NAIH (Hungary) - NAIH-1091-10/2022 (NAIH-6936/2021)

From GDPRhub
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 5(2) GDPR
Article 6(1) GDPR
Article 7(1) GDPR
Article 12(1) GDPR
Article 12(2) GDPR
Article 12(3) GDPR
Article 12(4) GDPR
Article 15(1) GDPR
Article 17(1) GDPR
Type: Investigation
Outcome: Violation Found
Started: 04.03.2019
Decided: 11.07.2022
Published: 11.07.2022
Fine: 500.000 HUF
Parties: Infotv
National Case Number/Name: NAIH-1091-10/2022.(NAIH-6936/2021)
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Hungarian
Original Source: NAIH (in HU)
Initial Contributor: Vilma Margarit

The Hungarian DPA imposed a €1,228 fine on a hotel booking service for sending direct marketing emails without a valid legal basis and not complying with data subject rights under Articles 12, 15, 17 and 21(2) GDPR.

English Summary

Facts

Two data subjects received unsolicited commercial emails from a hotel booking website (the controller). They objected to the processing of their personal data for direct marketing purposes and requested that their email address be deleted from the controller's register. However, the controller did not comply with the request and continued sending unsolicited emails. The same happened to the second data subject. Additionally, one of the data subjects submitted an access request to the controller but did not receive a response.

Both data subjects filed a complaint with the Hungarian DPA. The DPA initiated an investigation, trying to contact the controller several times. After not receiving any reply, the DPA started sanctioning proceedings.

During the proceedings, the controller argued that it was not aware of the data protection aspect of its activity and only considered it "simple advertising". Moreover, the controller stated that it had given instructions to delete the data from the mailing list, but an error occurred, as a result of which the personal data was still in the register. Furthermore, according to the controller, once the error was remedied, the data subjects were orally informed by a phone call about the deletion of their data.

Holding

The DPA held that the controller provided misleading information in its privacy policy. Although the controller claimed that the legal basis for processing personal data in relation to newsletters and marketing was consent under Article 6(1)(a) GDPR, the privacy policy mentioned the legitimate interest of the controller. Hence, it confused the data subjects as to which legal basis was actually used. Moreover, the privacy policy did not expressly mention the purposes of processing personal data. Therefore, the DPA found a violation of Article 12(1) GDPR as the data subjects were not clearly informed of the purposes and the legal basis for processing.

Additionally, the DPA established a violation of Article 6(1) GDPR because the consent given by the data subjects was not informed since the controller provided conflicting information about the legal basis. Furthermore, the consent was not obtained separately for every specific purpose as there were no separate checkboxes for data marketing purposes.

The DPA also held that the controller did not have proof of consent, violating Article 7(1) GDPR. The controller also violated Article 5(2) GDPR as it never sent the DPA the requested proof of consent or an assessment balancing the legitimate interests at stake.

The DPA emphasised that data processing for marketing purposes is of a special nature. The DPA referred to Article 21(2) GDPR, according to which the data subject can at any time object to personal data processing for direct marketing purposes. In such cases, the controller has no discretion, but must delete the personal data (Article 17(1)(c) GDPR).

Regarding the access request made by one of the data subjects, the DPA found a violation of Article 15 GDPR as the controller never responded to the request.

For the above-discussed violations, the Hungarian DPA fined the controller HUF 500,000.


English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

Case number: NAIH-1091-10/2022.
History: NAIH-6936/2021. Subject: decision establishing a violation of law
DECISION
The National Data Protection and Freedom of Information Authority (hereinafter: the Authority) [...]-
(hereinafter referred to as: Customer) for marketing data processing and exercise of stakeholder rights
practice regarding the fulfillment of the personal data of natural persons
regarding its protection and the free flow of such data, as well as a
of Regulation 2016/679 (EU) on the repeal of Directive 95/46/EC (hereinafter:
GDPR and General Data Protection Regulation) - 25.05.2018-01.09.2021. in the period between
the following decision in the data protection official procedure initiated ex officio to examine its compliance
bring
I.1. The Authority believes that the Customer has violated:
- Paragraph 1 of Article 6 of the GDPR, as it was handled without a legal basis for direct business acquisition purposes
personal data,
- Article 7 (1) of the GDPR and Article 5 (2) of the GDPR, as he could not
to certify the processing of the personal data of the data subjects for the purpose of direct business acquisition
his consent, nor his legitimate interest in data management,
- Article 12 (1) of the GDPR, as it did not provide transparent and understandable information,
- Article 15 (1) and Article 17 (1) of the GDPR, Article 12 (1) - (4) of the GDPR
paragraph, as he did not fulfill the prescribed deadline, or only because of the procedure
data subjects to delete personal data processed for the purpose of direct business acquisition
requests […] (e-mail address: […]; hereinafter: Data Subject 1) and […] (e-mail address: [...] ; the
hereinafter: in the case of Data Subject 2), and not to Data Subject 2's access request
answered.
I.2. The Authority obliges the Customer to:
- provide written information to the Data Subjects by fulfilling their data subject requests
in context, furthermore
- its data management operations are brought into line with the general data protection regulation
with its provisions by transforming its direct business acquisition practices and
on the basis of a suitable legal basis and the relevant rules of the General Data Protection Regulation
it manages them by keeping them, furthermore
- give clear information to those concerned before obtaining e-mail addresses, and
knowing this, ask for their express consent to the processing of data for marketing purposes,
if you manage them based on consent.
I.3. The Authority is the Client ex officio due to the illegal data processing it has carried out
HUF 500,000, i.e. five hundred thousand HUF
data protection fine
obliged to pay.
I.2. - I.3. the Customer from taking the measure to fulfill the obligation according to point
must be submitted in writing within 15 days of the
certify to the Authority. In case of non-fulfillment of the obligation, the Authority shall issue a decision
implementation.
The data protection fine is the governing action for the initiation of the administrative lawsuit
within 15 days after the expiration of the deadline or, in the case of an administrative lawsuit, after the court's decision a
Authority's centralized revenue collection target settlement HUF account (10032000-
01040425-00000000 Centralized direct debit account IBAN: HU83 1003 2000 0104 0425 0000
0000) must be paid in favor of When transferring the amount, NAIH-1091/2022. FINE. must count
refer to.
If the Customer does not fulfill his obligation to pay the fine within the deadline, he is in default
must pay an allowance. The amount of the late fee is the legal interest, which is due to the delay
is the same as the central bank base rate valid on the first day of the relevant calendar semester. The fine and the
in case of non-payment of late payment, the Authority orders the execution of the decision.
There is no place for an administrative appeal against the decision, but it is subject to notification
Within 30 days with a letter of claim addressed to the Capital Court in a public administrative case
can be attacked. The statement of claim must be submitted to the Authority, electronically1, which is the case
forwards it to the court together with its documents. The request to hold the hearing must be indicated in the statement of claim
must For those who do not benefit from the full personal tax exemption, the administrative court fee
HUF 30,000, the lawsuit is subject to the right to record the levy. In the proceedings before the Metropolitan Court, the legal
representation is mandatory.
JUSTIFICATION
I. Procedure of the procedure
I.1. Based on the complaints of the interested parties, NAIH/2020/147. and NAIH/2019/7264. it is on account
Article 57 (1) point f) of the General Data Protection Regulation and information self-determination
CXII of 2011 on law and freedom of information. Act (hereinafter: Infotv.) § 38
Based on point a) of paragraph (3), an investigation procedure was initiated before the Authority.
I.2. The Authority is Infotv. Based on § 55 (1) point ab) NAIH/2020/1247. and the
NAIH/2020/147. closed its investigation procedures, and Infotv. Based on § 60, paragraph (1).
ex officio initiated a data protection official procedure against the Customer.
I.3. At the request of the Authority, the Client shall submit NAIH-6936-1/2021., NAIH-6936-3/2021. and the NAIH
1091-1/2022. in order no. he was invited to make a statement in order to clarify the facts
I.4. The Authority NAIH-1091-1/2022. 150,000 HUF procedural fine in order no
obliged the Client to pay, and also invited him to make a statement, since the Authority NAIH-
6936-1/2021. to call no., and NAIH-6936-3/2021. to his repeated call no
answering questions essential to the discovery of data management conditions
missed it. The Customer is obliged to pay the procedural fine and make a statement
complied with the Authority's deadline extension request NAIH-1091-3/2022.
rejected by order no.
I.5. The Authority NAIH/2020/147. No. and NAIH/2019/7264. investigation cases no
2016 CL on the general administrative procedure for its complainants. law (a
hereinafter: Ákr.) based on paragraph (1) of § 10, client legal status was granted by NAIH-1091-2/2022.
and NAIH-1091-8/2022. in his orders No. and called them to declare and
they can exercise their right to inspect documents. The complainants involved as clients the orders of the Authority
received, but did not make a statement within the specified deadline.
1 The NAIH_KO1 form is used to initiate the administrative lawsuit: NAIH KO1 form (16.09.2019) The
form can be filled out using the general form filling program (ÁNYK program).
II. Clarification of facts
II.1. History
II.1.1. NAIH/2020/147. investigation case no
The Authority received a complaint on October 4, 2019, in which [...] (email address: [...] ; the
hereinafter: Data subject 1) objected to the processing of the Customer's data, since on March 12, 2019
submitted a request to the [...] e-mail address to delete the [...] e-mail address and all its data from the
From the customer's register, because Data Subject 1 did not consent to data management. Your request is
However, the customer did not comply and continued to send unsolicited emails to the e-mail address of Data Subject 1.
The Data Subject forwarded 1 copy to the Authority to the Customer on March 12, 2019
sent stakeholder request.
The Authority in the case of Article 57 (1) point f) of the General Data Protection Regulation and
Infotv. NAIH/2019/7219 initiated an investigation procedure based on the request based on point a) of paragraph (3) of § 38.
number in connection with the Customer's data processing for marketing purposes.
NAIH/2020/1247. contacted the Customer with call no., which call the Customer made
according to the proof of the receipt, it was received by its authorized representative on January 31, 2020. Given that
that the Client did not respond to the Authority's call, and therefore the Authority again to make a statement
called the Customer. The Customer is authorized to call the Authority again by the receipt
according to his testimony, he received it on May 12, 2020, but did not respond to that Authority.
II.1.2. NAIH/2019/7264. investigation case no
In parallel with the above investigation procedure, NAIH/2019/7264 before the Authority. investigation on number
proceedings have been initiated against the Customer pursuant to Article 57 (1) Paragraph f) of the General Data Protection Regulation
point and Infotv. Based on § 38, paragraph (3), point a), since [….] (e-mail address: [...] ; the
hereinafter: Data subject 2) also objected to the Client's data management.
Data Subject 2 based on his right of access - electronically, in his letter sent to […]
requested information from the Customer in connection with the processed personal data, and also requested a
deletion of personal data on 20.03.2019. day after receiving a direct marketing e-mail
12/03/2019 on the day of To date, Data Subject 2 has not responded to requests submitted on the basis of his data subject rights
received a response from the Customer, however, despite his cancellation request, 10.03.2019, 10.2019. on day 07,
then on May 11, 2020 and October 31, 2020, you received another direct marketing e-mail
from the Customer.
In connection with the above, the Authority first - with reference to Infotv. Section 54, subsection (1) a)
and point c) - NAIH/2020/147/2. contacted the Customer with call no
the Customer's representative received it on January 10, 2020, as evidenced by the receipt.
Given that the Client did not respond to the Authority's call, the Authority a
NAIH/2020/1247/4. in invitation no. (repeated invitation) he was again asked to make a statement,
which repeated call is authorized by the Customer as evidenced by the receipt May 2020
It was received on the 12th, but the Customer did not respond to that either.
II.1.3. Closing investigative cases, initiating official data protection proceedings
Considering that the Client is the Authority NAIH/2020/1247. and NAIH/2020/147. test no
he did not respond to his calls in his proceedings, and for this reason it was assumed that he was
its data processing continues to harm Data Subject 1 and Data Subject 2 (hereinafter collectively: Data Subjects),
also the rights of other data subjects specified in the General Data Protection Regulation, and a
contained in the notifications made it likely that the General Data Protection Regulation was violated, a
Authority is Infotv. Based on § 55 (1) point ab) NAIH/2020/1247. and NAIH/2020/147.
closed its investigation procedures (hereinafter: previous investigation cases) and Infotv. 60.
On September 1, 2021, on the basis of paragraph (1) of §
of its general data management practices for the purpose of obtaining direct business with the Customer and
concerning the examination of the fulfillment of stakeholder requests.
II.2. At the request of the Authority, the Client - NAIH-6936-1/2021. No. and NAIH-6936-3/2021.
in its responses to orders no. - provided the following information:
For all bookings, the Customer requests that the guest request a price quote electronically
for the period for which you wish to book accommodation. With the Stakeholders being aware of this
the accommodation was booked electronically, - according to the Customer's point of view - at the same time
have accepted that the Customer has received their e-mails, thus their e-mails
accessed his address, and thus entered the "data bank" of the electronic mail program. Because of this
the Data Subjects received from the hotel circular, at the end of which, according to the Customer's statement
in all cases, it is written that if you do not wish to receive circulars from the Customer, please let us know and it will be deleted
from the register. In this regard, the Authority found that this is a contradiction
in background investigation cases attached by the concerned parties and sent to them by the customer
with the contents of the letters, because there was no indication in the letter of how they could have the
their personal data to the Data Subjects.
The Customer also referred to the fact that the Data Subjects via the Customer's website
they visited the Customer's hotel and booked through it, therefore it is general
terms and conditions (T&C) were accepted.
The Customer's executive stated that he had given instructions to delete the unsubscribers a
from the mailing list, however, for some reason this was not available for the concerned parties, probably the
Due to the lack of labor due to the COVID-19 epidemic, therefore to delete the personal data of the Data Subjects
did not take place. When the Customer's activity was restarted, the omission was corrected and deleted
Your personal data from your records.
The Customer disputes that it handled the personal data of the Data Subjects for direct business purposes.
In his opinion, the mail program automatically saves those electronic
the mailing address of those who have already sent an electronic mail to them is not considered data processing,
not even a database. If the Authority still considers this to be data processing, then it is
in this case, no data other than the electronic mail address is stored.
The Customer stated that he does not conduct marketing activities over the phone.
The Customer also made the observation that, in his opinion, since the procedure is the Data Subjects
was initiated based on his notification, therefore it cannot be considered a procedure initiated ex officio. Other offices
they do not initiate ex officio proceedings upon request or based on a report.
The Client attached the following to the Authority's request:
- the text of 2 circular emails containing offers operated by the Customer
for booking accommodation in a hotel, related care and health care
services. The e-mails also contain the price of the services, as well as 2 e-mails
in the case of unsubscribing from e-mail, you can read the information at the bottom of the letter
in connection.
- General Terms and Conditions for the year 2021 attached by the customer, which is the 20
there are provisions related to data protection in point "Protection of consumer interests,
under the heading "data protection".
II.3. Point 4 of the data management information on the Customer's website [...] contained the following
in the examined period, in connection with data processing for marketing purposes, the "newsletter
data management related to subscription" under the heading:
"Our company keeps in touch with its guests by means of a newsletter, to whom it is recommended
informs about its services, news and promotions related to its operation.
Controller of personal data: [...] Kft.
Purpose of data management: maintaining contact with potential hotel guests
Legal basis for data management: the consent of the data subject - Article 6 (1) point a) GDPR.
Designation of the legitimate interest: business-related with partners and hotel guests
maintenance and development
Scope of processed personal data: name, e-mail address
Duration of data management: our company manages e-mail addresses until you unsubscribe from the newsletter.
[...]"
II.5. The Authority NAIH-1091-1/2022. in order no., the Customer is fined HUF 150,000
obliged him to pay, and also repeatedly called him to make a statement in view of the fact that
The customer, with his behavior, is required to cooperate and provide data in the Ákr. and the GDPR
breached its obligation, as it did not provide full information despite repeated calls from the Authority
information.
In response to the above order of the Authority, the Client's legal representative stated the following:
Due to a misinterpretation due to incomplete knowledge of data protection concepts, the executive is wrong
made a statement about data management for the purpose of acquiring business. The Customer actually sent the
a letter explaining promotions to hotel guests, which, however, was not considered prohibited
for data management. The customer will delete the objectionable paragraph of the General Terms and Conditions.
The Customer was not aware of the data protection aspect of his activity, the legal basis is "that
they considered it a simple advertising activity'. The persons concerned gave it when checking in to the hotel
and their e-mail address after a verbal question about whether they can send them information about promotions
information notices. The e-mail addresses are in the mandatory hotel records
are included, a separate list of them has not been prepared. If the guest makes a reservation on the hotel's website
room, so the e-mail address is recorded in the inbox.
In the examined period, approx. The Customer sent 600 letters to hotel guests.
The Customer attached the program used for correspondence, its name and information about it
stated that for reasons unknown to him the e-mail addresses stored there were deleted from the system.
According to the Customer's statement, the Customer informed Data Subject 1 orally about the cancellation, who
he took note.
The Customer also verbally informed Data Subject 2 about the deletion.
The Customer was unable to prove with documents that the Data Subjects were guests of his hotel,
since the relevant data was deleted from its records for technical reasons.
III. Applicable legal regulations
Based on Article 2 (1) of the GDPR, the GDPR is required for data management in this case
apply.
Infotv. Pursuant to Article 55, Paragraph (1), the Authority shall initiate the investigation ex officio or
within two months from the date of receipt of the notification
ab) closes the investigation and initiates a data protection official procedure according to § 60.
Infotv. Enforcement of the right to the protection of personal data based on Section 60 (1).
in order to do so, the Authority initiates an official data protection procedure at the request of the data subject and
may initiate official data protection proceedings ex officio.
For data management under the scope of the GDPR, Infotv. According to Section 2 (2) of the GDPR, there
shall be applied with the additions contained in the specified provisions.
Pursuant to GDPR Article 4, point 1, "personal data": identified or identifiable natural
any information relating to a person ("data subject"); the natural person who
directly or indirectly, in particular an identifier such as name, number,
location data, online identifier or physical, physiological, genetic,
one or more factors related to your intellectual, economic, cultural or social identity
can be identified based on;
According to Article 4, point 2 of the GDPR, "data management": on personal data or data files
any action or actions performed by automated or non-automated means
totality, such as the collection, recording, organization, segmentation, storage, transformation or
change, query, insight, use, communication, transmission, distribution or otherwise
by way of making it available, coordination or connection, limitation,
deletion or destruction;
According to GDPR Article 4, point 7, "data controller": the natural or legal person, public authority
body, agency or any other body that determines the purposes of personal data management and
determines its assets independently or together with others; if the purposes and means of data management
determined by EU or Member State law, to designate the data controller or the data controller
relevant special aspects may also be determined by EU or member state law;
Based on GDPR Article 4, point 11, "data subject's consent": voluntary of the data subject's will,
specific and clear declaration based on adequate information by the data subject
indicates by a statement or by an act clearly expressing the confirmation that
gives his consent to the processing of his personal data;
Based on recital (44) of the GDPR, data processing is considered lawful if
it is necessary in the context of a contract or intention to enter into a contract.
Based on recital (47) of the GDPR, the data controller - including the data controller
to whom the personal data may be disclosed - or the legitimate interest of a third party is a legal basis
may create for data management, provided that the interests, fundamental rights and freedoms of the data subject are not
have priority, taking into account the data subject based on his relationship with the data controller
reasonable expectations. Such a legitimate interest can be discussed, for example, when it is relevant and
there is an appropriate relationship between the data subject and the data controller, for example in cases where
the data subject is a client of the data controller or is employed by it. The existence of a legitimate interest
in order to establish that, it is necessary to carefully examine, among other things, that it is
concerned at the time of collection of personal data and whether it can count in connection with it
reasonable that data management may take place for the given purpose. The interests of the person concerned and fundamental
rights may take precedence over the interest of the data controller if the personal data is such
it is handled in circumstances in which the persons concerned do not matter further
for data management. Since it is the task of the legislator to define in legislation that the public authority
bodies, on what legal basis can I process personal data, the legitimate interest of the data controller
a supporting legal basis cannot be used by public authorities in the performance of their duties
for data management. Personal data for the purpose of fraud prevention absolutely
its necessary processing is also considered the legitimate interest of the data controller concerned. Personal data
its handling for the purpose of obtaining direct business can also be considered based on a legitimate interest.
Pursuant to Article 5 (1) point a) of the GDPR, the processing of personal data is lawful and
must be carried out fairly and in a transparent manner for the data subject ("legality,
fair procedure and transparency');
Pursuant to Article 5 (1) point b) of the GDPR, the collection of personal data is only defined,
be done for a clear and legitimate purpose, and they should not be treated in conflict with these purposes
in a negotiable manner; in accordance with Article 89 (1) does not qualify as the original purpose
incompatible for the purpose of archiving in the public interest, scientific and historical research
further data processing for purposes or for statistical purposes ("target binding");
Based on Article 5 (2) of the GDPR, the data controller is responsible for paragraph (1).
for compliance and must be able to demonstrate this compliance ("accountability").
On the basis of Article 6 (1) of the GDPR, personal data is processed only when and to the extent that it is
legal if at least one of the following is met:
a) the data subject has given his consent to the processing of his personal data for one or more specific purposes
for its treatment;
b) data management is necessary for the performance of a contract in which the data subject is one of the parties,
or to take steps at the request of the data subject prior to the conclusion of the contract
required;
c) data management is necessary to fulfill the legal obligation of the data controller;
d) the data processing is for the vital interests of the data subject or another natural person
necessary for its protection;
e) data processing is in the public interest or the data controller is authorized by a public authority
necessary for the execution of a task performed in the context of its exercise;
f) data management to enforce the legitimate interests of the data controller or a third party
necessary, unless the interests of the data subject take precedence over these interests
or fundamental rights and freedoms that require the protection of personal data,
especially if a child is involved.
Pursuant to Article 7 (1) of the GDPR, if data processing is based on consent, it
data controller must be able to prove that the data subject's personal data
contributed to its treatment.
Based on Article 12 (1) – (4) of the GDPR:
(1) The data controller shall take appropriate measures in order to ensure that the data subject a
all the information referred to in Articles 13 and 14 regarding the management of personal data
and 15-22. and each information according to Article 34 is concise, transparent, comprehensible and easy
provide it in an accessible form, clearly and comprehensibly worded, especially a
for any information addressed to children. Information in writing or otherwise
- including, where applicable, the electronic route - must be provided. Oral at the request of the person concerned
information can also be provided, provided that the identity of the person concerned has been verified in another way.
(2) The data controller facilitates the relevant 15-22. the exercise of his rights according to art. Article 11 (2)
in the cases referred to in paragraph 15-22, the data controller is the person concerned. to exercise his rights according to art
may not refuse to fulfill your request, unless you prove that the person concerned
cannot be identified.
(3) The data controller without undue delay, but in any case from the receipt of the request
informs the person concerned within one month of the 15-22. following a request according to art
on measures taken. If necessary, taking into account the complexity of the request and the
number of applications, this deadline can be extended by another two months. The deadline
request for an extension by the data controller indicating the reasons for the delay
informs the person concerned within one month of receipt. If the data subject is electronic
submitted the application via e-mail, the information must be provided electronically if possible,
unless the data subject requests otherwise.
(4) If the data controller does not take measures following the data subject's request, without delay, but
informs the person concerned no later than one month from the date of receipt of the request
about the reasons for the failure to take action, as well as about the fact that the person concerned can submit a complaint to a
with a supervisory authority, and can exercise his right to judicial redress.
Based on Article 15 (1) of the GDPR, the data subject is entitled to receive confirmation from the
data controller as to whether his or her personal data is being processed, and if such data
processing is in progress, is entitled to access the personal data and the following information:
a) the purposes of data management;
b) the categories of personal data concerned;
c) the recipients or categories of recipients to whom the personal data has been or will be
communicated, including in particular recipients in third countries or international organizations;
d) where appropriate, the planned period of storage of the personal data or, if this is not
possible, the criteria for determining this period;
e) the data subject's right to request from the data controller the rectification, deletion or
restriction of processing of personal data relating to him or her, and to object to the processing
of such personal data;
f) the right to submit a complaint addressed to a supervisory authority;
g) if the data were not collected from the data subject, all available information about their
source;
Based on Article 17 (1) of the GDPR, the data subject is entitled to request that the data controller
delete the personal data concerning him or her without undue delay, and the data controller
is obliged to delete the personal data concerning the data subject without undue delay
if any of the following reasons apply:
a) the personal data are no longer needed for the purpose for which they were collected or otherwise
processed;
b) the data subject withdraws the consent that forms the basis of the data management pursuant to
point a) of Article 6 (1) or point a) of Article 9 (2), and the data management has no
other legal basis;
c) the data subject objects to the data processing on the basis of Article 21 (1), and there is no
overriding legitimate reason for data processing, or the data subject objects to the data processing
on the basis of Article 21 (2);
d) the personal data were handled unlawfully;
e) the personal data must be deleted to fulfill a legal obligation prescribed by EU or member state
law applicable to the data controller;
f) the personal data were collected in connection with the offering of information society
services referred to in paragraph 1 of Article 8.
Based on Article 17 (3) of the GDPR, paragraphs (1) and (2) do not apply if
data management is necessary:
[…]
b) for the fulfillment of an obligation under EU or Member State law applicable to the data controller
which prescribes the processing of personal data, or for the performance of a task carried out in the
public interest or in the exercise of official authority vested in the data controller;
[…]
Based on Article 21 (1) of the GDPR, the data subject is entitled to object at any time, for reasons
related to his or her own situation, to the processing of his or her personal data based on point e)
or f) of Article 6 (1), including profiling based on the aforementioned provisions.
In this case, the data controller may no longer process the personal data, unless
the data controller proves that the data processing is justified by compelling legitimate reasons
which take precedence over the interests, rights and freedoms of the data subject, or
which are related to the submission, enforcement or defense of legal claims.
Pursuant to Article 21 (4) of the GDPR, the attention of the data subject must be specifically drawn
to the right referred to in paragraphs (1) and (2) no later than during the first contact with the
data subject, and the relevant information must be displayed clearly and separately from all other
information.
According to Article 77 (1) of the GDPR, all data subjects have the right to file a complaint
with a supervisory authority if, in the opinion of the data subject, the handling of personal data
relating to him/her violates the GDPR.
Article 58(2)(b), (d) and (i) of the GDPR: Acting within its corrective powers, the supervisory
authority:
b) condemns the data manager or the data processor if its data management activities
violated the provisions of this regulation;
d) instructs the data manager or the data processor to bring its data management operations - where
applicable in a specified manner and within a specified period of time - into line with the
provisions of this regulation;
i) imposes an administrative fine in accordance with Article 83, depending on the circumstances of
the given case, in addition to or instead of the measures mentioned in this paragraph;
According to Infotv. § 38, paragraph (2), the Authority is responsible for monitoring and promoting
the enforcement of the right to the protection of personal data and the right to access data of
public interest and data public on grounds of public interest, as well as facilitating the free flow
of personal data within the European Union. According to paragraph (2a) of the same §, the tasks and
powers established in the GDPR for the supervisory authority are exercised by the Authority with
respect to legal entities under the jurisdiction of Hungary, as defined in the GDPR and this law.
According to Infotv. Section 60 (1), in order to enforce the right to the protection of personal
data, the Authority may initiate an official data protection procedure ex officio.
According to Infotv. § 61, paragraph (1), point a), in its decision made in the official data
protection procedure, the Authority can apply the legal consequences defined in the GDPR in
connection with the data management operations defined in Infotv. § 2, paragraph (2).
In the absence of a different provision of the GDPR, the provisions of Act CL of 2016 on general
administrative regulations (hereinafter: Ákr.) shall be applied to the data protection authority
procedure initiated upon the request, with the deviations specified in Infotv.
Based on Ákr. Section 10 (1), the customer is a natural or legal person or other
organization whose right or legitimate interest is directly affected by the case, about whom (which)
the official register contains data, or who (which) is subject to official control.
Based on Ákr. § 80, subsection (1), the decision is a decision or an order. The authority - with
the exception specified in paragraph (4) - makes a decision on the merits of the case; other
decisions made during the procedure are orders.
Pursuant to Infotv. § 75/A, the Authority exercises its powers under Article 83 (2)-(6) of the
General Data Protection Regulation in accordance with the principle of proportionality,
in particular by acting, in case of a first violation of the regulations on the handling of personal
data defined in law or in a mandatory legal act of the European Union, primarily with a warning of
the data manager or data processor in order to remedy the violation, in accordance with Article 58
of the General Data Protection Regulation.
On the basis of Infotv. § 71, paragraph (2), a document, data or other means of proof legally
obtained by the Authority during its procedures can be used in other proceedings.
IV. Decision of the Authority
During the clarification of the facts, the Authority used the previous cases as evidence
based on Infotv. § 71, paragraph (2).
IV.1. The Customer's activity and status as data controller
According to the company registry, the Customer's main activity is hotel services; its other
activities include holiday and other temporary services, restaurants and mobile catering.
The Authority established that, in the data management investigated in this case, the Customer
independently determines the purpose and means of data management in connection with its
above-mentioned activities; therefore, based on Article 4, point 7 of the GDPR, it is an independent
data controller.
IV.2. Electronic mail address as personal data and its storage as data management
Pursuant to Article 4, point 1 of the GDPR, the electronic mail address of a private individual
is considered personal data. Based on Article 4, point 2 of the GDPR, any operation or set of
operations performed on personal data is considered data processing, i.e. when the Customer stores
the address, uses it and sends circular emails to it, it performs data management.
IV.3. Data processing for the purpose of direct business acquisition and its legal basis
IV.3.1. Informing data subjects
If the personal data concerning the data subject is collected from the data subject, the data
controller must, in order to ensure fair and transparent data management, provide the data subject
at the time of obtaining the personal data with detailed information on what is set out in
Article 13 (1) of the GDPR.
Recital (39) of the GDPR and Article 5 (1) point a) of the GDPR stipulate that
information on data management must be transparent and must be made available to those concerned
in an appropriate manner (e.g. on the website of the data controller), taking into account the
possible additional conditions of the chosen legal bases.
Article 12 of the GDPR defines the formal requirements that data controllers must observe
when they enable and ensure the exercise of data subject rights, including
prior information of those concerned. Based on this, data controllers must provide
all relevant information on the management of personal data in a concise, transparent,
understandable and easily accessible form, clearly and comprehensibly. This must be made available
to those concerned in an appropriate manner (e.g. on the data controller's website), taking into
account the possible additional conditions of the chosen legal grounds. The Customer referred to
the fact that the Data Subjects had read and accepted the General Terms and Conditions,
and so had also consented to the processing of their personal data.
According to the Guidelines on transparency (hereinafter: Guidelines), adopted by the Data
Protection Working Group established on the basis of Article 29 of Directive 95/46/EC to facilitate
the application and interpretation of the GDPR, data controllers must provide the information
required by the GDPR in a "concise, transparent, comprehensible and easily accessible" manner.
"This information must be clearly separated from other information not related to data protection,
for example, from contractual provisions or general terms and conditions." (Point 8 of the
Guidelines)
According to the Guidelines, the "easily accessible" criterion is met if the data controller
places the information on the website in such a way that the person concerned does not have to
search for it and it can be accessed with one click, for example under the heading "Privacy",
"Privacy notice" or "Privacy declaration". (Point 11 of the Guidelines)
To meet the requirement of transparent information, the data controller must also clearly define
the purpose and legal basis of the processing of personal data in the information sheet,
and so avoid the use of 'abstract' or 'ambiguous' expressions.
According to the Authority's findings, the General Terms and Conditions referred to by the Customer
did not and do not contain provisions on data management, as - as the name suggests - they are
general terms and conditions.
The Customer's website contained its data management information sheet, which was examined by the
Authority. The Authority found that, in connection with data management for newsletters, the sheet
mentions two separate legal bases, points a) and f) of Article 6 (1) of the GDPR. The Customer
expressly referred to point a) of Article 6 (1) of the GDPR, and also indicated legitimate interest:
it did not specifically name it as a legal basis, but it named its legitimate interest ("maintenance
and development of business relationships established with partners and hotel guests"). However,
this is not acceptable, because if data processing is performed with reference to GDPR Article 6 (1)
point a), then it is unnecessary and at the same time misleading to refer to a legitimate interest.
The Customer must choose one of the two legal bases, given that each legal basis requires different
conditions, as explained above. If the Customer designates a legal basis before the start of data
management, then the entire data management process must be aligned with it, which in this case
means that, for data processing based on consent, reference to legitimate interest is not acceptable.
The purpose indicated by the Customer was not properly established either, as the goal of sending
a newsletter is not to "keep in touch with potential hotel guests" but to provide information about
current offers, so direct business acquisition is the actual goal.
In the Authority's opinion, by failing to provide clear information regarding the purpose and legal
basis, the Customer violated Article 12 (1) of the GDPR, as it gave clear information neither in
the GTC it refers to nor in the data management information on its website.
IV.3.2. Data subject consent and legitimate interest as the legal basis for data management
Article 6 (1) of the GDPR regulates the legal grounds, including the data subject
consent and legitimate interest.
IV.3.2.1. Data processing for the purpose of direct business acquisition can also be carried out
with the consent of those concerned, i.e. on the basis of point a) of Article 6, paragraph (1) of
the GDPR.
In the case of data processing for marketing purposes based on Article 6 (1) point a) of the GDPR,
it is an essential condition under Article 4, point 11 of the GDPR that the data subjects have
adequate information about the data management conditions before making their decision on granting
consent, and that they clearly declare their consent. The fact that those concerned must have
adequate information means that the information given to them must be clear and unambiguous, and
must have content in accordance with Article 13 of the GDPR. The additional requirement
that the persons concerned must clearly declare their consent means that the consent
must be specific, so it must apply to data processing related to a specific purpose.
Due to what is set out in point III.3.2., the condition under point 11 of Article 4 of the GDPR
that consent must be based on adequate information could not be fulfilled, because
the Client provided conflicting information to those concerned about the legal basis.
The Customer did not comment on whether subscribing to the newsletter brought any advantage,
as it denied data processing for marketing purposes at the beginning of the procedure, despite the
fact that the data management information on its website specifically provides for this as well.
Later, in the statement given to the Authority by its legal representative, the Customer admitted
that "[…] The Ltd. really did send a letter describing special offers to old and satisfied hotel
guests,...[…]".
The Authority notes that the guidelines issued under the number WP259, adopted by the Data
Protection Working Group established under Article 29 of Directive 95/46/EC, impose strict
requirements for the exercise of free will; therefore, if subscribing to the newsletter
provides some advantage, the extent to which that advantage influences voluntariness must be
examined individually. The granting of the benefit cannot in any way limit the rights of those
concerned under the GDPR (opt-out, right to erasure). This means that promotions
cannot be addressed exclusively to subscribers to the newsletter.
The Authority further established that on the interface where the reservation could be submitted,
despite the fact that the data management information indicated consent as the legal basis for
data management for marketing purposes, the Customer did not place a separate checkbox for data
management for direct marketing purposes, even though this is an independent purpose and consent
must be obtained separately for each purpose.
Based on the above, the Authority therefore established that the legal basis under Article 6 (1)
point a) of the GDPR does not exist, as there is no consent pursuant to Article 4, point 11 of the
GDPR for the Customer's data management for the purpose of direct business acquisition.
IV.3.2.2. In addition to Article 6 (1) point a) of the GDPR, the Customer also referred to a
legitimate interest in point 4 on its website, as follows:
"[…]
Legal basis for data management: the consent of the data subject - Article 6 (1) point a) GDPR.
Designation of legitimate interest: maintenance and development of business relationships
established with partners and hotel guests
[...]"
However, the Client did not refer to the above in its statement sent to the Authority, and despite
the Authority's express request, it did not specify a legal basis for data processing for marketing
purposes, since it initially disputed that it was conducting such data management; the Client's
legal representative acknowledged it only in the statement sent at the Authority's repeated request.
It can be evaluated as a contradiction in the Customer's statement that it first referred to the
fact that those concerned provided their e-mail address when checking in to the hotel,
after a verbal question as to whether notifications about promotions could be sent to them, and then
cited that the email addresses are in "mandatory hotel records".
Based on this, it indicated data management for the purpose of direct business acquisition as one
data management purpose, and then referred to the fact that the e-mail addresses are included in
mandatory records, so fulfilling the retention obligation would be the other purpose; however,
it did not even indicate the legislation regarding the records. Another contradiction is that it
also stated that the Customer finally deleted the e-mail addresses and that all e-mail addresses
were deleted from its records, which contradicts the possible retention obligation. If
the Customer really had an obligation to keep e-mail addresses, then
it could manage those e-mail addresses only in order to fulfill its retention obligation, and not
for the purpose of direct business acquisition, i.e. for the purpose of sending newsletters, if the
Customer cannot verify consent according to the GDPR or its legitimate interest in this regard,
and in these cases, not even if the Customer requests that the
hereinafter newsletters.
If the Customer performs data processing for the purpose of direct business acquisition with
reference to a legitimate interest, then based on recital (47) of the GDPR it must be supported
by a consideration of interests. The Customer's website also refers to the legitimate interest,
which may be acceptable if a consideration of interests is available, but the Customer did not
attach one, nor did it refer to one. The data controller is responsible for the legality of the
data management it carries out. It follows from the nature of the legal basis under point f) of
Article 6 (1) of the GDPR that the data controller who refers to a legitimate interest
must be able to indicate precisely which legitimate interest of the data controller the processing
of the specific personal data serves and why the data management is necessary in view of this
interest, and must at the same time verify and prove that this interest takes priority
over the legitimate interest of the person concerned and his right to the protection of personal data.
In this context, the Authority emphasizes that data management for marketing purposes is
of a special nature. This is reflected in Article 21 (2) of the GDPR, according to which the data
subject may object at any time to the processing of personal data relating to him for the purpose
of direct business acquisition, and if he has done so, the personal data can no longer be processed
for this purpose. In such cases, therefore, the data controller has no discretion as to whether or
not to delete the personal data against the processing of which the data subject objected.
Based on points IV.3.2.1. and IV.3.2.2., the Authority determined that the Client handled the
personal data of the Data Subjects and other guests illegally, violating Article 6 (1) of the GDPR,
because it did not verify to the Authority the consent according to Article 4, point 11 of the GDPR,
nor did it substantiate its legitimate interest with a consideration of interests.
IV.3.3. Principle of accountability, lack of proof of consent and legitimate interest
An essential condition for the legality of data management is that it has an appropriate legal
basis.
Article 6 of the GDPR provides for the possible legal bases for processing personal data, i.e.
the cases in which data management can be legal, as long as it complies with the other provisions
of the General Data Protection Regulation; such a legal basis may be - among others - the consent
of the person concerned.
The GDPR does not contain any restrictions on the form of consent; it only defines the
requirements for its validity: a voluntary, specific and clear declaration of intent based on
appropriate information, by which the data subject indicates, through a statement or an
unmistakably expressive act of confirmation, that he gives his consent to the management of
personal data concerning him.
Based on Article 7 (1) of the GDPR, if data processing is based on consent, the
data controller must be able to prove that the data subject consented to the processing of his
personal data.
Therefore, if the legal basis of the data management is consent according to Article 6 (1)
point a) of the GDPR, the data controller must be able to prove that it has obtained valid consent
from the data subject, i.e. that the data subject has given his consent to the data management.
Despite the Authority's express invitation, the Client did not attach a document which
would support that the data subjects gave their consent to the data management, and thereby
violated Article 7 (1) of the GDPR.
The condition for data processing with reference to Article 6 (1) point f) of the GDPR, i.e.
legitimate interest, is that the Customer justifies the priority of its legitimate interests with
a consideration of interests, in accordance with recital (47) of the GDPR. However, the Customer
did not forward its assessment of interests to the Authority, thereby violating Article 5 (2) of
the GDPR, i.e. the principle of "accountability".
IV.3.4. Fulfilling data subject requests
IV.3.4.1. Deletion of personal data and objection to the processing of personal data
In the case of data processing pursuant to Article 6 (1) point f) of the GDPR, the data subject
can exercise the right according to Article 21 (2) of the GDPR,
and in the case of data processing on the legal basis according to Article 6 (1) point a) of the
GDPR, the data subject can withdraw consent to data management.
In the investigation procedures prior to the official procedure, the Data Subjects stated that
they had objected to the processing of their personal data and wanted to unsubscribe from the
newsletters. They supported this with attached documents. The Client did not dispute the Data
Subjects' unsubscription from the newsletter either; it admitted this in the statement sent to the
Authority in the official data protection procedure.
As a general rule, based on paragraphs (1)-(3) of Article 12 of the GDPR, the data controller is
obliged within one month to provide transparent and comprehensible information in response to data
subject requests and to fulfill them, or, in case of non-performance, to provide information on the
reason for the non-performance.
Based on Article 12 (4) of the GDPR, if the data controller does not take measures following the
data subject's request, it informs the person concerned without delay, but no later than one month
from the date of receipt of the request, about the reasons for not taking the measure, as well as
about the fact that the person concerned can file a complaint with a supervisory authority and
exercise the right to judicial remedy.
According to the Customer's statement, the Customer probably did not respond due to an
administrative error arising from the situation caused by the COVID-19 (coronavirus) epidemic.
Pursuant to Article 4, point 7 of the GDPR, a data controller is a natural or legal person […] that a
determines the purposes and means of processing personal data independently or together with others
[…]2.
According to the Authority's point of view, the argument regarding an administrative error does not
exempt the Customer from data controller responsibility, given that pursuant to Article 4, point 7
of the GDPR the Customer is considered a data controller. The Customer is the one who organizes the
data management process and creates its conditions. The most important characteristic of the data
controller is that it has substantive decision-making authority and is responsible for fulfilling
all data management obligations laid down in the general data protection regulation. In those cases
when a specific natural person is appointed to ensure compliance with the data protection principles
or to process personal data, this person will not be a data controller,
but acts on behalf of the legal entity (company or public body) which,
in its capacity as a data controller, remains responsible in the event of a violation of the
principles.
The Customer stated that, after its default, it complied with the Data Subjects' request and deleted
the electronic mail addresses. However, despite the Authority's express request, the Client did not
attach a document that would support this statement, i.e. that the data subjects were informed
about the fulfillment of their data subject request in accordance with Article 12 of the GDPR.
In the statement sent to the Authority, the Customer only referred to the fact that it had
"spoken" with Data Subject 1; however, this does not comply with the provisions of GDPR
Article 12 (1) and GDPR Article 5 (2), and it did not even mention Data Subject 2.
Based on GDPR Article 17 (1) points b), c), d), the Customer is obliged to delete the e-mail
addresses at the request of the data subjects, as they must be deleted if the data subjects withdraw
their consent, or if, in the case of an e-mail address managed with reference to a legitimate
interest, the data subject objects and there is no overriding legitimate reason for data processing,
and also if the personal data was handled illegally. In the present case, the Authority established
that the Customer handled the e-mail addresses of the data subjects illegally and without legal
basis, therefore there is an obligation to delete based on Article 17 point d) of the GDPR. Given
that the Data Subjects indicated that they do not want to receive newsletters in the future, the
Customer should have deleted the addresses automatically on this basis.
2 GDPR Article 4.7 "data controller": the natural or legal person, public authority, agency or any
other body that determines the purposes and means of processing personal data independently or
together with others; if the purposes and means of data management are determined by EU or member
state law, the data controller or the special criteria for designating the data controller
can also be determined by EU or member state law;
Due to the above, the Authority determined that the Customer violated Article 12 (1) - (4) of the
GDPR, as it did not comply with the deletion request of the Data Subjects. The Customer deleted the
personal data processed for marketing purposes only after the initiation of the official data
protection procedure, so in this case it managed (stored and used) the personal data for a long
time even after the submission of data subject requests requiring automatic deletion. Furthermore,
it did not prove that after the deletion took place it notified the Data Subjects of this in
writing; it only sent a statement about it.
IV.3.4.2. Access request
According to the documents of the investigation procedure initiated by Data Subject 2, Data Subject 2
also submitted an access request to the Customer on 20.03.2019. Data Subject 2 did not receive a
response from the Customer to the request submitted on the basis of the data subject's right.
Based on Article 15 (1) of the GDPR, the data subjects are entitled to request information about
the circumstances of the processing of their personal data, and thus, based on Article 15 (1)
point g), also about the source of their personal data.
Despite the Authority's express request, the Customer did not make a statement about the
non-fulfillment of the access request submitted by Data Subject 2 or the reason for it, and it did
not substantiate that it had fulfilled this request either, despite the fact that it would be
obliged to do so based on the principle of accountability under Article 5 (2) of the GDPR.
As a general rule, based on paragraphs (1)-(3) of Article 12 of the GDPR, the data controller must,
within one month, provide transparent and understandable information in response to data subject
requests, including access requests in accordance with the GDPR, and fulfill them, or, in case of
non-fulfilment, provide information on the reason for the non-fulfilment.
Given that the Customer did not prove that it had fulfilled Data Subject 2's access request,
the Authority found that it also violated the provisions of Article 12 (1) – (4) of the GDPR
in this context.
IV.3.5. According to the Customer's observation, there would have been no reason to initiate this procedure,
or it should have been terminated after deleting the Data Subjects' personal data.
Considering that the Client did not respond to the Authority's calls in investigation procedures
No. NAIH/2020/1247. and NAIH/2020/147., and for this reason it could be assumed that its
data processing may still violate the Data Subjects' rights under the General Data Protection
Regulation, and the reports made violations of the General Data Protection Regulation
probable, the Authority closed its investigation procedures NAIH/2020/1247. and NAIH/2020/147.
based on Infotv. § 55 (1) point ab), and based on Infotv. § 60, paragraph (1)
initiated ex officio a data protection official procedure against the Client concerning the
investigation of its general data management practices for direct business acquisition and the
fulfillment of data subject requests.
The Authority also informed the Client of the above in its order No. NAIH-6936-1/2021.,
where it also highlighted that the official data protection procedure was initiated on the basis of
Infotv. § 55, paragraph (1), point ab) and Infotv. § 60, paragraph (1).
The official data protection procedure initiated ex officio was therefore preceded by an
investigation procedure started on the basis of the reports, which ended unsuccessfully due to the
Customer's lack of cooperation.
Neither Ákr. nor Infotv. contains a provision that the procedure must be terminated
for the reason cited by the Customer.
IV.4. Legal consequences
The Authority condemns the Customer based on Article 58 (2) point b) of the GDPR, because
violated:
- Article 6 (1) of the GDPR,
- Article 5 (2) of the GDPR,
- Article 7 (1) of the GDPR,
- Paragraphs (1) – (4) of Article 12 of the GDPR and
- Article 15 (1) and Article 17 (1) of the GDPR.
Above all, the Authority took into account that the violations committed by the Customer are GDPR
According to points a) and b) of Article 83, paragraph (5), belonging to the higher fine category
are considered a violation of law.
When imposing the fine, the Authority took into account the following aggravating factors:
- The violation related to the lack of information, and the related data management without a
legal basis, concerns the Customer's data management practices and has existed for a long time,
since the Customer's violation of the Stakeholders' rights has existed since the stakeholder
requests sent in 2019, and on the basis of the information on the Customer's website and the
Customer's statement it can be established that it did not change its practice in the meantime,
and, according to the Customer's statement, it sent approx. 600 letters to hotel guests during the
examined period (Article 83 (2) point a) of the General Data Protection Regulation).
- The Customer did not show cooperative behavior during the official data protection procedure
either, because, despite the Authority's express request, it did not make a statement on every
circumstance important for clarifying the facts, which made it difficult to clarify the facts, so
several invitations had to be sent to it (Article 83 (2) point f) of the General Data Protection
Regulation).
When imposing the fine, the Authority took into account the following mitigating factors:
- The Customer has not been condemned for a violation of the General Data Protection Regulation
(Article 83 (2) points e) and i) of the General Data Protection Regulation).
- When imposing the fine, the Authority considered as a mitigating circumstance that during the
procedure it exceeded the administrative deadline of one hundred and fifty days under
Infotv. § 60/A (1) (Article 83 (2) point k) of the GDPR).
Based on the nature of the violation, namely the violation of the principles of data management,
the upper limit of the fine that can be imposed is EUR 20,000,000 based on Article 83 (5) point a)
of the General Data Protection Regulation, or a maximum of 4% of the total world market turnover
of the previous financial year (Article 83 (5) point a) of the General Data Protection Regulation).
Based on the Customer's 2021 profit and loss statement, its profit before tax was HUF 5,942,000.
When determining the amount of the fine imposed, the Authority was mindful, in addition to the
purpose of special prevention, of the general preventive goal to be achieved with the fine, with
which, in addition to deterring the Customer from further infringement, it wants to move the data
management practices of all market participants in the direction of legality. Namely, the
appropriate designation and verification of the legal basis, as well as the enforcement of
stakeholder rights, is a fundamental requirement, which data controllers must in all cases properly
certify, and whose exercise they must facilitate.
A. Other questions
The competence of the Authority is defined by paragraphs (2) and (2a) of Infotv. § 38, and its
competence covers the territory of the entire country.
Pursuant to Ákr. § 112, § 116 (1) and § 114 (1), a legal remedy is available against the decision
and the order through a public administrative lawsuit.
* * *
The rules of the administrative trial are defined by Act I of 2017 on the Administrative Procedure
(hereinafter: Kp.). Based on Kp. § 12 (1), the administrative lawsuit against the decision of the
Authority falls within the jurisdiction of the court; based on Kp. § 13 (3) point a) subpoint aa),
the Metropolitan Court is exclusively competent for the lawsuit. Based on Kp. § 27 (1) point b),
legal representation is mandatory in a lawsuit falling within the jurisdiction of the court.
According to Kp. § 39 (6), the submission of a claim does not have the effect of postponing the
entry into force of the administrative act.
According to Section 9 (1) point b) of Act CCXXII of 2015 on the general rules of electronic
administration and trust services (hereinafter: E-Administration Act), applicable pursuant to
Kp. § 29 (1) and, in view of this, Pp. § 604, the customer's legal representative is obliged to
maintain electronic contact.
The place and time of submitting the statement of claim are defined by Kp. § 39 (1). The
information on the possibility of a request to hold a hearing is based on Kp. § 77 (1) - (2).
The amount of the fee for the administrative lawsuit is defined by Section 45/A (1) of Act XCIII
of 1990 on fees (hereinafter: Itv.). Itv. § 59 (1) and § 62 (1) point h) exempt the party
initiating the procedure from the advance payment of the fee.
If the Customer does not adequately certify the fulfillment of the prescribed obligation, the
Authority shall consider that the obligation has not been fulfilled within the deadline. According
to Ákr. § 132, if the obligated party has not complied with the obligation contained in the final
decision of the authority, it can be enforced. According to Ákr. § 82 (1), the Authority's decision
becomes final with the communication. Pursuant to Ákr. § 133, enforcement, unless otherwise
provided by law or government decree, is ordered by the decision-making authority. Pursuant to
Ákr. § 134, the execution, unless a law, government decree or, in the case of a municipal
authority, a local government decree provides otherwise, is undertaken by the state tax authority.
Based on Infotv. § 60 (7), the implementation of the decision regarding the obligation to carry out
a specific act included in the Authority's decision, or to conduct, tolerate or stop specified
conduct, is undertaken by the Authority.
dated: Budapest, according to the electronic signature
Dr. Attila Péterfalvi
president
c. university teacher