NAIH (Hungary) - NAIH/2020/3479
NAIH - NAIH/2020/3479 | |
---|---|
Authority: | NAIH (Hungary) |
Jurisdiction: | Hungary |
Relevant Law: | Article 5(1)(d) GDPR Article 16 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 18.11.2020 |
Published: | |
Fine: | 28 EUR |
Parties: | n/a |
National Case Number/Name: | NAIH/2020/3479 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Hungarian |
Original Source: | NAIH (in HU) |
Initial Contributor: | n/a |
The Hungarian DPA (NAIH) issued a fine of €28 on a controller for failing to meet an administrative deadline to rectify the data subject's outdated email address.
English Summary
Facts
A complainant argued that he continued to receive a newsletter from a controller at an old e-mail address despite numerous attempts to rectify his data. According to the complainant, even after his address had been changed manually by an employee of the controller, he continued to receive the newsletter at the old one.
Dispute
Holding
The DPA stated that the controller infringed Article 16 of the GDPR, as it did not comply with the complainant's request. However, given that the e-mail address has been corrected as a result of the proceedings, no further measure is required. Additionally, given that the rights of the data subject are closely linked to data protection principles, the DPA concluded ex officio that the controller violated the principle of accuracy under Article 5 (1) (d) of the GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
Case No: NAIH / 2020/3479 / Subject: Decision granting the application Administrator: […] DECISION The National Authority for Data Protection and Freedom of Information (hereinafter referred to as the Authority) […] to the applicant (hereinafter: the Applicant) […] (hereinafter: the Applicant) against the Infringement of the applicant's right to rectify his personal data and unsolicited newsletters initiated an official procedure following his request of 16 April 2020, in which case the Authority has taken a decision on the Applicant grant his request, and I. finds that the Applicant has violated the Applicant's natural persons a protection of personal data and the protection of such data and repealing Directive 95/46 / EC the right of rectification under Article 16 of the Regulation (hereinafter referred to as the General Data Protection Regulation) and at the same time, the Authority finds of its own motion that it has infringed the general rule the principle of accuracy under Article 5 (1) (d) of the Data Protection Regulation. Due to the above violation, the Authority will inform the Applicant - by another data protection violation. in determining the legal consequences of the present infringement as a precedent will be taken into account with increased weight - will be warned. EXECUTION II. Given that it has exceeded the administrative deadline, the Authority considers that HUF 10,000, ie ten thousand forints to the Applicant - according to his / her choice to be indicated in writing - pay by bank transfer or postal order. * * * There is no administrative remedy against this decision, but it is from notification within 30 days of the application to the Metropolitan Court in an administrative lawsuit can be challenged. The application must be submitted to the Authority, electronically, which is the case forward it to the court together with its documents. 
Those who do not benefit from full personal exemption The fee for the administrative lawsuit is HUF 30,000, the lawsuit is subject to the right to record material fees. The Capital In proceedings before the General Court, legal representation is mandatory. A II. There is no place for an independent appeal against the order under point 1, only on the merits of the case may be challenged in an appeal against a decision taken. 1 The administrative lawsuit is initiated by the form NAIH_K01: Form NAIH_K01 (16.09.2019) The form is the general can be filled in using a form filling program (ÁNYK program). REASONING I. Procedure and clarification of the facts The Applicant submitted a notification to the Applicant on 20 February 2020 in which complained that he had rewritten his e-mail address several days before his submission to the operated Internet subscriber interface, after which continued to receive mail from the old e-mail address. The Applicant sent on February 21, 2020, referring to the Applicant's notification In its reply, it provided information that it had changed its previous e-mail address in its system To the e-mail address provided by the applicant. The Applicant nevertheless continues - March 2020 Also on 16 and 20 March 2020 - received a newsletter from the Applicant to his previous e-mail address. In view of all this, the Applicant, in its application submitted on 16 April 2020, requested a Authority, and at the same time the National Media and Communications Authority, to initiate proceedings against the Applicant for rectification of his personal data infringement of their rights and the receipt of unsolicited newsletters. Act CXII of 2011 on the right to information self-determination and freedom of information. law (hereinafter: the Information Act) the right to the protection of personal data pursuant to Section 60 (1) before the Authority at the request of the data protection authority proceedings have been initiated. 
Following the Authority's call for rectification, the Applicant arrived on 5 June 2020 in its submission, it stated that between 1 January 2020 and 19 February 2020 changed his e-mail address on the Applicant's online subscriber interface during the period, and submitted that the "Confirmation" in the "Confirm New Email Address - Reminder" email clicked on the button to arrive in your inbox on February 21, 2020. In its order to initiate the data protection authority procedure, the Authority notified the Applicant and called for a statement and disclosure in order to clarify the facts. Based on the Applicant's statement, the Applicant initiated the e-mail on February 16, 2020 address change on the Applicant's online subscriber interface. The Applicant submitted that in such a case validating email to the new email address of the customer initiating the change will be sent in order for the Applicant to verify the email address provided correctness. After clicking on the confirmation, the Applicant will be automatically rewritten e-mail address in your systems. The Applicant stated that the Applicant on February 16, 2020, and the reminder The Applicant also failed to re-send the confirmation on 21 February 2020 so that, subject to no modification, the Applicant's old e-mail the newsletter received by the Applicant in his complaint of 20 February 2020. The Applicant submitted that in view of the contents of the Applicant's complaint, the Applicant on 21 February 2020, his employee manually changed the Applicant's e-mail address, which however, due to an administrative error, the so-called campaign management system so that the Applicant again received newsletters to his old e-mail address. The Applicant stated that the Authority had received an order for clarification of the facts on 8 July 2020, the so-called campaign management system also modified the Applicant's email address, so no later newsletters will be sent to the old email address. 
In its order, the Authority invited the Applicant to make another statement, to which the its reply was received by the Authority on 5 August 2020. The Applicant emphasized that validation is necessary to protect customers, as so that no third party modification can be made on behalf of the subscriber to the subscriber's knowledge without. The Applicant stated that the confirmation was made by the Applicant on 21 February 2020 he cannot prove his absence (absence), given that for an event that did not happen related logfile is not and cannot be available to the Applicant. II. Applicable law Pursuant to Article 2 (1) of the General Data Protection Regulation, for the processing of data in the present case the general data protection regulation applies. Infotv. Pursuant to Section 2 (2), the General Data Protection Decree is indicated therein shall apply with the additions provided for in Infotv. Pursuant to Section 38 (2), the Authority is responsible for the protection of personal data, and the right of access to data of public interest and public interest personal data within the European Union facilitating its free movement. Infotv. Pursuant to Section 38 (2a) of the General Data Protection Decree on Supervision the tasks and powers established for the authority under the jurisdiction of Hungary as defined in the General Data Protection Regulation and this Act according to the Authority. Infotv. Pursuant to Section 38 (3) (b), within the scope of its responsibilities under Section 38 (2) and (2a) as defined in this Act, in particular at the request of the data subject and ex officio data protection conduct an official procedure. Infotv. Pursuant to Section 60 (1), the enforcement of the right to the protection of personal data To that end, the Authority shall, upon request, initiate a data protection authority procedure and of its own motion initiate data protection authority proceedings. 
The data protection authority procedure is general CL of 2016 on administrative order. (hereinafter: Ákr.) apply with the additions specified in the Infotv. and the general data protection regulation with the derogations provided for in Infotv. Pursuant to Section 60 (2): “For the initiation of data protection authority proceedings Article 77 (1) and Article 22 (b) of the General Data Protection Regulation. may be submitted in the case provided for in Under Article 77 (1) of the General Data Protection Regulation, “other administrative or without prejudice to judicial remedies, any person concerned shall have the right to lodge a complaint with one At the supervisory authority, in particular at the place of usual residence, place of work or in the Member State of the alleged infringement, if it considers that the the processing of personal data infringes this Regulation. " Article 5 (1) (d) of the General Data Protection Regulation states: “Personal data shall: […] (d) be accurate and, where necessary, kept up to date; all reasonable measures must be taken in order to ensure that personal data are inaccurate for the purposes of data processing immediately deleted or corrected ("accuracy") ". Under Article 16 of the General Data Protection Regulation, the data subject has the right to request data controller to correct inaccurate personal data without undue delay data. Taking into account the purpose of the data processing, the data subject is entitled to request the incomplete supplementing personal data, inter alia by means of a supplementary declaration. According to Article 12 (1) to (6) of the General Data Protection Regulation: “1. The controller shall take measures to enable the data subject to process personal data all the information referred to in Articles 13 and 14 and Articles 15 to 22. 
and Article 34 each piece of information in a concise, transparent, comprehensible and easily accessible form, in a clear manner and provide it in plain language, in particular any information addressed to children in the case of. The information shall be provided in writing or by other means, including, where appropriate, by electronic means also - must be specified. Oral information may be provided at the request of the data subject, provided otherwise the identity of the data subject has been verified. 2. The controller shall facilitate the processing of the data subject concerned in accordance with Articles 15 to 22. exercise of their rights under this Article. Article 11 (2) In the cases referred to in paragraphs 15 to 22, the controller shall exercise their rights under Article may not refuse to comply with his request unless he proves that the person concerned unable to identify. 3. The controller shall, without undue delay, but in any case upon receipt of the request, inform the data subject within one month of the following an application under Article measures. If necessary, taking into account the complexity of the application and the requests this period may be extended by a further two months. On the extension of the deadline the controller shall indicate the reasons for the delay from the date of receipt of the request inform the data subject within one month. If the application has been submitted by electronic means, the information shall, as far as possible, be provided by electronic means, unless the data subject provides otherwise asks. If the controller does not act on the data subject 's request without delay, but shall inform the data subject no later than one month after receipt of the request the reasons for not taking action and the fact that the person concerned may lodge a complaint supervisory authority and may exercise its right to a judicial remedy. 5. In accordance with Articles 13 and 14 information and Articles 15 to 22. 
The information and action provided for in Articles 31 and 34 shall be provided free of charge to assure. If the data subject's request is clearly unfounded or - particularly repetitive excessive, the controller, in view of the provision of the requested information or information or for the administrative costs of taking the requested action: (a) a reasonable fee or (b) refuse to act on the request. The application the burden of proving that it is manifestly unfounded or excessive is on the controller. (6) A 11. without prejudice to Articles 15 to 21, if the controller has reasonable doubts in accordance with Article the identity of the natural person submitting the application request the information necessary to confirm his identity. " Article 23 (1) of the General Data Protection Regulation states: “The controller or Union or Member State law applicable to the processor may be limited by legislative measures a 12-22. Articles 12 and 34 and Articles 12 to 22. with the rights set out in Article the rights and obligations set out in Article 5 in respect of obligations if the restriction respects fundamental rights and freedoms necessary and proportionate measure to protect the following in a democratic society: (a) national security; b) national defense; (c) public safety; (d) the prevention, investigation, detection or prosecution of criminal offenses; or enforcement of criminal sanctions, including against threats to public security protection and prevention of these dangers; (e) other important general interest objectives of general interest of the Union or of a Member State, in particular: Important economic or financial interests of the Union or of a Member State, including monetary, budgetary and fiscal issues, public health and social security; (f) protection of judicial independence and judicial proceedings; g) in the case of regulated professions, the prevention, investigation and detection of ethical violations and conducting related procedures; (h) in 
the cases referred to in points (a) to (e) and (g), even occasionally, the performance of public control, inspection or regulatory activity related to the provision of (i) the protection of the data subject or the protection of the rights and freedoms of others; (j) the enforcement of civil claims. " According to Article 58 (2) of the General Data Protection Regulation: “The supervisory authority shall be corrective acting within its competence: (a) warn the controller or processor that certain data processing operations are planned its activities are likely to infringe the provisions of this Regulation; (b) condemn the controller or the processor if his or her data processing activities has infringed the provisions of this Regulation; (c) instruct the controller or the processor to comply with this Regulation exercise its rights under this Regulation; (d) instruct the controller or processor to carry out its data processing operations, where applicable in a specified manner and within a specified period, in accordance with this Regulation with its provisions; (e) instruct the controller to inform the data subject of the data protection incident; (f) temporarily or permanently restrict the processing, including the prohibition of the processing; (g) order personal data in accordance with Articles 16, 17 and 18 respectively rectification or erasure of data or restrictions on data processing, and in accordance with Article 17 (2). 
order to notify the addressees with whom it is addressed in accordance with paragraph 1 and Article 19 or with whom personal data have been communicated; (h) withdraw the certificate or instruct the certification body in accordance with Articles 42 and 43 revoke a duly issued certificate or instruct the certification body not to grant it issue the certificate if the conditions for certification are not or are no longer met; (i) impose an administrative fine in accordance with Article 83, depending on the circumstances of the case in addition to or instead of the measures referred to in this paragraph; and (j) order the flow of data to a recipient in a third country or to an international organization suspension. " Pursuant to Article 83 (2), (5) and (7) of the General Data Protection Regulation: “[...] administrative fines in accordance with Article 58 (2) (a) to (h), depending on the circumstances of the case. and (j) shall be imposed in addition to or instead of the measures referred to in When deciding that whether it is necessary to impose an administrative fine or the amount of the administrative fine In each case, due account shall be taken of the following: (a) the nature, gravity and duration of the breach, taking into account the processing in question the nature, scope or purpose of the infringement and the number of persons affected by the infringement; the extent of the damage they have suffered; (b) the intentional or negligent nature of the infringement; (c) the mitigation of damage suffered by the data subject by the controller or the processor any measures taken to (d) the extent of the responsibility of the controller or processor, taking into account the and technical and organizational measures taken pursuant to Article 32; (e) relevant infringements previously committed by the controller or the processor; (f) the supervisory authority to remedy the breach and the possible negative effects of the breach the extent of cooperation to alleviate 
(g) the categories of personal data affected by the breach; (h) the manner in which the supervisory authority became aware of the infringement, in particular whether the controller or processor has reported the breach and, if so, what in detail; (i) if previously against the controller or processor concerned, in the same one of the measures referred to in Article 58 (2), orally compliance with revolving measures; (j) whether the controller or processor has considered itself approved in accordance with Article 40 codes of conduct or approved certification mechanisms in accordance with Article 42; and (k) other aggravating or mitigating factors relevant to the circumstances of the case, such as: financial gain obtained or avoided as a direct or indirect consequence of the infringement loss. […] Infringements of the following provisions, in accordance with paragraph 2, shall be An administrative fine of EUR 000 000 or, in the case of undertakings, the previous financial penalty shall not exceed 4% of the total annual world market turnover for the year, provided that the the higher of the two shall be charged: (a) the principles of data processing, including the conditions for consent, in accordance with Articles 5, 6, 7 and 9; appropriately; (b) the rights of data subjects under Articles 12 to 22. in accordance with Article (c) the transfer of personal data to a recipient in a third country or to an international organization transmission in accordance with Articles 44 to 49. in accordance with Article d) IX. obligations under the law of a Member State adopted pursuant to this Chapter; (e) instructions from the supervisory authority pursuant to Article 58 (2) and data processing temporary or permanent restriction or suspension of data flows or in breach of Article 58 (1) failure to provide. 
[…] (7) Without prejudice to the supervisory powers of the supervisory authorities under Article 58 (2), each Member State may lay down rules on the may be imposed on a public authority or other body with a public function administrative fine and, if so, the amount. " Infotv. 75 / A. §: The Authority is included in Article 83 (2) - (6) of the General Data Protection Regulation exercise its powers in accordance with the principle of proportionality, in particular by: legislation on the processing of personal data or binding European Union law in the event of a first breach of the rules set out in its act in accordance with Article 58 of the General Data Protection Regulation by alerting the controller or processor. Infotv. According to Section 61 (4) (b): “The amount of the fine is from one hundred thousand to twenty million forints may be extended if the fine imposed in a decision taken in a data protection authority proceeding budgetary body under Article 83 of the General Data Protection Regulation in the case of a fine imposed. " ARC. Decision In its application, the Applicant requested the Authority to establish that the Applicant infringed his right to rectification under Article 16 of the General Data Protection Regulation by his e-mail address during the change. Regarding how to provide information on the correction of personal data the obligations of the controller are detailed in Article 12 of the General Data Protection Regulation. It was not possible to prove that fact in a credible manner in the present proceedings - and The Authority has not identified any other means by which it can be optimally clarified that Whether or not the applicant clicked on the “confirm” button on 21 February 2020 or on the same day, the Applicant’s employee manually corrected the Applicant’s email address. 
However, it can be stated that before 20 February 2020 alone, the Applicant The legal declaration communicated by the Commission to the Applicant on the Applicant's interface shall not be considered a data subject as an application, as in that case it was carried out by only one Applicant it was an amendment to the data and not a request for a correction indicating the inaccuracy of the data. So the The applicant's only complaint to the Applicant, submitted on 20 February 2020, was considered as a request for rectification under Article 16 of the General Data Protection Regulation without undue delay, but no later than one month. However, despite the fact that the Applicant lawfully amended the In view of the applicant's complaint lodged on 20 February 2020, the e-mail address, the so-called campaign management system illegally on 8 July 2020 only as a result of the present proceedings corrected the Applicant's email address. On the basis of all this, in view of the fact that the Applicant to correct the Applicant's e-mail address has not complied with its request of 20 February 2020, the Authority finds that The applicant infringed Article 16 of the General Data Protection Regulation. However, given that that the Applicant has corrected the Applicant's e-mail address as a result of the present proceedings, further no measure is required. Also given the rights of the data subject are closely linked to data protection principles, the Authority concludes ex officio that By violating the details of the exact e-mail address of the Applicant, the Applicant violated it the principle of accuracy under Article 5 (1) (d) of the General Data Protection Regulation. 
The Authority finds, as an infringement related to the above infringement, that at the same time the treated personal data without legal basis in connection with the sending of the newsletter, as it was two newsletters is sent (March 16, 2020 and March 20, 2020) after February 21, 2020 about it informed the Applicant that he had corrected his e-mail address. The Acre. According to Section 51 (b), if the authority exceeds the administrative deadline - and there was no place to make a decision - equivalent to a fee or charge for conducting the proceedings in the absence of this, he shall pay ten thousand forints to the applicant client, who shall be released from the from the payment of procedural costs. Consequently, the Authority shall take a decision in accordance with the operative part brought. IV.3. Legal consequences The Authority examined whether it was justified to impose a data protection fine on the Applicant. In this context, the Authority complies with Article 83 (2) of the General Data Protection Regulation and Infotv. 75 / A. §- on the basis of which it considered all the circumstances of the case and found that in the present proceedings in the case of detected infringements, the warning is a proportionate, dissuasive sanction and therefore a fine is not required. The Authority shall use the following criteria for each measure, as appropriate has decided, in the light of: - the gravity of the infringement is low, also taking into account the fact that it has been established the infringements are closely linked and the damage suffered has not occurred in proceedings [Article 83 (2) (a) of the General Data Protection Regulation]; the infringement is the result of the Applicant 's negligent conduct [general data protection Article 83 (2) (b) of the Regulation] - the Authority convicted the Applicant of NAIH / 2020/2758/4. In its decision no breach of the General Data Protection Regulation, however, NAIH / 2020/2758. No. 
The findings made in the course of the proceedings cannot be regarded as relevant in the present case [General Article 83 (2) (e) of the Data Protection Regulation]; - the personal data (email address) affected by the breach do not constitute special data [Article 83 (2) (g) of the General Data Protection Regulation] - the Applicant as soon as it becomes aware that the Applicant is not a valid e-mail records its address, has rectified it [General Data Protection Regulation Article 83 (2) (k)]. Based on the above, the Authority has decided in accordance with the operative part. V. Other issues The powers of the Authority are limited by the Infotv. Section 38 (2) and (2a), its jurisdiction is covers the whole country. The present decision of the Authority is based on Art. 80-81. § and Infotv. It is based on Section 61 (1). The decision is Ákr. Pursuant to Section 82 (1), it becomes final with its communication. The Acre. Section 112 and Section 116 (1) and (4) (d) and § 114 (1) against the decision there is a right of appeal through an administrative lawsuit. * * * The rules of administrative litigation are laid down in Act I of 2017 on the Procedure of Administrative Litigation (a hereinafter: Kp.). A Kp. Pursuant to Section 12 (1) by a decision of the Authority The administrative lawsuit against the court falls within the jurisdiction of the court. Section 13 (3) a) The General Court has exclusive jurisdiction under point (aa) of A Kp. Section 27 (1) In a dispute in which the tribunal has exclusive jurisdiction, the representation is mandatory. A Kp. Pursuant to Section 39 (6), the filing of the application a has no suspensive effect on the entry into force of an administrative act. A Kp. Section 29 (1) and with this regard Act CXXX of 2016 on the Code of Civil Procedure. 
applicable pursuant to Section 604 of the Act, electronic administration and trust services CCXXII of 2015 on the general rules of pursuant to Section 9 (1) (b) of the Act legal representative is required to communicate electronically. The time and place of the filing of the application is Section 39 (1). THE Information on the possibility to request a hearing can be found in Kp. Section 77 (1) - (2) based on. The amount of the fee for an administrative lawsuit is set out in Act XCIII of 1990 on Fees. law (hereinafter: Itv.) 45 / A. § (1). From the advance payment of the fee is Itv. Section 59 (1) and Section 62 (1) (h) shall release the party initiating the proceedings. Budapest, November 18, 2020 Dr. Attila Péterfalvi President c. professor