NAIH (Hungary) - NAIH-2501-10/2022

From GDPRhub
NAIH - NAIH-2501-10/2022
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 6(1) GDPR
Article 12(1) GDPR
Article 13 GDPR
Act CXIX of 1995 on the processing of name and address data for research and direct marketing
Type: Investigation
Outcome: Violation Found
Started: 26.11.2021
Decided: 12.09.2022
Published: 12.09.2022
Fine: 73500 EUR
Parties: Magyar Éremkibocsátó Kft.
National Case Number/Name: NAIH-2501-10/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Hungarian
Original Source: NAIH homepage (in HU)
Initial Contributor: Abel Kaszian

A Hungarian company was fined €73,500 for using consent as general authorization to use personal data for any purposes and for failing to properly inform data subjects about separate processing purposes, including Google and Facebook advertisements.

English Summary

Facts

The controller is a limited liability company in Hungary and also part of the Samlerhuset Group, an international group of companies based in Amsterdam. The products it sells are different versions of commemorative and historical coins, with a specific focus on Hungarian history. The controller acquires the data of its customers as follows: they can place an order by filling in a form received as part of advertising materials via postal mail. This data includes name, address, phone number, e-mail address.

Since July 2020, the DPA received several complaints from data subjects concerning the processing of their data by the controller and objecting to its data processing practices. In most cases, the controller created a user account (profile) with the personal data provided during the purchase or ordering process and only provided information afterwards. The DPA therefore carried out a test registration on the website of the controller and analyzed the text of the privacy notices on the website and in the postal mail. On the basis of this information, the DPA suspected an infringement of GDPR and launched an investigation.

In the DPA’s investigation, the controller provided the following information on its data processing processes: potential new customers receive a promotional mailing by post. In the controller's view, this does not constitute direct marketing under the Hungarian Act CXIX of 1995 on the processing of name and address data for research and direct marketing. This is because the advertising material is sent to the data subjects together with a newspaper to which they have subscribed under a contract with another separate company, thus the controller does not contact data subjects directly by itself. Data subjects so contacted may then contact the controller online, by phone or by post, in case they would like to order coins.

In the online shopping process, the information on data processing is linked at the end of the order. The controller emphasized that the online registration does not involve the processing of any more personal data than a purchase without registration. It was also possible to order products by phone or by post, without registering an online account. The data subjects gave their consent by signing the order form in writing for postal orders, verbally for phone orders and by ticking a specific checkbox for online orders.

The controller also informed the DPA that for the purpose of targeted advertising on Facebook and Google social media platforms, the controller manually selected – without automated decision-making – a group of its customers with an e-mail address for whom the given advertisement may be relevant. This list of addresses was hashed and uploaded to the Facebook and Google advertising systems for the display of the advertisement to data subjects whose email address hash matched an element of the uploaded hash list.
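To make the "hash principle" described above concrete (point (xiii) of the translated decision below repeats the same mechanism), here is an added illustration; it is not code from the controller, from Facebook or from Google. The controller normalizes and SHA-256-hashes the selected customers' e-mail addresses and uploads only the hashes; the platform hashes its own users' addresses the same way and shows the advertisement to every user whose hash appears in the uploaded list. The normalization rule and the sample addresses are assumptions constructed for the example; the point it demonstrates is that the platform, which already holds its users' addresses, learns exactly which of them are the controller's customers, which is why this is processing of identifiable personal data rather than anonymous data.

```python
import hashlib
from typing import Dict, Iterable, List, Set


def normalize_email(email: str) -> str:
    """Assumed normalization rule for this example: trim whitespace, lowercase."""
    return email.strip().lower()


def hash_email(email: str) -> str:
    """SHA-256 hex digest of the normalized address (the 'hash principle')."""
    return hashlib.sha256(normalize_email(email).encode("utf-8")).hexdigest()


def build_upload_list(selected_customers: Iterable[str]) -> Set[str]:
    """Controller side: the uploaded audience file carries hashes only, never raw
    addresses. The manual selection of 'relevant' customers happens before this step."""
    return {hash_email(e) for e in selected_customers}


def match_audience(uploaded_hashes: Set[str], platform_users: Dict[str, str]) -> List[str]:
    """Platform side: hash each of its own users' addresses with the same rule and keep
    the users whose hash is in the uploaded list. Those users are shown the advertisement.
    Because the platform already knows its users' addresses, a hash match identifies the
    user directly; hashing hides nothing from the matching party."""
    matched = [uid for uid, email in platform_users.items() if hash_email(email) in uploaded_hashes]
    return sorted(matched)


# Constructed sample data, not taken from the decision.
SELECTED_CUSTOMERS = [
    "Anna.Kovacs@example.com ",   # mixed case and trailing space: normalized before hashing
    "bela.nagy@example.com",
    "csilla.toth@example.com",    # not a platform user: her hash matches nobody
]
PLATFORM_USERS = {
    "u1001": "anna.kovacs@example.com",
    "u1002": "dora.szabo@example.com",   # platform user, not a customer: not matched
    "u1003": "bela.nagy@example.com",
}


def demo() -> List[str]:
    """Run both sides of the exchange and return the platform users to be targeted."""
    upload = build_upload_list(SELECTED_CUSTOMERS)
    return match_audience(upload, PLATFORM_USERS)


if __name__ == "__main__":
    print("users shown the advertisement:", demo())
```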

The controller further stressed that it finds data protection highly important, therefore it employed a dedicated data protection officer (DPO) as well.

Holding

The DPA found that, on the form sent out by the controller, the information was provided in very small print, so barely legible. When requesting consent, the provided information indicated only the identity of the controller and the very general purpose to send “further favorable offers” to the data subject. It also stated that the processing is unlimited in time and scope, and that its duration is until consent is withdrawn. It referred to the privacy notice part of the controller’s website for further information. A more specific purpose limitation and other information under Article 13 GDPR, as well as the fact of data transfer abroad, were completely missing.

The DPA stated that Article 13 GDPR only provides the bare minimum content, with the provision that other and all case-specific information is necessary for transparency and informed choice. On the forms of the controller, the mandatory and non-mandatory data were indicated with a small asterisk that is almost illegible. Thus, the average data subject was not given clear and easily accessible information. It was not possible to indicate if the data subject did not wish to provide the phone number and e-mail address for the purpose of direct contact and only wished to provide them for the purpose of facilitating the follow-up of the order. Individual purposes and individual contact methods were not separated on the postal form.

Over the phone – if the data subjects shared that they did not have an internet connection – a list of data processors was read out to them. In this case, it was not possible either to choose whether the data subject wished to consent to be contacted only by certain means, e.g. by post only, by phone only, by e-mail only, or by any combination of these. As in the case of postal communications, no information was provided to the data subject by phone about other forms of processing than those mentioned above, such as Google and Facebook targeted advertising.

For online orders, the data subject had easy access to the online information at the homepage of the controller, which contained information on data processing related to direct marketing. However, the DPA also found that it was not possible to give specific, separate consent to the sending of an e-mail message or to the processing of data related to Google and Facebook targeted online advertising when ordering online. The DPA noted that the operations of these service providers are directly investigated by DPAs in other Member States. However, it noted that the absence of any meaningful information on the use of these opaque and complex services in itself raises a serious validity issue in relation to consent.

With regard to the legal basis for consent, the DPA stressed that consent is not intended to be a general authorization for the controller to process any personal data without restriction at any time and for any reason, irrespective of other legal conditions. It can only be valid if it is requested for specific, separately identifiable purposes, and is preceded by appropriate information that puts the data subject in a position to make an informed choice as to whether to give consent. Article 12(1) GDPR explicitly requires the controller to be result-oriented, i.e. to provide the data subject with the assistance necessary to enable him or her to exercise all his or her data subject rights in an informed manner.

In the DPA's view, it is not the responsibility of the data subject to obtain the information from another source; it should be readily and reasonably available to him or her at the time of the request for consent. The DPA concluded that it is rare for a data subject to seek online information on data processing before placing an order by post or phone, and the GDPR does not expect this either. There may be a large number of data subjects who do not have access to the internet or who cannot easily search for information online during or before placing a postal or phone order. The controller has an active obligation to provide the information to the data subject in a way that is adapted to the communication channel currently used.

As the controller designs and sends a form in the form and quantity of its choice, attached to a newspaper or read out by phone to potential new customers, it is possible and expected from the controller to provide information essential for data management through all channels.

The DPA found that the controller had not fulfilled its obligation to specify a specific purpose. The purpose of processing contact data cannot be an intangible and limitless purpose such as receiving “further favorable offers”.

The DPA further stated that the controller did not substantiate its claim of having a DPO with a copy of the confirmation from the online DPO notification system and there is currently no DPO under the name of the controller in the database operated by the DPA, which is searchable online by anyone. The DPA noted that, if there was a technical reason beyond the control of the controller for which the entry was not made, it could have been detected and corrected by the controller in the last 4 years since the introduction of the GDPR, if it really considers data protection to be of high importance.

Overall, the DPA found that the processing was explicitly for profit, using small print and information that was not easily accessible, implementing a common poor business practice that was problematic even before the GDPR and still is. The lack of adequate information puts data subjects in a position where they cannot even know and exercise their rights, and therefore such breaches of the GDPR will often not even come to light.

The DPA instructed the controller to modify its data processing practices in relation to direct marketing in order to properly separate specific purposes, obtaining the consent of data subjects, and providing them with adequate prior information in an appropriate manner and form. Also, to delete contact personal data where valid consent could not be found.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

File number: NAIH-2501-10/2022
Subject: decision
History case number: NAIH-8700/2021

DECISION

On November 26, 2021, the National Data Protection and Freedom of Information Authority (hereinafter: Authority) initiated an official data protection procedure against Magyar Éremkibocsátó Kft. (headquarters: 1054 Budapest, Szabadság tér 7; hereinafter: Client) to investigate suspected violations of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: general data protection regulation), in particular considering the source, purpose and legal basis of the data processing, the legality of its data transfers, and the enforcement of the data subjects' rights. The Authority makes the following decisions in the above official data protection procedure:

I. The Authority determines that the Client processed the contact personal data of thousands of data subjects without adequate prior information, without a specific purpose and without a valid legal basis, and thus violated the principle of lawful and transparent data processing under Article 5(1)(a) of the general data protection regulation, the principle of purpose limitation under Article 5(1)(b), the obligation to provide prior information under Article 12(1) and Article 13, and, in the absence of valid consent due to the above, Article 6(1) and Article 7(2) of the general data protection regulation.


II. On the basis of Article 58(2)(d) of the general data protection regulation, the Authority ex officio instructs the Client to modify its postal and telephone data processing practices related to direct marketing so that they comply with the general data protection regulation, i.e. to indicate a corresponding specific purpose or purposes, to obtain the data subjects' consent after providing prior information of appropriate content and form, and to delete the contact personal data currently processed for the above purpose for which, as described above, valid consent in accordance with the general data protection regulation could not be obtained; or, where the data can be used for other purposes on other legal grounds (e.g. contractual contact), instead of deleting it, to no longer process contact data without valid consent for direct marketing purposes. Until the expiry of the deadline for filing an action challenging the decision under Section 61(6) of Act CXII of 2011 on the right to informational self-determination and freedom of information (hereinafter: Infotv.), or, in the event of an administrative lawsuit, until the court's final decision in the dispute, the data affected by the data processing may not be deleted or destroyed.


III. Due to the above data protection violations, the Authority ex officio obliges the Client to pay a data protection fine of

HUF 30,000,000, i.e. thirty million forints.
The Client must prove to the Authority in writing, within 30 days of the expiry of the deadline for legal remedy against this decision, that it has fulfilled the obligation prescribed in point II above, together with the presentation of supporting documents. The data processing may only be continued if the Client proves that it has defined the appropriate scope of data, a real and specific purpose and a valid legal basis, and that the data subjects' rights, including but not limited to prior information, are adequately ensured; otherwise the Client must prove to the Authority within the above deadline that the data processing in question has been terminated.


The fine under point III above must be paid within 30 days from the date on which this decision becomes final, to the Authority's forint settlement account for the collection of centralized revenues (10032000-01040425-00000000, Centralized direct debit account, IBAN: HU83 1003 2000 0104 0425 0000 0000). When transferring the amount, the reference "NAIH-642/2022 FINE" must be indicated.


If the Client does not fulfill its obligation to pay the fine within the deadline, it is obliged to pay a late payment penalty. The rate of the penalty is the statutory interest, which is equal to the central bank base rate valid on the first day of the relevant calendar half-year.

In case of non-payment of the fine and the late payment penalty, or non-compliance with the obligation under point IV above, the Authority orders the enforcement of the decision.


There is no place for an administrative appeal against the decision; it may only be challenged in an administrative lawsuit, with a statement of claim addressed to the Metropolitan Court and submitted within 30 days of its communication. The statement of claim must be submitted electronically to the Authority, which forwards it to the court together with the case documents. A request for a hearing must be indicated in the statement of claim. For those who do not enjoy full personal exemption from fees, the fee for the judicial review procedure is HUF 30,000; in the lawsuit, the fee is subject to the right of deferred payment. Legal representation is mandatory in proceedings before the Metropolitan Court.

Pursuant to Section 61(2)(a) of the Infotv., the Authority publishes this decision on the Authority's website.




JUSTIFICATION

I. Procedure and clarification of the facts


1. Background

1.1. On July 28, 2020, the Authority received a notification under number NAIH/2020/5802 in which the notifier objected to the Client's data processing practices. According to the notification, the Client registered a user account with the personal data provided by the notifier during the purchase, and only subsequently informed the notifier of this fact.

1.2. On the basis of Section 68(1) of Act CL of 2016 on the general public administrative procedure (hereinafter: Ákr.), the Authority completed a test registration on the website www.eremkibocsato.hu (hereinafter: Website) on October 8, 2020. On the basis of Section 68(2) of the Ákr., the Authority subsequently informed the Client of this fact, bearing in mind that in case of prior notice the Client would have had the opportunity to modify the content available on the Website prior to the test registration.

1 The NAIH_K01 form is used to initiate an administrative lawsuit: NAIH_K01 form (16.09.2019). The form can be filled out using the general form-filling program (ÁNYK program).

1.3. In addition, the Authority noticed ex officio that the data processing information provided in connection with letters sent by the Client by post was likely to be considered infringing.


1.4. Based on the above, the Authority considered it justified to initiate an official inspection ex officio in order to verify whether the data processing practices used by the Client comply with the requirements of the general data protection regulation; the Authority therefore informed the Client of the initiation of the data protection authority inspection in its order No. NAIH-1320-4/2021, and called on it several times to provide written statements and information on the questions asked in order to clarify the facts.


1.5. Due to the presumed violation of Article 5, Article 6(1) and Articles 12, 13 and 14 of the general data protection regulation, the Authority closed the official inspection and, on November 26, 2021, initiated this official data protection procedure ex officio on the basis of Section 101(1)(a) of the Ákr.

1.6. On the basis of Section 71(2) of the Infotv., the facts and findings contained in the following documents from previous procedures related to the Client are considered to be within the official knowledge of the Authority:

(i) Notice No. NAIH/2018/795/4/V of the Authority, from the Authority's filing system.

(ii) Repeated notice No. NAIH/2019/2181/2 of the Authority, from the Authority's filing system.

(iii) Decision No. NAIH/2019/2181/5 of the Authority terminating an investigation, from the Authority's filing system.

(iv) Data provision No. NAIH-1320-5/2021 submitted by the Client, and its annexes 1 - 7/A,B, from the Authority's filing system.


1.7. In notice No. NAIH/2018/795/4/V, the Authority stated that the Client had unlawfully failed to delete the personal data of a data subject and had not responded to the data subject's deletion request, and therefore called on the Client to comply with the data subject's deletion request or to give appropriate justification for the refusal and inform the data subject thereof.

1.8. In repeated notice No. NAIH/2019/2181/2, the Authority stated that the Client had not fully complied with notice No. NAIH/2018/795/4/V, and therefore called on the Client to arrange with its debt collection data processor the complete deletion of the data subject's personal data, since, there being no outstanding debt, this data processing was unlawful.

1.9. In decision No. NAIH/2019/2181/5 terminating the investigation, the Authority determined that the data related to the non-existent claim had been deleted by the Client and that it processes the remaining data on the basis of legal obligations; in the absence of circumstances giving rise to the continuation of the investigation, the Authority terminated the investigation.

1.10. During the data provision under NAIH-1320-5/2021, dated February 22, 2021, the Client made the following statements relevant to the decision and attached the following documents:
(i) New customers are sent promotional mail by post, which does not qualify as direct marketing under Section 6(1) of Act XLVIII of 2008 on the basic conditions and certain limitations of economic advertising activity (hereinafter: Grtv.), since the subscriber receives the advertising material together with a newspaper subscribed to under a contract concluded with another company; in addition, the Client does not contact the data subjects directly.

(ii) The information notice is attached as Annex 2 to the data provision; copies of the materials sent are found in Annex 3.

(iii) The script used during telephone orders can be found in Annex 4 to the data provision.


(iv) The online shopping process is described in Annex 5 to the data provision, and screenshots of the webshop are included in Annexes 6/A-B; the data processing information is linked at the end of the order.

(v) The online shopping process is presented in Annexes 7/A-B to the data provision.


(vi) Products can be ordered by phone or by post without registering an online account.

(vii) Online registration is required to complete an online order; it does not entail the processing of any more personal data than purchasing without registration would. Points 1.3 and 1.4 of the online data processing information contain information on this.


(viii) Annex 8 to the data provision is a copy of the Client's data processing register concerning data processing in connection with product orders.

(ix) The data subject gives consent to the communication material in writing, by signing the attached order coupon, in the case of mail orders; verbally in the case of phone orders; and by ticking a separate check-box in the case of online orders.


(x) The Client does not process personal data on the basis of its legitimate interests.

(xi) From May 25, 2018 until the date of the data provision, the Client received 647 deletion requests, which it answered within the deadline.

(xii) Skarbnica Narodowa Sp. z o.o. (seat: Aleja Jana Pawla II 19, 00-854 Warsaw, Poland; hereinafter: Company 1) and Samlerhuset Group B.V. (head office: Landdrostdreef 100, 1314 SK Almere, The Netherlands; hereinafter: Company 2) perform database management activities for the Client in respect of the data processing described in point 2 of the information notice, and belong to the Client's company group.

(xiii) For the purpose of targeted advertising on the Facebook and Google social media platforms, the Client manually, without automated decision-making, selects a group of its customers with e-mail addresses for whom the given advertisement may be relevant, and this e-mail address list is uploaded, on the hash principle, to the Facebook and Google advertising systems so that the advertisement is displayed to those data subjects whose e-mail address hash matches an element of the uploaded hash list.
(xiv) According to Annex 2 to the data provision, "text of data processing information", the text is as follows: "With my signature, I declare that I have read and accepted the policy of Magyar Éremkibocsátó Kft. available at www.eremkibocsato.hu/adatkezeles, and I acknowledge that my data is processed for the purpose and duration indicated there by Magyar Éremkibocsátó Kft. (1054 Budapest, Szabadság tér 7., Bank Center Office Building, Citi Tower, 7th floor, www.eremkibocsato.hu)." Text of the direct marketing consent: "☐ Yes, I give my consent to receive further favorable offers as long as I do not indicate my intention to the contrary by phone, by e-mail or at the given postal address."

(xv) In Annex 2 to the data provision, the Client declared to the Authority that entering the e-mail address and phone number is not mandatory, but this is not part of the above information.

(xvi) According to Annex 2 to the data provision, existing customers are given the following data processing information by means of a marketing offer combined with the invoice (double invoice): "If in the future you do not wish to receive information about our new products, please let us know that you wish to unsubscribe by e-mail at adatkezeles@eremkibocsato.hu, or at the postal address of Magyar Éremkibocsátó Kft. (1519 Budapest Pf.: 341), or at the telephone number 06 80 888 889."

(xvii) According to Annex 2 to the data provision, the text of the data processing information in other advertising mailings (Delivery Offer, Direct Mail, Target Group Mailing, Passive Customer Mailing) is as follows: "With my signature/order, I declare that I have read and accept the General Terms and Conditions of Magyar Éremkibocsátó Kft. available on the website www.eremkibocsato.hu/aszf, and I acknowledge and accept that Magyar Éremkibocsátó Kft. and its partners will use my data as indicated in the policy available on the website www.eremkibocsato.hu/adatkezeles, which I have read. If in the future you do not wish to receive information about our news, offers, etc. and wish to unsubscribe, please send an e-mail to adatkezeles@eremkibocsato.hu, or write to the postal address of Magyar Éremkibocsátó Kft. (1519 Budapest Pf.: 341), or call the phone number 06 80 888 889."

(xviii) According to Annex 3 to the data provision (sample advertising offer attached to an invoice), existing customers received the following information along with the product: "If in the future you do not wish to receive information about our new products and offers, please indicate your intention to unsubscribe by e-mail at adatkezeles@eremkibocsato.hu, or at the postal address of Magyar Éremkibocsátó Kft. (1519 Budapest Pf.: 341), or at the telephone number 06 80 888 889."

(xix) In the samples for existing customers according to Annex 3 to the data provision, the signature required for the validity of the order of the new product also constitutes the data subject's consent to subsequent direct marketing contact, according to information with the same text as above; it is not possible to place an order in such a way that the data subject does not consent to subsequent direct marketing contact.

(xx) According to the sample for new customers in Annex 3 to the data provision, the data required for ordering (name, address, telephone number, e-mail address) are to be entered on the order form, and the mandatory data, namely name and address, are indicated with an asterisk. The asterisk is extremely small and barely visible. It is not possible to indicate if the data subject does not wish to provide the telephone number and e-mail address for the purpose of direct marketing contact and would only provide them to facilitate the tracking of the order.

(xxi) According to Annex 3 to the data provision, the sample for new customers contains a separate check-box for giving the data subject's consent to subsequent direct marketing contact, the text of which, in a small, barely legible font size, is the following: "☐ Yes, I give my consent to receive further favorable offers as long as I do not indicate my intention to the contrary by phone, e-mail or at the specified postal address. [date, signature, Attention! Your order is invalid without your signature.] With my signature, I declare that I have read and accepted the policy of Magyar Éremkibocsátó Kft. available at www.eremkibocsato.hu/adatkezeles, and I acknowledge that my data will be processed for the purpose and period indicated there by Magyar Éremkibocsátó Kft. (1054 Budapest, Szabadság tér 7., Bank Center Office Building, Citi Tower, 7th floor, www.eremkibocsato.hu)."

(xxii) According to Annex 4 to the data provision, in the case of a telephone inquiry the text of the data processing information is as follows: "In relation to your order, the data controller Magyar Éremkibocsátó Kft. and its partners listed in the information available on the website https://www.eremkibocsato.hu/adatkezeles process your personal data. The purpose of the data processing is the fulfillment of orders placed with Magyar Éremkibocsátó Kft., maintaining contact with customers, complaint handling, webshop operation, and the possible enforcement of claims. You can request further information on the data processing, and especially on your rights, at any of the following contact details: Mailing address: 1519 Budapest, Pf. 341; E-mail address: adatkezeles@eremkibocsato.hu; phone number: 0680-888-889." Text of consent: "Do you consent to Magyar Éremkibocsátó Kft. also using the contact information provided to reach you with its unique offers and news through direct marketing by mail, telephone or electronic means, as stated in the information available on the website https://www.eremkibocsato.hu/adatkezeles? Consent is voluntary and can be withdrawn at any time at any of the contact details just described."


(xxiii) In Annex 4 to the data provision, the Client stated that if the data subject called on the phone says that he or she does not have internet access or cannot view the list of data processors, then the operator reads out the list of data processors.

(xxiv) According to Annex 5 to the data provision, during an online order and the registration required for it, consent to data processing can be given with separate check-boxes, both for all channels at once and separately for each channel (mail, telephone, e-mail), and the data processing information is available from the "Data management" menu item on the home page of the Website.


2. This official data protection procedure


2.1. In this official data protection procedure, the Client, upon the request of the Authority, made the following statements relevant to the decision in its reply letter received on December 17, 2021, filed under NAIH-8700-2/2021:
(i) The source of the personal data used for direct marketing data processing is the data subject; its purpose is direct marketing activity; its legal basis is the data subject's consent under Article 6(1)(a) of the general data protection regulation; the data processing lasts until the withdrawal of consent.


(ii) Data subjects give their consent to the data processing in writing, by signing the coupon, in the case of postal orders; orally in the case of phone orders; and by checking a separate check-box in the case of online orders.

(iii) The personal data used for direct marketing are the data from the previous purchase, i.e. the data subject's name, address, telephone number and e-mail address.


(iv) Data subjects are informed in advance about the data processing and the consent in the order process, as described in point 1.1 and Annexes 2-7/A-B of the data provision filed on February 22, 2021 under No. NAIH-1320-5/2021.

(v) Those concerned exercise their rights by post, by telephone, via the Customer's website, or e-
       they can practice by email.


(vi) The Customer properly ensures the rights of stakeholders, in this context the Customer a
       It cooperates with authorities, for example, the investigation No. NAIH/2019/2181 is also
       terminated after their cooperation.

(vii) The Customer complies with the principle of built-in and default data protection in its processes
       properly designed to ensure that they comply with the relevant legislation
       compliance and data security.


(viii) The Customer considers data protection to be of the utmost importance, therefore a separate data protection policy
       employs an official, which was announced by the Authority on August 28, 2018
       for.

(ix) Since May 25, 2018, the Client has received hundreds of data deletion requests from stakeholders
       in connection with which the Customer answered within the deadline, without any complaints from stakeholders

       and settled. 200 per month on average in connection with the Customer's direct marketing materials
       requests are received, which the Customer fulfills.

(x) In 2018, the Authority carried out an official inspection in connection with a data protection incident and it
       It was closed by decision on January 18, 2019, as the Customer did the necessary
       steps to deal with the incident (notification, police report, etc.).


(xi) The net sales revenue of the Customer in 2020 was HUF 2,332,576,000.

(xii) 8 of the application filed by the Client to the Company 2 under the number NAIH-1320-5/2021.
       forwarded by the data subjects as described in the data management register according to Annex
       your personal data. The legal basis for data transfers is the same as data management
       with its legal basis.


(xiii) The Customer maintains NAIH-1320/2021 unchanged. official case number started
       statements made during the inspection.

(xiv) For the Customer's statements no. 1. according to the data management register attached as an attachment
       The legal basis for data processing related to direct business acquisition is the general data subject
       consent according to Article 6 (1) point a) of the Data Protection Regulation. 8






2.2. In the present data protection authority procedure, at the Authority's request, the Client
made the following statements relevant to the decision in its reply letter received on
24 February 2022, filed under no. NAIH-2501-3/2022:


(i) Data are transferred to Company 2 as a processor, on behalf of both the Client and other
       companies belonging to the Client's corporate group; however, the data transferred by
       the Client are not passed on to other members of the group, i.e. the sole purpose of the
       transfer is for Company 2 to perform database management tasks that facilitate the
       Client's operation.

(ii) The customer database operated by Company 2 contains the following types of data: contact
       details, details of current and previous orders, customer service communications, and
       data generated in connection with visits to the Client's website.

(iii) The Client does not transfer personal data to third parties so that they could contact
       data subjects with their own offers.

(iv) Company 1, as a processor, monitors the debts of the customers concerned, reports to the
       Client for example when a certain amount is exceeded, and performs invoicing tasks
       related to lost shipments.

2.3. Pursuant to Section 76 of the Ákr. (Act CL of 2016 on the General Public Administration
Procedure), after completion of the evidentiary procedure the Authority invited the Client to
make a statement and indicated that the Client was entitled to inspect the case documents. At
the Authority's invitation, on 26 April 2022 the Client inspected the documents of the present
procedure, including the documents made part of this procedure, in copy, under point I.1.6 of
note no. NAIH-2501-2/2022 of 11 February 2022, but did not request copies of them. Thereafter
the Client did not make a new statement within the 15-day deadline set by the Authority
following the inspection of the documents.

2.4. The Authority noted ex officio that, based on the latest electronic financial statement
published on the public portal https://e-beszamolo.im.gov.hu, the Client's net sales revenue
for 2021 was HUF 2,214,700,000 (published: 30 May 2022).


II. Legal provisions applicable in the case


According to recital (74) of the GDPR, the responsibility and liability of the controller for any
processing of personal data carried out by the controller or on the controller's behalf should be
established. In particular, the controller should be obliged to implement appropriate and
effective measures and be able to demonstrate the compliance of processing activities with the
GDPR, including the effectiveness of the measures. Those measures should take into account the
nature, scope, context and purposes of the processing and the risk to the rights and freedoms of
natural persons.

According to recital (171) of the GDPR, Directive 95/46/EC is repealed by the GDPR. Processing
already under way on the date of application of the GDPR should be brought into conformity with
the GDPR within two years of its entry into force. Where processing is based on consent pursuant
to Directive 95/46/EC, it is not necessary for the data subject to give consent again if the
manner in which the consent was given is in line with the conditions of the GDPR, so as to allow
the controller to continue such processing after the date of application of the GDPR. Commission
decisions adopted and authorisations by supervisory authorities based on Directive 95/46/EC
remain in force until amended, replaced or repealed.

According to Article 2(1) of the GDPR, the GDPR applies to the processing of personal data wholly
or partly by automated means and to the processing other than by automated means of personal data
which form part of a filing system or are intended to form part of a filing system.

Pursuant to Article 4(7) of the GDPR, "controller" means the natural or legal person, public
authority, agency or other body which, alone or jointly with others, determines the purposes and
means of the processing of personal data; where the purposes and means of such processing are
determined by Union or Member State law, the controller or the specific criteria for its
nomination may be provided for by Union or Member State law.

Pursuant to Article 4(11) of the GDPR, "consent" of the data subject means any freely given,
specific, informed and unambiguous indication of the data subject's wishes by which he or she, by
a statement or by a clear affirmative action, signifies agreement to the processing of personal
data relating to him or her.

According to Article 5(1)(a) of the GDPR, personal data shall be processed lawfully, fairly and
in a transparent manner in relation to the data subject ("lawfulness, fairness and
transparency").

According to Article 5(1)(b) of the GDPR, personal data shall be collected for specified,
explicit and legitimate purposes and not further processed in a manner that is incompatible with
those purposes; further processing for archiving purposes in the public interest, scientific or
historical research purposes or statistical purposes shall, in accordance with Article 89(1), not
be considered to be incompatible with the initial purposes ("purpose limitation").

According to Article 6(1) of the GDPR, processing of personal data is lawful only if and to the
extent that at least one of the following applies:


 a) the data subject has given consent to the processing of his or her personal data for one or
       more specific purposes;

 b) processing is necessary for the performance of a contract to which the data subject is
       party or in order to take steps at the request of the data subject prior to entering
       into a contract;

 c) processing is necessary for compliance with a legal obligation to which the controller is
       subject;

 d) processing is necessary in order to protect the vital interests of the data subject or of
       another natural person;

 e) processing is necessary for the performance of a task carried out in the public interest
       or in the exercise of official authority vested in the controller;

 f) processing is necessary for the purposes of the legitimate interests pursued by the
       controller or by a third party, except where such interests are overridden by the
       interests or fundamental rights and freedoms of the data subject which require
       protection of personal data, in particular where the data subject is a child.

According to Article 7(2) of the GDPR, if the data subject's consent is given in the context of
a written declaration which also concerns other matters, the request for consent shall be
presented in a manner which is clearly distinguishable from the other matters, in an
intelligible and easily accessible form, using clear and plain language. Any part of such a
declaration which constitutes an infringement of the GDPR shall not be binding.

Based on Article 12(1) of the GDPR, the controller shall take appropriate measures to provide
any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22
and 34 relating to processing to the data subject in a concise, transparent, intelligible and
easily accessible form, using clear and plain language, in particular for any information
addressed specifically to a child.

Based on Article 13(1) and (2) of the GDPR, where personal data relating to a data subject are
collected from the data subject, the controller shall provide the data subject with the
following information:


 a) the identity and the contact details of the controller and, where applicable, of the
       controller's representative;

 b) the contact details of the data protection officer, where applicable;

 c) the purposes of the processing for which the personal data are intended as well as the
       legal basis for the processing;

 d) where the processing is based on Article 6(1)(f) of the GDPR, the legitimate interests
       pursued by the controller or by a third party;

 e) the recipients or categories of recipients of the personal data, if any;

 f) where applicable, the fact that the controller intends to transfer personal data to a
       third country or international organisation and the existence or absence of an adequacy
       decision by the Commission, or in the case of transfers referred to in Article 46 or 47,
       or the second subparagraph of Article 49(1) of the GDPR, reference to the appropriate or
       suitable safeguards and the means by which to obtain a copy of them or where they have
       been made available;

 g) the period for which the personal data will be stored, or if that is not possible, the
       criteria used to determine that period;

 h) the existence of the right to request from the controller access to and rectification or
       erasure of personal data or restriction of processing concerning the data subject or to
       object to processing as well as the right to data portability;

 i) where the processing is based on Article 6(1)(a) or Article 9(2)(a) of the GDPR, the
       existence of the right to withdraw consent at any time, without affecting the lawfulness
       of processing based on consent before its withdrawal;

 j) the right to lodge a complaint with a supervisory authority;

 k) whether the provision of personal data is a statutory or contractual requirement, or a
       requirement necessary to enter into a contract, as well as whether the data subject is
       obliged to provide the personal data and of the possible consequences of failure to
       provide such data;

 l) the existence of automated decision-making, including profiling, referred to in Article
       22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the
       logic involved, as well as the significance and the envisaged consequences of such
       processing for the data subject.

Based on Article 13(4) of the GDPR, Article 13(1) to (3) shall not apply where and insofar as
the data subject already has the information.

For processing falling within the scope of the GDPR, pursuant to Section 2(2) of the Infotv.
(Act CXII of 2011 on the Right to Informational Self-Determination and on Freedom of
Information), the GDPR shall be applied together with the additions set out in the provisions
indicated there.

Pursuant to Section 60(1) of the Infotv., in order to enforce the right to the protection of
personal data, the Authority initiates a data protection authority procedure at the request of
the data subject and may initiate a data protection authority procedure ex officio.

Pursuant to Section 61(1)(a) of the Infotv., in its decision taken in the data protection
authority procedure the Authority may apply the legal consequences defined in the GDPR in
connection with the processing operations defined in Section 2(2) of the Infotv.

Pursuant to Section 71(2) of the Infotv., the Authority may use documents, data or other
evidence lawfully obtained during its procedures in other procedures.

Pursuant to Section 75/A of the Infotv., the Authority exercises its powers under Article
83(2)-(6) of the GDPR in accordance with the principle of proportionality, in particular by
acting, in the case of a first infringement of the rules on the processing of personal data laid
down in legislation or in a binding legal act of the European Union, primarily by warning the
controller or processor in order to remedy the infringement, in accordance with Article 58 of
the GDPR.


Based on Article 58(2)(d) of the GDPR, the Authority may order the controller or processor to
bring processing operations into compliance with the provisions of the GDPR, where appropriate,
in a specified manner and within a specified period.

Based on Article 58(2)(i) of the GDPR, the Authority may impose an administrative fine pursuant
to Article 83, in addition to, or instead of, the measures referred to in that paragraph,
depending on the circumstances of each individual case.

Based on Article 83(1) of the GDPR, each supervisory authority shall ensure that the imposition
of administrative fines pursuant to that Article in respect of infringements of the GDPR
referred to in paragraphs (4), (5) and (6) shall in each individual case be effective,
proportionate and dissuasive.

According to Article 83(2) of the GDPR, administrative fines shall, depending on the
circumstances of each individual case, be imposed in addition to, or instead of, the measures
referred to in points (a) to (h) and (j) of Article 58(2) of the GDPR. When deciding whether to
impose an administrative fine and deciding on the amount of the administrative fine in each
individual case, due regard shall be given to the following:

 a) the nature, gravity and duration of the infringement, taking into account the nature,
       scope or purpose of the processing concerned as well as the number of data subjects
       affected and the level of damage suffered by them;

 b) the intentional or negligent character of the infringement;

 c) any action taken by the controller or processor to mitigate the damage suffered by data
       subjects;

 d) the degree of responsibility of the controller or processor, taking into account the
       technical and organisational measures implemented by them pursuant to Articles 25 and 32
       of the GDPR;

 e) any relevant previous infringements by the controller or processor;

 f) the degree of cooperation with the supervisory authority in order to remedy the
       infringement and mitigate the possible adverse effects of the infringement;

 g) the categories of personal data affected by the infringement;

 h) the manner in which the infringement became known to the supervisory authority, in
       particular whether, and if so to what extent, the controller or processor notified the
       infringement;

 i) where measures referred to in Article 58(2) of the GDPR have previously been ordered
       against the controller or processor concerned with regard to the same subject matter,
       compliance with those measures;

 j) adherence to approved codes of conduct pursuant to Article 40 of the GDPR or approved
       certification mechanisms pursuant to Article 42 of the GDPR; and

 k) any other aggravating or mitigating factor applicable to the circumstances of the case,
       such as financial benefits gained, or losses avoided, directly or indirectly, from the
       infringement.






Unless the GDPR provides otherwise, the provisions of the Ákr. shall apply to the data
protection authority procedure, with the derogations set out in the Infotv.

According to Section 6(1) of the Grtv. (Act XLVIII of 2008 on the Basic Conditions and Certain
Restrictions of Commercial Advertising), unless a separate act provides otherwise, advertising
may be communicated to a natural person as the recipient of the advertising by directly
contacting that person (hereinafter: direct marketing), in particular by electronic mail or
another equivalent individual means of communication, only with the recipient's prior, clear and
explicit consent, with the exception set out in paragraph (4).

According to Section 6(4) of the Grtv., advertising mail addressed to a natural person as the
recipient of the advertising may be sent by direct marketing even without the recipient's prior
and explicit consent, but the advertiser and the advertising service provider are obliged to
ensure that the recipient can prohibit the sending of advertising at any time, free of charge
and without restriction. In the event of such a prohibition, no further advertising may be sent
to the person concerned by direct marketing.



III. Decision

1. The controller and the processors

1.1. Based on the established facts, the Client itself made the decisions relating to the
examined processing for direct marketing purposes; the purposes and means of the processing were
not determined by others.

1.2. No evidence emerged that the Client transferred the personal data processed in connection
with direct marketing to any third party other than its processors; no other controller could
be identified.

1.3. Based on the above, for all processing examined in this case, the party bound by all
controller obligations related to the processing is, pursuant to Article 4(7) of the GDPR, the
Client.

2. Information provided in connection with personal data related to direct marketing, for each
contact method

2.1. Since the source of the personal data is new customers, the Authority primarily examined
how the data of new customers are obtained, as the lawfulness of this and the conditions set at
that time also determine the subsequent processing. For existing customers, whose data are
already being processed, the validity of the data subject's consent is likewise fundamentally
determined by the information given before the consent. The future processing of unlawfully
obtained personal data does not become lawful by itself through subsequent information and
implied conduct unless the information is followed by an active act specifically aimed at giving
consent. Based on Article 4(11) and Article 7(2) of the GDPR and paragraph 81 of Guidelines
5/2020 of the European Data Protection Board on consent[2], consent cannot be obtained with the
same act as consent to a contract (in this case, the signing of the order by existing
customers). For all these reasons, the Authority examined in more detail how the personal data
of new customers were obtained. For existing customers there was no data subject declaration
other than the order, so the validity of their consent developed in the same way as for new
customers.

[2] Guidelines 05/2020 on consent under Regulation (EU) 2016/679, adopted on 4 May 2020
(hereinafter: Guidelines 5/2020), available at:
https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_hu.pdf

2.2. Information provided in the case of postal orders

2.2.1. By post, on many occasions, a significant number of persons that cannot be precisely
determined receive advertising materials alongside their newspaper subscriptions arising from
other legal relationships, and the Client's products can be ordered by filling in the form
received as part of these advertising materials.

2.2.2. The information on the Client's form is printed in extremely small, barely legible
letters. When consent is requested, the information given covers only the identity of the
controller[3], a very general purpose (that the Client may send "favourable offers" to the data
subject)[4], consent as the legal basis, the revocability of the consent[5], processing until
withdrawal, and the availability of further information online. A more specific determination of
the purpose and the other information required by Article 13 of the GDPR[6], provided with
sufficient specificity, which are fundamentally necessary for the transparency of the processing
but not obvious to the data subjects, such as the fact of data transfers, are completely absent.

2.2.3. Article 13 of the GDPR defines only the minimum content, i.e. for a given processing all
information must be provided that is necessary for transparency and for a considered decision.
The data that are mandatory for the order, as opposed to marketing, were marked in the section
on the processing with a small asterisk that is almost illegible, so the average data subject
does not receive clear and easily accessible information when consent is requested. It is not
possible to indicate whether the data subject provides the telephone number and e-mail address
for the purpose of direct contact or only for easier tracking of the order; the individual
purposes and contact methods are not separated on the postal form.

2.3. Information provided in the case of telephone orders

2.3.1. In the case of telephone orders, the problems explained in point III.2.2 above arise, with
the addition that, according to the Client's statement, if the data subject has no internet
connection the list of processors is also read out to them (Article 13(1)(e) of the GDPR), and
the definition of the purpose of the marketing processing is more specific than the postal text
and not so meaningless ("consents to [the Client] also using the contact details provided to
contact them by direct marketing, by post, telephone or electronic means, with its individual
offers and news").

2.3.2. However, even in the case of telephone consent, the data subject cannot choose if they
wish to consent to contact only by certain methods, e.g. only by post, only by telephone, only
by e-mail, or any combination of these.

[3] Article 13(1)(a) of the GDPR.
[4] Article 13(1)(c) of the GDPR.
[5] Article 13(2)(c) of the GDPR.
[6] Article 13(1)(b) and (e) and Article 13(2)(b), (d), (e) and (f) of the GDPR.





2.3.3. As with the postal information, the telephone information likewise does not inform the
data subject about other processing beyond the above, for example Google and Facebook targeted
advertising using the e-mail address, which is not an e-mail message but targeted advertising on
websites.

2.4. Information provided in the case of online orders

2.4.1. In the case of online orders, unlike the above, the telephone number and e-mail address
are mandatory fields, but consent can be given separately for each contact method.

2.4.2. However, the wording "electronically" is too broad a term: besides e-mail contact it may
cover any other form of contact not foreseeable by the data subject, even future ones, to which
the data subject may not necessarily wish to consent in whatever form the Client chooses.

2.4.3. There is no option to consent separately to e-mail messages and to the processing related
to Google and Facebook targeted online advertising, even though these are very different
processing operations that affect the data subject's privacy to a significantly different
extent. The transparency and data protection issues of Google, Facebook and similar mass
automated advertising systems are examined not by the Authority but by the competent data
protection authorities of other Member States, so they are not the subject of this procedure.
Nevertheless, the complete lack of any meaningful information about the use of these dubious and
hard-to-understand services in itself raises a serious validity problem with the consent the
Client requests from data subjects.

2.4.4. In the case of online ordering, unlike the above, the data subject can easily access the
online notice at www.eremkibocsato.hu/adatkezeles, which contains information on the processing
related to direct marketing.

2.4.5. The Authority examined the online notice only insofar as it concerns the direct marketing
processing closely related to the subject of the present procedure, not all the processing
listed there. Given that, apart from online orders, data subjects cannot simply access this
notice through the channel on which a non-online order is placed, the content of the online
notice was largely irrelevant to the present decision.


3. Obligation to provide appropriate information


3.1. Under Article 12(1) of the GDPR, the Client, as controller, has an independent obligation
to take appropriate measures to provide data subjects with all information referred to in
Articles 13 and 14 and any communication under Articles 15 to 22 and Article 34 relating to the
processing of personal data in a concise, transparent, intelligible and easily accessible form,
using clear and plain language.


3.2. The system of appropriate information in the GDPR serves to ensure that the data subject is
aware of which personal data are processed, by which controller, for which purpose and in what
manner. This is essential for the data subject to be in a position to meaningfully exercise
their rights.

3.3. The extensive processing of the personal data of a large number of data subjects carries
significant risk. For this reason, there is a heightened expectation regarding the information
provided. In the absence of adequate information, the data subject is by definition not in a
position to properly exercise their rights and cannot genuinely consent to something of which
they are not fully aware. Under recital (74), Article 24(1) and Article 25(1) of the GDPR, the
controller must meet expectations commensurate with the risk posed to the rights of data
subjects.

3.4. For processing based on Article 6(1)(a) of the GDPR, under Article 4(11) of the GDPR the
controller is obliged to provide, not merely before the start of the processing but before
obtaining consent, the information on the basis of which informed consent can be given.

3.5. In relation to the legal basis of data subject consent under the GDPR, it must be
emphasised that consent does not mean that the controller, irrespective of the other legal
conditions, holds a general authorisation to process any personal data at any time, without
limit and for any reason. Data subject consent to processing can be valid only if it is
requested for specific purpose(s), which can be specified separately per purpose, and is
preceded by adequate information that puts the data subject in a position to make an
appropriate decision about giving consent, and if it meets all other validity requirements
prescribed in the GDPR. Article 12(1) of the GDPR specifically imposes a performance obligation
on the controller, i.e. the controller must give the data subject such assistance that every
data subject can exercise their rights in an informed manner.


3.6. As explained above, the obligation to provide information is not a mere "paperwork"
obligation under the GDPR. Everything in the recitals and all the articles of the GDPR define
the controller's obligations in terms of achieving a result, not merely a specified minimum
effort confirmed by the controller. The purpose of the information is to put the data subject in
the appropriate decision-making position in connection with the exercise of data subject rights.




4. Lack of adequate information

4.1. Under Article 12(1) of the GDPR it is not sufficient for the controller to have the data subject sign a statement that he or she became acquainted, from another source, with the processing information before knowing of the controller's existence and intending to enter into a contract. It is not the responsibility of the data subject to acquire the information from other sources; the information can easily and reasonably be expected to be available at the time of the given consent request. It is rare for a data subject placing an order by post or telephone to look up the online processing information beforehand, and this is not his or her obligation. The Client acknowledged in its statements regarding the telephone script that there may be a number of data subjects who do not have internet access, or who are not easily able to search for information on the internet during or before ordering by post or telephone. Because it cannot be known which data subjects this applies to, the Client has, under Article 12(1) of the GDPR, an active obligation to make the information available to the data subject in a way adapted to the communication channel actually used. Paragraph 62 of Guidelines 05/2020 also states that if the controller does not provide accessible information, the user's control over the data becomes illusory and consent becomes an invalid basis for processing. The requirement of easy accessibility is also confirmed by paragraphs 66 and 67 of Guidelines 05/2020. Under paragraph 69 of Guidelines 05/2020, layered information may typically be used where the information is provided electronically. By its nature this option is not available for the postal channel: accessing additional information would require a disproportionate investment of time, and it is impractical to base the information on this.

4.2. Since the Client itself drafts the form, sends it in the quantity of its choosing attached to a newspaper, or reads it out over the phone to its new customers, providing the basic information essential from a processing point of view (for example, in the case of the postal route, the more specific purpose, or the purpose indicated on the telephone) and ensuring the possibility of separate consent per purpose and contact method is possible and expected from the Client not only in online processing but on all channels. Among the other provisions of the GDPR relating to the legal basis of consent, Article 6(1)(a) of the GDPR also highlights the need for the possibility of consent per specific purpose. This does not preclude offering an option by which consent can be given to all the specified purposes at the same time, but in addition there must be an option to give separate consent for certain purposes.


4.3. Article 4(11) and Article 7(2) of the GDPR, as well as paragraph 90 of Guidelines 05/2020, confirm that where the data subject's consent is relied on as the legal basis, the consent must always be obtained before the controller starts the processing of personal data for which consent is needed. Paragraph 63 of Guidelines 05/2020, concerning the information required for consent, also highlights that the consequence of not complying with the requirements for informed consent is that the consent will be invalid and the controller may be in breach of Article 6 of the GDPR.

4.4. Under paragraph 64 of Guidelines 05/2020, for consent to be informed, the data subject must be informed of certain elements that are crucial for the decision. The European Data Protection Board therefore considers that at least the following information is required for valid consent:

 (i) the identity of the controller - fulfilled;

 (ii) the purpose of each processing operation for which consent is sought - not adequate, as set out above;

 (iii) what type of data will be collected and used - not fulfilled; no information is given by post or telephone about the processing of shopping-habit data for marketing purposes and the profiling based on it;

 (iv) the existence of the right to withdraw consent - fulfilled;

 (v) where applicable, information about the use of the data for automated decision-making in accordance with Article 22(2)(c) - not applicable in this case, although the postal and telephone information does not state that this does not take place and that the sorting based on shopping habits is done manually;

 (vi) the possible risks of data transfers due to the absence of an adequacy decision and of the appropriate safeguards described in Article 46 - not applicable in this case; no information on this has arisen.





4.5. The above list also makes explicit that, based on Article 13 of the GDPR, it is only a minimum requirement; in addition, all information must be provided that may be important in the decision of a typical data subject, for example the large-scale and regular transfer of data abroad (including within the European Union), or the use of the data for targeted advertisements (with the possibility of separate consent). These elements were also missing from the postal and telephone information.

4.6. Based on the above, the Client did not meet the legal requirements in significant part when processing, for direct marketing purposes, the personal data collected in connection with postal and telephone orders; and in the case of online orders, as regards the specificity of consent, the term "electronically" requires clarification and does not meet the requirement of adequate information. In addition, for any use other than sending to the e-mail address provided, e.g. targeted direct advertising on the Google and Facebook advertising systems, separate consent would have to be requested, by whatever means, at the time the personal data is collected.

4.7. In the case of processing based on any of the legal grounds of Article 6(1) of the GDPR, the controller must also comply, on all channels, with the other provisions of the GDPR, in this case with particular but not exclusive regard to the obligations under Article 13 of the GDPR.

4.8. The exception under Article 13(4) of the GDPR does not apply in this case; it is not enough for the controller to write a general contractual-conditions statement in fine print in order to be relieved of all responsibility. Instead, it should provide substantive evidence that, in the case of postal and telephone orders, the new-customer data subjects receive information at least about the essential elements.



5. Purpose-bound processing

5.1. Under Article 6(1)(a) of the GDPR the data subject may give informed consent to the processing of his or her personal data for specific purposes. For this to be valid, however, the consent must also comply with the other generally applicable rules of the GDPR, such as the processing principles under Article 5(1) and (2), the conditions laid down in the definition in Article 4(11), and the restrictions under Article 7 of the GDPR.

5.2. The principles in Article 5(1) of the GDPR do not serve merely to make theoretical findings in connection with the implementation of processing. These principles embody specific obligations for which controllers can be held accountable in specific cases.

5.3. According to Article 5(1)(b) of the GDPR, personal data may only be collected for specified, explicit and legitimate purposes and may not be processed in a manner incompatible with those purposes. For this reason, indicating a sufficiently specific purpose already when planning the processing, and informing the data subjects of it, is a prerequisite for lawful processing. This interpretation is reinforced by, among others, Article 6(1)(a) and Article 7(2) of the GDPR, since under these a consent declaration by the data subject is not valid if it is not sufficiently specific and does not consent to adequately known processing in such a way that separate consent can be given to separable processing. Obviously, entirely unrelated contacts through different channels (post, telephone, e-mail, targeted online advertising), which can be carried out completely independently of each other, are unlawful if they cannot be separated. Under Article 4(11) of the GDPR, the data subject's consent to processing with too general a purpose, and not limited in time, is not valid in the absence of adequate information. In the absence of valid consent the processing does not meet the legal basis under Article 6(1)(a) of the GDPR, and the existence of another legal basis cannot be established on the facts.

5.4. The Client did not fulfil its obligation to determine the specific purpose described above, taking into account the facts disclosed and what is explained in points III.2–III.4 above. The purpose of the processing in question cannot be an intangible and limitless goal such as "receiving further favourable offers". Direct marketing is an umbrella term; its specific implementation must be designated as the purpose, e.g. sending advertisements about the Client's own or third-party products on a given channel or specific channels. Circumstances that differ from the usual and are not reasonably expected by the data subjects, for example the foreign data processor and its role in the processing, should be highlighted separately in a clear, concise and easily understandable way.


6. Unlawfulness of the processing


6.1. Based on the points explained in III.2–III.5 above, the Client breached the obligation to provide information under Article 12(1) and Article 13 of the GDPR, and therefore could not have a valid legal basis for the processing related to direct marketing. On this basis and as explained above, the Client violated Article 5(1)(a) and (b), Article 6(1) and Article 7(2) of the GDPR. In the present procedure the Authority did not examine the Client's processing outside direct marketing or the general completeness of its online information.


7. Evaluation of the Client's other statements regarding the processing

7.1. The Client referred to the fact that the rights of data subjects are adequately ensured and, in this context, that the Client cooperates with the Authority; for example, investigation No. NAIH/2019/2181 was also terminated after its cooperation. In this regard the Authority highlights that NAIH/2019/2181 followed on from NAIH/2018/795/V, and that the Client did not fully comply with the Authority's notice with case file number NAIH/2018/795/4/V, which is why a repeated notice under file number NAIH/2019/2181/2 became necessary. The investigation was terminated after the Client complied with the repeated notice, because at the end of an investigation only this, or the initiation of a data protection authority procedure, is possible, and after the Client's compliance it was not justified to initiate a data protection authority procedure in that individual case. This cannot be evaluated in the Client's favour in this procedure, and processing from before the GDPR became applicable is in any case not relevant. Likewise, it is not relevant for the present procedure that the Authority, in a separate data breach procedure, found that the Client had taken appropriate measures to handle the breach, since this cannot be evaluated in the Client's favour; under judicial practice only a failure to do so would be evaluated to its detriment. The fact that a data breach occurred at the Client is, regardless of how it was handled, not a positive event in terms of the Client's processing, so it cannot be taken into account in the positive way requested by the Client.

7.2. The Client referred to the fact that its processes were designed in accordance with the principle of data protection by design and by default, so that they ensure compliance with the relevant legislation and data security. However, this statement was in no way substantiated, and based on the facts revealed there were significant deficiencies in the processing related to direct marketing as regards the legal basis and the information given to data subjects, which call into question the design in accordance with Article 25 of the GDPR. Under Article 5(2) of the GDPR the Authority evaluated the doubt in this regard at the Client's expense.

7.3. The Client referred to the fact that it considers data protection to be of the utmost importance, for which reason it employs a separate data protection officer, who it says was notified to the Authority on 28 August 2018. The Client did not substantiate this claim with a copy of the confirmation from the online data protection officer notification system[7], and at present no data protection officer can be found under the Client's name in the database operated by the Authority, which anyone can search online[8]. Although this notification obligation is not the subject of this procedure, based on the above and Article 5(2) of the GDPR the Authority assessed the doubt in this regard at the Client's expense, and therefore could not consider this statement of the Client as supporting evidence in the present procedure either. The Authority notes in this regard that if the registration failed for technical reasons not attributable to the Client, the Client could have noticed and corrected this in the almost four years that have passed since, if it really considers data protection to be of the utmost importance.


7.4. According to the Client's statements, on average 200 inquiries per month are received in response to its direct marketing materials, and it is constantly trying to expand its marketing database, for example by sending advertisements to newspaper subscribers. On this basis the scope of the examined processing cannot be determined precisely, but it affects the fundamental right to the protection of personal data of a significant number of data subjects, and the number of those affected is constantly increasing. In this context the Authority emphasises that non-transparent processing, not adequately known to the data subjects, violates the data subjects' fundamental right to the protection of personal data not only in principle but in practice.

7.5. The Client referred to the fact that the mailing of its advertising materials attached to newspapers is not considered a contact for the purpose of direct marketing under § 6(1) of the Grtv. This is not relevant in the present procedure, as the Authority examined compliance with the GDPR, including the lawfulness of using the collected contact data for the purpose that the Client later contacts, for direct marketing purposes, the data subjects who ordered from it. The lawfulness of this also depends on the lawfulness of obtaining the consent and is independent of when the Client obtained the consent, since under Recital 171 of the GDPR, from 25 May 2018 the consent must comply with the GDPR or a new consent must be requested. In the Authority's procedure it is not the consent conditions of the Grtv. but those of the GDPR that must be met.



IV. Legal consequences

1. Under Article 58(2)(i) and Article 83(2) of the GDPR, the Authority may impose a data protection fine instead of or in addition to the other measures.

There is no doubt that in the case of a breach of the GDPR it is necessary to oblige the controller, under Article 58(2)(d) of the GDPR, to bring the processing into line with the GDPR. The Authority considered the usual 30 days sufficient, as the measures must be applied in the future. In addition, in accordance with the governing judicial practice, in such a case the Authority sets out in the reasoning of the decision which of the aspects listed in Article 83(2) of the GDPR it took into account when imposing the fine.

[7] https://www.naih.hu/index.php/adatvedelmi-tisztviselo-bejelento-reszentrum
[8] https://dpo-online.naih.hu/DPO/Search

2. On the question of whether the imposition of a data protection fine is justified, the Authority decided on the basis of its statutory discretion, taking into account § 61(1)(a) and § 75/A of the Infotv. and Article 83(2) and Article 58(2) of the GDPR. Based on the Authority's assessment, a finding of infringement would not in itself be a proportionate and dissuasive sanction; the imposition of a fine is therefore justified in view of the Client's income, the significant number of data subjects (potentially in the hundreds of thousands, given the distribution connected to magazine subscriptions) and the direct marketing nature of the processing. In this case the protection of personal data, which is the Authority's responsibility, cannot be achieved without imposing a data protection fine, based on the totality of the circumstances detailed below. The imposition of the fine serves both special and general prevention, in the interest of which the decision is also published on the Authority's website.

3. When determining the amount of the fine, the Authority first identified that, as provided by Article 83(5)(a) of the GDPR, the maximum fine that can be imposed on this basis is EUR 20,000,000 or, in the case of undertakings, up to 4% of the total worldwide annual turnover of the preceding financial year. EUR 20,000,000 converted to HUF is approximately HUF 8,000,000,000. The Client's net sales revenue for the latest available year, 2021, was HUF 2,214,700,000. Based on all this, the legal maximum of the fine in the present case is HUF 88,588,000.

4. When determining the amount of the data protection fine, the Authority took the following aggravating circumstances into account:

   (i) Overall, there is an increased risk to the data subjects' right to the protection of personal data in that, based also on what was explained in point IV.2 above, the infringement is considered serious; according to point III.7.4 above, the personal data of a significant number of data subjects has been and continues to be processed over a long period for direct marketing purposes, their number constantly increasing; and the e-mail address data is also used for targeted advertising on Google and Facebook on the basis of insufficiently transparent information, which in itself carries significant risks for the right to the protection of personal data (Article 83(2)(a) of the GDPR).

   (ii) There is at least gross negligence, because, as described in the decision, the Client provided irrelevant and non-transparent information for years in a way that caused a significant informational disadvantage to the data subjects (Article 83(2)(b) of the GDPR).

   (iii) The technical and organisational measures undertaken by the Client under Articles 25 and 32 of the GDPR were insufficient, which is supported by the ineffectiveness of those measures established in the present decision (Article 83(2)(d) of the GDPR).

   (iv) The processing is specifically aimed at profit-making and, with fine-print information that is not easily accessible, implements an old bad practice that was already problematic in the time before the GDPR and still is. The lack of adequate information puts the data subject in a situation where he or she cannot even learn about and exercise his or her rights, because of which such violations often do not come before the Authority at all unless they come to its attention through other individual complaints (Article 83(2)(k) of the GDPR).

5. When determining the amount of the data protection fine, the Authority took the following mitigating circumstances into account:

   (i) The data subjects did not suffer direct financial damage due to the infringement (Article 83(2)(a) of the GDPR).

   (ii) Contact personal data is not considered sensitive data (Article 83(2)(g) of the GDPR).

   (iii) The Authority exceeded the administrative deadline (Article 83(2)(k) of the GDPR).

6. When determining the amount of the data protection fine, the following circumstances neither aggravated nor mitigated the fine; they had a neutral effect for the following reasons:

   (i) The Client did not acknowledge the breach of law and therefore took no mitigating measures (Article 83(2)(c) of the GDPR).

   (ii) The Authority has not yet established a breach of the GDPR by the Client in a data protection authority case; however, there was such a finding in the period before the GDPR became applicable (case files NAIH/2018/795/4/V and NAIH/2019/2181/2), and a data breach also occurred at the Client, so in this regard the Client's processing cannot be said to be problem-free (Article 83(2)(e) of the GDPR).

   (iii) The Client cooperated with the Authority during the procedure; however, under judicial practice and the Authority's practice this is its legal obligation, and only its absence could be an aggravating circumstance (Article 83(2)(f) of the GDPR).

   (iv) The Authority initiated ex officio proceedings against the Client when, based on a data subject complaint, it detected the likelihood of the unlawful nature of the processing practice, which resulted in the present procedure (Article 83(2)(h) of the GDPR).

8. Based on the above and all the circumstances of the case, the Authority considered the imposition of a data protection fine in the amount stated in the operative part to be proportionate and deterrent with regard to both special and general prevention, which amount is significantly below the maximum fine. In other cases this amount may differ significantly depending on the individual circumstances; it does not bind the Authority in other matters.


V. Other questions


1. According to § 38(2) of the Infotv., the Authority is responsible for supervising and promoting the enforcement of the right to the protection of personal data and of the right of access to data of public interest and data accessible on public interest grounds, and for facilitating the free flow of personal data within the European Union. According to § 38(2a) of the Infotv., the tasks and powers established for the supervisory authority in the GDPR are exercised by the Authority, as defined in the GDPR and this Act, with regard to legal entities under the jurisdiction of Hungary. The Authority's jurisdiction covers the entire territory of Hungary.






2. Under § 112(1), § 114(1) and § 116(1) of the Ákr., the decision may be challenged by way of an administrative lawsuit.

                                              * * *

3. The rules of the administrative court procedure are laid down in Act I of 2017 on the Code of Administrative Court Procedure (hereinafter: Kp.). Under § 12(1) of the Kp., an administrative lawsuit against the Authority's decision falls within the jurisdiction of the court; under § 13(3)(a)(aa) of the Kp., the Metropolitan Court has exclusive competence. Under § 27(1) of the Kp., legal representation is mandatory in administrative proceedings before the tribunal. Under § 39(6) of the Kp., the submission of the statement of claim does not have the effect of suspending the entry into force of the administrative act.


4. Under § 29(1) of the Kp. and, in view of this, § 604 of Act CXXX of 2016 on the Code of Civil Procedure, as well as § 9(1)(b) of Act CCXXII of 2015 on the general rules of electronic administration and trust services, the client's legal representative is obliged to maintain electronic contact. The time and place of submission of the statement of claim are defined by § 39(1) of the Kp. Information on the possibility of requesting a hearing is based on § 77(1)–(2) of the Kp.


5. The amount of the fee for the administrative lawsuit is determined by § 45/A(1) of Act XCIII of 1990 on Fees (hereinafter: Itv.). Under § 59(1) and § 62(1)(h) of the Itv., the party initiating the procedure is exempt from advance payment of the fee.

6. If the Client does not adequately certify the fulfilment of the prescribed obligations, the Authority considers that the obligations have not been fulfilled within the deadline. Under § 132 of the Ákr., if the Client has not complied with an obligation contained in the Authority's final decision, it is enforceable. Under § 82(1) of the Ákr., the Authority's decision becomes final upon communication. Under § 133 of the Ákr., enforcement is ordered by the decision-making authority, unless a law or government decree provides otherwise. Under § 134 of the Ákr., enforcement is carried out by the state tax authority, unless a law, government decree or local government decree provides otherwise. Under § 61(7) of the Infotv., the Authority itself carries out the enforcement of an obligation contained in its decision to perform a specific act, to engage in specific conduct, to tolerate or to cease.

Budapest, 12 September 2022

Dr. Attila Péterfalvi
president
c. professor