NAIH (Hungary) - NAIH-3076-14/2024

From GDPRhub
NAIH - NAIH-3076-14/2024
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 6(1)(a) GDPR
Article 12(3) GDPR
Article 25(1) GDPR
Type: Investigation
Outcome: Violation Found
Started: 01.02.2024
Decided: 13.12.2024
Published: 20.02.2025
Fine: n/a
Parties: n/a
National Case Number/Name: NAIH-3076-14/2024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Hungarian
Original Source: naih.hu (in HU)
Initial Contributor: annamaticsek

A user repeatedly failed to unsubscribe from a newsletter despite confirmation from the controller. NAIH found the company violated Articles 6(1)(a), 12(3), and 25(1) GDPR.

English Summary

Facts

The data subject attempted to unsubscribe from a newsletter sent by a company. On September 29, 2019, the data subject submitted a request to unsubscribe through the controller’s website. The controller confirmed the removal of the email address from the mailing list on October 17, 2019. However, the data subject continued to receive newsletters on several occasions, specifically on October 26, October 29, and November 1, 2019.

On December 16, 2020, the data subject lodged a complaint with the Romanian data protection authority, which subsequently referred the matter to the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) in accordance with the GDPR’s cooperation mechanism. The NAIH commenced an investigation (case number: NAIH-1478/2021), during which the controller acknowledged a technical issue that prevented the unsubscribe requests from reaching the newsletter system.

On February 1, 2024, following the conclusions of the earlier investigation, the NAIH initiated an authority procedure for data protection ex officio (case number: NAIH-3076/2024) to assess whether the controller had breached the GDPR.

Holding

The NAIH found that the controller violated multiple provisions of the GDPR by failing to properly address the data subject’s unsubscribe requests.

First, the NAIH held that the controller violated Article 6(1)(a) GDPR, as it continued processing the data subject’s email address for marketing purposes without a valid legal basis. The data subject had withdrawn consent by attempting to unsubscribe multiple times, but the controller still sent newsletters between 30 July 2019 and 11 May 2021.

Second, the NAIH determined that the controller breached Article 12(3) GDPR by providing misleading information about the status of the data subject’s request. The controller confirmed the removal of the data subject’s email address on 17 October 2019, but in reality, due to a technical failure, the email remained in the newsletter system.

Third, the NAIH found that the controller failed to implement appropriate technical and organizational measures, violating Article 25(1) GDPR. The controller’s system did not ensure that unsubscribe requests were properly executed, leading to the continued unlawful processing of the data subject’s email address.

As a mitigating factor, the NAIH considered that the controller eventually removed the data subject’s email and ceased using the faulty system for newsletters. However, the prolonged non-compliance and misleading communication were aggravating circumstances.

The NAIH ordered the controller to notify the data subject of the final deletion of their email address and warned that failure to comply within 30 days could lead to enforcement action.


English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

Case number: NAIH-3076-14/2024. Subject: decision establishing an infringement
Administrator: […]

DECISION

The National Data Protection and Freedom of Information Authority (hereinafter: Authority) (registered office: […]; company registration number: […]; tax number: […]; legal representative […] (registered office: […]; tax number: […]; acting attorney: […]) and […] (registered office: [...], acting attorney: […]); hereinafter: Client) in connection with the compliance with the requirements of Regulation (EU) 2016/679 (EU) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: General Data Protection Regulation)

hereby makes the following decisions

in the data protection authority procedure initiated ex officio by […]

(registered office: […]; company registration number: […]; tax number: […]; legal representative […] (registered office: […]; tax number: […]; acting attorney: […]); hereinafter: Client)

1. The Authority finds that the Client has infringed Article 6(1)(a), Article 12(3) and Article 25(1) of the General Data Protection Regulation

and therefore finds the Client guilty.

2. The Authority orders the Client to inform the Complainant, within 30 days of receipt of this decision, of the measures taken to delete his/her e-mail address from the newsletter database, as set out in the reasons for the decision.

The Client must provide the Authority with written confirmation of the measures taken in accordance with point 2 within 30 days of receipt of this decision, together with the supporting evidence.

In the event of failure to comply with the obligation under point 2, the Authority shall order the execution of the decision.

There is no administrative remedy against this decision, but it may be challenged in an administrative lawsuit by means of a statement of claim addressed to the Metropolitan Court within 30 days of its notification. The statement of claim must be submitted to the Authority, electronically [1], which will forward it to the court together with the case documents. The request for a hearing must be indicated in the statement of claim. For those not entitled to full personal exemption from fees, the administrative lawsuit fee is HUF 30,000, and the lawsuit is subject to the right to record the subject-matter fee. Legal representation is mandatory in the procedure before the Metropolitan Court.

[1] The form NAIH_K01 is used to initiate an administrative lawsuit: NAIH_K01 form (2019.09.16.)
The form can be completed using the general form-filling program (ÁNYK program).
The form is available at the following link: https://naih.hu/kozig-hatarozat-birosagi-felulvizsgalata

1055 Budapest, Falk Miksa utca 9-11. Tel.: +36 1 391-1400 KR ID: 429616918 ugyfelszolgalat@naih.hu naih.hu/adatkezelesi-tajekoztatok

JUSTIFICATION

I. Background

(1) A report was received by the Authority on 16 December 2020 through the Romanian data protection authority, in which the Complainant stated that he had tried to unsubscribe from the Client newsletter several times by clicking on the unsubscribe button at the end of the email, but nevertheless he continued to receive the Client newsletter. On 29 September 2019, the Complainant also indicated to the Client by filling out the form provided for this purpose on the Client’s website that he did not wish to receive newsletters in the future. According to the Complainant’s statement, on 17 October 2019, he received a response from the Client’s data protection officer at the email address […] that, in accordance with his request – referring to Article 17(1)(b) of the General Data Protection Regulation – his email address had been deleted from the newsletter database, he had been unsubscribed from the newsletters, and he would not receive newsletters in the future in connection with the Client’s services. Despite this, the Complainant continued to receive newsletters, for example on 26 October, 29 October and 1 November 2019.

(2) On 11 December 2020, the Romanian Data Protection Authority initiated a procedure for the identification of the lead and the relevant supervisory authority pursuant to Article 56 of the GDPR. Given that the Client has its place of business in […] and that it carries out cross-border data processing, and that the decisions regarding the purposes and means of the processing of personal data within the Client’s organization are taken in Hungary, the Client’s centre of business is located in Hungary, and therefore, in accordance with Article 4(23)(b) and Article 4(22)(a) of the GDPR, the Authority is entitled to act as the lead authority.

(3) In order to investigate the Complainant’s report, an investigation was initiated under the case number NAIH-1478/2021, pursuant to Article 57 (1) f) of the General Data Protection Regulation and Article 38 (3) a) of Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter referred to as the Infotv.), during which the Authority called on the Client to make a statement on several occasions.

(4) During its investigation, the Authority concluded that a violation of the law had occurred in connection with the processing of personal data and that a fine should be imposed pursuant to the provisions of the General Data Protection Regulation, therefore the investigation procedure was closed pursuant to Article 55 (1) ab) of the Infotv. and, pursuant to Section 60 (3) b), the Authority initiated a data protection authority procedure in the case on 1 February 2024 ex officio, under the case number NAIH-3076/2024.

II. Procedure

(5) In its order dated 1 February 2024, under the case number NAIH-3076-1/2024, the Authority informed the Client about the initiation of the data protection authority procedure on that day, and invited him to make a statement, in which he also stated whether the Client maintained the statements made in the data protection investigation procedure initiated under the case number NAIH-1478/2021 and whether he intended to supplement them.

(6) The Client, in the case number NAIH-3076-2/2024. filed under file number and the letters received on 26 February 2024 and filed under file number NAIH-3076-3/2024.

(7) Furthermore, on 27 February 2024, under file number NAIH-3076-4/2024, the Authority made a note of the fact that the entire documents of the investigation procedure related to the present case, initiated under file number NAIH-1478/2021, will be used during the decision-making process, which document is an annex to the note.

III. Clarification of the facts

(8) Based on the documents of the investigation procedure No. NAIH-1478/2021, the Client processed the Complainant’s […] email address in connection with the investigation procedure, the legal basis for which is the fulfillment of a legal obligation.

(9) In addition, the Complainant has a […] account registered with this email address, the legal basis and purpose of which is the fulfillment of the terms and conditions of use of the […] account as a contract concluded with the Complainant. The Complainant did not otherwise use the Client’s travel services. The Client processed the Complainant’s email address for the purpose of sending newsletters based on the Complainant’s previous consent, however, in light of the findings of the internal investigation conducted in connection with the present case the Complainant’s email address was unsubscribed from the newsletter sending systems by the Client’s IT service provider partners, therefore the Client no longer performs such data processing.

(10) According to the Client’s statement, the Complainant has an active […] user account, therefore the Client did not delete his email address, but terminated the processing of this personal data for the purpose of sending newsletters.

(11) According to the Client’s statement, it conducted an internal investigation, based on which it established that although the online unsubscribe process took place each time the Complainant unsubscribed, the Client unsubscribed the Complainant’s email address – following his request as set out in the confirmation sent to the Complainant, and the related events were logged by the related system, however, these online unsubscribe requests did not reach the system that sent the newsletters, the […] system, due to a technical error, and therefore the Complainant’s email address was listed in the […] system as having an active subscription between July 30, 2019 (the date of the Complainant’s first unsubscribe) and May 11, 2021 (the date of the last newsletter sent to the Complainant).

(12) The Client engaged the manufacturer of the […] system to investigate the causes of the error causing the above technical problem. Based on the feedback received from the manufacturer of the […] during the internal investigation, the Client determined that the consent belonging to the Complainant’s e-mail address was deleted from the previous […] system by an unknown person – presumably due to individual negligence – who changed it manually on 8 June 2017.

(13) According to the Client’s statement, at the time of the incident, the […] database managing newsletter subscriptions was […], and all modifications were made by the Client on the […] data. This meant that, due to this manual intervention, the unsubscribe in the newsletter subscription management system called […] did not reach the […] system and did not cause any changes there in connection with the unsubscribe. This may have been the reason why the Complainant was unable to unsubscribe from the Client’s newsletters in any meaningful way, and the deletion carried out by the Client did not appear in the […] system either. The manufacturer of the […] system was unable to provide any further information, and in this regard, the Client was unable to continue the investigation in any meaningful way, thus partially closing it without any results. The Client sent an e-mail summarizing the results of the internal investigation to the Authority. To summarize the result, the Client sent newsletters to the Complainant between 30 July 2019 (the date of the Complainant’s first unsubscribe) and 11 May 2021 (the date of the last newsletter sent to the Complainant) due to a technical error. The cause of this technical error was an incident that occurred on 8 June 2017, which the Client’s internal investigation could only partially uncover due to the passage of time, personnel changes and system change that had already occurred in 2021. The Client wished to emphasize that it was an individual complaint, the Client had corrected the error, and since then the […] system had not been used for sending newsletters.

(14) The Client also sent the Romanian and non-authentic English translations of the correspondence between it and the Complainant to the Authority. Based on the internal investigation, the Client has determined that the Complainant modified his newsletter subscription status at the following times through the Client's online function:

- 30/07/2019 16:34

- 30/07/2019 16:35

- 20/09/2019 23:22

- 17/10/2019 15:12

- 04/11/2019 00:12

(15) In the present data protection authority procedure, the Client submitted the following in its letters received on 21 February 2024 and filed under the case number NAIH-3076-2/2024, and received on 26 February 2024 and filed under the case number NAIH-3076-3/2024:

(16) The Client maintained its statements made during the investigation procedure, stating that the Complainant’s […] account registered with the email address […] is currently active, and the Complainant has not sent any new complaints or comments to the Client in connection with the matter that is the subject of these proceedings.

(17) The Client further maintained that it will not process data regarding the newsletter services regarding the Complainant, following the Complainant’s request to unsubscribe. The Client conducted the necessary investigation regarding the technical error in the newsletter sending system, following which it was concluded that the technical error occurred with only one data subject, thus the problem was not systemic. In addition, the Client is not aware of any damage on the Complainant's side, and no similar case has occurred since the closure of the investigation.

(18) In order to clarify its financial situation, the Client has attached to the Authority its annual reports for the periods from 1 April 2020 to 31 March 2021, from 1 April 2021 to 31 March 2022 and from 1 April 2022 to 31 March 2023, closing the general business year.

IV. Applicable legal provisions

(19) Pursuant to Section 2 (2) of the Data Protection Act, the General Data Protection Regulation shall apply to data processing falling within the scope of the General Data Protection Regulation with the additions specified in the provisions specified there.

(20) Pursuant to Section 60(3) of the Data Protection Act, the Authority shall initiate a data protection authority proceeding ex officio if, based on its investigation, it establishes that a legal infringement has occurred or there is an imminent threat of such an infringement in connection with the processing of personal data and that a fine may be imposed in accordance with the provisions of the General Data Protection Regulation.

(21) Pursuant to Section 7 of Act CL of 2016 on General Administrative Procedure (hereinafter referred to as the General Data Protection Regulation), the provisions of the General Data Protection Regulation shall apply to the data protection authority proceeding. Pursuant to Section 103(1) of the General Data Protection Regulation, in the ex officio initiated administrative proceeding, the provisions of the General Data Protection Regulation relating to procedures initiated upon request shall apply with the derogations set out in Sections 103 and 104 of the General Data Protection Regulation.

(22) According to Article 4(1) of the GDPR: “personal data” means any information relating to an identified or identifiable natural person (the “data subject”); an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

(23) According to Article 4(2) of the GDPR: “processing” means any operation or set of operations which is performed on personal data or on sets of data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”

(24) According to Article 4(7) of the GDPR: “controller” means the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific aspects relating to the designation of the controller may also be determined by Union or Member State law.”

(25) According to Article 4(11) of the GDPR: “consent of the data subject” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear and unambiguous indication of his or her consent to the processing of personal data relating to him or her.”

(26) According to Article 6(1)(a) of the GDPR: “The processing of personal data shall be lawful only if and to the extent that at least one of the following is met:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes.”

(27) According to Article 7(3) of the GDPR: “The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of the processing based on consent before its withdrawal. The data subject shall be informed of this before the consent is given. The withdrawal of consent shall be made possible in the same easy way as the giving of it.”

(28) According to Article 12(3) of the GDPR, the controller shall, without undue delay and in any event not later than one month from the date of receipt of the request, inform the data subject of the action taken on the request pursuant to Articles 15 to 22. If necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by a further two months. The controller shall inform the data subject of the extension of the deadline, stating the reasons for the delay, within one month of receipt of the request. If the data subject has submitted the request electronically, the information shall be provided electronically, where possible, unless the data subject otherwise requests.

(29) Pursuant to Article 17(1)(b) of the General Data Protection Regulation, the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data concerning him or her without undue delay where one of the following grounds applies:
(b) the data subject withdraws his or her consent to the processing pursuant to Article 6(1)(a) or Article 9(2)(a) and there is no other legal basis for the processing.

(30) According to Article 25(1) of the General Data Protection Regulation, the controller shall, taking into account the state of the art and the costs of implementation, the nature, scope, circumstances and purposes of the processing and the risks of varying likelihood and severity to the rights and freedoms of natural persons, implement appropriate technical and organisational measures, such as pseudonymisation, both when determining the means of processing and during the processing, in order to ensure the effective implementation of data protection principles, such as data minimisation, and to incorporate into the processing appropriate safeguards to meet the requirements of this Regulation and to protect the rights of data subjects.

(31) Pursuant to Article 58(2) of the General Data Protection Regulation, the supervisory authority may, in the exercise of its corrective powers, for example:
b) order the controller or processor to comply with the data subject’s request to exercise his or her rights under this Regulation;
d) order the controller or processor to bring its processing operations into compliance with the provisions of this Regulation, in a specified manner and within a specified period, where appropriate.

(32) Pursuant to Section 71(2) of the Infotv.: “The Authority may use documents, data or other means of evidence lawfully obtained in the course of its proceedings in other proceedings.”

V. Decision

(33) Based on the definitions of the General Data Protection Regulation, the Complainant's email address constitutes personal data, and any operation performed on personal data, including its use for the purpose of sending newsletters, constitutes data processing.

(34) In the present case, the Complainant objected that on 29 September 2019, on the Client's website, by filling out the form provided for this purpose, he indicated to the Client that he did not wish to receive newsletters in the future. On 17 October 2019, he received a response from the Client's data protection officer, from the email address […], that in accordance with his request, his email address had been deleted from the newsletter database, he had been unsubscribed from the newsletters, and he would not receive newsletters in connection with the Client's services in the future, in accordance with Article 17(1)(b) of the General Data Protection Regulation. The Complainant nevertheless continued to receive newsletters, for example on 26 October, 29 October and 1 November 2019.

(35) According to Article 17(1)(b) of the General Data Protection Regulation, as referred to by the Client, the data subject has the right to request that the controller erase personal data concerning him or her without undue delay and the controller is obliged to erase personal data concerning him or her without undue delay if the data subject withdraws his or her consent to the processing pursuant to Article 6(1)(a) or Article 9(2)(a) and there is no other legal basis for the processing.

(36) The Client – as acknowledged by the Client – processed the Complainant’s e-mail address for the purpose of sending newsletters based on the Complainant’s previous consent, which the Client stated was given before the General Data Protection Regulation became applicable.

(37) In the present proceedings, the Authority did not examine the legality of the Complainant’s previous consent nor its compliance with the General Data Protection Regulation after the General Data Protection Regulation became applicable, but rather the manner in which the Client complied with the Complainant’s request that the Client not process his e-mail address for the purpose of sending newsletters.

(38) The Complainant attempted to unsubscribe from the Client’s newsletter on several occasions by clicking on the unsubscribe button at the end of the e-mail, and on 29 September 2019, by filling out the form provided on the Client’s website, he indicated to the Client that he did not wish to receive newsletters in the future, expressing that he was withdrawing his previously given consent to the use of his e-mail address for the purpose of sending newsletters.

(39) Despite this, and the information sent by the Client to the Complainant – also acknowledged by the Client, due to a technical error – the Client continued to use the Complainant’s e-mail address for the purpose of sending newsletters, for example on 26 October, 29 October and 1 November 2019.

(40) In relation to the email address previously processed based on the Complainant's consent, the data subject's consent pursuant to Article 6(1)(a) of the GDPR must be based on adequate information, be freely given and constitute a specific, clear and unambiguous indication of the data subject's wishes by a statement or a clear affirmative action.

(41) A further requirement is that in the case of processing based on consent, it must be ensured that the data subject can withdraw his or her consent at any time in the same simple manner as he or she gave his or her consent, and that the data subject has the right, in accordance with Article 17(1)(b) of the GDPR, to obtain from the controller the erasure of personal data concerning him or her without undue delay.

(42) Among these requirements, the Authority in the present proceedings – as described above, without examining the main circumstances relating to the granting of consent and the conformity of the consent with the GDPR when the GDPR became applicable – examined how the Client ensured, in relation to the Complainant, the requirement under Article 7(3) of the GDPR that the data subject can withdraw his or her consent at any time – in the same simple manner as when he or she gave his or her consent.

(43) In the present case, it can be established that the Complainant used the Complainant’s e-mail address for the purpose of sending newsletters based on his previous consent, which he tried to revoke several times, in several ways – by unsubscribing and then submitting a separate form – without success, according to the Client’s statement, at the following times:

- 30/07/2019 16:34

- 30/07/2019 16:35

- 20/09/2019 23:22

- 17/10/2019 15:12

- 04/11/2019 00:12

(44) Despite all this, the Complainant still received a newsletter to his e-mail address on 11 May 2021.

(45) On this basis, it can therefore be established that the Client, after the Complainant had expressed on several occasions and in various forms that he would withdraw his consent to the processing of his e-mail address for the purpose of sending newsletters, the Client, in the absence of the Complainant’s consent, i.e. an appropriate legal basis, processed the Complainant’s personal data – his e-mail address – for the purpose of sending newsletters, in breach of Article 6(1)(a) of the General Data Protection Regulation, after the Complainant had withdrawn his consent. This unlawful situation existed between the date of the Complainant’s first unsubscribe, i.e. 30 July 2019, and the date of the last newsletter sent to the Complainant, i.e. 11 May 2021.

(46) Although the Complainant did not request the deletion of his personal data, the Client classified the Complainant’s requests to unsubscribe from the newsletters as a request for deletion and, accordingly, informed the Complainant that he had deleted his e-mail address from the newsletter database, so that he would not receive newsletters in the future.

(47) Despite this, the Client, as confirmed by documents, did not actually delete the Complainant’s e-mail address, and he received several newsletters despite the information, the reason for which was that a technical error occurred in the […] system used by the Client for sending newsletters. This was revealed by an internal investigation conducted by the Client, the correspondence related to which was made available by the Client to the Authority.

(48) Based on these, it can be stated that the Client received a response to the Complainant’s request for data protection, not specifically for deletion, but concerning the processing of his personal data – his e-mail address – sent on 29 September 2019, within the one-month deadline, on 17 October 2019. In this regard, the Client did not commit a violation of law or violate Article 12(3) of the General Data Protection Regulation, as it informed the Complainant of the measures taken in connection with his data protection request within the deadline.

(49) However, the Client already provided incorrect information about the measure and, contrary to its information, did not delete the Complainant’s e-mail address from the newsletter database, but continued to process it for the purpose of sending newsletters, as the Complainant continued to receive e-mails. Therefore, the Authority finds that the Client has infringed Article 12(3) of the General Data Protection Regulation by providing incorrect information on the measures it has taken.

(50) Based on the information available to the Authority, it can also be established that the Client did not provide the Complainant with information after it had actually deleted his e-mail address from the newsletter database. The Client has infringed Article 12(3) of the General Data Protection Regulation in this regard as well. In view of this, it is necessary to provide the Client with information on the measures taken by the Complainant to fulfil the request for deletion.

(51) As a reason for the incorrect deletion of personal data, the Client referred to a technical error in the system […] used for sending the newsletter.

(52) In this regard, Article 25(1) of the General Data Protection Regulation requires that the controller shall implement effective technical and organisational measures to ensure that the provisions of the General Data Protection Regulation are implemented. In accordance with recital 59 of the General Data Protection Regulation, the controller shall also establish procedures and operate an IT system to ensure that the data subject's requests, in this case the withdrawal of consent and the erasure of personal data, can be fulfilled in an appropriate manner.

(53) According to recital (59) of the General Data Protection Regulation, measures should be provided to facilitate the exercise of the rights granted to data subjects in the General Data Protection Regulation, including mechanisms by which, among others, the data subject may request and, where appropriate, obtain, free of charge, access to, rectification and erasure of personal data and exercise the right to object. Accordingly, the controller shall provide the means to submit requests electronically, in particular where the personal data are processed electronically. The controller shall be required to respond to the data subject's request without undue delay and at the latest within one month, and shall provide reasons for any failure to comply with any request by the data subject.

(54) However, the claim of a technical error shall not exempt the Client from the controller's liability. Consequently, in this case, even if the Client claims that there is no problem affecting more than one person, it is still necessary to use software that will effectively delete personal data. In addition, the system must also be capable of allowing the data subject to unsubscribe from unwanted newsletters directly. This is particularly important for a data controller with a large client base, such as the Client.

(55) Based on all of this, the Authority finds ex officio that the Client, by using for a long time a system with technical problems, as acknowledged by the Client, as a result of which the Complainant's e-mail address was not deleted from the Client's newsletter database, failed to take the necessary technical measures to ensure the fulfilment of the data subject's requests, in breach of Article 25(1) of the General Data Protection Regulation, in the period between the date of the Complainant's first unsubscribe, i.e. 30 July 2019, and the date of the last newsletter sent to the Complainant, i.e. 11 May 2021.

(56) However, given that during the data protection authority procedure the Client deleted the Complainant's e-mail address from its newsletter database, according to its statement, and that since the incident the […] system has no longer been used for sending newsletters, no action is required regarding the deletion of the Complainant's e-mail address.

VI. Legal consequences

(57) In the data protection authority procedure initiated ex officio, the Authority finds, on the basis of Article 58(2)(b) of the General Data Protection Regulation, that the Client has violated Article 6(1)(a) of the General Data Protection Regulation between the date of the Complainant's first unsubscribe, i.e. 30 July 2019, and the date of the last newsletter sent to the Complainant, i.e. 11 May 2021, as well as Article 12(3) and Article 25(1).

(58) In the data protection authority procedure initiated ex officio, the Authority, pursuant to Article 58(2)(c) of the General Data Protection Regulation, instructs the Client to inform the Complainant, in accordance with Article 12 of the General Data Protection Regulation, of the measures taken to delete his e-mail address from the newsletter database and of the fact of the actual deletion.

(59) Based on all of this, the Authority has decided as set out in the operative part.

VII. Other issues:

(60) The Authority’s competence is determined by Section 38(2) and (2a) of the Information Act, and its competence extends to the entire territory of the country.

(61) The Authority’s present decision is based on Sections 80-81 of the Act on the Protection of Personal Data and Section 61(1) of the Information Act. The decision is based on Section 38(2) and (2a) of the Act on the Protection of Personal Data. Pursuant to Section 82 (1), it becomes final upon its publication. Pursuant to Section 112 and Sections 116 (1) and (4) d) of the Administrative Procedure Act, and Section 114 (1), the decision may be appealed through an administrative lawsuit.

* * *

(62) The rules of administrative litigation are determined by Act I of 2017 on the Code of Administrative Procedure (hereinafter referred to as the Administrative Procedure Act). Pursuant to Section 12 (1) of the Administrative Procedure Act, administrative litigation against the decision of the Authority falls within the jurisdiction of the courts, and the Metropolitan Court has exclusive jurisdiction over the lawsuit pursuant to Section 13 (3) paragraph a) sub-point aa). According to Section 27(1)(b) of the Administrative Procedure Act, in a dispute in which the court has exclusive jurisdiction, legal representation is mandatory. According to Section 39(6) of the Civil Procedure Code, the filing of a claim shall not have a suspensive effect on the entry into force of the administrative act.

(63) According to Section 29(1) of the Civil Procedure Code and, in view of this, Section 604 of Act CXXX of 2016 on the Code of Civil Procedure, and Section 19(1)(b) of Act CIII of 2023 on the Digital State and Certain Rules for the Provision of Digital Services, the client’s legal representative is obliged to maintain electronic communication.

(64) The time and place of filing a claim shall be determined by Section 39(1)(c) of the Civil Procedure Code.

Information on the possibility of requesting a hearing shall be provided in accordance with Section 39(1)(c) of the Civil Procedure Code. 77. § (1)-(2)

(65) The amount of the administrative litigation fee is determined by Section 45/A (1) of Act XCIII of 1990 on Fees (hereinafter: Itv.). The party initiating the procedure is exempted from paying the fee in advance by Section 59 (1) and Section 62 (1) h) of Itv.

(66) If the Client fails to provide adequate proof of the fulfillment of the prescribed obligation, the Authority shall consider that the Client has not fulfilled its obligation within the deadline. According to Section 132 of the Ákr., if the Client has not fulfilled the obligation set out in the final decision of the Authority, it shall be enforceable. The Authority's decision shall become final upon notification, according to Section 82 (1) of the Ákr. Pursuant to Section 133 of the Tax Code, the enforcement shall be ordered by the authority that made the decision, unless otherwise provided by law or a government decree. Pursuant to Section 134 of the Tax Code, the enforcement shall be carried out by the state tax authority, unless otherwise provided by law, a government decree or, in the case of a local government, a decree of a local government. Pursuant to Section 61 (7) of the Information Act, the Authority shall implement the enforcement of the decision in relation to the obligation to perform a specific act, to behave in a specific manner, to tolerate or to cease to act.

Budapest, 13 December 2024

Dr. habil. Attila Péterfalvi
President
c. university professor