NAIH (Hungary) - NAIH-1855-4/2022

From GDPRhub
Revision as of 13:55, 28 November 2022 by Lszabo (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Hungary |DPA-BG-Color=background-color:#7f0037; |DPAlogo=LogoHU.jpg |DPA_Abbrevation=NAIH |DPA_With_Country=NAIH (Hungary) |Case_Number_Name=N...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
NAIH - NAIH-1855-4/2022
LogoHU.jpg
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 5(2) GDPR
Article 9(1) GDPR
Article 32(1)(a) GDPR
Article 32(1)(b) GDPR
Article 32(2) GDPR
Article 83 GDPR
Type: Investigation
Outcome: Violation Found
Started: 26.06.1921
Decided: 22.04.2021
Published: 22.04.2021
Fine: 3000000 HUF
Parties: Magyar Kétfarkú Kutya Párt, MKKP
National Case Number/Name: NAIH-1855-4/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Hungarian
Original Source: NAIH (in HU)
Initial Contributor: Laszlo Szabo

Data of activists and sympathisers of a political party leaked from Google docs. It did not inform the DPA on measures taken, including data subject notification. The DPA levied a fine, ordered notification of data subjects and security measures.

English Summary

Facts

A political party used Google docs to store data of sympathisers and addressees of mailings in Excel files. The files were leaked and made publicly available, the link of the files also being published in an article on a political portal. Given that a large number of data subjects and special categories of data were concerned, the DPA (NAIH) conducted an inspection and found that the security of the processing was not sufficiently ensured by the controller. The controller also did not respond to the demand of the authority to indicate the measures taken to secure the data and to notify the data subjects.

Holding

1) A) The Controller has not respected Article 32, paragraph (1), point (a) and(b) and paragraph (2) of that article of Regulation (EU) 2016/679, the protection of natural persons in respect of processing of personal data and the) free movement of such data, and repealing Directive 95/46/EC (hereinafter: General Data Protection Regulation) in not applying data security proportionate to the risks of storing data of party sympathisers and activists. B) The Controller has infringed Article 5(2) of the General Data Protection Regulation, as despite repeated requests from the Authority, it has not fully demonstrated how it has taken measures to reduce the risks of the personal data breach. 2) Instructs the Controller to demonstrate to the Authority in accordance with Article 5(2) of the General Data Protection Regulation (GDPR), when and in what form and with what content it informed the data subjects of the personal data breach, in accordance with Article 34 GDPR. B) inform the Authority of how it adapted the data processing affected by the incident to apply data security measures proportionate to the risk. 3) Due to the above infringement, the Client shall be obliged within 30 days from the date of the finalisation of the present decision to pay a fine of 3 000 000 HUF, i.e. three million forints 4) Orders the final decision to be published including the Customer’s identification data .

Comment

Google being a US company played no role in the decision. The DPA found, however, that Google docs is not secure enough for special categories of personal data. The party is in fact a non-conventional player in the political landscape, making more jokes than having a serious programme.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

Case number: NAIH-1855-4/2022 Subject: ex officio decision
History: NAIH-8855/2021 data protection authority
                                                                 in procedure



                                    H A T A R O Z A T



The National Data Protection and Freedom of Information Authority (hereinafter: the Authority) is the Hungarian
Kétfarkú Kutya Párt (headquarters: 1071 Budapest, Damjanich utca 26/b 3/1. ) (hereinafter:
Customer) on June 26, 2021 electronically 2A4E89072FB4FDC9D79327FA37F01AD
in connection with the notification of a data protection incident made on identification number July 14, 2021.
on December 2, 2021 due to the circumstances revealed during the official inspection initiated on
in official data protection proceedings initiated ex officio


    1) establishes that

       a) The customer has violated the handling of the personal data of natural persons
           regarding its protection and the free flow of such data, as well as a
           Regulation (EU) 2016/679 on the repeal of Directive 95/46/EC (the

           hereinafter: General Data Protection Regulation) Article 32(1) and its a)-b)
           points, as well as paragraph (2) of this article, when he did not apply the
           data security commensurate with the risks of storing the data of party sympathizers and activists
           measures.



       b) Customer has violated Article 5 (2) of the General Data Protection Regulation, as a
           Despite repeated calls from the authorities, he did not fully confirm what it was like
           has taken measures to reduce the risks of a data protection incident.

    2) Instructs the Customer to


        a) with regard to Article 5 (2) of the General Data Protection Regulation, he certifies that a
           To the authority that the data protection incident information of the affected parties is
           in accordance with Article 34 of the General Data Protection Regulation, when, in what form and
           he did it with content.


        b) inform the Authority about how the data involved in the incident is managed
           transformed in order to ensure data security commensurate with the risks
           apply measures.

    3) Due to the above violation, the Customer shall, on the 30th from the date of this decision becoming final,
       within days


                              3,000,000 HUF, i.e. three million forints

                           obligates you to pay a data protection fine;

                                                                                              1

……………………………………………………………………………………………………………………
 1055 Budapest Tel.: +36 1 391-1400 ugyfelszolgalat@naih.hu
 Falk Miksautca9-11. Fax: +36 1 391-1410 www.naih.hu 4) Orders the final decision to be published by publishing the Customer's identification data
       disclosure.

The fine according to point 3) above is settled by the Authority for the collection of centralized revenues

HUF account (10032000-01040425-00000000 Centralized direct debit account IBAN: HU83
1003 2000 0104 0425 0000 0000) must be paid by bank transfer. When transferring the amount a
NAIH-1855/2022 FEES. number must be referred to.

If the Customer does not fulfill his obligation to pay the fine within the deadline, he is in default
must pay an allowance. The amount of the late fee is the legal interest, which is due to the delay
is the same as the central bank base rate valid on the first day of the relevant calendar semester. The delay

allowance is the forint account for the collection of centralized revenues of the Authority (10032000-
01040425-00000000 Centralized direct debit account) must be paid.

Non-fulfilment of the instruction according to point 2) and the fine and late fee according to point 3)
in case of non-payment, the Authority orders the execution of the decision, the fine and the late fee.

There is no place for administrative appeals against this decision, but it is subject to notification

Within 30 days with a letter of claim addressed to the Capital Court in a public administrative case
can be attacked. The letter of claim must be submitted electronically to the Authority in charge of the case
forwards it to the court together with its documents. The request to hold the hearing must be indicated in the statement of claim
must For those who do not receive a full personal tax exemption, the administrative court fee is 30
HUF 000, the lawsuit is subject to the right to record the levy. In the proceedings before the Metropolitan Court, the legal
representation is mandatory.



                                         JUSTIFICATION


I. History and clarification of the facts

1) On June 26, 2021, the Customer electronically 2A4E89072FB4FDC9D79327FA37F01AD

filed an incident report with the Authority for data protection concerning its data management on the identification number
regarding an incident he became aware of that day.

In the incident report, the Customer communicated the following to the Authority:

On June 26, 2021, the customer was informed that a total of six Excel files with the extension .xlsx -
which were previously managed by the Customer - directly, accessible to anyone

made available via the link https://ufile.io/f/wn8iy. The link is https://kuruc.info/r/2/23220
article available via The files were:
    - Rósáné2 leaflet sending.xlsx
    - PARTY MEMBERS.xlsx
    - Country distribution.xlsx
    - MKKP campaign applicants 2018 (Responses).xlsx
    - MKKP Procurement Department.xlsx

    - at kimici (MKKP employees, subject areas).xlsx


                                                                                                 2 Based on the customer's notification, the tables list the names of their patron members and operational data
also include contact information (phone numbers, e-mail addresses,
residential addresses, identity card numbers). Based on the Customer's report in the data protection incident
approx. The personal data of 2,000 stakeholders were affected, including applicants for the 2018 election campaign

data, the exact data of the party's supporting members, the names of the party's internal coordinators and assistants, a
the list of the party's 2022 election candidates. The customer did not know clearly at the time of notification
determine whether the data leakage is an external act (e.g. hacker attack) or internal
result of leakage. After the incident, access to view the files is restricted to the
it was withdrawn from all but the co-chairs.

The customer did not inform the affected parties about the data protection incident at the time of notification, but the

plans in the future, as he deemed it "significant" in terms of risks. Information is planned
set the date as June 26, 2021.

2) On July 14, 2021, the Authority launched an official inspection of the incident report
for the purpose of assessing whether the Customer fully complied with the handling of the reported incident
to the provisions contained in the General Data Protection Regulation. The Authority NAIH-5885-2/2021.
sent an order clarifying the facts to the Customer on July 14, 2021 and its framework

asked him to provide data between The Customer responded to the order within the deadline.

According to the customer, the tables were protected by restricting access, they are Google Sheets
managed online as a table. Previously, access to the tables was granted to the party leader
for its officials and activists using a link. Disclosure of tables
after that, access was restricted to senior party officials. They used to be insured for that
access to the activists as well, since according to the party's internal principles they can hold it directly

the relationship with each other.

In connection with the analysis of the file access log, the Customer could not determine that
whether they were accessed by an unauthorized external attacker, or whether the disclosure of the files was internal
result of leakage.

As the legal basis for processing the data, the Customer is Article 9 (2) of the General Data Protection Regulation
point d) of paragraph The data is collected directly from the activists

collected between 2017-2018. The purpose of collecting and further processing the data is party political
in its activities with political activity given by activists participating of their own free will
there was contact in the context.

In addition to the above, the customer contacted the file-sharing site called ufile.io, which stores files, and e-
they requested the removal of the files by e-mail as well as by phone. Customer to the kuruc.info website
he did not live by solicitation. By the way, the files were only within 48 hours of posting

are publicly available and free to download. The customer finally stated that, as far as he knew, there were none
data of public interest or of public interest among personal data that has been made public.

3) The information referred to in the report was also checked by the acting member of the Authority
Website available via the link https://kuruc.info/r/2/230220. Available through the website
a press release relating to the activities of the reporting party. Referenced in the article
An additional web page will open via https://ufile.io/f/wn8ilink from where it is



                                                                                                 Excel files with the extension .xlsx referenced in 3 incident reports were available for direct download.
About the image and source code of the article and the website containing the files in .html format
backup, screenshots were also taken, and the databases were saved
in original .xlsx format. About saving the website and the files listed above separately in .sha
extension authentication files were created. These processes are regulated by Authority NAIH-5885-2/2021. no

documented in his memo.

The following personal data are included in the published tables:

     a) In Rósáné2 leaflet sending.xlsx file:

      Nature and description of personal data Number of data subjects


   The following personal data of members: transferor
  person's name, recipient's name, city
 name, where the leaflet would be distributed, 48
   name of city where the leaflets
  will be collected, address where the flyers will be collected,
    the person receiving the flyers is on the phone

                 availability


       b) PARTY MEMBERS.xlsx file:

      Nature and description of personal data Number of data subjects



           on the "supporter member list" tab

   Registration number of supporting members, complete
 name, national individual constituency, address, 509
  identity card number, phone number,

  decision number and date, card number,
 date of application, date of membership, withdrawal
              fact, remark




                "2022" tab

   Registration number of supporting members, complete
 name, national individual constituency, address, 476
 ID card number, phone number, e-
    e-mail address, date of membership, whether the
 phone number, willingness to be active and
 location, activity description, comment





                                                                                               4 on the "Members" tab

membership number, full name, application date, 35
   date of decision, from when you have to pay,

               from when you paid


   On the "Wrongly notified members" tab

   serial number, full name, telephone, e-mail address, 60
 entry date, decision date, from when

                 you have to pay


   "if he was a passivist, he would go here" tab

    serial number, full name, national individual

 constituency, address, identity card 20
  number, telephone number, e-mail address, date


           on the "card numbers" tab
                                                                   495
 card number, full name, number of orders



              on the "to do" tab
                                                                    12
     full name, e-mail address, telephone number



              on the "envelope" tab

 full name, address, in some cases notification number 52
                     title



               On the "Sheet7" tab

 full name, national individual constituency, 27
address, identity card number, e-mail address,
                phone number,








                                                                                               5 c) Country distribution.xlsx file:

      Nature and description of personal data Number of data subjects

          "OEVK with map" tab


 name of candidate, name of assistant, name of coordinator, e- 117
  email address, phone number, Facebook profile link


          On the "Divided by country" tab

                                                                    56
    admin name, county coordinator name,
         name of election coordinator

               On the "Sheet7" tab
                                                                    57
                  candidate name



       d) MKKP campaign applicants 2018 (Responses).xlsx file:

      Nature and description of personal data Number of data subjects


     name, e-mail address, phone number, "where
would you campaign", "what can you help with?", "other 417
                   help"


       e) MKKP Procurement Department.xlsx file:


In the table, asset purchases are entered, with the name of the project manager, in a total of 6 cases
by entering an e-mail address and telephone number.

       f) in kimici (MKKP employees tasks, responsibilities).xlsx file:

The file lists the tasks of the party's 17 members (marked only by nicknames in several places).
included. The file also contains the Country distribution.xlsx table and the data in it

also on a separate ear.

4) After that, the Authority NAIH-5885-5/2021. for new data provision by order with file number
summoned the Customer by post on August 31, 2021, which was confirmed by the return receipt
according to the Customer's representative at its registered office on September 20, 2021. By the Authority
despite the set ten-day response deadline, no response to the order has been received to date.


Due to the lack of response, the Authority repeatedly invited the Client to make a statement NAIH-5885-
6/2021. with order no. on October 25, 2021. This order is sent to the Authority's Customer representative -



                                                                                               6, in view of the reply previously received from the Customer - delivered electronically, which was delivered by a
received on November 3, 2021 based on download confirmation. Five days prescribed by the Authority
despite the response deadline, no response to the order has been received to date.

5) Repeated failure to respond, further clarification of the facts and the general in the case

further alleged violation by the Customer of the obligations contained in the data protection decree
on the right to informational self-determination and freedom of information due to its necessary investigation
CXII of 2011 Act (hereinafter: Infotv.) with regard to Section 60 (1), the Authority 2021.
on December 2, decided to initiate official data protection proceedings.

On the initiation of the official data protection procedure, the Authority notified the Client NAIH-8855-1/2021.
the defaulter notified him by order with file number, and requested additional data from him

with regard to answers and further clarification of the circumstances of data management. Customer representative
received the order electronically based on the download certificate on December 6, 2021, and on
to this day he has also not responded.

In view of the above, the Authority NAIH-1855-1/2022. on January 27, 2022, with order no
due to non-response for the third time, a procedural fine of HUF 350,000 was imposed on the Customer by the
CL of 2016 on general administrative regulations. Act (hereinafter: Act) § 77

based on the fact that the lack of answers necessary to reveal the facts significantly hinders the
Authority's activities, thus the full disclosure of the facts in the case. The Authority also
He called on the client to immediately comply with the provisions of the previous order.

The customer downloads the order imposing the procedural fine and the repeated notice through his office portal
based on a certificate, he received it on January 28, 2021, but still did not respond to it, the procedural
did not pay the fine or take legal action against it within the stipulated 30-day deadline

not too much. The Authority also sends the order imposing the procedural fine by registered mail
sent it to the Customer's address, but the shipment was returned with a "not searched for" mark
on February 18, 2022.

II. Applicable legal provisions

Based on Article 2 (1) of the General Data Protection Regulation, affected by the data protection incident
the general data protection regulation shall be applied to data management.


Article 4, point 12 of the General Data Protection Regulation defines what constitutes data protection
incident, based on this, "data protection incident": a security breach that affects the transmitted,
accidental or unlawful destruction of stored or otherwise managed personal data,
loss, alteration, unauthorized disclosure or unauthorized access to them
results in access.


According to Article 9 (1) of the General Data Protection Regulation, racial or ethnic origin,
referring to political opinion, religious or worldview beliefs or trade union membership
personal data, as well as genetic data, unique identification of natural persons
targeting biometric data, health data and sexual life of natural persons
or sexual orientation is prohibited.





                                                                                                   7Article 5 (2) of the General Data Protection Regulation defines "accountability
principle", according to which the data controller is responsible, contained in Article 5 (1) of the regulation
for compliance with its principles and must be able to demonstrate this compliance.

Pursuant to Article 32 (1) of the General Data Protection Regulation, the data controller and

data processor the state of science and technology and the costs of implementation, as well as that
nature, scope, circumstances and purposes of data management, as well as the rights of natural persons and
taking into account the risks of variable probability and severity reported to his freedoms
implements appropriate technical and organizational measures to ensure that the risk
guarantees the appropriate level of data security. The decree includes, among other things, Article 32.
on the basis of Article (1) point b), the systems used to manage personal data and
ensuring the continuous confidentiality of services.


According to Article 32 (2) of the General Data Protection Regulation, security is adequate
when determining the level of
risks, which are in particular personal data transmitted, stored or otherwise handled
accidental or illegal destruction, loss, alteration, unauthorized
result from its disclosure or unauthorized access to them.


According to Article 33 (1) of the General Data Protection Regulation, a data protection incident is defined as
controller without undue delay and, if possible, no later than 72 hours after it is
a data protection incident has come to his attention, he is notified by the competent supervisory authority based on Article 55
authority, unless the data protection incident probably does not entail a risk a
regarding the rights and freedoms of natural persons. If the notification is not made 72
within an hour, the reasons justifying the delay must also be attached.


According to paragraphs (1)-(2) of Article 34 of the General Data Protection Regulation, if the data protection incident
is likely to pose a high risk to the rights and freedoms of natural persons
view, the data controller informs the data subject without undue delay of the data protection
incident. It must be clearly and clearly explained in the information given to the person concerned
the nature of the data protection incident, and at least Article 33(3)(b), (c) and (d) must be disclosed
information and measures mentioned in



CXII of 2011 on the right to information self-determination and freedom of information. law
(hereinafter: Infotv.) According to Section 2 (2) of the general data protection decree there
shall be applied with the additions contained in the specified provisions.

The Akr. On the basis of § 99, the authority - within the framework of its powers - checks the legislation
compliance with the provisions contained, as well as the fulfillment of the provisions of the enforceable decision.


The Akr. Based on point a) of paragraph (1) of § 101, if the authority finds a violation during the official inspection
experiences, initiates the official procedure. Infotv. Section 38 (3) and Section 60 (1).
based on Infotv. personal data within the scope of duties according to § 38, subsections (2) and (2a).
in order to enforce the right to data protection, it conducts official data protection proceedings ex officio.






                                                                                                8 The Infotv. Based on point a) of section 61 (1), the Authority in sections (2) and (4) of section 2
in connection with specific data management operations in the general data protection regulation
may apply specific legal consequences.

Based on points b) and i) of Article 58 (2) of the General Data Protection Regulation, the supervisory

authority, acting in its corrective powers, condemns the data manager or data processor if
its data management activities violated the provisions of the decree and Article 83
appropriately imposes an administrative fine, depending on the circumstances of the given case, e
in addition to or instead of the measures mentioned in paragraph

According to Article 83(5)(e) of the General Data Protection Regulation, Article 58(1)
in the case of non-compliance with the provisions on provision of access

up to EUR 20,000,000 or, in the case of businesses, the entire previous financial year
an administrative fine of up to 4% of its annual world market turnover can be imposed,
with the higher of the two amounts being imposed.

In addition to the decision, the Ákr. Sections 80 and 81 shall apply.

III. Decision


    1. Findings related to the security of data management

Pursuant to Article 32 (1) of the General Data Protection Regulation, the data controller is science
and the state of technology and implementation costs, as well as the nature and scope of data management,
its circumstances and purposes, as well as the rights and freedoms of natural persons,
appropriate technical and

implements organizational measures to ensure that the level of risk is appropriate
guarantees level data security. The regulation includes, among other things, Article 32 (1) b)
point, the systems and services used to manage personal data are continuous
ensuring its confidentiality.

According to Article 32 (2) of the General Data Protection Regulation, security is adequate
when determining the level of
risks, which are especially transmitted personal data to unauthorized public

they result from making or unauthorized access to them.

According to the Authority's opinion, the data processing affected by the incident, i.e. the members of the political party,
personal data of sympathizers and activists (e.g. identification data, contact details, with party
related activities) is considered high risk. This is because it is common
Recital (75) of the Data Protection Regulation refers to data management during which political
data that can be associated with an opinion is treated as fundamentally risky. With this

in this context, it also considers it risky if data management results in discrimination
may arise, and also if the data management covers a large number of stakeholders. Finally, such data
management, of which identity theft or identity abuse (such
in this case, the identification data in the tables, such as: name, address, telephone number, e-mail
address, identity card number, Facebook profile link) may also be risky
considered by these provisions of the decree.




                                                                                               9 According to the Authority's opinion, a total of six items in the published table
the handling of the data of data subjects is considered high risk according to the General Data Protection Regulation
based on the above regulations. Individually, very easily, based on the range of data in the table
various tasks that sympathize with the party during its operation can become identifiable

the handling of the contact information of the parties involved together with the names and party affiliation
because of Violation of the confidentiality of data involves high risks for those concerned
regarding his private sphere, since he belongs to a political organization - even if it may be from the past
- definitely reflects the political opinion of the given person.

Data relating to political opinion is Article 9 (1) of the General Data Protection Regulation

belong to a special category of personal data. The highlighting of these data is a
under the general concept of personal data, it is justified by the fact that such information is the data subject
they relate to more sensitive aspects of his life, therefore their disclosure is unauthorized
knowledge of it can be particularly harmful for the person concerned. This data is illegal
its treatment can negatively affect the individual's reputation, private and family life, it is disadvantageous
may be a cause or reason for discrimination against the person concerned.


Finally, the risks of data management are also increased by the fact that a large number of data subjects, more than 2,000, are personal
data were processed together in the tables.

The responsibility of the data controller, i.e. in this case the Customer, is to comply with Article 32 (1)-(2) of the General Data Protection Regulation
based on paragraphs that based on the nature, circumstances, purposes and risks of data processing, a
according to the state of science and technology, implement appropriate level of data security measures

finally. Among other things, these data security measures must guarantee that a
managed personal data should preferably not be made public without authorization, or should not be related to them
can be accessed without authorization.

Based on the judgment of the Authority, identification data and political opinion that can be linked to the data subjects
management of reflective data within the framework of Google Sheets, a free online service

in the form in which it was realized in the present case, it does not meet the high risk
the level of data security commensurate with the risks presented by data management.

Google Sheets is a free, web-based spreadsheet program offered by Google
It is part of the Google Docs Editors package. The application allows users to
create and edit files online while collaborating with others in real time
with users. Modifications can be tracked by the user using the modification display

with version history. The position of the editor has an editor-specific color and cursor
highlighted, and an authorization system controls what users can do. THE
documents can be shared, opened and edited by several users at the same time. THE
changes are automatically saved to Google's servers and the system
automatically preserves version history so previous changes can be viewed and
they can be restored. The files can be exported in different formats to the user's local
                                                              1
to your computer, for example in PDF and Office Open XML formats.


1 See: - https://www.google.hu/intl/hu/sheets/about/;
      - https://en.wikipedia.org/wiki/Google_Sheets




                                                                                              10Managing the large number of special personal data contained in the tables is in itself very difficult
it entails serious risks for the privacy of those concerned. The Customer is the high risk
in connection with data management, access to the tables was granted to the party's leading officials and
for its activists with the help of a link, since according to the party's internal principles, the activists can also directly
they can keep in touch with each other. In this way, even thousands of stakeholders could access the tables

online at once with a simple link, without any other restrictions. Because Google
Users can simply export and save files from the Sheets online service
to your local computer, therefore such a large number of access any other authorization control (e.g
password access to the table) in the case of provision without, it is very likely that
the occurrence that even unauthorized persons have access to the data, or that
a person entitled to it in advance sends it to others as well, or brings them himself
public. Nor to apply encryption to preserve the confidentiality of files

took place.

Without the application of additional appropriate control measures, it cannot be done by science and
from the point of view of the state of technology, it is sufficient to guarantee that it is very loose
personal data handled under access measures should not be exposed sooner or later
public. The present is an example of the consequences of the lack of stronger security measures
also a data protection incident in the case.


Only in connection with the analysis of the file access log, the Customer could not establish that
whether they were accessed by an unauthorized external attacker, or if the files were made public
is it the result of an internal leak.

In the opinion of the Authority, if the Client stores the files in some internal, appropriate way
with encryption and traceable access control (e.g. with password protection

authorization management and internal logging) would have been handled in a system (e.g. dedicated server), so
the data protection incident that is the subject of the report was also much less likely to follow
and the circumstances of its occurrence would have been easier to reconstruct.

Based on the above, the Authority determines that the Client is appropriate and proportionate to the risks
by data processing in the absence of data security measures, violated the general
Article 32, paragraph (1) and points a)-b) of the data protection regulation, as well as (2) of this article
paragraph.


    2. Measures taken in connection with the handling of the data protection incident that occurred

Based on Article 4, point 12 of the General Data Protection Regulation, a data protection incident is considered a
breach of security, which is the unauthorized disclosure of the processed personal data or related to them
results in unauthorized access. From the point of view of the concept, it is the same as the security event
relationship can be considered a key element. An event involving personal data is only that

cases are considered data protection incidents if it can be caused by some kind of security breach
connected, this is the root cause and there is a causal relationship between the two. The safety
damage may result from the security measures used to protect personal data
incomplete, inadequate, possibly out of date, or due to their complete absence.

In the given case, the security breach was caused by the Customer not using the appropriate equipment
technical and organizational measures regarding the data of party sympathizers



                                                                                              11 in order to preserve its confidentiality (see the provisions of point III/1 of the decision). Appropriate
in the absence of security measures, therefore also the personal data of supporters and members
containing tables, were removed from the
from its management and made public by unknown persons on the Internet.


According to Article 33 (1) of the General Data Protection Regulation, a data protection incident is defined as
controller without undue delay and, if possible, no later than 72 hours after it is
becomes aware of a data protection incident, must report it to the supervisory authority. The incident
reporting can only be omitted if the incident probably does not involve risk a
regarding the rights and freedoms of natural persons. Assessing the risks associated with the incident
it is the responsibility of the data controller.


Sensitive and accurate data that is classified as special personal data involved in the incident
occurring during inclusive data management due to damage to security measures
a data protection incident is considered high risk. This is because of political activity
after the disclosure of the relevant data, the data controller's influence on their fate is complete
out of your control. Further confidentiality of the data management is not possible in full
guarantee in the future.


The client bears the risks related to their further fate due to the avoidance of data management
cannot take completely eliminating measures, the data – where appropriate illegal –
can no longer fully reduce the risks associated with its further treatment. The file sharing site
(in this case: https://ufile.io)'s subsequent request to delete the data reduces the
risks that the Customer took during incident management.

The Authority is also a factor that further increases the risks posed by the data protection incident

considers that access protection for the tables containing the special data of the data subjects (e.g.
could be accessed without a password), with just a link. Adequate data security
the application of measures would have reduced the risk of special data
third parties should not get to know me without authorization and they should not be made public.

The publication of the special data in comparison with the circumstances of the incident is the Authority
in his opinion, resulted in a high-risk data protection incident.


Based on the above, the Authority considers the data protection incident to be high risk
can be considered, therefore, if the data controller becomes aware of such a case, it must be reported
report to the supervisory authority based on Article 33 (1) of the General Data Protection Regulation
authority.

In view of the above, the Authority concludes that the data controller has complied with the general requirements
incident notification based on Article 33 (1) of the Data Protection Regulation

obligation, so no violation of law was established in this regard.

    3. Findings related to the principle of accountability

Article 5 (2) of the General Data Protection Regulation defines "accountability
principle", according to which the data controller is responsible, contained in Article 5 (1) of the regulation
for compliance with its principles and must be able to demonstrate this compliance.



                                                                                               12 The Authority initiated an official inspection and then an official procedure in connection with the incident report
tried several times to inform the Customer about exactly what it was like
took measures to manage the incident and reduce the risks for those involved
however, despite the Customer's knowledge, he did not receive any answers regarding these.


Therefore, the customer did not prove to the Authority, despite repeated requests to provide data,
what exactly measures were taken in relation to the handling of the data protection incident
in order for the data management carried out by it to comply with the regulation from the point of view of the case
relevant regulations. Among other things, the Authority expected confirmation from the Client that it is
how did you transform the data management involved in the incident, so that in the future with the risks
apply proportionate data security measures to avoid a similar incident in the future

order (Article 32 of the General Data Protection Regulation), and that the persons concerned are subject to the high
in relation to a data protection incident with risk, how and with what content you were informed (general
Article 34 of the Data Protection Regulation).

Due to the lack of confirmation by the Client, the Authority cannot therefore establish that
Will the customer's data security measures in the future correspond to a level commensurate with the risks,
furthermore, what measures he took in connection with informing those concerned about the incident

Customer.

Due to the reluctance of the data controller, which can be blamed on him, the Authority also does not know the merits
to control the circumstances related to the handling of personal data, and this is also
leads to a serious reduction in the level of protection provided by the general data protection regulation, which
ultimately, it puts those concerned in a vulnerable position.


Since the Client did not prove to the Authority that the regulation is relevant despite repeated requests
measures taken to comply with its regulations, and therefore violated the general
Article 5 (2) of the Data Protection Regulation.

    4. The applied sanction and its justification

During the clarification of the facts, the Authority established that the Customer violated the general
data protection regulation

    - Article 32, paragraph (1) and its points a)-b) and paragraph (2),
    - Paragraph 2 of Article 5.

The Authority examined whether the imposition of a data protection fine against the Customer is justified. E
in the scope of the Authority, Article 83 (2) of the GDPR and Infotv. 75/A. it was considered based on §
all the circumstances of the case.


In view of this, the Authority informs Infotv. Based on point a) of § 61, subsection (1), in the relevant part
decided in accordance with the provisions, and in this decision, the Client to pay a data protection fine
obliged.


When imposing the fine, the Authority took into account the following factors:




                                                                                              13 When establishing the necessity of imposing a fine, the Authority considered the violations
aggravating, mitigating and other circumstances as follows:

Aggravating circumstances:


    - Data security deficiencies affected the personal data of a large number of stakeholders. [general
       Article 83 (2) point a) of the Data Protection Regulation]

    - The data security gaps arose in connection with data management where special,
       political opinion data were handled together with contact data. On this
       illegal handling of data can negatively affect an individual's reputation, private and
       family life, may be a cause or reason for discrimination against the person concerned,

       moreover, it may also lead to misuse of personal identity. [general data protection
       Article 83 (2) point (g) of the Decree]

    - The Authority regards the established data security deficiencies as a systemic problem
       considers the incident to be not a one-time security deficiency or injury, but
       can be traced back to the illegal handling of entire databases. [general data protection
       Regulation Article 83(2)(a) and (d)]


    - The Client did not cooperate with the Authority during the investigation of the case. THE
       multiple requests for data provision verified by the Customer and procedural fines
       despite this, he did not respond to the Authority's orders clarifying the facts. The Authority did not know that
       fully verify that the risks reported to the stakeholders are appropriate
       has it been reduced? [general data protection regulation Article 83 (2) point f)]


    - When determining the amount of the fine, the Authority took into account that the Customer
       violation committed by, thus Article 5 (2) of the General Data Protection Regulation
       violation is the higher maximum amount according to Article 83 (5) of the regulation
       is considered a violation of the fine category.

Extenuating circumstances:

    - During the procedure, the Authority did not come to the attention of any information that would indicate

       that the affected parties would have suffered any specific disadvantage or damage as a result of the infringement.
       [General Data Protection Regulation Article 83 (2) point a)]

    - The Authority took into account that the Client had not previously established the
       violation of the law related to the management of personal data. [83 of the General Data Protection Regulation.
       Article (2) point (e)]


Other circumstances taken into account:

    - The Authority on the violation of the Client according to Article 33 of the General Data Protection Regulation
       found out based on his incident report. The Authority condemns this behavior - since a
       did not go beyond complying with legal obligations - specifically as a mitigating circumstance
       did not appreciate it. [general data protection regulation Article 83 (2) point h)].




                                                                                                 14 - Based on the circumstances of the case and the Customer's statement, the Customer decided the risks
       a technological solution guaranteeing data security that is inadequate from the point of view of
       in addition to its application. However, the Authority could not verify it with the Client later
       not because of its operation, but because of the reasons for choosing the technology
       row, and whether the Customer has performed a preliminary risk analysis in this regard. The

       the intentional or thoughtless nature of the data security breach is therefore expressed by the Authority
       he could not evaluate it as an aggravating or mitigating circumstance. Not together with the Customer
       on the other hand, he evaluated its operation under the aggravating circumstances. [general data protection
       Regulation Article 83 (2) point b]

The Authority is responsible for general data protection when making a decision on the legal consequences
did not consider points c), i), j) and k) of Article 83 (2) of the Decree to be relevant.


The Authority is Infotv. Based on points a), b) and c) of Section 61 (2), the Customer is responsible for the decision
ordered the publication of his identification data, as it is
affects a wide range of persons, that is, through the activities of the Authority's public service organization
brought in connection, and also because of the involvement of special data, the public is the infringement
is also justified by its material weight.


    ARC. Other questions

The competence of the Authority is set by Infotv. Paragraphs (2) and (2a) of § 38 define it, and its competence is
covers the entire territory of the country.

The Akr. § 112, and § 116, paragraph (1), and § 114, paragraph (1) with the decision

on the other hand, there is room for legal redress through a public administrative lawsuit.

The rules of the administrative trial are set out in Act I of 2017 on the Administrative Procedure
hereinafter: Kp.) is defined. The Kp. Based on § 12, paragraph (1), by decision of the Authority
the administrative lawsuit against falls within the jurisdiction of the court, the lawsuit is referred to in the Kp. § 13, subsection (3) a)
Based on point aa), the Metropolitan Court is exclusively competent. The Kp. Section 27, paragraph (1).
Based on point b), legal representation is mandatory in a lawsuit within the jurisdiction of the court. The Kp. Section 39

(6) of the submission of the claim for the administrative act to take effect
does not have a deferral effect.

The Kp. Paragraph (1) of § 29 and, in view of this, Pp. According to § 604, the electronic one is applicable
CCXXII of 2015 on the general rules of administration and trust services. law (a
hereinafter: E-administration act) according to § 9, paragraph (1), point b) of the customer's legal representative
obliged to maintain electronic contact.


The time and place of submitting the statement of claim is set by Kp. It is defined by § 39, paragraph (1). THE
information on the possibility of a request to hold a hearing in Kp. Paragraphs (1)-(2) of § 77
is based on.

The amount of the fee for the administrative lawsuit is determined by Act XCIII of 1990 on fees. law
(hereinafter: Itv.) 45/A. Section (1) defines. It is from the advance payment of the fee

Itv. Paragraph (1) of § 59 and point h) of § 62 (1) exempt the party initiating the procedure.



                                                                                                15Acr. According to § 132, if the obligee does not comply with the obligation contained in the final decision of the authority
fulfilled, it is enforceable. The Authority's decision in Art. according to § 82, paragraph (1) with the communication
becomes permanent. The Akr. Pursuant to § 133, enforcement - if it is a law or government decree
does not provide otherwise - it is ordered by the decision-making authority. The Akr. Pursuant to § 134 of

enforcement - if it is local in the case of a law, government decree or municipal authority
the municipal decree does not provide otherwise - it is carried out by the state tax authority. Infotv.
Pursuant to § 60, paragraph (7), a specified action included in the Authority's decision
an obligation to perform, to engage in certain conduct, to tolerate or to cease
regarding the implementation of the decision, the Authority undertakes.

Budapest, April 22, 2022.




                                                               Dr. Attila Péterfalvi
                                                                     president

                                                               c. professor




































                                                                                                16