NAIH (Hungary) - NAIH-2501-10/2022
NAIH - NAIH-2501-10/2022 | |
---|---|
Authority: | NAIH (Hungary) |
Jurisdiction: | Hungary |
Relevant Law: | Article 5(1)(a) GDPR Article 5(1)(b) GDPR Article 6(1) GDPR Article 12(1) GDPR Article 13 GDPR Act CXIX of 1995 on the processing of name and address data for research and direct marketing |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 26.11.2021 |
Decided: | 12.09.2022 |
Published: | 12.09.2022 |
Fine: | 73500 EUR |
Parties: | Magyar Éremkibocsátó Kft. |
National Case Number/Name: | NAIH-2501-10/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Hungarian |
Original Source: | NAIH homepage (in HU) |
Initial Contributor: | Abel Kaszian |
A Hungarian company was fined €73,500 for using consent as general authorization to use personal data for any purposes and for failing to properly inform data subjects about separate processing purposes, including Google and Facebook advertisements.
English Summary
Facts
The controller is a limited liability company in Hungary and also part of the Samlerhuset Group, an international group of companies based in Amsterdam. The products it sells are different versions of commemorative and historical coins, with a specific focus on Hungarian history. The controller acquires the data of its customers as follows: they can place an order by filling in a form received as part of advertising materials via postal mail. This data includes name, address, phone number, e-mail address.
Since July 2020, the DPA received several complaints from data subjects concerning the processing of their data by the controller and objecting to its data processing practices. In most cases, the controller created a user account (profile) with the personal data provided during the purchase or ordering process and only provided information afterwards. The DPA therefore carried out a test registration on the website of the controller and analyzed the text of the privacy notices on the website and in the postal mail. On the basis of this information, the DPA suspected an infringement of GDPR and launched an investigation.
In the DPA’s investigation, the controller provided the following information on its data processing processes: potential new customers receive a promotional mailing by post. In the controller's view, this does not constitute direct marketing under the Hungarian Act CXIX of 1995 on the processing of name and address data for research and direct marketing. This is because the advertising material is sent to the data subjects together with a newspaper to which they have subscribed under a contract with another separate company, thus the controller does not contact data subjects directly by itself. Data subjects so contacted may then contact the controller online, by phone or by post, in case they would like to order coins.
In the online shopping process, the information on data processing is linked at the end of the order. The controller emphasized that the online registration does not involve the processing of any more personal data than a purchase without registration. It was also possible to order products by phone or by post, without registering an online account. The data subjects gave their consent by signing the order form in writing for postal orders, verbally for phone orders and by ticking a specific checkbox for online orders.
The controller also informed the DPA that for the purpose of targeted advertising on Facebook and Google social media platforms, the controller manually selected – without automated decision-making – a group of its customers with an e-mail address for whom the given advertisement may be relevant. This list of addresses was hashed and uploaded to the Facebook and Google advertising systems for the display of the advertisement to data subjects whose email address hash matched an element of the uploaded hash list.
The controller further stressed that it finds data protection highly important, therefore it employed a dedicated data protection officer (DPO) as well.
Holding
The DPA found that, on the form sent out by the controller, the information was provided in very small print, so barely legible. When requesting consent, the provided information indicated only the identity of the controller and the very general purpose to send “further favorable offers” to the data subject. It also stated that the processing is unlimited in time and scope, and that its duration is until consent is withdrawn. It referred to the privacy notice part of the controller’s website for further information. A more specific purpose limitation and other information under Article 13 GDPR, as well as the fact of data transfer abroad, were completely missing.
The DPA stated that Article 13 GDPR only provides the bare minimum content, with the provision that other and all case-specific information is necessary for transparency and informed choice. On the forms of the controller, the mandatory and non-mandatory data were indicated with a small asterisk that is almost illegible. Thus, the average data subject was not given clear and easily accessible information. It was not possible to indicate if the data subject did not wish to provide the phone number and e-mail address for the purpose of direct contact and only wished to provide them for the purpose of facilitating the follow-up of the order. Individual purposes and individual contact methods were not separated on the postal form.
Over the phone – if the data subjects shared that they did not have an internet connection – a list of data processors was read out to them. In this case, it was not possible either to choose whether the data subject wished to consent to be contacted only by certain means, e.g. by post only, by phone only, by e-mail only, or by any combination of these. As in the case of postal communications, no information was provided to the data subject by phone about other forms of processing than those mentioned above, such as Google and Facebook targeted advertising.
For online orders, the data subject had easy access to the online information at the homepage of the controller, which contained information on data processing related to direct marketing. However, the DPA also found that it was not possible to give specific, separate consent to the sending of an e-mail message or to the processing of data related to Google and Facebook targeted online advertising when ordering online. The DPA noted that the operations of these service providers are directly investigated by DPAs in other Member States. However, it noted that the absence of any meaningful information on the use of these opaque and complex services in itself raises a serious validity issue in relation to consent.
With regard to the legal basis for consent, the DPA stressed that consent is not intended to be a general authorization for the controller to process any personal data without restriction at any time and for any reason, irrespective of other legal conditions. It can only be valid if it is requested for specific, separately identifiable purposes, and is preceded by appropriate information that puts the data subject in a position to make an informed choice as to whether to give consent. Article 12(1) GDPR explicitly requires the controller to be result-oriented, i.e. to provide the data subject with the assistance necessary to enable him or her to exercise all his or her data subject rights in an informed manner.
In the DPA's view, it is not the responsibility of the data subject to obtain the information from another source, it should be readily and reasonably available to him or her at the time of the request for consent. The DPA concluded it is rare that a data subject seeks online information on data processing before placing an order by post or phone, also it is not expected by GDPR. There may be a large number of data subjects who do not have access to the internet or who cannot easily search for information online during or before placing a postal or phone order. The controller has an active obligation to provide the information to the data subject in a way that is adapted to the communication channel currently used.
As the controller designs and sends a form in the form and quantity of its choice, attached to a newspaper or read out by phone to potential new customers, it is possible and expected from the controller to provide information essential for data management through all channels.
The DPA found that the controller had not fulfilled its obligation to specify a specific purpose. The purpose of processing contact data cannot be an intangible and limitless purpose such as receiving “further favorable offers”.
The DPA further stated that the controller did not substantiate its claim of having a DPO with a copy of the confirmation from the online DPO notification system and there is currently no DPO under the name of the controller in the database operated by the DPA, which is searchable online by anyone. The DPA noted that, if there was a technical reason beyond the control of the controller for which the entry was not made, it could have been detected and corrected by the controller in the last 4 years since the introduction of the GDPR, if it really considers data protection to be of high importance.
In overall, the DPA found that the processing was explicitly for profit, with the usages of small print, not easily accessible information, implementing a common poor business practice that was and is problematic even before the GDPR. The lack of adequate information puts the data subject in a position where he or she cannot even know and exercise his or her rights, and therefore often such breaches of GDPR will not even be known.
The DPA instructed the controller to modify its data processing practices in relation to direct marketing in order to properly separate specific purposes, obtaining the consent of data subjects, and providing them with adequate prior information in an appropriate manner and form. Also, to delete contact personal data where valid consent could not be found.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
File number: NAIH-2501-10/2022 Subject: decision History case number: NAIH-8700/2021 DECISION The National Data Protection and Freedom of Information Authority (hereinafter: Authority) On November 26, 2021, Magyar initiated an official data protection procedure opposite Éremkibocsátó Kft. (headquarters: 1054 Budapest, Szabadság tér 7; the hereinafter: Client) the processing of personal data of natural persons regarding its protection and the free flow of such data, as well as 95/46/EC Directive 2016/679/EU on repealing the directive (hereinafter: general investigation of suspected violations of the provisions of the data protection decree), in particular considering the source, purpose and its legal basis, the legality of its data transfers, and the enforcement of the data subject's rights subject. The Authority makes the following decisions in the above official data protection procedure: I. The Authority determines that the Client provided adequate prior information, specifically contact personal data processed in the absence of a specific purpose and a valid legal basis in relation to thousands of stakeholders, and thus violated the general lawful, transparent data management according to Article 5 (1) point a) of the Data Protection Regulation principle, the purpose-related principle according to Article 5 (1) point b), Article 12 (1) paragraph and Article 13 of the obligation to provide prior information, as well as in the absence of valid consent due to the above, Article 6 (1) of the General Data Protection Regulation paragraph and paragraph 2 of Article 7. II. The Authority based on Article 58 (2) point d) of the General Data Protection Regulation ex officio instructs the Customer to modify it as such by acquiring direct business related postal and telephone data management practices to comply with the general of the data protection regulation, i.e. indicate a corresponding specific goal or goals, the data subjects obtain your consent by providing the appropriate amount and form of prior information and delete the contact personal data currently processed for the above purpose to which a as above, could not be valid in accordance with the General Data Protection Regulation to obtain consent, or for other purposes with other legal grounds (e.g. contractual contact) in the case of usability, instead of deleting, do not handle it with valid consent contact data for direct business acquisition purposes. Informational self-determination CXII of 2011 on law and freedom of information. Act (hereinafter: Infotv.) 61. The deadline for filing an action to challenge the decision based on paragraph (6) of § until its expiration, or in the event of an administrative lawsuit, until the final decision of the court in dispute data affected by data management cannot be deleted or destroyed. III. The Authority ex officio the Customer due to the above data protection violations HUF 30,000,000, i.e. thirty million forints data protection fine obliged to pay. 2 The above II. the fulfillment of the obligation prescribed by the Customer towards this decision must be in writing within 30 days of the expiration of the legal remedy deadline - the supporting document together with the presentation of evidence - to prove it to the Authority. Data management exclusively in addition to defining the appropriate scope of data, for real and specific purposes, a valid legal basis, as well as data subject rights - including, but not limited to, prior information - it can be continued with proof of adequate insurance, otherwise the Customer has a must prove the termination of the data management in question to the Authority within the above deadline. The above III. fine according to point 30 days from the date of this decision becoming final within the forint settlement account of the Authority for the collection of centralized revenues (10032000-01040425-00000000 Centralized direct debit account IBAN: HU83 1003 2000 0104 0425 0000 0000) must be paid. When transferring the amount, "NAIH-642/2022 FINE.” number must be referred to. If the Customer does not fulfill his obligation to pay the fine within the deadline, he is in default is obliged to pay a penalty. The rate of penalty is the legal interest, which is is the same as the central bank base rate valid on the first day of the relevant calendar semester. Non-payment of the fine and late fee, as well as the above IV. obligation according to point in case of non-compliance, the Authority orders the implementation of the decision. There is no place for administrative appeal against the decision, but only from the announcement within 30 days from the date of issue, with a letter of claim addressed to the Capital Tribunal can be challenged in a lawsuit. The claim must be submitted to the Authority electronically, which forwards it to the court together with the case documents. The request for the holding of the trial is submitted by the must be indicated in the application. For those who do not receive full personal tax exemption the fee for the judicial review procedure is HUF 30,000, the lawsuit is subject to the right to record the fee. THE Legal representation is mandatory in proceedings before the Metropolitan Court. Infotv. Pursuant to § 61, subsection (2), point a), the Authority publishes this decision a Authority website. JUSTIFICATION I. Procedure and clarification of the facts 1. History matters 1.1. NAIH/2020/5802 to the Authority on July 28, 2020. an announcement was received at based on which the whistleblower objected to the Customer's data management practices. According to the announcement, it is The customer creates a user account with the personal data provided by the notifier during the purchase registered, and the Customer subsequently provided information about this fact. 1.2. The Authority CL. 2016 on the general public administrative order. law (a hereinafter: Ákr.) based on paragraph (1) of § 68, on October 8, 2020, the You completed a test registration on the website www.eremkibocsato.hu (hereinafter: Website). The Authority reports on this fact in Art. On the basis of § 68, paragraph (2), he subsequently informed the Customer 1 The NAIH_K01 form is used to initiate an administrative lawsuit: NAIH_K01 form (16.09.2019) The form is can be filled out using a general form filling program (ÁNYK program). 3 bearing in mind that in case of prior notice, the Customer would have had the opportunity to a To modify content available on the website prior to test registration. 1.3. In addition, the Authority noticed ex officio that letters sent by the Customer by post data management information provided in connection with this is likely to be considered infringing. 1.4. Based on the above, the Authority considered it justified to initiate an official inspection ex officio in order to verify that the data management practices used by the Customer does it comply with the requirements of the general data protection regulation, so the NAIH 1320-4/2021. the data protection authority control informed the Customer in its order no about its initiation and called him several times to provide a written statement in order to clarify the facts information on the questions asked in them. 1.5. The Authority, in accordance with Article 5 and Article 6 (1) of the General Data Protection Regulation, and due to the presumed violation of Articles 12, 13 and 14, the official control closed, and on November 26, 2021, the Ákr. ex officio on the basis of point a) of § 101, paragraph (1). initiated this official data protection procedure. 1.6. Infotv. On the basis of § 71, paragraph (2), the official knowledge of the Authority is considered to be In relation to the client, the facts and findings contained in the following documents are: In previous procedures related to the customer, the following arose: (i) Notice No. NAIH/2018/795/4/V of the Authority from the Authority's filing system. (ii) From the Authority's filing system, repeated Authority No. NAIH/2019/2181/2 prompting. (iii) From the Authority's filing system, the Authority's investigation No. NAIH/2019/2181/5 termination decision. (iv) Data provision No. NAIH-1320-5/2021 from the Authority's filing system is provided to the Customer and its annexes 1 - 7/A,B. 1.7. In notice No. NAIH/2018/795/4/V, the Authority stated that the Customer did not unlawfully delete the personal data of a data subject, and the data subject did not respond to the deletion at his request, and therefore called on the Customer to comply with the data subject's deletion request or a for the appropriate justification of the refusal and for informing the person concerned about it. 1.8. In repeated notice No. NAIH/2019/2181/2, the Authority stated that the Customer did not fully comply with notice No. NAIH/2018/795/4/V, therefore the Authority called on the Customer to make arrangements with the debt collector's data processor on the complete deletion of the data subject's personal data, since there is no outstanding debt on this data management is illegal. 1.9. The Authority in the decision terminating investigation No. NAIH/2019/2181/5 determined that the data related to the non-existing claim was deleted by the Customer, a it handles the remaining data on the basis of legal obligations, thus giving rise to the continuation of the investigation in the absence of taxing circumstances, the Authority terminated the investigation. 1.10. During the provision of data under NAIH-1320-5/2021, dated February 22, 2021, the The customer made the following statements relevant to the decision and attached documents: 4 (i) New customers will be mailed promotional mail that does not qualify of 2008 on the basic conditions and certain limitations of economic advertising activity. year XLVIII Act (hereinafter: Grtv.) direct according to § 6, paragraph (1). for acquiring business, since the subscriber involved the advertising material with another company it is received along with the newspaper subscribed to based on the concluded contract, in addition, the Customer does not contacts the affected parties directly. (ii) The information is the data provision no. 2. attached, the materials sent copy of no. 3 are found in the appendix. (iii) The script used during the telephone order is data provision no. 4. can be found in the appendix. (iv) The online shopping process is described in data provision no. 5. annex is included, and the screenshots of the webshop are included in the data service 6/A-B. s. annexes, and the data management is linked at the end of the order information. (v) The process of online shopping is described in data provision 7/A-B. s. presented in its appendices. (vi) Products can be ordered by phone or by mail without registering an online account to your order. (vii) Online registration is required to complete the order, no more personal registration is required processing of data as purchasing without registration would entail, in this regard it is online data management information 1.3. and 1.4. point contains information. (viii) Data provision no. 8 annex to the Customer's data management register a copy of data processing in connection with product orders. (ix) The data subject gives his consent to the communication material in case of mail order in writing by signing the attached order coupon, or verbally in the case of phone orders, in the case of an online order, enter it by ticking a separate check-box. (x) The Customer does not process personal data based on the Customer's legitimate interests. (xi) From May 25, 2018 until the date of data provision, the Customer has received 647 deletion requests replied within the deadline. (xii) Skarbnica Narodowa Sp. z.o.o. (seat: Aleja Jana Pawla II 19, 00-854 Warsaw, Poland; hereinafter: Company 1) and Samlerhuset Group B.V. (head office: Landdrostdreef 100, 1314 SK Almere, The Netherlands; hereinafter: Company 2) perform database management activities for the Customer in terms of data management in accordance with point 2 of the information sheet and belong to the Customer's company group. (xiii) For the purpose of targeted advertising on Facebook and Google social media platforms The customer manually - without automated decision-making - selects a list of the e- of a group of customers with e-mail addresses for whom the given ad is intended may be relevant, and this e-mail address list is uploaded by Facebook and Google based on the hash principle in its advertising system to display the ad to those concerned for whom it is the hash of your e-mail address matches an element of the uploaded hash list. 5 (xiv) Data provision no. 2 "text of data management information" according to Annex The content of the text is as follows: "With my signature, I declare that the Magyar Éremkibocsátó Kft.'s policy is available at www.eremkibocsato.hu/adatkezeles I have read and accepted it, I acknowledge that my data is marked there for the purpose and duration of Magyar Éremkibocsátó Kft. (1054 Budapest, Szabadság tér 7., Bank Center Office Building, Citi Tower, 7th floor, www.eremkibocsato.hu) is managed by Direct text of marketing consent: ☐ Yes, I give my consent for additional benefits to receive offers as long as I do not indicate my intention to the contrary over the phone, by e-mail or at the given postal address.". (xv) Data provision no. 2 in its annex, the Client declared to the Authority that Entering the e-mail address and phone number is not mandatory, but this does not apply to the above part of information. (xvi) Data provision no. 2 according to its annex, to existing customers with the invoice the following data management by means of a combined marketing offer (double invoice). provides information: "If you do not have a need for our new products in the future for information, please let us know if you wish to unsubscribe adatkezeles@eremkibocsato.hu e-mail, or Magyar Éremkibocsátó Kft. (1519 Budapest Pf.: 341) at its postal address or at the telephone number 06 80 888 889.". (xvii) Data provision no. 2 according to its annex, other advertising mailings (Delivery Offer, Direct Mail, Target Group Mailing, Passive Customer Mailing) data management the text of the information is as follows: "With my signature/order, I declare that a Magyar Éremkibocsátó Kft. is available on the website www.eremkibocsato.hu/aszf General I have read and accept its Terms and Conditions, as well as acknowledge and I accept that Magyar Éremkibocsátó Kft. and its partners a The regulations that I am familiar with are available on the website www.eremkibocsato.hu/adatkezeles my data will be used as indicated there. If in the future does not claim information about our news, offers, etc If you wish to unsubscribe, please send an e-mail to adatkezeles@eremkibocsato.hu or at the postal address of Magyar Éremkibocsátó Kft. (1519 Budapest Pf.: 341) or on the phone number 06 80 888 889.". (xviii) Data provision no. 3 annex (sample advertising offer attached to an invoice) existing customers received the following information along with the product: "If in the future you do not have a claim related to our new products and offers for information, please indicate your intention to unsubscribe adatkezeles@eremkibocsato.hu e-mail, or Magyar Éremkibocsátó Kft. (1519 Budapest Pf.: 341) at its postal address or at the telephone number 06 80 888 889.". (xix) Data provision no. 3 in the samples for existing customers according to the Annex for the order of the new product, for the validity of the order the required signature also means the consent of the interested party is given later for direct inquiries according to the information with the same text as above, none it is possible to order in such a way that the person concerned does not contribute to the subsequent direct for searching. (xx) Data provision no. 3 sample for new customers according to Annex a data required for ordering (name, address, telephone number, e-mail address) a to order, and in this connection it is mandatory to indicate it with an asterisk character data, which are name and address. The star is extremely large, barely visible. There is no 6 it is possible to indicate, if the person concerned, the telephone number and e-mail address data of the direct you don't want to enter it for the purpose of inquiry and only the order is easier would provide these for tracking. (xxi) Data provision no. 3 according to the annex, the sample for new customers is separate contains a check-box for giving the consent of the affected person later directly search, the text of which is the following in small, barely legible font size: "☐ Yes, I give my consent to receive further favorable offers as long as until I indicate my intention to the contrary by phone, e-mail or by the specified post at address. [date, signature, Attention! Your order is invalid without your signature.] With my signature, I declare that Magyar Éremkibocsátó Kft. a I have read the regulations available at www.eremkibocsato.hu/adatkezeles and I have accepted, I acknowledge that my data will be used for the purpose indicated there and for a period of time, Magyar Éremkibocsátó Kft. (1054 Budapest, Szabadság tér 7., Bank Center Office Building, Citi Tower, 7th floor, www.eremkibocsato.hu). (xxii) Data provision no. 4 according to its annex, in the case of a telephone inquiry, it is the text of the data management information is as follows: "Regarding your order, data controller Magyar Éremkibocsátó Kft. and a Information available on the website https://www.eremkibocsato.hu/adatkezeles partners manage your personal data. The purpose of data management is the Hungarian Medal Issuer Fulfilling orders given to Kft., maintaining contact with customers, complaint handling, webshop operation, and possible claims validation. With data management, especially with your rights you can request further information on any of the following contact details: Mailing address: 1519 Budapest, Pf. 341; E-mail address: adatkezeles@eremkibocsato.hu, phone number: 0680-888-889; text of consent: You consent to a Magyar Éremkibocsátó Kft. also uses the provided contact information to make it unique with its offers and news through direct business acquisition by mail, telephone or electronic means can be found on the website https://www.eremkibocsato.hu/adatkezeles as stated in the information sheet? Consent is voluntary and can be withdrawn at any time on any of the contact details just described.". (xxiii) Data provision no. 4 in its annex, the Customer stated that if the affected who was called on the phone says that he does not have internet or cannot watch it the list of data processors, then the administrator will read it to the data processors list. (xxiv) Data provision no. 5 online order based on its attachment and is required for that during registration, data management consent can be given with separate check boxes both simultaneously and separately for each channel (mail, telephone, e-mail) regarding, and the data management information on the home page of the website It is available from the "Data management" menu item. 2. This official data protection procedure 2.1. In this data protection official procedure, the Customer, upon request of the Authority, 2021. In his reply letter received on December 17, sent to NAIH-8700-2/2021, the following made statements relevant to the decision: 7 (i) Source of personal data used for data management for direct business acquisition the person concerned, its purpose is direct business acquisition, direct marketing activity, its legal basis is according to Article 6 (1) point a) of the general data protection regulation concerned consent, data processing lasts until the withdrawal of consent. (ii) Data subjects give their consent to data management by postal order by signing the coupon in writing, in the case of phone orders orally, online in the case of an order, it is specified by checking a separate checkbox. (iii) The personal data used for direct business acquisition includes the data of the previous purchase, i.e name, address, telephone number and e-mail address of the person concerned. (iv) Those concerned about data management in the order process, the consent will be informed in advance of the date of February 22, 2021 (NAIH-1320-5/2021 filed under no. 1.1. according to point and 2-7/A-B annexes. (v) Those concerned exercise their rights by post, by telephone, via the Customer's website, or e- they can practice by email. (vi) The Customer properly ensures the rights of stakeholders, in this context the Customer a It cooperates with authorities, for example, the investigation No. NAIH/2019/2181 is also terminated after their cooperation. (vii) The Customer complies with the principle of built-in and default data protection in its processes properly designed to ensure that they comply with the relevant legislation compliance and data security. (viii) The Customer considers data protection to be of the utmost importance, therefore a separate data protection policy employs an official, which was announced by the Authority on August 28, 2018 for. (ix) Since May 25, 2018, the Client has received hundreds of data deletion requests from stakeholders in connection with which the Customer answered within the deadline, without any complaints from stakeholders and settled. 200 per month on average in connection with the Customer's direct marketing materials requests are received, which the Customer fulfills. (x) In 2018, the Authority carried out an official inspection in connection with a data protection incident and it It was closed by decision on January 18, 2019, as the Customer did the necessary steps to deal with the incident (notification, police report, etc.). (xi) The net sales revenue of the Customer in 2020 was HUF 2,332,576,000. (xii) 8 of the application filed by the Client to the Company 2 under the number NAIH-1320-5/2021. forwarded by the data subjects as described in the data management register according to Annex your personal data. The legal basis for data transfers is the same as data management with its legal basis. (xiii) The Customer maintains NAIH-1320/2021 unchanged. official case number started statements made during the inspection. (xiv) For the Customer's statements no. 1. according to the data management register attached as an attachment The legal basis for data processing related to direct business acquisition is the general data subject consent according to Article 6 (1) point a) of the Data Protection Regulation. 8 2.2. In this data protection official procedure, the Customer, upon request of the Authority, 2022. In his reply letter received on February 24, sent under number NAIH-2501-3/2022, the following made statements relevant to the decision: (i) Data is transmitted to the Company 2 as a data processor, both the Customer and it On behalf of other companies belonging to the Customer's company group, however, by the Customer transmitted data will not be transmitted to other members of the company group, that is the purpose of data transfer is exclusively database management tasks by Company 2 supply to facilitate the operation of the Customer. (ii) The following types of data in the customer database operated by Company 2 can be found: contact details, details of current and previous orders, customer service communication and in connection with visiting the Customer's website generated data. (iii) The Customer does not forward personal data to third parties for the purpose of so that they can contact the stakeholders with their own offers. (iv) Company 1, as a data processor, monitors the debts of the affected customers, thereby reports to the Customer, for example, if a certain amount is exceeded, and performs invoicing tasks related to lost shipments. 2.3. The Akr. Pursuant to § 76, the Authority is the Client after the completion of the proof procedure invited him to make a statement and indicated that the Customer is entitled to document inspection view the case documents. At the request of the Authority, the Client on April 26, 2022, the present to the procedure documents - including note No. NAIH-2501-2/2022 on February 11, 2022 in copy I.1.6, made part of this procedure. documents according to point - he inspected them, but not about them requested a copy. After that, the Customer is free from the inspection of documents specified by the Authority did not make a new statement within the 15-day deadline. 2.4. The Authority noticed ex officio that the official https://e-beszamolo.im.gov.hu is public based on the latest electronic report found on the portal, the Customer's net for 2021 its sales revenue was HUF 2,214,700,000 (published: 30.05.2022). II. Legal provisions applicable in the case According to recital (74) of the General Data Protection Regulation, personal data processing of any kind by the data controller or on behalf of the data controller the authority and responsibility of the data controller must be regulated. The data controller must be obliged, in particular, to implement appropriate and effective measures, and to be able to prove that the data management activities are general they comply with the data protection regulation, and the effectiveness of the measures applied is the same level required by the general data protection regulation. These measures are data management its nature, scope, circumstances and purposes, as well as natural persons it must be made taking into account the risk to your rights and freedoms. According to recital (171) of the General Data Protection Regulation, the general data protection regulation repeals directive 95/46/EC. General data protection data processing started before the date of application of the regulation is governed by the general data protection Within two years from the date of entry into force of the Decree, Article 9 must be harmonized with the general data protection regulation. If the data management is according to Directive 95/46/EC is based on consent and the data subject meets the conditions set out in the General Data Protection Regulation has given his consent in accordance with the that the data controller also after the date of application of the general data protection regulation continue data processing. Decisions taken by the Commission on the basis of Directive 95/46/EC, and the licenses issued by the supervisory authorities remain in force as long as until they are amended, replaced or repealed. According to Article 2 (1) of the General Data Protection Regulation, the general data protection regulation must be applied to personal data in part or in whole in an automated manner processing, as well as the non-automated processing of data that are part of a registration system or which are a registration system want to be part of. Pursuant to Article 4, point 7 of the General Data Protection Regulation, "data controller" is the natural or legal entity, public authority, agency or any other body that is personal determines the purposes and means of data management independently or together with others. If that the purposes and means of data management are determined by EU or member state law, the data manager or special considerations for the appointment of the data controller by the EU or the Member States can also be determined by law Pursuant to Article 4, point 11 of the General Data Protection Regulation, it is "the consent of the data subject". of the will of the person concerned, based on voluntary, specific and adequate information and clear declaration by which the relevant statement or confirmation is unambiguously expressed indicates by action that he gives his consent to the processing of his personal data. According to Article 5 (1) point a) of the General Data Protection Regulation, personal data must be handled legally and fairly, as well as in a transparent manner for the data subject carry out ("legality, due process and transparency"). According to Article 5 (1) point b) of the General Data Protection Regulation, personal data should only be collected for specific, clear and legitimate purposes and should not be processed in a manner inconsistent with these purposes; in accordance with Article 89 (1). is not considered incompatible with the original purpose for the purpose of archiving in the public interest, further data management for scientific and historical research purposes or for statistical purposes ("goal-boundness"). According to Article 6 (1) of the General Data Protection Regulation, personal may be legal processing data if at least one of the following is met: a) the data subject has given his consent to his personal data for one or more specific purposes for its treatment; b) data management is necessary for the fulfillment of a contract in which the data subject is one of the parties, or at the request of the data subject prior to the conclusion of the contract necessary to take steps; c) data management is necessary to fulfill the legal obligation of the data controller; d) data management is vital for the data subject or another natural person necessary to protect your interests; 10 e) data processing is in the public interest or the data controller is authorized by a public authority necessary for the execution of a task performed in the context of its exercise; f) data processing is for the legitimate interests of the data controller or a third party necessary for its enforcement, unless priority is given to these interests enjoy the interests or fundamental rights and freedoms of the data subject which they require the protection of personal data, especially if the person concerned is a child. According to Article 7 (2) of the General Data Protection Regulation, if the consent of the data subject given in the context of a written statement that also applies to other matters, a request for consent in a way that is clearly distinguishable from these other cases must be presented in an understandable and easily accessible form, with clear and simple language. The any part of such statement containing the consent of the affected party which violates the General Data Protection Regulation does not have binding force. Based on Article 12 (1) of the General Data Protection Regulation, the data controller is compliant takes measures in order to allow the data subject to process personal data all relevant information mentioned in Articles 13 and 14 and Articles 15-22 and Article 34 according to each information is concise, transparent, comprehensible and easily accessible provide it in a clear and comprehensible form, especially to children for any information received. Based on Article 13 (1) and (2) of the General Data Protection Regulation, if the personal data were obtained from the data subject, the data controller makes the data available to the data subject following information: a) the identity of the data controller and, if any, the representative of the data controller and your contact information; b) contact details of the data protection officer, if any; c) the purpose of the planned processing of personal data and the legal basis of data processing; d) in point f) of Article 6 (1) of the General Data Protection Regulation in the case of data management based on the legitimate interests of the data controller or a third party; e) where applicable, recipients of personal data, and categories of recipients, if any such; f) where appropriate, the fact that the data controller is in a third country or international organization wishes to forward the personal data to, and the Commission the existence or absence of a compliance decision, or general data protection regulation in Article 46, Article 47 or Article 49 (1) second in the case of data transfer referred to in subsection, the appropriate and suitable guarantees designation, as well as the methods for obtaining a copy of them or that reference to their availability; g) on the duration of storage of personal data, or if this is not possible, on this aspects of determining the duration; h) on the data subject's right to request from the data controller the personal data relating to him access to data, their correction, deletion or management 11 limitation and may object to the processing of such personal data, as well as the about the data subject's right to data portability; i) or in point a) of Article 6 (1) of the General Data Protection Regulation in the case of data management based on point a) of Article 9 (2) a right to withdraw consent at any time, which does not affect the legality of the data processing carried out on the basis of consent prior to withdrawal; j) on the right to submit a complaint to the supervisory authority; k) that the provision of personal data is legal or contractual whether it is based on an obligation or a prerequisite for concluding a contract, and whether it is whether the data subject is obliged to provide personal data, and how it is possible failure to provide data may have consequences; l) mentioned in paragraphs (1) and (4) of Article 22 of the General Data Protection Regulation the fact of automated decision-making, including profiling, as well as at least in these cases it is understandable for and regarding the applied logic information about the significance of such data management and for the data subject what are the expected consequences. Based on Article 13(4) of the General Data Protection Regulation, Article 13(1)-(3) it does not have to be applied if and to what extent the data subject already has the information. For data management under the scope of the General Data Protection Regulation, Infotv. Section 2 (2) according to paragraph of the general data protection regulation in the provisions indicated there must be used with included additions. Infotv. Validation of the right to the protection of personal data based on § 60, paragraph (1). in order to do so, the Authority initiates an official data protection procedure at the request of the data subject and may initiate official data protection proceedings ex officio. Infotv. According to § 61, paragraph (1), point a), it was made in the official data protection procedure in its decision, the Authority issued Infotv. Data management defined in paragraph (2) of § 2 in connection with operations defined in the general data protection regulation may apply legal consequences. Infotv. Pursuant to § 71, paragraph (2), the Authority lawfully acquired during its procedures can use documents, data or other means of proof in other proceedings. Infotv. 75/A. Based on § 83 of the General Data Protection Regulation, Article 83 (2)–(6) exercises its powers in accordance with the principle of proportionality, especially with the fact that you are in the legislation regarding the handling of personal data The regulations defined in the mandatory legal act of the European Union are being implemented for the first time in case of violation, to remedy the violation - with Article 58 of the General Data Protection Regulation in accordance with - takes action primarily with the warning of the data manager or data processor. It is ordered by the Authority based on Article 58 (2) point d) of the General Data Protection Regulation the data manager or the data processor to perform its data management operations - where applicable in a specified manner and within a specified time - is harmonized by the general with the provisions of the data protection regulation. 12 On the basis of Article 58 (2) point i) of the General Data Protection Regulation, the Authority has the 83. imposes an administrative fine in accordance with Article, depending on the circumstances of the given case in addition to or instead of the measures mentioned in this paragraph. Based on Article 83 (1) of the General Data Protection Regulation, all supervisory authority ensures that paragraphs (4), (5), (6) of the general data protection regulation due to the said violation, each of the administrative fines imposed on the basis of this article should be effective, proportionate and dissuasive. According to Article 83 (2) of the General Data Protection Regulation, administrative fines depending on the circumstances of the given case, Article 58 (2) of the General Data Protection Regulation must be imposed in addition to or instead of the measures mentioned in points a)-h) and j) of paragraph When deciding whether it is necessary to impose an administrative fine or a sufficiently in each case when determining the amount of the administrative fine the following should be taken into account: a) the nature, severity and duration of the infringement, taking into account the one in question the nature, scope or purpose of data management, as well as the number of data subjects whom the affected by the infringement, as well as the extent of the damage suffered by them; b) the intentional or negligent nature of the infringement; c) damage suffered by data subjects on the part of the data controller or data processor any measures taken to mitigate; d) the extent of the responsibility of the data controller or data processor, taking into account the technical performed by him on the basis of Articles 25 and 32 of the General Data Protection Regulation and organizational measures; e) relevant violations previously committed by the data controller or data processor; f) the remedy of the violation with the supervisory authority and the possible negative nature of the violation extent of cooperation to mitigate its effects; g) categories of personal data affected by the infringement; h) the manner in which the supervisory authority became aware of the violation, in particular whether the data controller or the data processor has reported the violation, and if so yes, in what detail; i) if against the relevant data manager or data processor earlier - in the same in the subject matter - ordered Article 58 (2) of the General Data Protection Regulation one of the measures mentioned in paragraph compliance with measures; j) whether the data manager or the data processor considered himself to be the general for approved codes of conduct pursuant to Article 40 of the Data Protection Ordinance or approved certification according to Article 42 of the General Data Protection Regulation for mechanisms; as well as k) other aggravating or mitigating factors relevant to the circumstances of the case, for example, financial acquired as a direct or indirect consequence of the infringement profit or avoided loss. 13 In the absence of a different provision of the General Data Protection Regulation, the application was initiated for official data protection procedure, Art. provisions shall be applied in Infotv with certain deviations. Grtv. According to paragraph (1) of § 6, unless a separate law provides otherwise, advertising by directly contacting a natural person as an advertising recipient (a hereinafter: direct business acquisition), so especially electronic correspondence or with it through another equivalent individual means of communication - defined in paragraph (4). with an exception - it can only be disclosed if the recipient of the advertisement is clearly informed in advance and specifically contributed. Grtv. According to paragraph (4) of § 6, the addressee of advertising mail is a natural person such as a for the recipient of advertising through direct business acquisition, the recipient is preliminary and explicit it can be sent even without your consent, but the advertiser and the advertising service provider are obliged to ensure that the recipient of the advertisement can send the advertisement at any time free of charge and without restriction can prohibit without. In the event of a ban, direct advertising to the person concerned can no longer be sent through business acquisition. III. Decision 1. The data controller and data processors 1.1. According to the established facts, the Customer brought the examined direct himself decisions related to data management for the purpose of acquiring business, it was not determined by others purpose and means of data management. 1.2. No evidence has emerged that the Customer is other than its data processors would have forwarded it to a third party through data management for the purpose of direct business acquisition processed personal data in connection with, no other data controller could be identified. 1.3. Based on the above, in the case of all data processing examined in this case, it is the obligee of all data management obligations related to data management is general Based on Article 4, Point 7 of the Data Protection Regulation, the Customer. 2. Provided in connection with personal data related to direct business acquisition information for each connection method 2.1. Since the source of personal data is new customers, the Authority is primarily new customers investigated the acquisition of his data, as the legality of this and the then determined conditions also determine subsequent data management. Already in progress for existing customers during data processing, the validity of the data subject's consent prior to the consent information is also basically defined. Illegally obtained personal data in the future, its handling will not be by itself with subsequent information and references behavior is legal if the information is not followed by active, specifically consent an act aimed at granting. Article 4 Article 11 and Article 7 of the General Data Protection Regulation (2) and the European Data Protection Board 5/2020 regarding consent Based on paragraph 81 of its guidelines, consent cannot be obtained with the same a with an act, such as consent to a contract (in this case, signing the order 25/2020 Guidelines on consent pursuant to Regulation (EU) 2016/679, date of adoption: May 4, 2020, (hereinafter: 5/2020 Guidelines), availability: https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_hu.pdf 14 by existing customers). Because of all this, the Authority investigated in more detail that a how personal data was obtained for new customers. For existing customers apart from the order, there was no other stakeholder declaration, so the validity of the consent is the new one developed in the same way as customers. 2.2. Information provided in case of mail order 2.2.1. By mail, on many occasions, a significant number of people who cannot be precisely determined are involved receive advertising materials in addition to your newspaper subscription arising from other legal relationships, and on this The Customer can place an order by filling in the form received as part of the advertising materials to its products. 2.2.2. The information on the Customer's form is in extremely small letters, barely legible 3 is happening. When requesting consent, the information is provided exclusively to the person of the data controller, the very general purpose for the Customer to send "favorable offers" to the concerned subject and the legal basis of the consent, the revocability of the consent and indicates its management until withdrawal and the availability of further information online. THE more specific goal determination, and others according to Article 13 of the General Data Protection Regulation provision of information with sufficient specificity and data management a foreigner is fundamentally necessary for its transparency, but not obvious to those involved the fact of data transmission is also completely absent. 2.2.3. Article 13 of the General Data Protection Regulation only defines minimum content, i.e in the case of individual data management, it is necessary to provide all information that is necessary for transparency and a considered decision. Mandatory and non-mandatory Mandatory data in connection with the order, not marketing they were indicated in the section on data management and with a small star that almost it is illegible, so the average person concerned is not clear and easily accessible information when requesting consent. It is not possible to indicate if the affected phone number is and e-mail address data for the purpose of direct inquiry, and only a for easier tracking of the order, would you enter these, each goal and each contact methods are not separated on the postal form. 2.3. Information provided when ordering by phone 2.3.1. By telephone, the above III.2.2. problems explained in subsection arise with the with the addition that if the person concerned does not have an internet connection, their statement according to, then the list of data processors will also be read to them (general data protection Regulation Article 13 (1) point (e)), and in relation to marketing data management a goal definition is more specific than the postal text, not so meaningless ("contributes in order for [the Customer] to use the provided contact information also because it is unique with its offers and news through direct business acquisition by mail, telephone or electronic means search for it”). 2.3.2. However, even in the case of telephone consent, it is not possible to choose, if only one the interested party wishes to contribute to the inquiry in the following ways, e.g. you are only by post, only by phone by e-mail only or by indicating any combination of these. Article 13, paragraph (1) point (a) of the 3rd General Data Protection Regulation 4 General Data Protection Regulation Article 13 (1) point (c). Article 13 (2) point (c) of the General Data Protection Regulation General Data Protection Regulation Article 13 (1) (b), (e), (2) (b), (d), (e), (f) 15 2.3.3. As with postal information, it is not the same in the case of telephone information providing information to the data subject about other data management methods apart from the above, for example Google and Facebook targeted advertising using the e-mail address, but not an e-mail message through targeted website advertising. 2.4. Information provided when ordering online 2.4.1. In the case of an online order, unlike the above, the phone number and e-mail address are mandatory data to be provided, but consent can be given separately for each inquiry method give. 2.4.2. However, the wording "electronically" is too broad a term, it is by e-mail in addition to the request, any other - not visible to the affected person in advance, even future - relational it may also include a form to which the person concerned may not necessarily wish to do so contribute in any form chosen by the Customer. 2.4.3. There is no option to send an e-mail message or be targeted online by Google and Facebook to separately consent to the processing of data related to advertisements, even though they are very different and data processing affecting the privacy of the affected person to a significantly different extent. Google, Facebook and the transparency and data protection issues of similar mass automated advertising systems it is not investigated by the Authority, but by the competent data protection authorities of foreign Member States, that is not the subject of this proceeding. However, the above is still dubious and difficult to understand the lack of any meaningful information about the use of services is serious in itself raises a validity problem with the consent requested by the Client from the data subjects in connection. 2.4.4. In the case of online ordering, unlike the above, the person concerned can easily access a www.eremkibocsato.hu/adatkezeles for online information, which is for direct marketing contains information related to related data management. 2.4.5. The Authority provides online information only for data processing related to direct marketing closely related to the subject of the present proceedings, not everything there with regard to listed data management. Given that apart from online orders it is stakeholders cannot simply access this information through the channel on which the non-online order is made, therefore the content of the online information is the present decision was largely irrelevant. 3. Obligation to provide appropriate information 3.1. According to Article 12 (1) of the General Data Protection Regulation, the Customer is considered independent the obligation of the data controller to take appropriate measures to ensure that concerning the processing of personal data for those concerned, referred to in Articles 13 and 14 all information and 15-22. and each information according to Article 34 is concise, in a transparent, comprehensible and easily accessible form, in a clear and understandable way provide it formulated. 3.2. The system of appropriate information in the general data protection regulation serves to so that the data subject can be aware of which personal data, which data controller and for which purpose, how you will handle it. This is essential to be in a position to to be able to meaningfully exercise its stakeholder rights. 16 3.3. There is a significant risk involved in the extensive and large number of contributors by processing the personal data of data subject no in context. For this reason, there is an increased expectation of information. Adequate information in its absence, by definition, the data subject is not in a position to properly exercise his rights practice and make a real contribution to something you are not fully aware of. The Recital (74) of the General Data Protection Regulation and Article 24 (1). and on the basis of Article 25 (1), the data controller is responsible for the rights of data subjects must meet expectations commensurate with its reported risk. 3.4. Data management based on point a) of Article 6 (1) of the General Data Protection Regulation based on Article 4, point 11 of the General Data Protection Regulation, not only the data management beginning, but before obtaining consent, the data controller is obliged to to provide information on the basis of which informed consent can be given. 3.5. In relation to the legal basis of data subject consent according to the General Data Protection Regulation it is important to emphasize that it does not mean that the data controller is subject to other legal obligations applies as a general authority regardless of conditions that at any time and can handle any personal data without limits for any reason. For data management stakeholder consent can only be valid if it is for specific purpose(s) - per purpose can be specified separately - they ask, and before that they provide adequate information, which in such a situation brings the data subject to be able to make an appropriate decision about giving consent, and complies with all other validity conditions prescribed in the General Data Protection Regulation requirement. Article 12 (1) of the General Data Protection Regulation specifically imposes a performance obligation on the data controller, i.e. the data subject needs such help provide, so that all stakeholders can exercise their rights in an informed manner. 3.6. As explained above, the obligation to provide information is not a mere "paperwork" is an obligation in the General Data Protection Regulation. Everything contained in the preamble, all the articles of the General Data Protection Regulation require the data manager to achieve results in determining its obligations, not just a specified minimum effort confirmation by the data controller. The purpose of the information is to put you in such a situation data subject to be in the appropriate decision-making position by exercising the data subject's rights in connection. 4. Lack of adequate information 4.1. Based on Article 12 (1) of the General Data Protection Regulation, it is not enough if it is data controller signs with the data subject a statement that from another source, the data controller became familiar with the data management before knowing its existence and intention to enter into a contract related information. It is not the responsibility of the data subject to provide information from other sources acquisition, it can be easily and reasonably expected during the given consent request should be available. It is rare to be affected by mail or telephone orders you seek online data management information beforehand, and this is not your obligation. The client acknowledged in his statements regarding the telephone script, there may be a number of stakeholders who does not have internet access or is not easily able to post or telephone to search for information on the Internet during or before ordering. Because this cannot be known which exists for data subjects, based on Article 12 (1) of the General Data Protection Regulation The customer has an active obligation to make the information available to the data subject in such a way which is adapted to the currently used communication channel. 5/2020 Paragraph 62 of the guidelines also states that if the data controller does not provide access information, the user's control over the data becomes apparent, and the 17 consent becomes an invalid basis for data management. Ease of access is essential its requirement is also confirmed by paragraphs 66 and 67 of Directive 5/2020. 5/2020 Based on paragraph 69 of the guidelines, it is possible in the case of information provided electronically typically use multi-level information. This option is basically not available for the postal route its nature can be interpreted, access to additional information is a disproportionate time investment would cause and it is impractical to base the information on this. 4.2. Because the Customer creates the form and quantity of his choice out and send it attached to a newspaper, or read it over the phone to your new customers, that is basic information from the point of view of data management (for example, in the case of a postal route, the more specific, destination indicated on the phone) and the separate consent per destination and connection method ensuring the possibility not only during online data management, but on all channels possible and expected from the Customer. Other provisions of the general data protection regulation in relation to the legal basis of consent, Article 6 (1) of the General Data Protection Regulation point a) of paragraph also highlights the possibility of contributing by specific purpose necessity. This does not preclude the provision of an option by means of which all it is possible to contribute to a specified goal at the same time, but there must be an option in addition to this to give separate consent for certain purposes. 4.3. Article 4, point 11, Article 7, paragraph 2 of the General Data Protection Regulation, and 5/2020 Paragraph 90 of the guidelines also confirms that the data subject's consent is a legal basis in the case of its application, the consent of the data subject must always be obtained before that the data controller would start the personal data management for which you have consented need. 5/2020 Guideline regarding information regarding consent Paragraph 63 also highlights that it concerns consent based on information the consequence of not complying with the requirements is that the consent will be invalid and the controller may violate Article 6 of the General Data Protection Regulation. 4.4. Based on paragraph 64 of Directive 5/2020, in order for the consent to be informed be based on, the person concerned must be informed of certain things that are crucial for decision-making about elements. Therefore, the European Data Protection Board considers that valid consent at least the following information is required: (i) the identity of the data controller - this has been fulfilled; (ii) the purpose of each data processing operation for which consent is requested - this is a not suitable as above; (iii) what type of data is collected and used - this was not fulfilled, a on the management of shopping habits data for marketing purposes and profiling based on this no information is sent by post or telephone; (iv) the existence of the right to withdraw consent - this has been fulfilled; (v) where applicable, to use the data for automated decision-making relevant information in accordance with point c) of Article 22 (2) - this is present is not applicable in this case, although there is no information by mail or telephone that this is the case does not happen, and manual sorting is done based on shopping habits; (vi) the compliance decision for data transmissions and described in Article 46 possible risks arising from the lack of adequate guarantees - this is not the case in this case guide, no information about this has arisen. 18 4.5. The above list also explicitly indicates that it is based on Article 13 of the General Data Protection Regulation only a minimum requirement, but in addition it is necessary to provide all information, which may be important in the decision of a typical person concerned, for example to go abroad (also within the European Union) large-scale and regular transmission of data, or for targeted advertisements use (with the possibility of a separate contribution). These elements were also missing the postal and from telephone information. 4.6. Based on what was explained above, the Customer did not fulfill the legal requirements in a significant part expectations for personal data collected in connection with postal and telephone orders during processing for the purpose of obtaining direct business, and in the case of online orders a for the concreteness of consent, the term "electronically" needs to be clarified, which is not meets the requirement of adequate information. In addition, it is outside the e-mail address provided other way, e.g. Targeted direct advertising on the Google and Facebook advertising systems a separate consent would be required to request personal data in any way during its collection. 4.7. Based on any of the legal grounds of Article 6 (1) of the General Data Protection Regulation in the case of data management, the General Data Protection Regulation is also required for all carriers comply with its provision, in this case with special regard, but not exclusively to the general obligations according to Article 13 of the Data Protection Regulation. 4.8. The exception according to Article 13 (4) of the General Data Protection Regulation does not apply a in this case, a general contractual conditional statement in fine print is not enough write it down to the data controller in order to be relieved of all responsibility, instead of writing it down you should provide substantial evidence that the new customer is affected by mail and telephone in case of ordering by road, they will at least receive information about the essential elements. 5. Purpose-bound data management 5.1. The data subject is based on Article 6 (1) point a) of the General Data Protection Regulation you can give informed consent to the processing of your personal data for specific purposes. However, for this to be valid, the consent must comply with general data protection other generally applicable rules of the regulation, such as the general data protection regulation Data management principles according to Article 5 (1) and (2) and the concept according to Article 4, point 11 conditions indicated in the definition, as well as Article 7 of the General Data Protection Regulation restrictions according to 5.2. The principles in Article 5 (1) of the General Data Protection Regulation are not limited to that they serve to make theoretical findings with the implementation of data management in connection. These principles cover specific obligations that can be held accountable in specific cases on the data controllers. 5.3. According to Article 5 (1) point b) of the General Data Protection Regulation, the personal data may only be collected for specific, clear and legitimate purposes, and not may be treated in a manner inconsistent with these goals. For this reason, data management also indicating the sufficiently specific goal during planning and informing the stakeholders a prerequisite for legal data management. This interpretation is reinforced, among other things, by the general Article 6(1)(a) and Article 7(2) of the data protection regulation, since based on these a declaration of consent by the data subject that is not sufficiently specific and contributes to known data management to an adequate extent in such a way that it can be separated you can consent separately to data management. It's obviously completely unrelated inquiry through different channels (post, telephone, e-mail, targeted online advertising), 19 they can be continued completely independently of each other, they are inseparable illegal. Based on Article 4, point 11 of the General Data Protection Regulation, the data subject your consent is appropriate for data management with a too general purpose and not determined in time not valid in the absence of information. In the absence of valid consent, no data processing corresponds to the legal basis according to Article 6 (1) point a) of the General Data Protection Regulation, and the existence of another legal basis cannot be established based on the facts. 5.4. The Customer's obligation to determine the above specific goal - the disclosed facts and III.2.-III.4 above. taking into account the points explained - he did not fulfill it. The relational the purpose of processing data cannot be an intangible and limitless goal such as "receiving further favorable offers". Direct business acquisition is an umbrella term that it is necessary to mark its specific implementation as a goal, e.g. own or third party sending advertisements about products on a given channel or specific channels. Separately important things that are different from the usual and not reasonably expected by the stakeholders should be highlighted circumstances, for example the foreign data processor and its clear, concise, easy to understand role during data management. 6. Lack of legal compliance of data management 6.1. III.2-III.5 above. based on the points explained, the Customer has violated the general providing information in accordance with Article 12 (1) and Article 13 of the Data Protection Regulation obligation, therefore it could not have a valid legal basis for direct business acquisition related data management. Based on this and as explained above, the Customer violated Article 5 (1) points a) and b) and 6 of the General Data Protection Regulation. (1) and (2) of Article 7. The Authority is the Client directly its data management outside of business acquisition and the general completeness of its online information is present did not examine it in the procedure. 7. Evaluation of the Customer's other statements regarding data management 7.1. The Customer referred to the fact that the rights of the stakeholders are adequately ensured in this context the Customer cooperates with the Authority, for example, investigation No. NAIH/2019/2181 is also terminated after their cooperation. In this context, the Authority highlights that NAIH/2019/2181 No. NAIH/2018/795/V, and the Customer did not fulfill the in full the notice of the Authority with case file number NAIH/2018/795/4/V, therefore repeated notice became necessary with file number NAIH/2019/2181/2. The test is repeated notice was terminated after execution by the Customer, as only this, or it is possible to initiate a data protection official procedure at the end of the investigation, and by the Customer after fulfillment, it was not justified to initiate the data protection official procedure on that individual in case of cancellation. This cannot be evaluated in favor of the Customer in this procedure and is general data management before the data protection decree came into effect is not relevant anyway. Also not relevant from the point of view of the present procedure, that the Authority during a separate data protection incident procedure that determined that the Customer had taken appropriate measures to deal with the incident, since it cannot be evaluated in favor of the Customer, only the Customer's failure to do so would be evaluated at his expense according to judicial practice. The fact that a data protection incident occurred at the Customer is the reason regardless of its management, it is not a positive event in terms of the Customer's data management, so it is It cannot be taken into account in a positive way requested by the customer. 7.2. The Customer referred to the built-in and default data protection of its processes in accordance with its principle, it was designed in such a way that they ensure the relevant legislation compliance and data security. However, this statement is by no means 20 supported it, and based on the revealed facts, it is related to direct business acquisition in relation to data management, it is significant in relation to the legal basis and information to the data subject there were deficiencies that comply with Article 25 of the General Data Protection Regulation design is questioned. Based on Article 5 (2) of the General Data Protection Regulation e round, the Authority evaluated the doubt at the Customer's expense. 7.3. The Customer referred to the fact that he considers data protection to be of the utmost importance, for this reason separately employs a data protection officer, which was announced by the Authority on August 28, 2018 for. The Customer did not substantiate the above claim by the online data protection officer with a copy of confirmation from the reporting system, and it cannot be found at the moment Under the name of a customer, a data protection officer operated by the Authority, by anyone online searchable database. Although this notification obligation is not the subject of this procedure, a Based on the above and Article 5 (2) of the General Data Protection Regulation, the doubt in this context the Authority assessed it at the Customer's expense, therefore the Customer was not even aware of this statement due process to be considered as supporting evidence. The Authority in this round notes that if, for technical reasons not attributable to the Customer, the registration, the Customer could have noticed and corrected it in the almost 4 years that have passed since then, if really considers data protection to be of utmost importance. 7.4. In relation to the Customer's direct marketing materials, according to his statements, on average monthly 200 inquiries are received and you are constantly trying to expand your marketing database, for example by sending advertisements to newspaper subscribers. Based on this, the examined data management is precisely not can be determined, but the fundamental right to the protection of personal data of a significant number of affected persons affected, and the number of those affected is constantly increasing. In this context, the Authority emphasizes that the no transparent data management that is not adequately known by the stakeholders is not only principled, but in a practical way, it violates the basic right of the data subjects to the protection of personal data. 7.5. The Customer referred to the mailing of its advertising materials attached to newspapers sending is not considered Grtv. of inquiries for the purpose of direct business acquisition according to § 6 (1). This is not relevant in the present procedure, as the Authority complies with the general data protection regulation compliance, including the use of the collected contact data for that purpose examined the legality of the fact that the Client is ordering from him for the purpose of obtaining direct business will contact those involved later. This is the legality of obtaining consent also depends on its legality and is independent of when the Customer obtained the consent, whereas, based on recital (171) of the General Data Protection Regulation, May 25, 2018 must comply with the General Data Protection Regulation or request a new consent. THE During the authority's procedure, the Grtv. but according to the general data protection regulation consent conditions must be met. ARC. Legal consequences 1. The Authority complies with Article 58 (2) point i) and Article 83 (2) of the General Data Protection Regulation may impose a data protection fine instead of or in addition to the other measures. There is no doubt that in case of violation of the general data protection regulation, the general to oblige the data controller based on Article 58 (2) point d) of the Data Protection Regulation necessary to bring data management into line with the general data protection regulation. The Authority considered that the usual 30 days are sufficient, as they must be applied in the future. In addition, the Authority is in accordance with the governing judicial practice, in such a case, the imposition of a fine is 7https://www.naih.hu/index.php/adatvedelmi-tisztviselo-bejelento-reszentrum 8https://dpo-online.naih.hu/DPO/Search 21 among the aspects listed in Article 83 (2) of the General Data Protection Regulation presents what was taken into account in the justification of the decision. 2. On the question of whether the imposition of a data protection fine is justified, the Authority made a decision based on statutory discretion, taking into account Infotv. Section 61 (1) to paragraph a), Infotv. 75/A. 83 of the General Data Protection Regulation. (2) and Article 58 (2) of the General Data Protection Regulation. THE Based on the authority's assessment, the conviction in itself is disproportionate and dissuasive would be a sanction, therefore imposing a fine on the Customer's income and the significant - with distribution related to magazine subscriptions, potentially in the hundreds of thousands - no data subject, as well as the direct marketing nature of the data management. In this case, personal data protection - which is the responsibility of the Authority - the imposition of fines detailed below based on the totality of circumstances, it cannot be achieved without imposing a data protection fine. THE the imposition of fines serves both special and general prevention, for the sake of which the decision is also published on the website of the Authority. 3. When determining the amount of the fine, the Authority first identified that a Article 83, paragraph 5, point (a) of the General Data Protection Regulation provides, the maximum fine that can be imposed on this basis is EUR 20,000,000, or the enterprises in the case of no more than 4% of the total annual world market turnover of the previous financial year amount. Converting 4% of EUR 20,000,000 to HUF is approximately HUF 8,000,000,000 means The net sales revenue of the Customer's sales is for the latest available year 2021 according to data, it was HUF 2,214,700,000. Based on all this, the legal maximum of the fine is present in case HUF 88,588,000. 4. When determining the amount of the data protection fine, the Authority uses the following aggravating factor circumstances were taken into account: (i) It represents an overall increased risk for the protection of the personal data of the data subjects his right is that the above IV.2. on the basis of what was also explained in point, the violation is serious is considered, the above III.7.4. according to point, the personal data of a significant number of stakeholders is long over a period of time has been and continues to be managed with the direct aim of acquiring business, the number of which is constantly increasing, and the email address data is Google and Facebook also its use based on insufficiently transparent information for targeted advertising takes place, which in itself carries significant risks for personal data regarding the right to protection (General Data Protection Regulation Article 83 (2) paragraph a) point). (ii) At a minimum, there is gross negligence because, as described in the decision, no the Client provided relevant and non-transparent information for years in a way that caused a significant informational disadvantage to those concerned (general Article 83 (2) point b) of the Data Protection Regulation. (iii) Undertaken by the Customer on the basis of Articles 25 and 32 of the General Data Protection Regulation technical and organizational measures were insufficient, which the measures present is supported by its ineffectiveness established in the decision (general data protection Article 83 (2) point (d) of the Decree). (iv) The data management is specifically aimed at profit-making, small print, not easy with accessible information, implements an old bad practice that already is it was also problematic in the time before the General Data Protection Regulation and it still is. THE the lack of adequate information puts the person concerned in such a situation that he does not even know his rights learn about and practice, because of this often such violations will not even be known in the 22nd Before the Authority, if it does not come under the Authority's purview due to other individual complaints. (general Article 83 (2) point (k) of the Data Protection Regulation. 5. When determining the amount of the data protection fine, the Authority uses the following mitigating factor circumstances were taken into account: (i) The persons concerned did not suffer direct financial damage due to the infringement (general Article 83 (2) point a) of the Data Protection Regulation. (ii) Contact personal data is not considered sensitive data (general Article 83 (2) point (g) of the Data Protection Regulation. (iii) The Authority exceeded the administrative deadline (Article 83 (2) of the General Data Protection Regulation) paragraph k) point). 6. When determining the amount of the data protection fine, the following circumstances are the fine their extent was neither aggravated nor alleviated, they have a neutral effect for the following reasons they were: (i) The Customer did not recognize the breach of law, and therefore did not take any mitigation measures done (General Data Protection Regulation Article 83 (2) point c)). (ii) The Authority has not yet determined general data protection against the Customer violation of the regulation in a data protection official case, however, the general data protection there was such a finding in the period before the regulation became applicable (case files NAIH/2018/795/4/V and NAIH/2019/2181/2) and a data protection incident also occurred in At the Customer, so in this regard, the Customer's data management cannot be said to be problem-free (General Data Protection Regulation Article 83 (2) point (e)). (iii) The Client cooperated with the Authority during the procedure, however, this is judicial practice and, based on the Authority's practice, its legal obligation, it could be absent aggravating circumstance (Article 83 (2) point f) of the General Data Protection Regulation). (iv) The Authority initiated ex officio proceedings against the Client based on a stakeholder complaint detected the likelihood of the unlawful nature of the data management practice, which the result was the present procedure (Article 83 (2) of the General Data Protection Regulation). (h) point). 8. Based on the above and all the circumstances of the case, the Authority is in accordance with the relevant part considered the imposition of a data protection fine in the amount proportionate and deterrent with regard to both special and general prevention, which amount significantly a is below the maximum fine. In other cases, this amount is based on individual circumstances may be significantly different, it does not bind the Authority in other matters. A. Other questions 1. Infotv. According to § 38, paragraph (2), the Authority is responsible for the protection of personal data, and the right to access data of public interest and public interest control and promotion of the validity of personal data in the European Union facilitating its free flow within. Infotv. According to Section 38 (2a), the general tasks and powers established for the supervisory authority in the data protection decree general data protection for legal entities under the jurisdiction of Hungary is exercised by the Authority as defined in the decree and this law. The Authority its jurisdiction covers the entire territory of Hungary. 23 2. The Art. Based on Section 112, Paragraph (1), Section 114, Paragraph (1) and Section 116, Paragraph (1), the a decision can be appealed through an administrative lawsuit. * * * 3. The rules of the administrative procedure are laid down in Act I of 2017 on the Administrative Procedure hereinafter: Kp.) is defined. The Kp. Based on § 12, paragraph (1), by decision of the Authority the administrative lawsuit against falls within the jurisdiction of the court, the lawsuit is referred to in the Kp. Section 13, paragraph (3). Based on point a) subpoint aa), the Metropolitan Court is exclusively competent. The Kp. Section 27 (1) according to paragraph 1, legal representation is mandatory in administrative proceedings before the tribunal. The Kp. According to paragraph (6) of § 39, the submission of a claim is an administrative act does not have the effect of postponing its entry into force. 4. The Kp. Paragraph (1) of Section 29 and, in view of this, CXXX of 2016 on the Code of Civil Procedure. applicable according to § 604 of the Act, electronic administration and trust services CCXXII of 2015 on its general rules. according to § 9 (1) point b) of the Act, the the client's legal representative is obliged to maintain electronic contact. The submission of the statement of claim time and place of Kp. It is defined by § 39, paragraph (1). Request to hold the hearing information about the possibility of the Kp. It is based on paragraphs (1)-(2) of § 77. 5. The amount of the fee for the administrative lawsuit is determined by the XCIII of 1990 on fees. law (hereinafter: Itv.) 45/A. Section (1) defines. From the advance payment of the fee the Itv. Paragraph (1) of § 59 and point h) of § 62 (1) exempt the person initiating the procedure half. 6. If the Customer does not adequately certify the fulfillment of the prescribed obligations, the Authority considers that the obligations have not been fulfilled within the deadline. The Akr. According to § 132, if the Customer did not comply with the obligation contained in the Authority's final decision, that is can be executed. The Authority's decision in Art. according to § 82, paragraph (1) with the communication becomes permanent. The Akr. Pursuant to § 133, enforcement - if you are a law government decree does not provide otherwise - it is ordered by the decision-making authority. The Akr. 134. pursuant to § the execution - if it is a law, government decree or municipal authority the local government decree does not provide otherwise - the state tax authority undertakes. Infotv. Based on § 61, paragraph (7), contained in the Authority's decision, to carry out a specific act, to perform a specific behavior, to tolerate or regarding the obligation to stop, the Authority will implement the decision undertakes. dated: Budapest, September 12, 2022. Dr. Attila Péterfalvi president c. professor