application was initiated for official data protection procedure, Art. provisions shall be applied in Infotv with certain deviations. Pursuant to Article 4, point 1 of the General Data Protection Regulation: ""personal data": identified or any information relating to an identifiable natural person (“data subject”); the natural person who, directly or indirectly, in particular, can be identified an identifier such as name, number, location data, online identifier or a physical, physiological, genetic, intellectual, economic, cultural or social natural person can be identified based on one or more factors relating to its identity." According to Article 4, point 2 of the General Data Protection Regulation: ""data management": the personal any performed on data or data files in an automated or non-automated manner operation or a set of operations, such as collection, recording, organization, segmentation, storage, transformation or change, query, insight, use, transmission of communication, by means of distribution or other means of making available, coordination or connection, restriction, deletion or destruction." Based on Article 4, point 7 of the General Data Protection Regulation: ""data controller": the natural or legal person, public authority, agency or any other body that a the purposes and means of processing personal data independently or together with others define; if the purposes and means of data management are determined by EU or member state law and, the data manager or the special aspects regarding the designation of the data manager it can also be determined by EU or member state law." Pursuant to Article 5 (1) b) and c) of the General Data Protection Regulation: "The personal data: 7 […] b) should be collected only for specific, clear and legal purposes, and should not be processed in a manner inconsistent with these purposes; in accordance with Article 89 (1). is not considered incompatible with the original purpose for the purpose of archiving in the public interest, further data management for scientific and historical research purposes or for statistical purposes ("goal-boundness"); c) they must be appropriate and relevant for the purposes of data management, and a they must be limited to what is necessary ("data sparing"); […].” According to Article 5 (2) of the General Data Protection Regulation: "The data controller is responsible for (1) for compliance with paragraph and must also be able to demonstrate this compliance ("accountability")." Based on points a), d) and f) of Article 6 (1) of the General Data Protection Regulation: "The personal the processing of data is only legal if and to the extent that at least the following one of the following is fulfilled: a) the data subject has given his consent to the processing of his personal data for one or more specific purposes for its treatment; […]; d) the data processing is for the vital interests of the data subject or another natural person necessary for its protection; [...]; f) data management to enforce the legitimate interests of the data controller or a third party necessary, unless the interests of the person concerned take precedence over these interests interests or fundamental rights and freedoms that make personal data protection necessary, especially if a child is involved. Point f) of the first subparagraph does not apply to the performance of their duties by public authorities for data management during Pursuant to Article 13 (1)-(2) of the General Data Protection Regulation: "(1) If the data subject relevant personal data are collected from the data subject, the data controller is the personal data provides the following information to the data subject at the time of its acquisition all of them: a) the identity and contact details of the data controller and, if any, the representative of the data controller; b) contact details of the data protection officer, if any; c) the purpose of the planned processing of personal data and the legal basis of data processing; d) in the case of data management based on point f) of paragraph (1) of Article 6, the data controller or legitimate interests of third parties; e) where appropriate, recipients of personal data, or categories of recipients, if any; f) where appropriate, the fact that the data controller is in a third country or international organization wishes to forward the personal data to, and the Commission the existence or absence of its conformity decision, or in Article 46, Article 47 or in the case of data transfer referred to in the second subparagraph of Article 49 (1) a indicating appropriate and suitable guarantees, as well as obtaining a copy of them reference to the means or their availability. (2) In addition to the information mentioned in paragraph (1), the data controller is the personal data at the time of acquisition, in order to be fair and transparent provides data management, informs the data subject of the following additional information: a) on the period of storage of personal data, or if this is not possible, this period aspects of its definition; b) the data subject's right to request from the data controller the personal data relating to him access to data, their correction, deletion or restriction of processing, and may object to the processing of such personal data, as well as the data subject about your right to data portability; 8 c) based on point a) of Article 6 (1) or point a) of Article 9 (2) in the case of data processing, the right to withdraw consent at any time, which does not affect the data processing carried out on the basis of consent before the withdrawal legality; d) on the right to submit a complaint to the supervisory authority; e) that the provision of personal data is a legal or contractual obligation is a basis or a prerequisite for concluding a contract, as well as whether the person concerned is obliged to a provide personal data, as well as what possible consequences this may have failure to provide data; f) the fact of automated decision-making referred to in paragraphs (1) and (4) of Article 22, including also profiling, and at least in these cases to the applied logic and that comprehensible information regarding the significance of such data management and what are the expected consequences for the person concerned." According to Article 58(2)(b) and (f) of the General Data Protection Regulation: "The supervisory acting within the authority's corrective powers: [...]; b) condemns the data manager or the data processor if its data management activities violated the provisions of this regulation; […]; i) imposes an administrative fine in accordance with Article 83, depending on the circumstances of the given case depending, in addition to or instead of the measures mentioned in this paragraph; and […].” Based on Article 77 (1) of the General Data Protection Regulation, other administrative or without prejudice to judicial remedies, all interested parties are entitled to file a complaint with a supervisory authority - in particular your usual place of residence, place of work or in the Member State where the alleged infringement took place - if, according to the judgment of the data subject, the the processing of relevant personal data violates this regulation. Pursuant to Article 83 (2) and (5) of the General Data Protection Regulation: "[…] (2) The administrative fines, depending on the circumstances of the given case, are subject to Article 58 (2) must be imposed in addition to or instead of the measures mentioned in points a)-h) and j) of paragraph When deciding whether it is necessary to impose an administrative fine or a sufficiently in each case when determining the amount of the administrative fine the following should be taken into account: a) the nature, severity and duration of the infringement, taking into account the data management in question nature, scope or purpose, as well as the number of persons affected by the infringement, as well as the the extent of the damage they have suffered; b) the intentional or negligent nature of the infringement; c) mitigating the damage suffered by the data controller or the data processor any action taken in order to; d) the degree of responsibility of the data manager or data processor, taking into account the a technical and organizational measures undertaken on the basis of Articles 25 and 32; e) relevant violations previously committed by the data controller or data processor; f) with the supervisory authority to remedy the violation and the possible negative effects of the violation extent of cooperation to mitigate; g) categories of personal data affected by the infringement; h) the manner in which the supervisory authority became aware of the violation, in particular, whether the data controller or the data processor reported the violation and, if so, how with detail; i) if against the relevant data manager or data processor previously - in the same a subject - one of the measures mentioned in Article 58 (2) was ordered, a compliance with said measures; 9 j) whether the data manager or the data processor has complied with Article 40 to approved codes of conduct or approved certification under Article 42 for mechanisms; as well as k) other aggravating or mitigating factors relevant to the circumstances of the case, for example, financial gain as a direct or indirect consequence of the infringement or avoided loss. […] (5) Violation of the following provisions - in accordance with paragraph (2) - at most 20 with an administrative fine of EUR 000,000 or, in the case of businesses, the previous one shall be subject to an amount of no more than 4% of the total annual world market turnover of a financial year, by imposing the higher of the two amounts: a) the principles of data management - including the conditions of consent - of Articles 5, 6, 7 and 9 appropriately; b) the rights of the data subjects in Articles 12–22. in accordance with Article; c) personal data for a recipient in a third country or an international organization 44–49. in accordance with Article; d) IX. obligations according to the law of the Member States adopted on the basis of chapter; e) the instruction of the supervisory authority according to Article 58 (2), and data management temporary or permanent restriction or suspension of data flow failure to comply with its notice or access in violation of Article 58 (1). failure to provide. [...]" Infotv. According to § 71, paragraph (2): "The Authority lawfully acquired during its procedures document, data or other means of proof can be used in other proceedings." Infotv. 75/A. on the basis of §: "The Authority is the General Data Protection Regulation Article 83 (2)-(6) exercises its powers in accordance with the principle of proportionality, especially with the fact that you are in the law regarding the handling of personal data The regulations defined in the mandatory legal act of the European Union are being implemented for the first time in case of violation, to remedy the violation - with Article 58 of the General Data Protection Regulation in accordance - primarily by warning the data manager or data processor." Section 9 (2) of Act I of 2012 on the Labor Code (hereinafter: Act) pursuant to: "The employee's right to privacy can be restricted if the restriction is a for a reason directly related to the purpose of the employment relationship, it is absolutely necessary and the goal proportional to its achievement. About the way, conditions and expected limitation of the right to privacy its duration, and the circumstances supporting its necessity and proportionality a the employee must be informed in writing in advance." Mt. 11/A. According to § (1): "The employee is related to the employment relationship behavior can be controlled. In this context, the employer also provides a technical device may apply, the employee will be informed of this in advance in writing." Based on point a) of § 42, paragraph (2) of the Mt.: "Based on the employment contract, the employee is obliged to perform work under the direction of the employer" Pursuant to points b) and c) of Section 52 (1) of the Labor Code: "The employee is obliged […] b) during working hours - for the purpose of work, in a state capable of working - the employer to be available c) his work personally, with the expertise and care that can generally be expected, a perform according to the rules, regulations, instructions and customs applicable to your work, […].” 10 The Akr. According to § 109, paragraph (1), point a): shall be terminated if the reason for ordering it has ceased to exist." ARC. Decision Based on the definitions of the General Data Protection Regulation, the natural person voice, as well as the audio recording of the data subject's personal data, on the personal data and any operation performed is considered data management. IV.1. Purpose and necessity of data management Article 5 of the General Data Protection Regulation contains the main principles that a must be taken into account when handling personal data, and which are constantly must apply during data management. Article 5 (2) of the General Data Protection Regulation pursuant to the requirement of accountability according to para for compliance with data protection principles and must be able to comply for verification. Based on this, the data controller is obliged to document and record the data management, so that its legality can be proven afterwards. Purpose-bound according to Article 5(1)(b) of the General Data Protection Regulation following the principle of data management, the management of personal data is only defined and clear and may be done for a legitimate purpose. According to the Customer's statements, by making the audio recording, on the one hand, the interests of the customers are protected, furthermore, the aim was to properly document the installation work during the installation said on the spot, as in many cases the typically elderly customers do so afterwards they claimed that they did not receive adequate information about, for example, installation or materials about the cost, the duration of the work, or they did not remember it as it really was was said. Even though this information is also recorded on the worksheet, it is some customers questioned the information provided by the on-site mechanic its authenticity. According to the Customer's opinion, based on the audio recordings, the Customer knows in an appropriate way prove that the information has been given, or, where appropriate, can hold the employee, should the customer's complaint prove to be true. According to the Authority's point of view, audio recordings may be suitable for the purposes referred to to achieve, however, these goals can be replaced by the one completed by the mechanic and by the mechanic and the customer jointly signed worksheet, a copy of which is also provided to the client, thus confirming that both parties recognize what happened during the installation as real. Based on this making a voice recording is not necessary, as there is another way to achieve the goals. Besides it is not even proportionate to record what was said during the installation work, taking into account the length of the installation work that cannot be determined in advance, and the fact that in advance it is also not possible to determine the content of the conversation, that is given in this case, information may be recorded that is completely unrelated to the purpose of data management they are independent. In addition, in relation to the referred data management purpose, it can be established that it actually also means checking the employees. Section 52. (1) point c) of the Labor Code stipulates that the employee is obliged to perform his work in the to perform according to the rules, regulations, instructions and customs applicable to his work, and Mt. 11/A. On the basis of § (1), the employer may also check the employee a in connection with your employment relationship, even with a technical device, but this is not necessary, the recording and storage of another person's voice and what is said is disproportionate, a according to the Authority's point of view, it cannot be reconciled with the referred data management purpose. 11 According to the statements submitted by the Client, this only happened in two cases in practice audio recording, and according to the Witness' testimony, he never once received instructions to do so from his employer to make audio recordings of work, and he was unaware that that there is such practice at the employer. However, in addition to the two specific cases, the content of the worksheet, according to which the affected person is one contributes to the fact that the installers on site provide audio, video and to make a video recording, supports that this data management was a common practice. The same follows from the text of the regulation cited by the Client, according to which "executives a sound recording is made based on a decision - the manager instructs the employee - recording can only be made by the employee entrusted with it, by the manager at a specified time and in a specified quantity - the manager transfers the recording to a laptop and deletes it from the audio recording device - at the end of the warranty period, which is six months, the manager deletes the recording from the laptop." In addition to all of this, the Customer himself acknowledged NAIH-3853/2021. investigation started in the procedure that audio recordings are made on a random basis based on the executive's decision, and then according to the statement submitted in the data protection official procedure - to the procedure of the Authority - reviewed its data management practice and decided to terminate it, since, in his opinion, it does not meet the goal it wants to achieve, and it also did not fully comply in full compliance with the applicable data protection legislation and official requirements. That's why it is According to the customer's statement, he is investigating the possibilities in any way he can effectively, but in accordance with the applicable legal provisions and the affected parties to fully respect your right to the protection of personal data the goal he wants to achieve. Compared to these statements of the Client, the Witness stated differently that was not aware that the Customer was conducting data management practices in accordance with the present case, no means that other employees besides him (a total of 31 people worked for the Client, of which 15 were mechanics) would not have been instructed to make an audio recording. Itself the Customer as a data controller has acknowledged the implementation of the data management practice. At the same time, in the stage of the official procedure, he knew of only two specific cases, the making of audio recordings away. The Authority, because of all this, and also because according to the worksheet "works the making of sound, image and video recordings in connection" is not clear from the wording the exact purpose of the data management, through which the information about the data management appropriate, establishes that the Customer is not clear, not for a specifically defined purpose recorded the voices of customers during installation work, thereby violating the general Article 5 (1) point b) of the Data Protection Regulation. The Authority also establishes Article 5 (1) paragraph c) of the General Data Protection Regulation also the principle of data saving according to point, considering that the voice of the employees a its recording is not necessarily necessary due to the reasons explained above to verify that it is indeed whether the necessary information about the work was given to the clients or not. 12 IV.2. The legal basis of data management and the principle of accountability 1. An additional requirement for the legality of data management is that the data management is general it may be referred to a legal basis according to Article 6 (1) of the Data Protection Regulation beer. The Client uses NAIH-3853/2021 as the legal basis for data management. investigation started referred to in the procedure according to Article 6 (1) point a) of the General Data Protection Regulation the legal basis of consent and his vital interest according to point d) of Article 6, paragraph 1, however, in the official data protection procedure, he clarified what the Customer submitted and according to his statement, the legal basis for data management is Article 6 (1) of the General Data Protection Regulation legitimate interest according to point f) of paragraph The Authority therefore belongs to the legal basis of the legitimate interest checked compliance. The legal basis of legitimate interest can be legally invoked if the data controller is the data controller - or a third party - is necessary to assert its legitimate interest, unless such is the case the interests or fundamental rights of the data subject take precedence over interests and freedoms. The legitimate interest must really exist and actually exist (that is, it cannot be fictitious or assumed). According to Article 5 (2) of the General Data Protection Regulation in view of the principle of accountability, it is recommended that the data controller record them in writing cases that establish your legitimate interest. The facts recorded in writing are convincing they can serve as evidence of the existence of a legitimate interest. The legitimate interest its existence and the need for data management must be re-evaluated at regular intervals. It is essential that the data controller has an interest assessment to refer to the legal basis of the legitimate interest must finish. Carrying out the interest assessment involves a multi-step process, which During interest of the data subject, affected fundamental right, and finally based on the weighting, it must be determined, whether personal data can be processed. If as a result of the consideration of interests it can be established that the legitimate interest of the data controller precedes the personal data of the data subjects your right to protection, data processing can be continued on this legal basis. It is due to the applicable legal provisions and the principle of accountability the data controller must prove that the data management it carries out is compatible with with the principle of purpose-bound data management and the outcome of the interest assessment, the data controller is justified resulted in the primacy of his interest. According to the Customer's statements, in the two cases when the Customer made a voice recording, before recording, he considered the options that are the goal he wants to achieve they may be suitable for implementation, and he considered that by making the audio recording related data management corresponds to the data management based on legitimate interest legal and official requirements. However, he did not prepare a balance of interests test before the start of data management. The Authority, taking into account the present decision IV.1. to the point in which he established the goal the violation of the principle of bound data management and data saving, it also states that - regardless of whether the Customer did not carry out an interest assessment - legitimate purpose and interest, and, in the absence of unnecessary data processing, on the legal basis of legitimate interest - and other legal basis - nor could the Client legally base its data management, and as a result, it violated it Article 6 (1) of the General Data Protection Regulation. 2. Regarding the lack of consideration of interests, the Authority draws attention to the fact that based on the principle of accountability according to Article 5 (2) of the General Data Protection Regulation 13 during the entire process of data management, the data controller must implement this data management operations to enable compliance with data protection rules to prove it. The principle of accountability, so not only in general, at the process level can be interpreted, all specific data management activities, a specific stakeholder also applies to the management of your personal data. The data controller is responsible for the legality of the data management it carries out. General data protection due to the nature of the legal basis according to Article 6 (1) point f) of the Decree a data controller that refers to this legal basis must be able to accurately indicate that a the processing of specific personal data is based on the legitimate interest of the data controller, and on this in view of the interest, why data management is necessary, and at the same time be able to verify and prove it it must take precedence over the legitimate interest of the data subject for the protection of personal data against his right. In this case, the legal basis indicated as the legal basis for data management and the data management based on it before the start of practice, the need for data management is in the interests of the affected parties in the absence of a verifiable, written comparison, the Customer has violated the general accountability defined in Article 5 (2) of the Data Protection Regulation is a basic principle requirement as well. IV.3. Information on data management An additional requirement of legal data management is that the data subjects are appropriate, transparent and receive easily understandable information about data management. About that, it is the following must be taken into account: Paragraphs (1)-(2) of Article 13 of the General Data Protection Regulation define them data management conditions, information about which the data controller must inform those concerned. The form of information is not defined by the General Data Protection Regulation, however, the Authority recommends the written form for the reason that - accountability following from its principle - the data controller must prove and justify the - preliminary - the occurrence of information. According to the Customer's statement, "at the time of making the two audio recordings, the information a it was spoken orally at the site of the installation work, and it was also written on the worksheet brief information - although unfortunately not in an appropriate way - about the possibility of recording." The brief information on the worksheet is as follows: "I also agree that on site the mechanics should make sound, picture and video recordings in connection with the works." In relation to this information, it can be stated that it does not contain data management no information with which the Customer has violated Article 13 of the General Data Protection Regulation. (1)-(2) of Article Regarding the possible verbal information, the Authority notes that it is general Article 5 (2) of the Data Protection Regulation expressly places the burden of proof on the data controller also determines whether the data subject has been adequately informed. The the general data protection regulation does not exclude the possibility of verbal information, however in the event of a conflicting statement by the concerned party, in the absence of adequate provability, the doubtful situation the Authority as a general rule based on Article 5 (2) of the General Data Protection Regulation evaluates it at the expense of the data controller. 14 IV.4. Cancellation of reservation The Authority dated November 26, 2021, NAIH-8701-1/2021. in the order with file no the Akr. Ordered on the basis of Section 108 (1) of the offline mode referred to by the Customer seizure of audio recordings stored on a laptop. The reason for the seizure was that if the audio recordings stored by the Customer were to be deleted would avoid receiving an order ordering the initiation of data protection official proceedings after, this would endanger the success of clarifying the facts. In relation to the seizure, the Customer stated that the Customer has already been ordered by the Authority at the time of the ordered seizure, he did not store any audio recordings that were the ones under investigation would have been recorded in connection with data management. There have been two such recordings before was prepared, however, they were already during the previous investigation procedure of the Authority, on June 15, 2021 it was canceled by the Customer after his inquiry dated 1st, as it was not justified by any legitimate purpose further preservation of recordings. Therefore, the Authority dated November 26, 2021, NAIH-870- 1/2021. at the time of receipt of his order with file number, none was available nor audio recording, therefore the Customer could not fulfill his obligation to reserve. The manager irretrievably deleted the audio recordings in question from his own laptop, etc the Customer did not store the recordings on the device, and the Customer does not know the exact time of deletion recorded it. The reason for the seizure was thereby eliminated, and since the Authority made a decision on the merits of the case, the Authority is the Akr. On the basis of point a) of § 109, paragraph (1), the seizure is terminated. V. Legal Consequences 1. The Authority is the IV of this decision. based on what is written in point of the general data protection regulation Article 58 (2) point b) states that the Customer has violated the general data protection Article 5(1)(b) and (c), Article 6, Article 5(2) and the Paragraphs (1)-(2) of Article 13. Given that the Customer has terminated the objectionable data management practice, the Authority does not oblige the Customer to take action. 2. The Authority also examined whether a data protection fine against the Customer was justified imposition. In this context, the Authority is in accordance with Article 83 (2) of the General Data Protection Regulation and the Infotv. 75/A. based on §, considered all the circumstances of the case and established that a in the case of violations discovered during this procedure, the warning is neither proportionate nor not is a deterrent sanction, therefore a fine must be imposed. When determining the amount of the fine, the Authority first of all took into account that the violation committed by the Customer is Article 83 (5) b) of the General Data Protection Regulation according to point 1, it is classified as a violation belonging to the category of higher fines. The Authority also took into account that data management with the Customer is hierarchical also affected employees in a relationship [General Data Protection Regulation Article 83 (2) paragraph point k)], and that the personal data affected by the violation are the voice of the persons concerned does not belong to the special category of personal data [general data protection decree 83. Article (2) point (g)]. The Authority as an aggravating circumstance when determining the amount of the data protection fine took into account that 15 - the Customer violated several provisions of the general data protection regulation [general data protection regulation Article 83 (2) point a)]; - the violations committed by the Customer result from gross negligence, since it It did not even occur to the customer what the data management practices used by him were has implications for the privacy of its employees and customers [general Article 83 (2) point b) of the Data Protection Regulation]. The Authority as a mitigating circumstance when determining the amount of the data protection fine took into account that - the Client following the inquiry sent by the Authority in the investigation procedure of the Authority reviewed by the investigation or the person concerned by this data protection authority procedure data management, and subsequently stopped the recording of audio recordings in the installation in the course of works, as a result of the Authority's procedures, the Client decided that terminates the practice it also classifies as illegal [general data protection Regulation Article 83 (2) points d) and f)]; - to condemn the Customer for violating the general data protection regulation did not take place [General Data Protection Regulation Article 83 (2) point e)]; - the Authority exceeded the administrative deadline [General Data Protection Regulation Article 83 (2) paragraph (k)]. When determining the data protection fine imposed on the Customer, the Authority does not considered relevant Article 83 (2) c), h), i) and j) of the General Data Protection Regulation circumstances according to point, as they cannot be interpreted in relation to the specific case. The net sales revenue of the Customer in 2021 was HUF 130 million, so the the imposed data protection fine is far from the maximum fine that can be imposed. VI. Other questions: The competence of the Authority is set by Infotv. Paragraphs (2) and (2a) of § 38 define it, and its competence is covers the entire territory of the country. This decision of the Authority is based on Art. 80-81. § and Infotv. It is based on paragraph (1) of § 61. THE decision of the Akr. Based on § 82, paragraph (1), it becomes final upon its publication. The Akr. § 112, and § 116, paragraph (1) and (4), point d), and on the basis of § 114, paragraph (1) a decision can be appealed through an administrative lawsuit. * * * The Akr. According to § 135, the debtor is in arrears corresponding to the legal interest he is obliged to pay a supplement if he does not fulfill his obligation to pay money within the deadline. Act V of 2013 on the Civil Code 6:48 Based on paragraph (1) of § in the case of monetary debt, the obligee, starting from the date of default, a equal to the central bank base rate valid on the first day of the calendar semester affected by the delay is obliged to pay late interest. The rules of the administrative trial are set out in Act I of 2017 on the Administrative Procedure hereinafter: Kp.) is defined. The Kp. Based on § 12, paragraph (1), by decision of the Authority the administrative lawsuit against falls within the jurisdiction of the court, the lawsuit is referred to in the Kp. Section 13, paragraph (3). Based on subparagraph a) of point a), the Metropolitan Court is exclusively competent. The Kp. Section 27 According to point b) of paragraph (1) in a legal dispute in which the court exclusively 16 competent, legal representation is mandatory. The Kp. According to § 39, paragraph (6), the statement of claim its submission does not have the effect of postponing the entry into force of the administrative act. The Kp. Paragraph (1) of Section 29 and, in view of this, CXXX of 2016 on the Code of Civil Procedure. applicable according to § 604 of the Act, electronic administration and trust services CCXXII of 2015 on its general rules. according to § 9 (1) point b) of the Act, the the client's legal representative is obliged to maintain electronic contact. The time and place of submitting the statement of claim is set by Kp. It is defined by § 39, paragraph (1). THE information on the possibility of a request to hold a hearing in Kp. Paragraphs (1)-(2) of § 77 is based on. The amount of the fee for the administrative lawsuit is determined by Act XCIII of 1990 on fees. law (hereinafter: Itv.) 45/A. Section (1) defines. From the advance payment of the fee the Itv. Paragraph (1) of § 59 and point h) of § 62 (1) exempt the person initiating the procedure half. If the Customer does not adequately certify the fulfillment of the required payment obligation, a The authority considers that the obligation was not fulfilled within the deadline. The Akr. § 132 according to, if the Customer has not complied with the obligations contained in the Authority's final decision, is enforceable. The Authority's decision in Art. according to § 82, paragraph (1) with the communication becomes permanent. The Akr. Pursuant to § 133, enforcement - if you are a law government decree does not provide otherwise - it is ordered by the decision-making authority. The Akr. 134. pursuant to § the execution - if it is a law, government decree or municipal authority the local government decree does not provide otherwise - the state tax authority undertakes. Dated: Budapest, August 8, 2022. Dr. Attila Péterfalvi president c. professor