NAIH (Hungary) - NAIH/4410-1/2023

| NAIH - NAIH/4410-1/2023 | |
|---|---|
| Authority: | NAIH (Hungary) |
| Jurisdiction: | Hungary |
| Relevant Law: | Article 6(1)(f) GDPR; Article 13(1) GDPR; Article 13(2) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 28.04.2023 |
| Published: | |
| Fine: | 50,000 HUF |
| Parties: | n/a |
| National Case Number/Name: | NAIH/4410-1/2023 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Hungarian |
| Original Source: | NAIH (Hungary) (in HU) |
| Initial Contributor: | n/a |
The Hungarian DPA found that a solarium studio could not rely on legitimate interests under Article 6(1)(f) GDPR when it had not carried out a balancing of interests test. The studio was also found to breach Articles 13(1) and (2) GDPR by only providing printed information on the processing at the studio's front desk.
English Summary
Facts
The Hungarian data protection authority initiated an ex officio investigation into a solarium studio's (the controller) processing operations through video surveillance. The controller claimed that it had a legal basis under Article 6(1)(f) GDPR for carrying out the camera surveillance on the premises in order to, inter alia, protect its property. However, despite the DPA's multiple requests, the controller did not provide any balancing of interests test, nor did it make any statement to the authority that such a document existed. Furthermore, the controller claimed that printed privacy notices were available to the solarium studio's customers at the front desk from the receptionist. With regard to its employees, the controller claimed that it had provided information on the processing operations orally and within the job descriptions. However, the controller did not provide the authority with evidence supporting those claims.
Holding
The DPA emphasised that a controller is required to carry out a prior written balancing of interests test in order to rely on legitimate interests pursuant to Article 6(1)(f) GDPR. Because the controller had not provided a balancing of interests test, the DPA concluded that the controller could not rely on legitimate interest as a legal basis under Article 6(1) GDPR. Furthermore, the DPA noted that even if a balancing of interests test had been carried out, the processing as established would not have been justified by legitimate interests. The controller demonstrated neither the suitability of the cameras in question for their purpose, which was presumably the protection of property, nor their proportionality. The DPA took the view that, from a security point of view, other available solutions (e.g. lock, padlock, window bars, safe, alarm, motion detector, security guard, etc.) may in some cases provide more security than camera-based processing. Since, according to the controller, the information on the processing operations was only made available to the data subjects using the service on paper, on the spot and upon explicit request, the DPA found that no adequate information on the processing was available to the data subjects. Furthermore, the DPA noted that the controller had not demonstrated that the same information was provided to its employees. As a result of the investigation, the DPA found that the controller infringed Article 6(1) GDPR and Article 13(1) and (2) GDPR. A fine of HUF 50,000 (approx. €130) was imposed on the controller.
The cameras' angles of view were set up in such a way that, for example, the employee's workstation was under constant surveillance, some cameras had a complete view of a tanning machine, and the customers using the service were unable to move out of the cameras' view. The DPA also noted that the controller had not implemented masking of the areas that were not relevant to the purpose of the surveillance, nor filtering of the observed area by IT means.
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
File number: NAIH/4410-1/2023
Subject: decision and procedural fine
Background: request for release in case NAIH/2866/2022; rejection order
Administrator: (...)

The National Authority for Data Protection and Freedom of Information (hereinafter: Authority), in the official data protection procedure launched ex officio to investigate whether the processing of natural persons' personal data by (…) (head office: (…); hereinafter: "Client" or "Company") in connection with the cameras operated in the solarium studio at (…), operating under (…) (hereinafter: premises), complies with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: "GDPR" or "General Data Protection Regulation"), makes the following decisions.

1. In its decision, the Authority finds that the examined data processing violated
1.1. Article 6(1) of the GDPR;
1.2. Article 13(1)-(2) of the GDPR,
and reprimands the Company for the violations established above.

No administrative appeal lies against the decision, but it may be challenged in an administrative lawsuit by a statement of claim addressed to the Metropolitan Court within 30 days of its notification. The statement of claim must be submitted electronically to the Authority, which forwards it to the court together with the case documents. A hearing may be requested in the statement of claim. For those not entitled to full personal exemption from fees, the fee for the administrative lawsuit is HUF 30,000; the lawsuit is subject to the right to record (defer) the fee. Legal representation is mandatory in the proceedings before the Metropolitan Court.

2. In its order, the Authority rejects the Company's request for the waiver or reduction of the procedural fine and at the same time calls on the Company to pay the procedural fine of HUF 50,000 (i.e. fifty thousand forints) imposed in the order with file number NAIH/2866-3/2022 immediately, but at the latest within 15 working days of receipt of this order. No administrative appeal lies against the order, but it may be challenged in an administrative lawsuit by a statement of claim addressed to the Metropolitan Court within 30 days of its notification. The statement of claim must be submitted electronically to the Authority, which forwards it to the court together with the case documents. A hearing may be requested in the statement of claim. For those not entitled to full personal exemption from fees, the fee for the administrative lawsuit is HUF 30,000; the lawsuit is subject to the right to record (defer) the fee. Legal representation is mandatory in the proceedings before the Metropolitan Court.

***

In connection with point 2 above (procedural fine), the Authority provides the following information:

The fine must be paid by bank transfer to the forint account of the Authority's centralized revenue collection target account (10032000-01040425-00000000 Centralized direct debit account; IBAN: HU83 1003 2000 0104 0425 0000 0000). When transferring the amount, the reference "NAIH 4410/2023 FEES." must be indicated.

1055 Budapest, Falk Miksa utca 9-11. Tel.: +36 1 391-1400, Fax: +36 1 391-1410, ugyfelszolgalat@naih.hu

The fine may be paid by the payment methods listed in § 28 point a) subpoint aa) (transfer), point b) subpoint bb) (cash payment to a payment account) and point c) (payment method without a payment account, in particular cash transfer) of the (XII. 14.) MNB Decree. Chapter VI of the same decree applies to the fulfilment of the obligation, with the proviso that there is no possibility to pay the fine in the Authority's building. If the Company does not fulfil its obligation to pay the fine within the deadline, it must pay a late fee.
The amount of the late fee is the statutory interest, which is equal to the central bank base rate valid on the first day of the calendar half-year affected by the delay. The late fee must be paid to the Authority's forint account for the collection of centralized revenues (10032000-01040425-00000000 Centralized direct debit account). If the Company does not pay the procedural fine within the above deadline, the Authority orders the recovery of the fine and the late fee and entrusts their enforcement to the tax authority.

JUSTIFICATION

I. Facts

(1) On 10.01.2019 the Authority received a notification in which the notifier objected to the Company's data processing with the cameras installed at the above location. Given that the facts could not be established in the investigation procedure initiated on this basis, the Authority started official proceedings ex officio on 11.10.2021 (NAIH/7643-1/2022). The Company received the order with file number NAIH/7643-1/2022 on 18.10.2021. The 15-day deadline for responding expired on 02.11.2021, but the Company only handed its response to the post office on 04.11.2021; the shipment arrived at the Authority on 08.11.2021.

(2) According to the Company's statement with file number NAIH/7643-2/2021, the Company carries out camera surveillance at the site pursuant to Article 6(1) point f) of the GDPR, with legitimate interest as the legal basis, for the protection of life, physical integrity and personal freedom, as well as for the purpose of property protection. The Company attached snapshots showing the angle of view of the 4 cameras to its response.
Based on these, one of the cameras was directed at one of the Company's workstations, one at the external entrance and, in connection with this, partly monitored the public area, and two more were directed at the open interior spaces used by the solarium's customers. Based on the camera images attached by the Company, no covering of areas not relevant to the purpose of the observation, or filtering of the observed area by IT means (hereinafter: masking), was set. The viewing angles of the camera system were also shown on the site plan presented by the Company. From the camera images and site plan submitted by the Company it could be established that some tanning machines and the doors leading to the standing solariums were also included in the field of view. According to the Company's claim, the solarium's customers could ask the person working at the reception desk for a paper-based data processing information sheet, and the Company informed its employees verbally and in their job descriptions; however, the Company did not prove these statements with evidence. Based on photographs submitted by the Company, stickers warning about the fact of camera data processing were placed by the Company outside the front door and also inside the premises.

(3) In view of the Company's response, further clarification of the facts became necessary; therefore the Authority again contacted the Company by post with its questions in the order with file number NAIH/2866-1/2022. The Authority set a deadline of 15 days from the date of receipt for the response. According to the delivery certificate of Magyar Posta Zrt., the Company received the Authority's order with file number NAIH/2866-1/2022 on 21.02.2022, so the response deadline fell on 08.03.2022. The Company's response arrived at the Authority by post on 28.03.2022.

(4) In its substantive response with file number NAIH/2866-2/2022, the Company informed the Authority that it no longer operates a solarium or carries out any other activity at the indicated address. In addition, it stated in its answer that the Company does not have a website. The Company's response did not contain any additional information, and the Company did not attach any annex. The Company did not answer the questions asked in the Authority's referenced order; in particular, despite the Authority's request, the Company did not present a balance of interests test, nor did it make a statement to the effect that it had such a document. The Company's answer also did not contain any statement or evidence that the camera data processing had ceased or that the camera system had been decommissioned.

(5) On the day of receiving the reply, the Authority queried the Company's certificate of incorporation, in which (...) was still listed as the Company's location, so that at the time of its answer the Company's deed of foundation still included the site as a place of permanent, independent business (operating) establishment.

(6) In view of the above, in its order with file number NAIH/2866-3/2022 the Authority, in addition to imposing a procedural fine, repeatedly called on the Company to clarify the facts. According to the relevant delivery certificate, the Company received the order on 26.04.2022, but answered only on 02.06.2022.

(7) In its substantive response with file number NAIH/2866-4/2022, the Company submitted that it does not operate any business or carry out any other activity at the referred site and does not use it either. According to its statement, the situation is the same with several locations listed in its company certificate; only one of the locations indicated there is actually used.
According to its claim, it had already dismantled the cameras previously operating at the site in question and removed them from the property. According to its statement, due to a personal tragedy, health problems and financial difficulties, it cannot permanently cope with the administrative burden, including the necessary company procedure. In view of this, it requested a reduction of or release from the procedural fine. The substantive declaration did not contain attached evidence or annexes; despite the Authority's request, the Company did not present the balance of interests test, nor did it make a relevant declaration that it had such a document.

II. Applicable legal provisions

(8) According to § 2(2) of the Infotv., the General Data Protection Regulation must be applied with the supplements defined in the provisions indicated there.

(9) Based on § 60(1) of the Infotv., the Authority may initiate official data protection proceedings ex officio in order to enforce the right to the protection of personal data.

(10) In the absence of a different provision of the General Data Protection Regulation, Act CL of 2016 on General Public Administrative Procedure (hereinafter: Act) shall be applied in the official data protection procedure initiated upon request, with the deviations set out in the Infotv.

(11) In ex officio proceedings, the provisions of the Act on procedures initiated upon request shall be applied with the exceptions contained in §§ 103-104 of that law.

(12) Pursuant to Article 4 point 1 of the GDPR, "personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(13) Based on Article 4 point 2 of the GDPR, "processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

(14) According to Article 6(1) of the GDPR, processing shall be lawful only if and to the extent that at least one of the following applies:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
(15) Based on Article 13(1)-(2) of the GDPR:
(1) Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
a) the identity and the contact details of the controller and, where applicable, of the controller's representative;
b) the contact details of the data protection officer, where applicable;
c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
d) where the processing is based on point f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
e) the recipients or categories of recipients of the personal data, if any;
f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
(2) In addition to the information referred to in paragraph (1), the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:
a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing, as well as the right to data portability;
c) where the processing is based on point a) of Article 6(1) or point a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
d) the right to lodge a complaint with a supervisory authority;
e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data;
f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

(16) Pursuant to Article 58(2) point b) of the GDPR, the supervisory authority acting within its competence issues a reprimand to a controller or processor where its processing operations have infringed the provisions of this Regulation.

III. Decision

(17) III.1. In the case of camera data processing, the legal basis typically applied is the legitimate interest of the data controller.[1] A conceptual element of the legitimate interest legal basis is the controller's obligation to balance interests. The controller is obliged to carry out a preliminary, written balancing of interests test in order to be able to rely on this legal basis. Legitimate interest can be applied as a legal basis by the controller only if its application is supported by the result of the balancing of interests test (so the mere existence of a balancing of interests test is not sufficient in itself). A balancing of interests test is built to identify the different interests and to weigh them against each other. Within this framework, among other things, the issue of necessity and proportionality and the reasonable expectations of the data subjects must be examined. When considering these, it should be kept in mind that the interests of the data subjects may take precedence over the interests of the controller, and it should also be considered whether, at the start of the processing, the data subjects can reasonably expect that the controller processes their data for the given purpose.

[1] GDPR Article 6(1) point f): Processing shall be lawful only if and to the extent that at least one of the following applies: f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Point f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

(18) Despite repeated calls from the Authority, the Company did not present such a balancing of interests test, so the legitimate interest legal basis cannot lawfully be invoked.
(19) At the same time, with the data processing carried out in the established way, the legitimate interest legal basis could not have been substantiated even by the submission of a balancing of interests test. Based on the photos and floor plan attached by the Company, the camera monitoring the entrance door from the outside also observed a section of public space. The worker and his workstation were under constant surveillance, and the angle of view of this camera partially extended to a reclining solarium. Several tanning machines, or the door leading to the standing tanning beds, were partially or completely in the field of view of one of the internal cameras. The data subjects using the service could not move out of the cameras' view, and no masking was set on the cameras.

(20) In relation to the cameras in question, neither the suitability of the data processing to achieve its purpose, which is believed to have been asset protection, nor its proportionality was proven. Especially from an asset protection point of view, other available solutions (e.g. lock, padlock, window grill, safe, alarm, motion detector, security guard, etc.) may, where applicable, also provide greater security than camera data processing. From the point of view of the purpose of the processing, in the absence of a balancing of interests test it was not and is not substantiated that the camera system was the most effective of the available solutions and, at the same time, the least burdensome for the privacy of the data subjects.

(21) Since, based on the Company's statement, the data processing information was only accessible locally, on paper, upon the express request of the data subjects using the service, adequate information about the data processing was not available to them.
The Company also did not prove that it provided the same information to its employees; according to its statement, this was realised by means of verbal information and information included in the job description, but its claims about this were not supported by evidence.

(22) On the basis of the above, the Authority decided in accordance with Article 6(1), Article 13(1)-(2) and Article 58(2) point b) of the GDPR, as set out in the operative part (decision).

(23) At the same time, according to its statement, the Company has abandoned the investigated data processing, i.e. dismantled the devices on site.

(24) III.2. Clarification of the circumstances of the data processing was not possible in the investigation procedure; therefore the Authority decided to initiate the ex officio official procedure. Despite this, the Company's statements in the official procedure initiated ex officio were incomplete or delayed. The procedural fine was imposed on the Company in view of these antecedents, and thus the Authority decided, in accordance with the provisions of the operative part (order), to reject the Company's request for the waiver or mitigation of the procedural fine.

IV. Other questions

(25) Based on § 112, § 112(2) point d), § 116(1) and (3) and § 114(1) of the Act, respectively, legal redress against both the decision and the order is available by way of an administrative lawsuit.

***

(26) The rules of the administrative trial are set out in Act I of 2017 on the Code of Administrative Procedure (hereinafter: Kp.). Based on § 12(1) of the Kp., an administrative lawsuit against an authority's decision falls under the jurisdiction of the tribunal; based on § 13(3) point a) subpoint aa) of the Kp., the Metropolitan Court has exclusive jurisdiction.
Based on § 27(1) point b) of the Kp., legal representation is mandatory in a lawsuit within the jurisdiction of the tribunal. According to § 39(6) of the Kp., unless the law provides otherwise, the submission of the statement of claim does not have the effect of postponing the entry into force of the administrative act.

(27) According to § 29(1) of the Kp. and, in view of this, § 604 of Act CXXX of 2016 on the Code of Civil Procedure (hereinafter: Pp.), Act CCXXII of 2015 on the general rules of electronic administration and trust services (hereinafter: E-Administration Act) is applicable; according to § 9(1) point b) of that Act, the client's legal representative is obliged to maintain electronic contact.

(28) The time and place of submitting the statement of claim is defined by § 39(1) of the Kp. The information on the simplified trial is based on § 77(1)-(2) and § 124(1), (2) point c) and (5) of the Kp. The amount of the fee for the administrative lawsuit is defined by § 45/A(1) of Act XCIII of 1990 on fees (hereinafter: Itv.). Regarding the advance payment of the fee, § 59(1) and § 62(1) point h) of the Itv. exempt the party initiating the procedure.

(29) According to § 38(2) of the Infotv., the Authority is responsible for monitoring and facilitating the enforcement of the right to the protection of personal data and of the right to access data of public interest and data public on grounds of public interest, as well as for facilitating the free movement of personal data within the European Union. According to paragraph (2a) of the same §, the tasks and powers established for the supervisory authority in the General Data Protection Regulation are exercised by the Authority with respect to legal entities under the jurisdiction of Hungary, as specified in the General Data Protection Regulation and this law.
The Authority's jurisdiction covers the entire territory of the country.

Dated: Budapest, according to the electronic signature

Dr. habil. Attila Péterfalvi
president
c. professor