NAIH (Hungary) - NAIH-5114-35/2022
From GDPRhub
| NAIH - NAIH-5114-35/2022 | |
|---|---|
 | |
| Authority: | NAIH (Hungary) |
| Jurisdiction: | Hungary |
| Relevant Law: | Article 5(1)(e) GDPR Article 6(1) GDPR Article 12(1) GDPR Article 13 GDPR Article 31 GDPR Article 58(2)(f) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 21.12.2022 |
| Published: | |
| Fine: | 3000000 HUF |
| Parties: | n/a |
| National Case Number/Name: | NAIH-5114-35/2022 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Hungarian |
| Original Source: | NAIH (Hungary) (in HU) |
| Initial Contributor: | n/a |
The Hungarian DPA investigated the use of a surveillance camera sytem and fined the controller HUF 3,000,000.00 (approx. €8,000.00) for violating multiple GDPR provisions.
English Summary
Facts
The case initiated from a complaint made by a data subject who filed a complaint with the Hungarian DPA requesting the DPA to declare that a controller - a company providing accommodation services - within the neighbouring property unlawfully processes personal data with its surveillance camera systems (CCTV). The data subject requested the DPA to 1) prohibit the controller from monitoring the data subject's property with its CCTV systems, and 2) to order the controller to terminate the unlawful recordings.
The DPA extended the scope of the investigation (ex officio) against the controller. The DPA investigated all processing activities carried out by the controller with its CCTV systems and conducted an on-site inspection to the controller's property. The controller was using two CCTV systems that were identified within the investigation as Camera system No. 1 (consisting of 4 analogue cameras only providing live image) and Camera system No. 2 (consisting of 4 IP cameras recording image and audio) for which the recordings were said to be stored for three days by the controller.
The Camera system No. 1 showed views of the parking area within the property of the controller, a view from the gate to the building and to the reception area, and a small part of the backyard of the property, with a pavement leading to the reception area. The DPA noted that there were no recreational facilities located in these areas. The controller stated that the purposes of the CCTV in Camera sytem No. 1 were: 1) the protection of persons and property, 2) to detect possible infringements, 3) to catch a perpetrator in the act, and 4) to prevent infringing acts. The controller relied on legitimate interests under Article 6(1)(f) GDPR as a legal basis for the processing.
With regard to Camera system No. 2 showed views of: 1) a dining room, 2) a panoramic jacuzzi on the terrace - which previously showed a view of the data subject's property, but at the time of the DPA's on-site investigation, the controller had modified the angle view of the camera away from the data subject's property - 3) a patio, and 4) a reception desk. These cameras were motion-activated, recorded images, and some of them were placed with an angle of view to areas where the persons not only pass through but also rest and dine. Regardless of the DPA's request, the controller did not present any previous cases justifying the necessity for the use of the CCTV. The DPA considered that it was relevant whether any events had taken place in the past which would justify the placement of the cameras, as the data processing was more extensive compared to Camera system No 1. With regard to the previous monitoring of the data subject's property, the controller argued that it had had a legal basis under Article 6(1)(f), because it had legitimate interests for property protection purposes as it had accused the data subject’s husband for vandalism towards the fence separating the two properties.
Holding
With regard to the Camera system No. 1 the DPA concluded that the operation of the cameras is appropriate for the purposes pursued and a necessary security measure for the objective pursued by the controller. Additionally, the DPA viewed that because the cameras within Camera system No. 1 only transmitted live image, and did not record any images that it constituted a significantly lower intrusion into the privacy of the persons concerned than if the video images were recorded.
With regard to Camera system No. 2, the DPA considered that due to the more extensive monitoring carried out by the cameras, it was necessary to assess each camera separately. The controller's balancing of interests test lacked individual assessments of the cameras, and only included general wording such as that valuable objects are monitored, so the interest of the controller is to safeguard the mentioned objects.
The objectives and purposes pursued by the controller for each camera were unclear to the DPA. The DPA also took in consideration the fact that the controller had not examined any alternative(s) for the use of a CCTV system that would not involve processing or the processing would be more limited in scope. The DPA emphasized, that in order to use CCTV systems on the basis of a legitimate interest, the processing must be proportionate to the aim pursued and compatible with the purposes pursued, necessary to achieve the purpose, and the design and implementation of the processing must take into account the reasonable expectations of the data subjects. Secondly, the DPA emphasized that the legitimate interests must be real and present at the time when the processing starts because processing cannot be based on a possible future interests.
With regard to the Camera system No. 2 recording also audio, the DPA viewed that the controller had not presented any reasons which would justify the necessity of audio recording, and emphasized that it is not a common practice in the case of CCTV surveillance of property. The DPA stated that data subjects cannot expect the cameras recording their voice and conversations, in particularly, when the cameras could also be activated by some small non-human movement and so start recording the conversations of persons who are not even in the camera's view (the DPA found examples of such situations from the CCTV recordings during its investigation).
The DPA furthermore found regarding Camera system No. 2, that the controller did not have legitimate interests for processing the personal data and held that the controller violated Article 6(1) GDPR with regard to 1) the camera installed in the dining room, 2) the camera monitoring the panoramic jacuzzi on the terrace, and 3) the camera facing the patio. With regard to 4) the camera above the reception desk, the DPA found that the controller had legitimate interests that were the protection of property and monitoring of cash payments. The DPA considered the previous monitoring of the data subject’s property as a serious interference with private life, and that only in very rare situations can there be legitimate interests that are not overruled. The DPA took in consideration, that the balancing of interests -test did not include the data subject’s property – only the controller’s property.
The Hungarian DPA held, firstly, that the controller 1) had unlawfully processed personal data of the data subject who initially complained about the processing in breach of Article 6(1) GDPR. The DPA also prohibited the controller under 58(2)(f) GDPR from monitoring, in the future, the data subject's property. Secondly, the DPA held that the controller infringed 2) the principle of storage limitation under Article 5(1)(e) GDPR by not taking any measures to ensure that the recordings were deleted after set limitation of 3 days, 3) Article 12(1) GDPR by failing to inform the data subjects on the use of the camera surveillance in an easily accessible way, 4) Article 13 GDPR by failing to provided adequate information about the processing, 5) Article 31 GDPR by failing to comply with its duty to cooperate with the DPA as, in the DPA's view, the controller did not cooperate with the Authority during the procedure to the extent necessary, and in several cases provided false, incorrect or incomplete information.
The DPA fined the controller HUF 3 000 000 (three million forints).
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
Case number: NAIH-5114-35/2022. Subject: decision
History case number: NAIH-7502/2021.
H A T A R O Z A T
Before the National Data Protection and Freedom of Information Authority (hereinafter: Authority) [...]
[...] applicant represented by a lawyer (residential address: [...]; hereinafter: Applicant) to the Authority
Your request was received on October 4, 2021 with [Kft.] (headquarters: […]; hereinafter: Applicant 1) –
representative […] (seat: […]) – and with [natural person] (residential address: […]; hereinafter:
Respondent 2 or Obligor; Applicant 1 and Applicant 2 hereinafter together:
Respondents) against the data protection authorities in connection with the management of their personal data
makes the following decisions in the procedure:
I. Granting the Applicant's request, the Authority determines that the Applicant 1
handled the Applicant's personal data illegally, thereby violating Article 6 (1) of the GDPR
paragraph.
II. Granting the Applicant's request, the Authority condemns him for the violation according to point I
Requested 1.
III. The Authority, granting the Applicant's request, Article 58, Paragraph 2, Point f) of the GDPR
prohibits Respondent 1 from operating in such a manner in the future
camera system to monitor the Applicant's property, and thus illegally
manage the personal data of the Applicant and his family.
The Authority operates in the area of [accommodation] (address: […]) vis-à-vis the Applicants
to examine the legality of data processing through camera systems November 15, 2021
in the official data protection procedure initiated by me ex officio and extended on August 4, 2022, the following
makes decisions:
ARC. The Authority finds that Respondent 1 is unlawful, Article 6 (1) of the GDPR
conducts conflicting data management in No. 2 camera system jacuzzi, restaurant and the inner courtyard
during the operation of surveillance cameras.
A. The Authority finds that Respondent 1 violated Article 5 (1) Paragraph e) of the GDPR
the principle of limited storability according to point
VI. The Authority finds that Respondent 1 violated Article 12 (1) of the GDPR,
since he did not provide the information regarding camera data management to those concerned
easily accessible.
…………………………………………………………………………………………………………
1055 Budapest Tel.: +36 1 391-1400 ugyfelszolgalat@naih.hu
Falk Miksa utca 9-11 Fax: +36 1 391-1410 www.naih.hu VII. The Authority finds that Respondent 1 violated Article 13 of the GDPR when it did not
provided adequate information about the data management implemented through the camera system.
VIII. The Authority finds that Respondent 1 violated Article 31 of the GDPR, as a
He did not fulfill his obligation to cooperate with the authorities.
IX. The Authority prohibits Applicant 1 from using the dining room, the panoramic Jacuzzi and the
parts of the inner courtyard for relaxation, such as the jacuzzi and hot tub through the camera system
monitoring, and the doors of the apartments opening from the courtyard, and the one in front of them
monitoring of the rest area and orders the cameras directed to them
disarmament.
X. The Authority instructs Applicant 1 that the 2. camera system jacuzzi, restaurant and the
delete all recordings recorded by your cameras monitoring the inner courtyard.
XI. The Authority instructs Respondent 1 that it is related to camera data management
transform its information practice in such a way that it fully complies with
GDPR Article 12 (1) and GDPR Article 13.
XII. The Authority is the I. and V-VIII. Requested 1 due to violations established in points
HUF 3,000,000 (i.e. three million forints)
obligates you to pay a data protection fine, which is due within 15 days of the delivery of this decision
must fulfill within
* * *
The Authority warns Applicant 1 that Infotv. The decision based on § 61, subsection (6).
until the expiry of the time limit for filing an action, or in the event of the initiation of an administrative lawsuit a
until a final court decision, the data affected by the disputed data management cannot be deleted or not
can be destroyed.
The IV. and the IX.-XI. measures prescribed in points to Respondent 1 against this decision
must do so within 30 days after the expiry of the legal remedy deadline, and their implementation
immediately - together with the presentation of supporting evidence - certify to the Authority.
The fine is transferred to the Authority's centralized revenue collection purpose settlement account (10032000-
01040425-00000000 Centralized direct debit account IBAN: HU83 1003 2000 0104 0425 0000 0000)
must be paid in favor of When transferring the amount, NAIH-5114/2022. FINE. number must be referred to.
If Respondent 1 does not comply with his obligation to pay the fine within the deadline, a late fee
is obliged to pay. The amount of the late fee is the legal interest, which is the calendar interest affected by the delay
is the same as the central bank base rate valid on the first day of the semester. Fines and late fees
in the event of non-payment, the Authority orders the execution of the decision, the fine and the late fee
2 collection in the manner of taxes. The collection of fines and late fees in the manner of taxes is a
It is carried out by the National Tax and Customs Office.
* * *
FINAL
The Authority terminates the procedure against Respondent 2.
There is no place for administrative appeal against this decision and order, but a
within 30 days from the date of notification, with a letter of claim addressed to the Capital Court
can be challenged in a lawsuit. The letter of claim must be submitted electronically to the Authority in charge of the case
forwards it to the court together with its documents. The request to hold a hearing must be indicated in the statement of claim. The
The petition submitted against the order terminating the proceedings was simplified by the Capital Court
judge it in a lawsuit, outside of a trial. For those who do not receive full personal tax exemption a
the fee for an administrative lawsuit is HUF 30,000, the lawsuit is subject to the right to record fees. The Metropolitan Court
legal representation is mandatory in the procedure before it.
I N D O C O L A S
I. Facts
Application and case history
(1) The Requester for the data protection official procedure received by the Authority on October 4, 2021
requested in his application that the Authority establish that the Applicants at [accommodation]
with installed and operated cameras, they engage in illegal data management. He asked that this
forbid the continuation of camera surveillance directed at the Applicant's property, a
the recording of observed data and order its termination, as well as the unlawfully prepared
destruction of recordings, and also prohibit the Applicants from further infringement and
convict the Respondents and impose a data protection fine.
(2) The property of the Applicant is the […] inner area […] hrsz. registered under, in nature [...]
property at no. He is the owner of the property next door, naturally at […]
Respondent 2, on which [accommodation] operates and which is operated by Respondent 1.
(3) The fence between [two properties] has fallen, therefore Requested 1 new fence made of concrete elements
made it to the plot boundary. On July 26, 2021, the fence was damaged, with an approx.
A 30 cm vertical crack was created.
(4) According to the report of the […] Police Department dated July 27, 2021, the manager of Respondent 1,
[…] On July 26, 2021, an announcement was made at the [...] Police Station about the damage to the fence
because he saw through the camera installed in the boarding house that the property of the Applicant
the Applicant's husband was outside in his yard, around the fence [and in the present proceedings, legal
representative], [...] but he did not see that he had caused any damage to the fence. THE […]
Based on the information available at that time, according to the report of the Police Department No. […]
violation/criminal offense could not be established.
3(5) After that, the Regional Public Order Department of the […] Police Department on case number […]
However, the Commissioner's Sub-Department filed a violation report against the Applicant's husband
willful vandalism due to the commission of a regulation violation. In the facts of the complaint, [...]
The police station recorded that the construction of the fence was completed on July 26, 2021 by
contractor, and sent a photo of the damaged item to Respondent 1 on the same day
about a fence element. Since the manager was not on site, he looked back on his phone
recordings of the camera system installed in [accommodation]. Requested by 1 for presentation of the recording
went to the […] Police Department, on which three persons - the Applicant, the Applicant
her husband and father - the new one between the two properties was visible in the area of [Applicant's property].
at the fence. The recording showed that the Applicant's husband was standing in the yard, and then the
for fencing. The fence of the neighboring lot did not fall into the camera's field of view
part next to it, so from then on the recording could only be heard as a grinding sound. This
based on the conversation heard on the recording beforehand, the Applicant and his father - who
they are in bathing suits in the recording - they also told […], the Applicant's husband, not to do this
he can do it, the fence is not his property.
(6) The […].Sabs. [the accommodation
[accommodation] operated by Respondent 1]
was the manager of the store, according to which the above camera recording, which can be linked to the vandalism
[…], the manager of Respondent 1 forwarded it to him. In the recording, according to the testimony, it is clear
you hear "[…] don't do it, finish it, you can't touch other people's property!", and then this
loud hammer blows could be heard afterwards. In the preparatory procedure for violation of rules a
[…] The police station established that a criminal offense was suspected, as a
according to the victim's statement, the damage caused by vandalism exceeded the amount of the violation
value limit, therefore this procedure was terminated, and the documents were sent to the person in charge
criminal body, the Criminal Department of the […] Police Department.
(7) According to the Applicant's point of view, based on the above, the [accommodation] such technical devices
operated by the Applicants, which monitor your property through the use of tools,
his activities and communication there. According to him, given that
had previously suspected that they were being observed in some way by the Applicants, therefore
they documented the damage to the panel and its circumstances, and then organized a similar one
situation, on the basis of which they were able to make sure that surveillance is taking place a
On behalf of the applicants.
(8) The Applicant submitted that the surveillance directed at their property is of particular concern because
right next to the fence is the terrace area where the garden furniture was placed, there
receive their guests, clients, and the Applicant's husband is a lawyer, and if the weather is good, the
he used to make customer calls from the terrace. The Applicant could not identify that a
which of the cameras installed in the accommodation is suitable for monitoring their living space.
(9) The Authority ex officio expanded the subject of the procedure and dated November 15, 2021
notified the Respondents in its order that it would initiate a data protection official procedure ex officio
against them, data processing by the camera system operating in the [accommodation] area
to examine its legality. The examined period is from July 1, 2021, when the procedure was initiated
It was flagged up to 4 days ago. The Authority extended the examined period on August 4, 2022
until the day of the decision.
Characteristics of the camera system operated in the [accommodation] area
No. 1, analog camera system
(10) Based on the information provided by Respondent 1 and the on-site inspection conducted by the Authority - to which
It took place on July 5, 2022 without prior notice to the Applicants - in the area of [the accommodation]
two camera systems are in operation. The camera system consisting of 4 analog cameras (a
hereinafter: No. 1 camera system) requested 2 decided personal and
based on asset protection reasons, however, Respondent 1 stated that the examined
period, only he is considered a data controller.
(11) No. 1 The center of the camera system in an apartment with a completely separate entrance is a built-in one
it was placed in an attic-like room opening from a closet. The recording unit with a password
protected, which for the examination of the system the executive of Applicant 1 both the Authority and
previously made available to an IT expert assigned by the Police Department.
The Authority obtained the opinion of the IT expert from the Police Department, who
findings made only in relation to camera system No. 1. The IT
for the assignment of an expert on the suspicion of the crime of illegal data collection based on the Applicant's report
started due to […].bü. took place in procedure no.
(12) Two monitors are connected to the system, one is in the same room as the recording unit
placed at the reception of the other [accommodation]. The latter monitor is only suitable for a
show the images of the cameras according to the parameters set on the recorder, it does not control the recorder. The 1.
s. camera system only transmits live images, for image and sound recording, as well as recordings
not suitable for storage, as there is no hard disk in the recording unit. No. 1
it is not possible to remotely access the images of the camera system or its center.
(13) The cameras are fixed and cannot be moved after installation and adjustment
from a distance. No. 1 of the 4 analog cameras of the camera system, one is installed on the street front of the building
camera – CH1 – does not work, it transmits neither image nor sound, the Authority is responsible for this
was also convinced by the on-site inspection he conducted.
(14) On December 2, 2021, according to the screenshot attached by Respondent 1, the camera marked CH2
observes a private area entirely owned by Respondent 2, marked CH3
it was aimed at the parking lot, but a small part of the public area also fell into its line of sight. By the Authority
during the on-site inspection, the image of the CH3 camera sometimes disappeared, vibrated or
during certain periods nothing was visible on it. The current business manager of Respondent 1,
According to […], there has been a problem with this since the on-site inspection conducted by the police
with the camera.
(15) The CH4 camera is the camera images made available to the Authority in December 2021
according to him, he was watching the part of the sidewalk from the gate entrance to the entrance of the accommodation, and fell into his line of sight
the railway line separating the Applicant's property from the accommodation, and to a small extent the railway
Top of 5 soundproof walls. There is no sidewalk on the side of the sound-insulating wall, so typically, taking into account the
also for the resolution of the image transmitted by a camera, the third passing through the public area is not suitable
to monitor persons.
(16) Subsequent modification of the viewing angle of the CH4 camera, in April 2022 – a
According to recordings made by an expert appointed by the police department - the camera
the public space and the soundproof wall no longer fall into his line of sight, only the neighboring one
line separating properties, but it is not possible to see through it to the Applicant's property.
No. 2, IP camera system
(17) The other camera system (hereinafter: camera system no. 2) in December 2021 2
It consisted of a piece of IP camera according to the statement of Respondent 1 and the attached camera images, this
at an unknown date, two more cameras were added. No. 2 camera system cameras
images and sound are also recorded on the SD cards in the cameras, their resolution is Full HD, i.e
2 megapixel resolution. All four cameras have an infrared night vision function, a
10 meters for Tapo C200 cameras, 30 meters for Tapo C310 cameras
with sight distance.
(18) The cameras of this camera system have a motion sensor, the cameras record the recordings
not continuously, but only in the event of some movement
way that the cameras a few minutes before the event, the camera
movement taking place in its field of vision, and then for a few more minutes after it ends
afterwards.
(19) In many cases, the quality of audio recordings is affected by other noises, especially outdoor ones
in the case of cameras, e.g. the strength of the wind, the hum of the jacuzzi circulation pump. At the same time
under suitable conditions, sound recordings that can be clearly discerned from a sufficient distance
are made by the cameras.
(20) The images of the camera system and the recordings recorded by it on a closed system, online
are available, the corresponding software stores and saves the recordings if necessary. THE
the application required to access recordings is on the phone of the manager of Respondent 1
installed, which is protected by a pin code and facial recognition system according to the statement of Respondent 1.
The Authority could not check the phone of the manager of Respondent 1, as it
he could not participate in the on-site inspection held without prior notice.
(21) At the time of the inspection, the Authority made a copy of the recordings on the SD cards and
he used them during decision-making.
(22) No. 2 the first camera of the camera system was installed in the dining room, type TP-Link Tapo
C200. At the time of the on-site inspection, a total of 28 GB of data could be found on the camera's SD card
113 files in MP4 format, of which 1 is 0 bytes in size, i.e. a deleted or deleted recording
volt. The other recordings are uniformly 256 MB in size and were created before the review
From 15 days on, they included several recordings per day.
6(23) On the camera image taken on December 2, 2021 at 10:15 a.m. and attached by Applicant 1, three
table and a refrigerator was visible from the side view.
(24) Respondent 1 explained to the Authority's question that he kept it in the dining area
operation of the camera system is necessary, because there are several refrigerators that
in which, on a general basis, hundreds of thousands of forints worth of alcoholic beverages are continuously stored
drinks, other drinks and food. Further to the operation of the camera in the dining room
as a reason, Respondent 1 submitted that the boarding house has a 4-star rating
a professional expectation of a place of accommodation is to monitor the communal spaces with a camera a
for the property and personal protection of guests. In support of the latter's statement
you have not attached any documents.
(25) On the day of the on-site inspection conducted by the Authority on July 5, 2022, the angle of view of the camera
has been modified compared to the status of December 2021, the camera has been rotated a
towards reception. The area in front of the reception desk falls into his view of the room opening from there
with its door and the short corridor leading to the dining room, the self-service counter and the coffee machine.
Two of the tables in the dining room can be seen fully, one half, and the
upper corner of refrigerator. The windows were replaced by a refrigerator containing only soft drinks
for accommodation next to, from which - according to the inspection's testimony - the guests are free
they could serve themselves. No other property fell into the camera's field of view.
(26) The second camera was installed on the elevated terrace part of the building, its type is TP-
Link Tapo C310. This was the camera that recorded the infraction for vandalism,
then the camera footage objected to by the Applicant used in criminal proceedings. July 2021
On the 26th, according to the recording available to the Authority, the camera came into view
A part of the Applicant's property with the willow tree, thus recording the likeness of the Applicant and his family,
movement and their conversation.
(27) By December 2021, the angle of view of the camera had already been changed - about this, Respondent 1
also declared to the Authority - he is no longer suitable for monitoring the Applicant's property, a
on the camera image of the neighboring property on December 2, 2021, only one roof was visible -
presumably the roof of the tool shed - and one of the foliage of the willow tree near the plot boundary
part of. On December 7, 2021, the Company attached new pictures, at which time the roof part had not even fallen
into the camera's field of view.
(28) During the on-site inspection, in addition to the above, the upper terrace and the
jacuzzi in its entirety, depending on the layout, 2-4 outdoor chairs with a table, [a
accommodation] pier.
(29) In his statement dated December 2, 2021, Respondent 1 explained with the angle of view of the cameras
regarding the fact that none of them are aimed at the Applicant's property, not least because
because the border between the properties is not in the line of the fence, but one meter from it, a
In the direction of the applicant's property. However, there is no legal procedure in this regard
initiated against the Applicant and her husband, he did not substantiate his statement,
and according to the Applicant's statement, he is not aware of the plot boundary and the fence
lines should not coincide.
7(30) The memory card of the camera on the jacuzzi terrace had 114 GB of data at the time of the inspection, the
The earliest snapshot in the Snapshot directory was taken on March 24, 2022 at 10:28:34 a.m.
last on the day of the inspection. At the time of the inspection, 473 MP4 files were stored on the camera's SD card
it was a video file, 17 of which were 0 bytes in size, i.e. previously deleted or deleted recordings. The
available files were all 256MB in size, SD card going back 19 days
included recordings.
(31) In his statement dated December 2, 2021, Respondent 1 informed the Authority that the
No. 2 want to install 2 more cameras for the camera system. Requested legal
its representative stated in a statement dated June 8, 2022 that the camera system
expansion and installation of the planned cameras did not take place. The Authority requested that a
Requested 1 send pictures of the installed cameras in such a way that the cameras
environment is also included. Among these recordings, there were recordings that, however,
allowed us to conclude that the camera system had been expanded after all.
(32) During the on-site inspection held on July 5, 2022, the Authority was convinced that another 2
a camera has been installed - 3rd camera - one of which monitors the reception desk from above - type
TP-Link Tapo C200 – the L-shaped desk, the worker's chair and an additional chair.
(33) If an employee is behind the counter, it is suitable for observation, or
records the conversations between the guests and the employee working at the reception. The Authority
also found a recording that clearly shows the payment by bank card by a hotel guest
your PIN and the camera also recorded the cash transactions.
(34) At the time of the inspection, this camera had 28 GB of 116 recordings in MP4 format in total
there were 2 0-byte recordings, i.e. deleted or deleted recordings. On the SD card for 19 days
recordings can be found retrospectively, each half has a uniform size of 256 MB
was extensive.
(35) And the other camera - camera 4 - mainly on the door of one of the apartments opening from the courtyard, the
to the front part with garden furniture, to the yard, the jacuzzi located there is approx. in half, a
it is aimed at the bath tub, as well as the waterfront terrace and jetty and a part of Lake Balaton, type TP-
Link Tapo C310. The memory card of this camera had a total of 28 GB of data at the time of the review
stored, the Snapshot library snapshots taken by the camera at different times
contained, the earliest was made on May 31, 2022 at 10:23:12. In addition, the SD
card contained 110 video files in MP4 format going back 15 days, all in the same format
It was 256 MB.
The purpose and legal basis of data processing through the camera system are the statements of Respondent 1
Based on
8(36) The Applicant 1 test of interests and the operation of the camera system, as well as the
regulations on the use of recorded images - effective from July 1, 2021 - as well
attached to the Authority's statement dated December 2, 2021, the latter being the document
according to dated June 30, 2021.
(37) According to the camera regulations, the purpose of data management is the persons staying at the accommodation
protection of life, physical integrity, personal freedom, as well as in the field of real estate
staying persons, or assets owned or used by Respondent 1
protection. The detection of legal violations, the perpetrator, was also named as a data management purpose
prosecution, prevention of illegal acts, and also that the recordings with these
be used as evidence in official proceedings.
(38) According to camera regulations, images are stored on the SD cards in the cameras
for recording, which recordings in the absence of use by the Applicant 1, at most from the recording
stored for 3 days, longer storage of recordings is not justified. The recordings are a
according to the regulations, they are automatically deleted after 3 days.
(39) According to the camera regulations, the data management is based on the legitimate interests of Respondent 1, as well as
in the case of employees, as part of the control of behavior related to the employment relationship
Mt. 11/A. on the statutory authority based on paragraph (1) of §.
(40) To support the existence of a legitimate interest, Respondent 1 prepared an interest assessment test,
and also recorded in the camera regulations that the data management implemented is to reach
proportionally restricts the rights of the data subjects with the desired goal, since the angle of view of the cameras is set in such a way
setting, that in any case it is a person or event to be protected
be aimed at property. In addition, according to the camera regulations, the Data Controller is everything
informs those concerned about the fact of camera surveillance and is essential
about its circumstances, i.e. data processing does not affect the data subjects unexpectedly. Data management
its duration is adjusted to the legal requirements, the only way to get to know the data is the regulations
persons according to - Respondent 1's executive - are entitled in the cases specified therein -
Asserting the legitimate interest of the respondent or exercising the rights of the affected parties - it may come to that
beer.
(41) In the interest weighing test, as part of the identification of the existing legitimate interest, it was explained,
that Respondent 1 has a legitimate interest in data management - which is the data subjects
covers its image and sound - as it is of great value in the area open to guests
valuables - e.g. the jacuzzi worth several million forints - have been installed, as well as the camera system
its purpose is primarily asset protection and the protection of valuables. Data management is secondarily a
serves to protect guests' values, person, and physical integrity. According to Respondent 1
with the help of the camera system, you can ensure that you are not authorized to enter the accommodation area
no persons may enter, no activity that endangers the security of property
to continue.
(42) According to the weighing of interests test, if there is a decrease in the value of Respondent 1's valuables
would occur or they would be appropriated, you can reveal it by viewing the recordings
the reason for the decrease in value or the identity of the person who stole the valuable object, and the damage caused
9 can claim reimbursement. In the event of an accident, data management may contribute to the accident
to clarify its circumstances.
(43) In response to the Authority's question as to whether property security had previously occurred in the area of the accommodation
threatening event, Respondent 1 explained that the use of cameras is preventive
device, so not from the point of view of the legality of data processing through cameras
events that threaten property security in the relevant [accommodation] area
list, as the camera system is intended to prevent such events.
However, according to his statement, there were such incidents, but as an example, only the fence
he mentioned his vandalism, he did not specifically name other events, their occurrence
no supporting evidence was attached.
(44) In the weighing of interests test, it was explained in connection with the necessity of data management that
in the event of damage, it can only be done as a result of viewing the camera footage
to identify the perpetrator and to demand compensation from him. Respondent 1 explained
furthermore, that the preparation and use of recordings is proportionate to the purpose of data management, since
as a result of the data management, Respondent 1 can achieve the data management goal set by the data subjects
without disproportionately invading your privacy. According to the weighing of interests test, a
Respondent 1 has no alternative means or procedures at his disposal which
you could achieve the purpose of data management without data management.
(45) In the interest weighing test, Respondent 1 interests and rights of the stakeholders
during his identification, he recorded that the data management is informational for guests and other stakeholders
has the right to self-determination, and within that the right to image and privacy
effect. However, in his view, data management is not an internal, integral part of these
limits, its effect is proportional to the achievement of the data management goal, it is absolutely necessary for that.
The data is collected by Respondent 1 directly from the data subjects, which is clearly visible beforehand
informs guests about data management on signs placed in
the purpose and method of data management are widely and clearly understood."
(46) Respondent 1 in the weighing of interests test as the expected effect of data management
he claimed that the injury to his property could be remedied. He also emphasized
that those concerned do not lose control over their personal data, as the camera system
they receive information about its operation, so the data management can have little effect on them. THE
camera recordings will be viewed if the Applicant 1
there is a decrease in the value of your assets or an asset is appropriated, and
to discover the identity of the perpetrator or the circumstances of a possible accident
it is necessary to review the recordings.
(47) As a result of the balance of interests test, Respondent 1 came to the conclusion that
has a legitimate interest in data management and the camera recordings are justified for three days
storage.
Information about data management
10(48) In relation to information on data management, the Respondent stated that it is clearly visible,
warning signs were placed in the building, as well as [at the accommodation] a
it is done by means of camera regulations kept in a place accessible to guests and other stakeholders
fulfills its obligation to provide information. During the site inspection, the camera regulations are not good
placed in a visible place, but it was found at the reception after a short search, however, in that a
in the room for accommodation of hotel guests, where the staff of the Authority
they were absent during registration, the regulations and the information sheet could not be found.
The "Camera monitored area" sign was placed in several places in the building, one of which is
at the end of the corridor leading to the dining room, on the side of the self-service counter of the dining room, the other is the jacuzzi
at the entrance. Apart from that, the boards did not contain any additional information.
(49) According to the statement of Respondent 1, he verbally informed the Applicant several times that "the
He observes the land beyond the applicant's property, towards the Company, with a camera, basically
based on property protection reasons."
(50) According to Respondent 1, no information was received after the oral information
consent to data management on the part of the Applicant, but since it is based on his legitimate interest
data management, it was not even necessary, as the restriction of rights was proportionate, he even explained that "a
in our opinion, monitoring is lower than the properly necessary and proportionate level
level, which is no better proof than that the level of observation was not suitable for
To protect the company's property, which led to the police investigation [due to vandalism].
proceedings."
(51) To support the fact that the information was provided, Respondent 1 attached an unknown person
audio recording made at the time, on which the Applicant, the Applicant's husband and
The voice of the manager of Respondent 1 can be heard, a discussion about waste transportation with a wheelbarrow
during. During the discussion, it is said that “Through this camera you can see exactly that
how many times has he passed in front of our yard." The attached recording does not reveal which one exactly
the information referred to the camera, and that Respondent 1 during the conversation
observed a public area or the Applicants' property with the referred camera. The Applicant 1
stated that on the audio recording No. 1 camera system for a camera facing the parking lot
referred to, which does not record recordings, only transmits a live image.
Proceedings before the [...] Police Station
Tampering procedure
(52) Complaint and notification of the Applicant and Respondent 1 to the Police Department
on the basis of which two different procedures were in progress. The Police Department informed the
Authority, that in relation to the damage to the fence, the […] Police Department
Order of the Preparatory Group of the Public Order Protection Department […] decision no
the Investigation Department of the Police Department ordered an investigation based on During the investigation
it was established that the reported act is not a crime, therefore April 6, 2022
XC of 2017 on criminal proceedings. based on point a) of § 398, paragraph (1) of the Act, the
procedure was terminated.
11(53) The Police Department made the investigative documents available to the Authority, as well as the
the decision on the termination of the procedure, which for Respondent 2, as the aggrieved party,
It went to the manager of Respondent 1 as a whistleblower and to the […] District Prosecutor's Office
for delivery.
(54) Terminating the proceedings, […].bü. according to decision no. during the investigation a
The police department has assigned a forensic technical expert to the fence affected by the vandalism
conducted an on-site inspection. The expert came to the conclusion that the fence
during its design, the contractor made a technological error, and the lowest fence element was already in place
it was installed in a cracked state. The on-site inspection is such an external and intentional force
impact, which would have resulted in damage to the fence element, was not established on it
no external damage was found. The person who built the fence during his witness interview
said that there was a hairline crack on one of the fence elements, which was indicated by the customer,
He applied to 1 and with his approval it was installed as a bottom panel.
(55) During the investigation, the Police Department interviewed the manager of Respondent 1 as a witness
on January 4, 2022. In it [the executive] stated that "the property [accommodation] is at the back,
A camera works on the Balaton side. It faces our own area and we installed it to
that we can watch the jacuzzi, because usually they don't put the top back on. This camera does not
it is there to observe the neighbor, but unfortunately it falls into its field of vision
a very small part of the neighboring property on the other side of the fence. The camera
however, it does not record footage.” […] stated in his testimony that when the contractor indicated to him,
that someone from the other side of the fence shakes, pulls the fence, then he was looked at by the camera
pointed to a picture, according to which several people were walking on the other side of the fence, including [a
Applicant's husband] as well as the Applicant. […] according to his statement, then his own
he filmed the camera image with his mobile phone and recorded a few minutes, on which you can hear [a
[Applicant's husband] is tried by the person next to him to calm him down and calm him down, but he does not
he is doing something at the fence that is not visible in the camera image.
(56) On January 4, 2022, [the executive] sent the Police Department by e-mail the
the camera recordings made of suspected vandalism, damaged by the Applicant
camera recording saved from the application for viewing. This recording was made by
It was downloaded by the Police Department, written out on a CD, and a copy of this in its letter dated July 18, 2022
made available to the Authority as an attachment.
(57) Footage recorded by the camera above the jacuzzi between 18:37:36 and 18:39:52 on July 26, 2021
shows a period during which a part of the Applicant's yard with Lake Balaton was visible and
along with a willow tree. In the specific camera recording, it can be heard in the yard in addition to the chopping sounds
the conversation of three aloof people - not completely clear, but some sentences perfectly
can be taken out - as well as the Applicant and his father in bathing suits, as well as short
for a while the Applicant's husband was also in shorts and a T-shirt.
(58) In his submission dated December 2, 2021, Respondent 1 stated about the admission in question,
that it is no longer in his possession, he cannot make it available to the Authority, thereby
on the other hand, he sent it to the Police Department on January 4, 2022, and on
on March 1, he presented it on his phone to the technical expert assigned by the Police Department.
12 Procedure related to illegal data collection
(59) On September 30, 2021, the Applicant filed a complaint with the Police Department, apartment,
other rooms or the fenced areas belonging to them are done with a technical device
due to the suspicion of the crime of illegal data acquisition committed by secretly monitoring and recording,
on the basis of which the Police Department ordered an investigation.
(60) The Police Department terminated the procedure on June 8, 2022, because the available
based on the information, it was not possible to establish that a crime had been committed. The procedure
The Applicant filed a complaint against the termination decision, the complaint will be considered in July 2022
It was still in progress on the 20th.
(61) In the course of the investigation, the Police Department appointed a forensic IT expert, who in 2022.
On April 1, the on-site inspection carried out in the context of search and seizure examined the
Camera systems operated by Applicant 1. It was recorded in the expert opinion,
that there is a traditional closed-circuit security with 4 cameras on the property
system (camera system no. 1) and a digital one containing both external and several internal cameras
system (camera system no. 2). Regarding the latter, the expert is only towards the jacuzzi
regarding the mounted camera, he stated that it is fixed, not remotely
it can be moved and adjusted mechanically. He didn't check the camera image because
according to his reasoning, the SD cards in the cameras can be accessed remotely from an application
he didn't take it out of the cameras, he didn't watch the recordings on them, they weren't saved
not made. As a result, the expert opinion no. 2 with a camera system
does not contain additional findings in this context.
(62) The additional relevant findings in the expert opinion above –
were described under the title "characteristics of camera systems".
Property ownership of [accommodation].
(63) Based on the Applicant's letter dated June 8, 2022, the Authority queried on July 20, 2022
the title deed of […] property, according to which, on March 29, 2022, at […]
a request for its registration was received at the Land Registry, which was stamped. Therefore
- in case of registration of ownership - the property is removed from the property of Respondent 2, and its new
will be owned by […] (residential address: […])
III. Applicable legislation
Recital (47): The data controller - including the data controller with whom the personal data
may be disclosed - or the legitimate interest of a third party may create a legal basis for data processing, provided
that the interests, fundamental rights and freedoms of the data subject do not take priority, taking into account that
the reasonable expectations of the data subject based on his relationship with the data controller. This can be a legitimate interest
for example, when there is a relevant and appropriate relationship between the data subject and the data controller,
for example, in cases where the data subject is a client of the data controller or is employed by it. THE
in order to establish the existence of a legitimate interest, it must be carefully examined by several others
13 that the data subject is at the time of collection of the personal data and in connection therewith
can you reasonably expect that data processing may take place for the given purpose. The interests of the person concerned and
your fundamental rights may take precedence over the interest of the data controller if personal data
it is handled in circumstances in which the persons concerned do not matter further
for data management. Since it is the task of the legislator to define in legislation that the public authority
bodies, on what legal basis can I process personal data, supporting the legitimate interest of the data controller
no legal basis can be applied, carried out by public authorities in the performance of their duties
for data management. The processing of personal data is absolutely necessary for the purpose of fraud prevention
is also considered the legitimate interest of the data controller concerned. Personal data is for direct business purposes
its treatment can also be considered based on legitimate interest.
Based on Article 2 (1) of the GDPR, the GDPR must be applied to the data management in this case.
GDPR Article 4, point 1: "personal data": for an identified or identifiable natural person
any information concerning (“data subject”); the natural person who is directly you can be identified
indirectly, in particular an identifier such as name, number, location data, online
physical, physiological, genetic, intellectual, economic, cultural, or identifier of the natural person
can be identified based on one or more factors related to his social identity;
GDPR Article 4, point 2: "data management": personal data or data files are automated
any operation or set of operations performed in a non-automated manner, such as collection, recording,
organization, segmentation, storage, transformation or change, query, insight, use,
communication by means of transmission, distribution or otherwise making it available, coordination
or linking, restriction, deletion or destruction;
GDPR Article 4, Point 7: "data controller": the natural or legal person, public authority, agency
or any other body that determines the purposes and means of personal data management independently
defines with others; if the purposes and means of data management are EU or member state law
determines the data controller or the special aspects regarding the designation of the data controller
can also be defined by EU or member state law;
GDPR Article 5 (1) point c: Personal data from the point of view of the purposes of data management
they must be appropriate and relevant and limited to what is necessary
("data saving");
GDPR Article 5 (1) point e): Personal data must be stored in a form that
which the identification of the data subjects is only necessary to achieve the goals of personal data management
allows for a period of time; personal data may only be stored for a longer period of time
line, if the processing of personal data is in the public interest in accordance with Article 89 (1).
will take place for archiving purposes, for scientific and historical research purposes or for statistical purposes, that is
the appropriate technical required in this regulation in order to protect the rights and freedoms of the data subjects
and subject to the implementation of organizational measures ("limited storage capacity")
Article 6 (1) GDPR: The processing of personal data is only lawful if and to the extent that
if at least one of the following is met:
14 a) the data subject has given his consent to the processing of his personal data for one or more specific purposes
for its treatment;
b) data management is necessary for the performance of a contract in which the data subject is one of the parties,
or steps taken at the request of the data subject prior to the conclusion of the contract
necessary to do;
c) data management is necessary to fulfill the legal obligation of the data controller;
d) the data processing is for the vital interests of the data subject or another natural person
necessary for its protection;
e) the data management is in the public interest or for the exercise of public authority delegated to the data controller
necessary for the execution of the task carried out in the context of;
f) data management to enforce the legitimate interests of the data controller or a third party
necessary, unless the interests of the person concerned take precedence over these interests
interests or fundamental rights and freedoms that make personal data protection
necessary, especially if a child is involved.
Point f) of the first subparagraph cannot be applied by public authorities in the performance of their duties
for data management.
Article 12 (1) GDPR: The data controller takes appropriate measures to ensure that
all those mentioned in Articles 13 and 14 regarding the processing of personal data for the concerned party
information and 15–22. and each information according to Article 34 is concise, transparent, understandable and
provide it in an easily accessible form, clearly and comprehensibly worded, especially a
for any information addressed to children. The information in writing or otherwise –
including, where applicable, the electronic route - must be specified. Verbal information at the request of the person concerned
can be given, provided that the identity of the person concerned has been verified in another way.
GDPR Article 13: (1) If personal data concerning the data subject is collected from the data subject, the data controller shall
at the time of obtaining personal data, the following is made available to the data subject
all information:
a) the identity and contact details of the data controller and, if any, the representative of the data controller;
b) contact details of the data protection officer, if any;
c) the purpose of the planned processing of personal data and the legal basis of data processing;
d) in the case of data management based on point f) of paragraph (1) of Article 6, the data controller or a third party
legitimate interests of a party;
e) where appropriate, recipients of personal data, or categories of recipients, if any;
f) where appropriate, the fact that the data controller is a third country or an international organization
wishes to forward the personal data to, and the Compliance Committee
existence or absence of its decision, or in Article 46, Article 47 or Article 49 (1)
in the case of data transfer referred to in the second subparagraph of paragraph
indication of suitable guarantees, as well as for obtaining their copies
means or reference to their availability.
(2) In addition to the information mentioned in paragraph (1), the data controller is the personal data
at the time of acquisition, in order to ensure fair and transparent data management
ensure, informs the data subject of the following additional information:
15 a) on the period of storage of personal data, or if this is not possible, this period
aspects of its definition;
b) the data subject's right to request from the data controller the personal data relating to him
access to data, their correction, deletion or restriction of processing, and
you can object to the processing of such personal data, as well as to the data portability concerned
about his right;
c) based on point a) of Article 6 (1) or point a) of Article 9 (2)
in the case of data processing, the right to withdraw consent at any time,
which does not affect the data processing carried out on the basis of consent before the withdrawal
legality;
d) on the right to submit a complaint to the supervisory authority;
e) that the provision of personal data is a legal or contractual obligation
is a basis or a prerequisite for concluding a contract, and whether the person concerned is obliged to the personal
provide data, as well as what possible consequences it may have
failure to provide data;
f) the fact of automated decision-making referred to in paragraphs (1) and (4) of Article 22, including
also profiling, and at least in these cases to the applied logic and that
comprehensible information regarding the significance of such data management and
what are the expected consequences for the person concerned.
(3) If the data controller performs additional data processing on personal data for a purpose other than the purpose of their collection
wish to perform, you must inform the data subject about this different purpose before further data processing
and all relevant additional information referred to in paragraph (2).
(4) Paragraphs (1), (2) and (3) do not apply if and to what extent the person concerned is already involved
has the information.
Article 25 (2) GDPR: The data controller implements appropriate technical and organizational measures
finally to ensure that, by default, only such personal data is processed
take place, which are necessary from the point of view of the given specific data management purpose. This is the obligation
applies to the amount of personal data collected, the extent of their processing, the duration of their storage and
their accessibility. These measures must in particular ensure that the personal
data should not become, by default, without the intervention of the natural person
accessible to an unspecified number of people.
GDPR Article 31: The data controller and the data processor and, if any, the data controller or the
during the execution of the tasks of the representative of the data processor with the supervisory authority - its inquiry
based on - cooperates.
GDPR Article 58 (2) points b), d), f) and i): Acting within the corrective powers of the supervisory authority:
b) condemns the data manager or the data processor if his data management activities violated e
the provisions of the decree;
d) instructs the data manager or the data processor that its data management operations - where applicable
in a specified manner and within a specified time - bring it into line with the provisions of this regulation;
f) temporarily or permanently restricts data management, including the prohibition of data management;
16i) imposes an administrative fine in accordance with Article 83, depending on the circumstances of the given case, e
in addition to or instead of the measures mentioned in paragraph
GDPR Article 77 Paragraph 1: Without prejudice to other administrative or judicial remedies,
all data subjects have the right to complain to a supervisory authority – especially the usual one
in the Member State of your place of residence, place of work or the place of the alleged infringement - if it is
according to the opinion of the data subject, the processing of personal data concerning him/her violates this regulation.
GDPR Article 83 Paragraphs (2)-(3) and (5): Administrative fines depend on the circumstances of the given case
in addition to or instead of the measures referred to in points a) to h) and j) of Article 58 (2), depending on the circumstances
must be imposed. When deciding whether it is necessary to impose an administrative fine or a
must be sufficiently taken into account in each case when determining the amount of the administrative fine
take the following:
a) the nature, severity and duration of the infringement, taking into account the data management in question
nature, scope or purpose, as well as the number of persons affected by the infringement, as well as the
the extent of the damage they have suffered;
b) the intentional or negligent nature of the infringement;
c) mitigating the damage suffered by the data controller or the data processor
any action taken in order to;
d) the extent of the responsibility of the data manager or data processor, taking into account the 25 and
technical and organizational measures implemented on the basis of Article 32;
e) relevant violations previously committed by the data controller or data processor;
f) with the supervisory authority to remedy the violation and the possible negative effects of the violation
extent of cooperation to mitigate;
g) categories of personal data affected by the infringement;
h) the manner in which the supervisory authority became aware of the violation, in particular the fact that
whether the data controller or the data processor reported the breach, and if so, what kind
with detail;
i) if against the relevant data controller or data processor earlier - in the same subject
- one of the measures referred to in Article 58 (2) was ordered, in question
compliance with measures;
j) whether the data controller or the data processor considered itself approved according to Article 40
to codes of conduct or approved certification mechanisms pursuant to Article 42;
as well as
k) other aggravating or mitigating factors relevant to the circumstances of the case, for example a
financial benefit obtained or avoided as a direct or indirect consequence of a violation
loss.
(3) If a data manager or data processor is involved in the same data management operation or is related to each other
with regard to data management operations - intentionally or negligently - this regulation has more
also violates its provision, the total amount of the fine may not exceed the most serious violation
in case of a specified amount.
(4) Violation of the following provisions - in accordance with paragraph (2) - a maximum of 10,000,000
with an administrative fine of EUR, and in the case of businesses, the entire previous financial year
can be hit with an amount of up to 2% of its 17-year world market turnover; the higher of the two
an amount must be imposed:
a) with regard to the data manager and the data processor in Articles 8, 11, 25-39, 42 and 43
specified obligations;
(5) Violation of the following provisions - in accordance with paragraph (2) - at most 20,000,000
with an administrative fine of EUR, and in the case of businesses, the entire previous financial year
shall be subject to an amount of no more than 4% of its annual world market turnover, provided that of the two
a higher amount must be imposed:
a) the principles of data management - including the conditions of consent - in accordance with Articles 5, 6, 7 and 9;
b) the rights of the data subjects in Articles 12–22. in accordance with Article; (…)
Infotv. Section 2 (2): Personal data according to (EU) 2016/679 of the European Parliament and of the Council
regulation (hereinafter: general data protection regulation) is the general
data protection decree III-V. and VI/A. In Chapter 3, as well as § 3, 4, 6, 11, 12, 13, 16, 17,
21., 23-24. point, paragraph (5) of § 4, paragraphs (3)-(5), (7) and (8) of § 5, § 13 (2)
paragraph, § 23, § 25, § 25/G. in paragraphs (3), (4) and (6) of § 25/H. § (2)
in paragraph 25/M. in paragraph (2) of § 25/N. § 51/A. in paragraph (1) of § 52-54. §-
in, paragraphs (1)-(2) of § 55, paragraphs 56-60 § 60/A. (1)-(3) and (6) of § § 61 (1)
paragraphs a) and c), § 61 paragraphs (2) and (3), paragraph (4) b) and (6)-(10)
in paragraph 62-71. §, § 72, § 75 (1)-(5), § 75/A. in § and 1.
shall be applied with the additions specified in the annex.
Infotv. Validation of the right to the protection of personal data based on § 60, paragraph (1).
in order to do so, the Authority may initiate an official data protection procedure ex officio. The data protection authority
for procedure CL. 2016 on the general administrative procedure. Act (hereinafter: Act)
rules shall be applied with the additions specified in Infotv. and the general data protection
with deviations according to the decree.
Infotv. According to § 61, paragraph (1), point a) in the decision made in the data protection official procedure
the Authority
a) in connection with the data management operations defined in paragraphs (2) and (4) of § 2, the
may apply the legal consequences specified in the general data protection decree, so in particular
upon request or ex officio order the unlawfully processed personal data determined by it
can be temporarily or permanently restricted in other ways
data management.
Infotv. Section 61, paragraph (6): Until the expiry of the time limit for filing an appeal against the decision,
and in case of initiation of a public administrative lawsuit, until the final decision of the court, affected by the disputed data management
data cannot be deleted or destroyed.
Infotv. 75/A. §: The Authority is contained in Article 83, Paragraphs (2)-(6) of the General Data Protection Regulation
exercises its powers taking into account the principle of proportionality, especially with the fact that the personal
regarding data management - in legislation or in a mandatory legal act of the European Union
in the case of the first violation of specified regulations, to remedy the violation - that
in accordance with Article 58 of the General Data Protection Regulation - you are primarily the data controller
takes action with a warning from the data processor.
18 On the detailed conditions for the continuation of accommodation service activities and the accommodation
239/2009 on the procedure for issuing an operating license. (X. 20.) Government Decree 4/A. § (1)
According to paragraph
prior to and after the first certification, the accommodation certifier is required every three years
to request an examination and evaluation of the organization, in accordance with the requirements for the type of accommodation
in order to be classified into a quality grade.
ARC. Decision
IV.1. Data management quality
(64) Based on the Applicant's request, the Authority notified both Respondent 1 and Respondent 2
that an official data protection procedure was initiated against them upon request or ex officio. THE
The authority's inquiries were received only by Respondent 1, and only he did so during the procedure
statement, in all cases from Respondent 2 they came back with a not wanted signal
Authority's orders, due to which the Authority imposed a procedural fine on Respondent 2.
(65) In his letter dated December 2, 2021, Respondent 1 informed the Authority that the
only he is responsible for the examined data management and the cameras installed in the [accommodation].
is considered a data controller.
(66) Based on the information revealed during the procedure and the statements of Respondent 1, the Authority
states that it was Respondent 1 who determined the purpose and means of data management, he
decided on the angle of view of the cameras, after the initiation of the procedure, he made changes to them,
and the installation and operation of additional cameras on the property was also his decision. On this
in addition, the indicated data management purposes were all intended to serve the interests of Respondent 1,
since the primary purpose of data management is to protect the property of the accommodation and hotel guests
has been flagged.
(67) It should also be noted that the document objected to by the Applicant, prepared on July 26, 2021
camera footage was also saved by Respondent 1 and used against the Applicant's husband
infraction and then criminal proceedings were initiated.
(68) During the procedure, the Applicant attached an audio recording, on which, according to his statement,
The voice of Respondent 2 can be heard, on which the unidentified speaking party states that
sees the image transmitted by cameras, including the Applicant and her husband, but the Authority does not
had the opportunity to make sure that the other speaking party was Respondent 2 or someone else
there is no evidence at the Authority's disposal that would prove beyond a doubt that a
recordings were accessed by Applicant 2.
(69) In view of all of this, the Authority concludes that with regard to the examined data management
Respondent 1 is considered a data controller. Due to this, as well as the fact that Applicant 2
in the meantime, the property was sold and the new owner is on the stamp, the procedure with Respondent 2
has become obsolete, since it does not affect the right or legitimate interest of the case, so the Authority a
in relation to the Akr. Based on § 47, subsection (1), point c), the procedure is terminated.
19 IV. 2. Lawfulness of data management through the camera system - general practice
(70) Respondent 1 processed personal data using the two camera systems
and considering that according to Article 4, point 1 of the GDPR, your natural personal voice,
your image is personal data. The people involved can be identified in the recordings, as is well exemplified by
They were also contained in the applicant's request. No. 1 camera system personal data, image and
it does not record audio, but the image of the cameras and the person in their field of view
transmits his natural personal image to the monitor located at the reception [of the accommodation],
or, if it is switched on, to a monitor placed in the same room as the recording unit.
Given that according to Article 4, point 2 of the GDPR, you are on personal data
any operation performed on data files in an automated or non-automated manner or
the totality of operations is considered data management, so no. 1. also through a camera system
data management under the scope of the GDPR is implemented.
(71) No. 2 camera system cameras have a motion sensor and detect motion
in this case, they record the image, voice, and activity of the persons concerned who are in their field of vision, that is
conversations of data subjects, i.e. also through this camera system according to Article 4, point 2 of the GDPR
implements data management Requested 1.
(72) The two camera systems and the legality of the data management carried out through them are the responsibility of the Authority
it is examined separately, taking into account the differences in the monitored areas and the data management
to its different nature.
No. 1 findings related to the camera system
(73) The 1st camera system consisting of 4 fixed, analog cameras - whose camera is marked CH1
it does not work - it only broadcasts live images, the recordings shown by the cameras are not saved
recording. The parking lot inside the [accommodation] and the building from the gate are in the view of the cameras
next to it, the road leading to the reception falls into it, as well as a small part of the property's backyard, a
with a sidewalk leading to reception. No recreational equipment was placed in this latter area
for placement.
(74) Requested 1 uniform regulations for the two camera systems, as well as consideration of interests
prepared a test, indicating the protection of personal and property as the purpose of data management -
detection of possible violations of law, prosecution of the perpetrator, prevention of illegal acts -
and as the legal basis for data management, he indicated his legitimate interest in the realization of this goal
i.e. Article 6 (1) point f) of the GDPR.
(75) With reference to point f) of Article 6 (1) of the GDPR, the personal data is then legal
management, if the data management is for the legitimate interests of the data controller or a third party
necessary for its enforcement, unless they take priority over these interests
concerned interests or fundamental rights and freedoms that protect personal data
make it necessary, especially if the child is involved.
(76) The European Data Protection Board on the processing of personal data using video devices
solo 3/2019. according to point 19 of guideline no. (hereinafter: Guidelines) is real
and in a dangerous situation, the purpose of protecting property against burglary, theft or vandalism is a
20 may be considered a legitimate interest in video surveillance. For the legitimate interest indeed
it must exist and actually exist at the time of data processing
it cannot be theoretical, as the Court of Justice of the European Union stated in C-708/18. brought in case no
he also stated in point 44 of his judgment.
(77) The Authority in the 1. does not consider it necessary in relation to the cameras of the camera system
data management purposes and the proportionality of data management for each camera, since
a uniform statement can be made about them.
(78) Requested 1, the Authority specifically for damage events that previously occurred at the accommodation
he did not answer his relevant question in substance, did not give examples, did not prove cases, only
stated that there were previous damage incidents. So Respondent 1 is legal
has indicated a data management purpose, to which it may have a legitimate interest recognized by the Board,
however, the existence of this legitimate interest was not factually supported or made probable.
(79) The Authority no. 1. in relation to the camera system, however, as existing even in its absence
considers the legitimate interest related to data management. The reason for this is that No. 1 camera system
all three working cameras are aimed at the property, the CH4 camera falls into the field of view
partly the top of the railway soundproofing wall, but for monitoring movement on the street
in a way suitable for personal identification, this camera is not suitable for both the distance and the
camera resolution, both because of the viewing angle. The cameras monitor parts of the property that
on which you can get to the area of the property on the one hand, and to the [accommodation] itself on the other hand,
and where hotel guests can park their vehicles, and in the meantime on these a
in these areas, hotel guests typically only pass through, not to rest or spend meaningful time
they use them. Due to the location of these cameras - as they are also clearly visible from the street -
have a deterrent effect against unauthorized entry into the property area, or
against the commission of other crimes against property. Based on all this, the Authority
determines that the operation of these cameras is appropriate for the purpose to be achieved and
is considered a necessary safety measure.
(80) In addition, the cameras only transmit live images, no recording takes place, which is what it is
it realizes a significantly lower degree of interference in the private sphere of stakeholders than if row
their personal data would be recorded. Based on all of this, the Authority concludes that 1.
s. data management through a camera system is suitable for achieving the goal, data management
its scope is proportional to the goal to be achieved, so no. 1. realized by means of a camera system
data management is legal, it complies with the regulations of the GDPR.
No. 2 findings related to the camera system
(81) Due to the more extensive data management carried out with this camera system, the Authority considers it necessary
considers that it should be considered separately for each camera that it is
data processing carried out by them is necessary, as well as the rights and freedoms of the data subjects
does it limit proportionally.
(82) As the Authority explained earlier in its decision, asset protection is contingent
enabling the subsequent proof of a legitimate data management purpose in connection with damage events
21 in general, but this alone is not enough for data management
to its legality. In order to conduct video surveillance on the basis of a legitimate interest
data management must be legal, the data management must be proportionate to the goal to be achieved, and the goal
it must be necessary to achieve it, as well as the planning and implementation of data management
the reasonable expectations of those concerned must be taken into account [GDPR (47)
recital].
(83) In the interest assessment test attached by Respondent 1, the individual was not described
in relation to cameras separately, that for data management the Respondent 1 exactly
what legitimate interest it has - beyond the general wording that for the guests
valuable valuables were placed in an open area, i.e. the camera system
purpose is primarily asset protection - what are the circumstances that data management
make it necessary, or the rights of the data subjects have not been separately identified, as well as
their reasonable expectations regarding data management.
(84) The Authority in accordance with No. 2 regarding the cameras of the camera system, he refers back to his earlier statement,
that the legitimate interest must be real and existing at the start of data processing,
data management cannot be continued based on a possible future interest. As the
As explained above by the Authority, Respondent 1 did not, despite the Authority's express request
presented previous cases that would prove the need for camera data management,
whose No. 2 is important in relation to the camera system, since they are on the one hand
they are activated for movement, the completed recordings are recorded, on the other hand [the accommodation] is individual
were placed in his premises and in his yard with a viewing angle setting that
areas, the people concerned not only pass through, but rest and eat there, i.e. here
in the case of cameras, it is actually important whether there have been previous events that
which would justify the placement of the cameras, since the data management is good for them
wider than No. 1 regarding the camera system.
(85) Regarding the necessity of operating the camera system, it should be noted that a
according to available information, Respondent 1 did not check that the cameraman
is there an alternative to data management that is not personal or less personal
by handling data. In addition, it was revealed during the evidence procedure conducted by the Authority
based on the circumstances, it cannot be declared that there is no alternative to No. 2. camera system
to data management carried out through, or it could not be continued in a way that is less
impairs the right of data subjects to protect their personal data.
(86) Regarding the necessity of data management, Respondent 1 also referred to the fact that a
professional expectations for accommodations with four-star pension certification a
surveillance of public spaces with a camera. Respondent 1 did not respond to the Authority's question
stated what classification system requires this for accommodations, merely
he referred to sector expectations, and to the fact that all hotels and pensions operate
camera system. According to the photograph taken at the inspection, the accommodation is Panzió Nemzeti
has a certification Trademark that is valid until 2024. The accommodation service
on the detailed conditions for the continuation of the activity and the accommodation operation license
239/2009 on the procedure for issuing (X. 20.) Government Decree 4/A. According to paragraph (1) of § a
accommodation service provider prior to the notification of the accommodation's operational activity,
22 and the accommodation certification organization is obliged every three years after the first certification
to request its examination and evaluation, in accordance with the requirements for the type of accommodation
in order to be classified into a quality grade. The qualification requirements are the accommodation qualification
are published on the organization's website, which is Hungarian Tourism from January 1, 2022
Quality Certification Body Nonprofit Kft., website https://szallashelyminosites.hu/panzio. THE
in the criteria system for boarding houses -
https://szlashelyminosites.hu/docs/panzio_kriteriumrendszer_utmututatoval.pdf - not included
as a qualification criterion, the monitoring of common spaces by means of a camera system, of which
therefore, the Authority considers professional expectations as one of the reasons for the operation of the camera system
does not consider it acceptable, as well as the argument that other accommodations
carry out similar data management.
(87) Respondent 1 mentioned in the attached interest assessment test among the processed data that
the cameras also record sound, but it was not covered at all in the consideration of interests test
to why the audio recording is kept in order to achieve the indicated data management purposes
necessary, and why you do not consider the marked available without audio recording
data management purpose. According to the Authority's point of view, this is different from image recording
data management, the legality of which and the legitimate interest attached to it should have been separate
prove to Respondent 1 during the procedure. However, Respondent 1 did not during the procedure
presented circumstances that would support the need for audio recording.
(88) The Authority's position is that it causes more serious damage to the private sector if the cameras
in addition, sound is also recorded, especially considering that the sound recording cannot be viewed
as a common practice in the case of asset protection camera surveillance, so it is
in the absence of information, those concerned cannot expect the cameras to be their likeness
also records their voices and conversations. This is especially true when the cameras
they are also activated for some small, non-human movement, and thus the conversation of such persons
are also recorded by those who are not in the camera's field of view, to which the SD-
The Authority also found an example among the recordings on the cards (record number […]).
(89) Based on all of this, the Authority concludes that the 2. no. with the cameras of the camera system
audio recording is illegal and violates Article 6 (1) of the GDPR.
(90) Further circumstances of data management, the proportionality and necessity of data management, and thus
the legality of the Authority in the 2. no. in relation to some cameras of the camera system a
further examined separately, due to the differences in the areas observed by them.
A camera located in the dining room
(91) In the dining room, Respondent 1 considers the camera system necessary
operation, because there are several refrigerators in which, on a general basis,
they continuously store hundreds of thousands of forints worth of alcoholic drinks, other drinks and
foods.
(92) During the on-site inspection, the Authority established that the camera located in the dining room
only one refrigerator falls into his field of vision - only the corner of it when it is closed -,
23 in which only non-alcoholic soft drinks were placed during the inspection, and of which a
guests served themselves freely. The alcoholic beverages Requested 1 is a smaller one
stored in a refrigerator, which is protected by a padlock.
(93) Due to the placement of the camera, however, not only this one piece of refrigerator falls into the
into the camera's field of view, but the tables placed there, at which the guests are
they complicate their meals.
(94) According to the Authority's point of view, the implemented data management is not proportionate to the desired goal
for property protection purposes, since, on the one hand, contrary to the claim of Respondent 1, the camera
hundreds of thousands of forints worth of food was not stored in the refrigerator within sight
or alcoholic beverages, on the other hand, protecting the contents of the refrigerators is simple
would be with the lock installed on the coolers - as is the case with the cooler containing small alcohols
also happened - or by placing a lockable refrigerator in advance, i.e. it is not for the goal to be achieved
need for data management.
(95) In relation to the secondary purpose - that is, if there is any decrease in assets
causative event, so that the circumstances of the case can be revealed - Applicant 1 no
made it probable that this is a real interest existing at the time of data processing, i.e. that
you can realistically expect to damage the refrigerator or any food in it
to steal a drink. The Authority further notes that in the event that the Applicant
1 would have proved that he has a legitimate interest in the camera monitoring of the refrigerators, so
even in that case, it would have been possible to place the camera in such a way, and the angle of view would have been such
to monitor only the refrigerator and not the entire refrigerator
dining room, subject to Article 5 (1) point c) of the GDPR.
(96) The Authority also notes that in the present case, the current position and angle of view of the camera
in addition, he would not consider it sufficient if Respondent 1 were to mask the room outside the refrigerator
parts, as the camera in its current position would create a sense of observation in this
also in the case of those involved, who would not be able to ascertain in any way that
the camera image has actually been masked.
(97) The Data Protection Board 3/2019. s. guidelines and recital (47) of the GDPR
consideration of the interests of the data controller and the rights and freedoms of the data subjects
the reasonable expectations of the stakeholders must be taken into account. According to the Guidelines, it is
reasonable expectations of stakeholders should not be determined subjectively, but according to the fact that
whether an objective third party can reasonably calculate and infer in the given situation
to be observed.
(98) According to paragraphs (37)-(38) of the Guidelines, those concerned may expect not to be observed
them in public places, especially if these places are typically for recuperation and rest
and used for recreational activities as well as in places where individuals
stay and communicate, for example in lounges, at restaurant tables, in parks,
in cinemas and fitness facilities. In this case, the interests or rights of the data subject and
your freedoms often take precedence over the legitimate interests of the data controller.
(99) Hostel guests typically come [to the accommodation] to relax, have breakfast there,
they talk, organize their day. During these activities, their observation and
24 in particular, the recording of their conversation is particularly disadvantageous for those involved and in general
it is not necessary for the purpose indicated by Respondent 1. The Guidelines emphasize that it is
signs informing the person concerned about video camera surveillance are irrelevant
when establishing the objective expectations of the stakeholders.
Consequently, in connection with the data processing carried out by the camera placed in the restaurant
you cannot rely on the fact that one has been placed on the side of the self-service counter
area board observed with a camera, and especially not because of the fact of audio recording
Respondent 1 did not draw the attention of those concerned anywhere.
(100) During the inspection, the Authority made a copy of a recording on which, on the one hand,
workers packing up and cleaning after a meal can be seen, on the other hand, one
a hotel guest sitting at one of the tables with a laptop, working, talking on the phone, then heading for the heat
she stands up with respect and fans herself with her skirt while walking in such a way that a
the recording also shows her underwear or the bottom of her swimsuit (video file named […]). All of these
on the basis of which it can be stated that the hotel guests did not and do not reasonably count
they could expect to be watched in the dining room.
(101) The Authority finds that Respondent 1 illegally operates the camera in the restaurant
and illegally observes the hotel guests staying there, eating and conversing, thereby
in violation of Article 6 (1) of the GDPR.
A camera monitoring the panoramic jacuzzi on the terrace
(102) The necessity of the camera directed mainly at the jacuzzi was justified by Respondent 1 by saying that the
jacuzzi is worth several million forints, so data management is necessary to protect your property.
(103) The camera is mainly aimed at the jacuzzi, but e.g. shouting from the yard to the terrace
also records ([…]; […]).
(104) In view of what was explained in the previous subsection, the Authority does not consider it to be the desired goal
proportional to the fact that Applicant 1 typically sees hotel guests in bathing suits, resting,
he observes and records them while relaxing. There are several couples in the recordings,
who hug each other, kiss in the jacuzzi, others are naked or half-naked
they bathe, take pictures of themselves in bathing suits, and children also use the jacuzzi
([…]; […]; […]). Based on the recordings, the people involved did not count at all, and reasonably not
they could also count on being told about them while using the jacuzzi, while relaxing
intimate moments are recorded. According to the Authority's point of view, it may play a role in this
also that Respondent 1 also sells packages that include a private panoramic jacuzzi
use is promised, which may give those concerned the impression that the panorama is a Jacuzzi
they are actually alone while using the jacuzzi, no one is using them
disturbs them, which includes not observing them while bathing
with a camera.
(105) The Authority considers it necessary to state here again that the sign observed by the camera
according to the Guidelines, its location is not relevant when determining that it is
stakeholders, what their expectations may be objectively. Also, the area monitored by the camera
Based on 25 signals, those involved could not even expect that the camera would not only transmit live images,
but also records the recordings.
(106) The Authority also does not consider the argument regarding the top of the jacuzzi to be acceptable, since
the image of the camera cannot be followed live via a monitor in the accommodation, as in No. 1.
in the case of a camera system, and for viewing the recorded camera images, Applicant 1
according to his statement, it will only take place in justified cases, with the recording of minutes - log files
in its absence, the Authority could not be convinced of this - i.e. the statement of Respondent 1
system established according to is not suitable for the Applicant to check that the
have guests put the top of the jacuzzi back on.
(107) Based on all of this, the Authority concludes that Respondent 1 illegally operates the
a camera aimed at the jacuzzi and illegally records the voice and image of the persons concerned there,
activities, thereby violating Article 6 (1) point f) of the GDPR.
The camera facing the inner courtyard
(108) The camera facing the inner courtyard on the door of one of the apartments opening from the courtyard, the one in front
partly with garden furniture, to the yard, the jacuzzi located there is approx. in half, on the bath tub,
and it is directed to the waterfront terrace and pier and a part of Lake Balaton.
(109) According to Respondent 1, the purpose of monitoring the inner courtyard with a camera is to protect property,
in the event of a possible theft or break-in, there is a high chance of being identified by the cameras facing the inner courtyard
they know the perpetrator of the crime.
(110) The Authority does not dispute that a certain degree of monitoring of the inner courtyard may be necessary
prevention of potential crimes against property, or in the event of their occurrence
in order to reveal them, as the Authority in no. 1 camera system marked CH2
he also explained about his camera. A significant difference between the viewing angles of the two cameras is that
No. 1 the rear camera of the camera system, facing the inner courtyard, does not record footage on the one hand,
on the other hand, it is directed only to the part of the sidewalk where the entrance to the accommodation is located, and it is a thin one
lane from the part of the yard next to the sidewalk. In these areas - as the Authority previously did
also described - hotel guests typically only pass through this area to rest,
not used for recreation. On the other hand, no. 2 camera system for the inner courtyard
only areas where the hotel guests are in the field of view of the camera
they rest and relax, in many cases in bathing suits, e.g. Jacuzzi, hot tub. Also on camera
the movements and activities of hotel guests who are in the camera's field of view can be followed
they stayed in the second apartment, who usually use the one located in front of the apartment
also garden furniture, they talk and relax there.
(111) The Authority's position is that at the time of the inspection, the camera's field of view is much wider
made monitoring possible, as was necessary to achieve the data management goal, since
for property protection purposes, only the entrance leading to the reception of the accommodation would be sufficient
camera surveillance, which does not require the hotel guests to be at rest
observation. In addition, according to the Authority's point of view, the concerned parties reasonably do not
they can count on video and audio recording of their movements in the hotel yard,
26 as it is an area for recreation. Based on all of this, the Authority determines,
that Respondent 1 is illegally fixing the inner yard beyond the necessary extent
with a camera aimed at the voice, likeness, and activity of the data subjects, in violation of the GDPR
Article 6, paragraph 1, point f).
The camera above the reception desk
(112) The camera above the reception desk captures the reception desk from above, the person behind it
employee or employees, or the cabinet placed next to the wall, as well as the
hotel guests, whose faces are only visible when they are very close
they go to the counter and lean over it a little or lean on it, if someone just
he passes by the counter, his face is not visible in the footage. The store manager is in the camera's field of view
monitor used by is not included.
(113) According to the statement of Respondent 1 dated August 28, 2022, the reception desk with a camera
monitoring also has the purpose of asset protection, since according to his statement, the guests
they regularly pay in cash. This statement was copied by the Authority during the inspection
- 19 days - supported by camera footage.
(114) In view of this, the Authority does not consider data processing to be excessive, and considers that the
Claimed 1's legitimate interest as there is actually cash flow at the front desk where
the money box serving as the house cash register was also placed. Furthermore, the reception desk is not
it is located in a closed space, it cannot be fenced off separately, as the reception also opens to an apartment
from the side.
(115) According to the Authority's point of view, from the business manager's job and the nature of the job
therefore, the camera above the reception desk is not suitable for monitoring the employee, or a
to measure his performance, since the tasks of the business manager are not limited to those that
you must finish sitting at your desk.
(116) Based on this, the Authority concludes that Respondent 1 legally installed the camera above the reception
is operated, its legitimate interest – asset protection, monitoring of cash payments –
data processing carried out in order to enforce
typically the business manager's right to protect his personal data, the restriction does not
can be considered excessive.
IV.3. Violation of the principle of limited storage capacity
(117) According to Article 5 (1) of the GDPR, personal data must be stored in such a form
to happen, which identifies the data subjects only for the purposes of processing personal data
for the time required to reach it.
(118) According to the statement of Respondent 1, the purpose of data management through the camera system is a
it was property protection. In this regard, the camera regulation 6.2. for recording in point
it was decided that, in the absence of use of the recorded images, the Applicant 1, at most a
it is stored for 3 days from the date of recording, as the general person and
27, compared to property protection purposes, no special reason arises, which has a longer content
would justify data retention. In the absence of use, the recordings will be on the 3rd day from the recording
are automatically deleted.
(119) According to the Authority's point of view, the retention period of the camera recordings is adequate, as it was intended to be
has been defined proportionally to the purpose in the camera regulations, since if it is of any kind
a crime against or other event involving property damage occurs, within 3 days
Respondent 1 will certainly detect and take appropriate action on the recordings
in order to save.
(120) However, the Respondent did not take any measures against the provisions of the camera regulations
in order for the recordings to be deleted after 3 days, he did not apply such a setting
on the cameras, and placed relatively large SD cards in the cameras, which thus
they can store much more than 3 days of recordings.
(121) At the time of the inspection, no. 2 camera system directed to the inner courtyard and in the dining room
on the SD card of its cameras for 15 days, while for the jacuzzi and the reception
the SD cards of the cameras had recordings going back 19 days.
(122) The Authority considers these retention periods neither necessary nor proportionate
in relation to a camera system operated for property protection purposes, therefore it states that
Respondent 1 violated the limited liability under Article 5 (1) point (e) of the GDPR
storability principle.
IV.4. Information about camera data management
(123) In the case of data management through a camera system, the data controller is the personal data
is collected from the data subject, therefore the obligation to provide information according to Article 13 of the GDPR is sufficient
to the data controller.
(124) In relation to the information, the Authority primarily reviewed the website of Respondent 1, where separately
there is no data management information or data protection tab. By clicking on the Reservation menu item
at the bottom of the page there is a clickable menu item called Data Management Policy, however
it redirects to the GTC.
(125) In point [...] of the Terms and Conditions on the website, under the heading Obligations of Guests, call the
the attention of guests and potential guests that it operates a camera system [a
accommodation] area: "[…]" In addition, they can be found in point [...] of the General Terms and Conditions with data management
related information, e.g. newsletter subscription, transfer of personal data request
for authority, etc.
(126) During the inspection, the Authority came to the conclusion that it was not found anywhere in the building
detailed for posting, containing all the conditions of camera data management
information sheet. The camera policy was found at the reception, although it was not posted,
therefore, guests cannot access it without a special request. Area under surveillance
sign was placed in several places - at the entrance to the jacuzzi and the self-service in the dining room
on the side of the counter - however, the boards did not contain any additional information beyond the fact of data management.
28 In addition, information was not posted or placed in any other way in the rooms
about data management through a camera system.
(127) As a result, the Authority disputes the interest assessment test made by Respondent 1
statement that "guests are informed on signs placed in a clearly visible place
on data management, on the basis of which the purpose and method of data management are broadly and clearly defined
understandable."
(128) The Article 29 working group on transparency under Regulation EU 2016/679
according to its guidelines (WP260), information is easily accessible if the person concerned
you don't have to search for the information; it must be immediately visible to him that the information
where and how it can be reached, for example by providing information directly, to the data subjects
directing to information or clearly marking the path leading to information. The
according to point 11 of the guideline, those data controllers who have a website know that
make information about data management easily accessible, if it is on their website
are made accessible. Direct to this data protection declaration, information
link must be clearly visible on all pages of the website.
(129) Respondent 1 did not post detailed information on camera data management on its website
information, as well as information related to data management, was not separated by it
from GTC, i.e. did not draw the attention of hotel guests or potential hotel guests to the
on the website that a camera surveillance system is operating in the area [of the accommodation], that a
can already count on data management when booking, and that hotel guests need
in the event that the staff of the accommodation can easily obtain information about data management
without involving. In addition, Respondent 1 did not have an easy time at the accommodation
made the information about camera data management available, did not post it, or
placed one copy of each in the rooms, i.e. in the absence of active behavior of the affected person
the essential elements of data management were not available to those concerned. Based on this, the
Authority states that it is related to data management, according to Article 13 of the GDPR
Respondent 1 did not make information easily accessible to any person concerned,
thereby violating Article 12 (1) of the GDPR.
(130) The Authority also notes that the Guidelines per se apply to camera data management
does not consider the posting of warning signs to be a sufficient measure, if the additional
does not contain minimum information: identity of data controller, purpose of data processing, rights of data subjects,
information about the biggest effects of data management, e.g. data controller for data management
its legitimate interest. It must also include the availability of the complete prospectus. On this
the signs posted by Respondent 1 did not meet this requirement.
(131) Respondent 1 does not have a separate data management information sheet for camera data management
information regarding its circumstances is contained in the camera regulations
According to Respondent 1's statement dated December 2, 2022. The camera policy is
In connection with data management, there is also a lot of wrong or difficult to interpret information
contain. On the one hand, text formulation and accurate knowledge of camera images
in the absence of 3.1. The figure placed in point is not suitable for the people concerned
get to know the scope of data management and the viewing angle of the cameras, on the one hand, its small size
29, on the other hand, because the function of the rooms was not indicated on the drawing. The policy
on the other hand, it does not mention that the cameras marked in blue - these are the cameras that
In December 2021 and June 2022, according to the statements of Respondent 1, not yet
were put into operation, while they were already being installed when the second declaration was made
were installed and operated - what the stakeholders need to know.
(132) In relation to the scope of data management, neither the camera regulations nor the posted signs
they provide information that the cameras also record sound, which is part of the data management
a very significant, not-to-be-ignored circumstance, to which, moreover, the affected parties
they could not reasonably count, since there is no particularly clear reason which
would support the need for audio recording and the general practice of data controllers
in case of operation of cameras, that they do not record sound.
(133) In point 4 of the camera regulations, Respondent 1 stated that "The cameras
in monitored areas, the purpose of camera surveillance is with less restrictive measures
was not available.", even though Respondent 1 did not carry out the consideration of interests at all
separately in relation to the camera, on the other hand, on the merits according to the weighing of interests test
it did not even examine the possibility of alternative solutions, i.e. data management
it gave incorrect information regarding its inevitability and its proportionality
to those concerned.
(134) The 4.2. point, it is also mentioned that the duration of data management is required by law
adjusts, and then further refers to point 6, according to which the recorded recordings are not used
store it for up to 3 days and the recordings are automatically deleted on the 3rd day. On the one hand,
of 2005 on personal and property protection and the rules of private detective activity.
year CXXXIII. the rule of the law - 31/A. Section (2) - which was determined in 3 working days
and the duration of storage of camera recordings, expired on April 26, 2019,
i.e. wrongly informed those concerned about the duration of the storage of the camera recordings
determined by law. On the other hand, contrary to what was stated in the information sheet, he did not
measures to ensure that camera recordings are deleted within 3 days, a
cameras have large SD cards - 32 and 128 GB - and the review
according to his testimony, the recordings were available 15-19 days ago.
(135) The Authority further notes that in the camera regulations, the Authority until September 1, 2020
valid contact information has been indicated, although the regulations came into effect on July 1, 2021
into force.
(136) Based on all of this, the Authority concludes that Respondent 1 violated Article 13 of the GDPR
Paragraphs (1)-(2), since the camera regulations, which also serve as information, incorrectly, or
misleadingly informed those concerned about the handling of their personal data.
IV.5. Obligation to cooperate with the Authority
(137) According to Article 31 of the GDPR, the data controller, in the course of carrying out his duties, shall communicate with the supervisory authority
- based on its inquiry - cooperates.
30(138) According to the Authority, Respondent 1 did not cooperate with the Authority during the procedure
provided untrue, incorrect or incomplete information to the extent necessary, in several cases a
For inquiries from the authority as follows.
(139) Respondent 1 stated in his statement dated December 2, 2021 that July 2021
The recording made on the 26th, which was affected by the Applicant's request, is not available to you, and then that
nevertheless sent it to the Police Department on January 4, 2022, and presented the technical
as an expert on March 1, 2022. When the Authority asked about this contradiction,
Respondent 1's legal representative stated that Respondent 1 made a false statement, which
explained that the video was no longer available on the camera software because the SD
the recordings are automatically deleted from the card, however, the recording is expressed by the police
was saved at his request, and presumably about this saving, the manager of the Respondent a
he forgot when making the statement. In this case, according to the Authority's opinion, at the latest
On January 4, 2022, you should have noticed that the recording was still available to you, and that
then he should have sent it to the Authority. In contrast, his statement is not
amended, the recording was not released by the Authority's order, which the Authority finally a
he obtained a recording from the Police Department, which recording was requested by the Applicant
was of particular importance from the point of view, since without it the Authority would not have been able to
without a doubt, make sure of the camera's setting and angle of view.
(140) On December 2, 2021, Respondent 1 stated that the cameras marked in blue on the floor plan
they are not working yet, they are only planning to put them into operation. On May 17, 2022, in its order a
The authority asked whether the planned cameras had been put into operation
Respondent 1 received a negative response on June 7, 2022. In contrast, Respondent 1
to the same statement he has already attached photographs based on which
it could be established that the planned cameras were installed on the property, which a
were already in operation at the time of the inspection, i.e. Respondent 1 did not provide complete information
about the data management carried out by him at the request of the Authority.
(141) Respondent 1 also gave evasive answers to a number of the Authority's questions, e.g. what kind of
classification system requires the operation of a camera system for accommodation facilities
according to his point of view. He also did not inform the Authority that it was sold by Respondent 2
property on which [the accommodation] is located, although he was aware that in the proceedings
Respondent 2 is also a customer.
(142) Based on these, the Authority concludes that Respondent 1 violated Article 31 of the GDPR.
(143) In its order dated November 8, 2022, the Authority imposed a procedural fine on Applicant 1,
because, despite a second invitation, he did not provide information that during the period under review,
How many people stayed [at the accommodation] between July 2021 and October 2022, in the absence of
the Authority was unable to determine the number of those affected. As a result, the Authority on this
evaluates the behavior as contrary to Article 31 of the GDPR, however, during the imposition of the fine, it already
does not take into account the fact that he was sanctioned earlier during the procedure.
IV.6. Assessment of the Applicant's request
(144) In its application for the data protection authority procedure, the Applicant requested that the Authority establish
and that the cameras installed and operated by the Applicants at [accommodation] are illegal
They carry out 31 data management. He requested that, for this reason, he prohibit the access to the Applicant's property
the continuation of surveillance with a camera, the recording of the observed and order it
termination, as well as the destruction of illegally made recordings, and also prohibit it
enjoin the Respondents from further infringement and enjoin the Respondents, as well as impose
out data protection fine.
(145) The on-site inspection conducted by the Authority on July 5, 2022 without prior notification
established that at the time of the inspection the cameras of both camera systems were as such
setting that they were not suitable for the Applicant's property, the applicant and his family
to monitor your activities on the property. The Applicant is dated July 11, 2022
in response to his statement, the Authority considers it necessary to point out that the 1. no. camera system
4.'s camera - as it was already recorded earlier in the factual part of the decision
– is not suitable for monitoring the Applicant's property, only the
The property used by applicant 1 and the row of fences between the two fences can be seen.
(146) The recording related to the damage to the fence can be found in no. 2. belonging to a camera system, a
on the terrace, it was recorded by the camera placed above the jacuzzi, which on July 26, 2021
according to the available recordings, it was determined that the Applicant was suitable
his property, to observe the activities there, as the two fell into his field of vision
fence separating the plot, as well as a small part of the Applicant's garden with the willow tree and Lake Balaton.
(147) According to Respondent 1, the monitoring of the Applicant's property with a camera,
and the legal basis for recording what happened there (audio and image recording) is Article 6 (1) of the GDPR
he had a legitimate interest according to paragraph f), which is his property, or Respondent 2
related to the protection of his property. He further explained that, in his opinion, the Applicant
monitoring of his property did not reach the required level, since on July 26, 2021
the camera did not record the events that took place in a way that left no doubt
to determine whether the Applicant's husband damaged the fence or the fence
its concrete element cracked due to a construction error.
(148) The Authority does not share the position of Respondent 1. According to the position of the Authority, a
it is considered a serious interference with private life if someone destroys another person's property,
continuously monitors your movements and activities on the property. Camera surveillance
only in the rarest of cases can it extend beyond the boundary of its own property, and in such cases it is
legitimate interest in data management and the restriction of rights implemented on the basis thereof
it must be proportionate to the objective to be achieved.
(149) According to the Authority's point of view, the continuous monitoring of a part of the Applicant's property, a
Recording the movements, activities and conversations of the applicant and his family there -
with particular regard to the fact that it is a property on the shores of Lake Balaton, i.e. the Applicant and
her family is likely to be there often in bathing suits, as on July 26, 2021
it was also done in the recording - it cannot be considered proportionate as indicated by the Applicant 1
for property protection purposes. The circumstance to be taken into account in relation to the proportionality of data management is
also that the Applicant and his family did not know that Applicant 1
equipped camera is also partly aimed at the area of their property, which is obviously recreational
purposes are used. Information referred to by Respondent 1, of which audio recording
32 is attached, even though it cannot be considered adequate information, since it is another, no. 1.
related to a camera belonging to a camera system, or the appropriate information in itself
nor would it make the data processing carried out by Respondent 1 legal.
(150) During the procedure, Respondent 1 attached a general interest assessment test, which
however, it only covered the data management carried out in the hotel area - not enough for that
with detail - it is not mentioned that the camera surveillance covers a
Also for the applicant's property. As Respondent 1 admitted, on camera
implemented data management was not suitable for achieving the goal, it did not serve a clear purpose
as evidence in infringement and then criminal proceedings regarding vandalism. THE
However, the authority does not draw the same conclusion from this as Respondent 1, that a
the level of monitoring was too low, but that the data management was not suitable for the purpose
access, and was also disproportionately limited by the personal data of the Applicant and his family
their right to protection and to the inviolability of their private sphere.
(151) Based on all of this, the Authority concludes that Respondent 1 unlawfully observed the
Applicant's property and unlawfully handled the personal data of the Applicant and his family,
thereby violating Article 6 (1) of the GDPR.
(152) In its application, the Applicant requested that the Authority oblige the Respondents to unlawfully
to delete recorded recordings. The Authority is only aware of one recording
on which the Applicant appears, and this was taken at the fence on July 26, 2021
camera recording, which he initiated as evidence for the vandalism
used in criminal proceedings. For this use, according to the Authority's opinion
Respondent 1 had a legitimate interest, as the admission was for the enforcement of his legal requirements and
it was used for the purpose of protection, which is a legitimate interest also named by the GDPR. The vandalism
in the meantime, the infringement or criminal proceedings initiated due to the Police Department have been completed
terminated the procedure in the absence of a crime, and Respondent 2 was aggrieved by the decision
against which he had no legal recourse. Consequently, the procedures in which the recording
were used as evidence, they are no longer used in the present proceedings
He requested, but the Police Department made the recording available to the Authority, that
Respondent 1 did not attach it as evidence to the Authority's request. As a result, the
Authority states that since the procedures where Applicant 1 as evidence
used the recording depicting the Applicant and his family members, they have been legally terminated, so it is
the purpose of data management has ceased, the legitimate interest in data management no longer exists.
(153) According to the statement of Respondent 1, the representation of the Applicant was carried out accordingly
to delete camera recordings.
IV.6. The Applicant's request for the imposition of a fine
(154) The Authority rejects the Applicant's request for the imposition of a data protection fine, as this
the application of a legal consequence does not directly affect the rights or legitimate interests of the Applicant,
such a decision of the Authority does not create any right or obligation for him, as a result
with regard to the application of this legal consequence falling within the scope of public interest enforcement - a
regarding the imposition of fines - the Applicant is not considered a customer under Art. Section 10 (1)
33, so there is no place to submit an application in this regard, the submission is based on this
part cannot be interpreted as a request.
IV.7. Motions for Evidence
(155) In the Applicant's submission to the Authority on December 8, 2022, a large number
made a comment and motion for evidence.
(156) The Applicant made a motion for proof that the Authority should contact […]
Police Department, and obtain by the executive of Respondent 1 on March 30, 2021 the
the document of her report against her husband, as well as the report of the arriving police officers
about on-site action. He considered this necessary in order to provide support
avoid that the camera systems operated by Respondent 1 during this period
cameras were set up in such a way that they were suitable for public areas
for observation. According to the Authority's point of view, this evidentiary motion is so hypothetical
refers to illegal behavior which, based on the Applicant's request, did not occur before
the subject of the procedure, and the submission of a motion for proof in itself cannot be considered a request
extension, and the Applicant did not make it likely that this data management
in respect of which he is considered to be affected, only during the conversation referred to by him
statements that her husband can be seen in the broadcast image of a camera.
(157) In addition, the Authority ex officio fully examined the
The data processing carried out by means of camera systems operated by Respondent 1 was examined
period, an on-site inspection was conducted in the case, the facts are the request
revealed to the extent necessary for assessment and decision-making. The position of the Authority
taking into account the findings made above and the provisions of the statutory part,
there is no need to contact the […] Police Department, thus this evidence motion
ignores.
(158) As an additional motion for evidence, the applicant requested that the Authority make new statements
obtain from Respondent 1 in relation to the audio recording you have attached for the purpose of
certifies that the Applicant has been informed about the operation of the camera system, and a
In relation to Respondent 1's claim that the fence is not on the real plot boundary. The Authority a
in terms of clarifying the facts, Respondent 1 does not consider this necessary
his statement in the questions given that he did not accept it in the attached audio recording
audible conversation as adequate information about data management, nor the Respondent 1
did not support his argument regarding the plot boundary, so these statements are further
the examination of his circumstances would only hinder the completion of the procedure, the disclosure of the facts
and they are not important from the point of view of
(159) The Applicant also initiated as a proof motion that the Authority is newer
invites Respondent 1 to make a statement in No. 2 for camera system recordings
regarding access. According to the Authority's point of view, not for the assessment of the Applicant's request
it is necessary for the Authority to accurately reveal to the minute that the applicant's 1 manager and
where was the store manager on July 26, 2021, the recording he objected to was completed,
rescue or at the time of the police's arrival, since the violation is in the absence of knowledge of these
could also be established, and during the procedure, no information regarding
that the camera footage taken on July 26, 2021 was illegally accessed by a third party
person, so the Authority does not consider it necessary to investigate these circumstances. The Applicant
furthermore, he also made a motion to clarify circumstances that the Authority considers him to be
already revealed during the evidentiary procedure, and about which the Applicant was informed
within the framework of ensuring the right to inspect documents, e.g. which camera made the objectionable recording,
34 which part of the fence was visible in the recording, was it recorded, when did you attach the
recording in criminal proceedings, etc.
(160) The Applicant also requested the Authority that the site plan attached by Applicant 1 and the
based on a photo taken by him earlier from a camera installed on the side of [the accommodation].
determine the previous angle of view of this camera and the extent to which this camera was
suitable for monitoring his property. According to the Authority's point of view, this is evidential
motion is, on the one hand, unfulfillable, and, on the other hand, significant from the point of view of the Applicant's request
does not hold, the legal consequences requested by him are the 1. for camera system CH4
Even in the absence of knowledge of his "previous" angle of vision, they were revealed during the procedure
based on other evidence.
(161) The requirement that the factual situation is well-founded in official cases does not mean that it is
the acting authority must establish all the circumstances of the case step by step. THE
The authority is only obliged to reveal the facts to the extent necessary for decision-making. THE
the facts could be established in sufficient depth, the additional proposed by the Applicant
even without proof, and based on the established facts, the Applicant's requests can be assessed
they were.
(162) On the basis of the above, the Authority conducts the proof according to the evidentiary motions
ignores. In this round, the Authority based on the evidence at its disposal, the facts
sufficiently revealed, and his obligation to clarify the facts is not unlimited.
IV.8. Legal consequences, decision on the application
(163) At the request of the Applicant, the Authority determines that Respondent 1 unlawfully observed
a part of the Applicant's property and thus unlawfully handled by the Applicant personally
data, thereby violating Article 6 (1) of the GDPR. Due to the violation, the Authority is the GDPR
Based on Article 58, paragraph (2), point b) it convicts Respondent 1.
(164) The Authority rejected the Applicant's request to prohibit Respondent 2 from
the continuation of camera surveillance on your property and order its termination,
rejects, given that the camera has 26 July 2021 and 2 December 2021
made a modification between
it includes the property of the Applicant.
(165) The Authority granted the Applicant's request in accordance with Article 58(2)(f) of the GDPR
prohibits Respondent 1 from operating a camera system in the future in such a way that
in the process observe the Applicant's property and thus unlawfully treat the Applicant and
your family's personal information.
(166) The Authority ex officio finds that Respondent 1 is unlawful, Article 6 (1) of the GDPR
conducts data management in conflict with paragraph 2 of Art. camera system jacuzzi, restaurant and the interior
by its cameras monitoring the yard.
(167) The Authority finds ex officio that Respondent 1 violated Article 5 (1) of the GDPR
the principle of limited storability according to paragraph e).
35(168) The Authority ex officio finds that Respondent 1 violated Article 12 (1) of the GDPR
paragraph, as the information regarding camera data management was not provided by the data subjects
easily accessible to him.
(169) The Authority finds ex officio that Respondent 1 violated Article 13 of the GDPR when
did not provide adequate information about the data management carried out through the camera system.
(170) The Authority ex officio, on the basis of Article 58 (2) point f) of the GDPR, prohibits Respondent 1
for him, the dining room, the panoramic jacuzzi, and the inner courtyard are for relaxation
parts, such as the jacuzzi and the hot tub, through the camera system, as well as from the yard
the observation of the opening doors of apartments and the area for rest in front of them and
orders the decommissioning of the cameras directed at them.
According to the Authority's point of view, the camera system in relation to the above areas
Unlawful data processing that takes place cannot be remedied in any other way, it is personal to those concerned
their right to data protection cannot be ensured in any other way. According to the Authority, there is none
nor can a legitimate interest be shown on the data controller's side that would support and
would justify the monitoring of the guests through a camera system and their personal data
treatment in rooms for recreation and relaxation, where their expectations are reasonable
otherwise they would not be able to be monitored - their personal data would not be processed -
thus in the dining room, at the panoramic jacuzzi and in the relaxation areas of the inner courtyard.
(171) The Authority ex officio, Article 58 (2) point d) of the GDPR and Infotv. Section 61, paragraph (1).
on the basis of point a) is ordered by no. 2 camera system monitoring the jacuzzi, restaurant and the inner courtyard
the deletion of all recordings recorded by its cameras, given that they were made by the
according to the provisions of this decision, it took place illegally.
(172) The Authority ex officio instructs Respondent 1, based on point d) of Article 58 (2) of the GDPR,
to transform its information practices related to camera data management in a way that
that it fully complies with Article 12 (1) of the GDPR and Article 13 of the GDPR.
article, and take it into account when developing the information practice
Regarding the guidelines and the accessibility of the information referred to in the Decision,
WP260. working group opinion no.
(173) The Authority examined ex officio whether due to the established violations, the
Imposition of a data protection fine against Respondent 1.
(174) In this context, the Authority is required by Article 83 (2) of the General Data Protection Regulation and Infotv.
75/A. considered all the circumstances of the case based on §. Given the circumstances of the case, it is
to the nature of data management, therefore the Authority established that it was revealed during this procedure
in case of violation, the warning is neither a proportionate nor a dissuasive sanction, therefore
it is necessary to impose a fine on the basis of Article 58 (2) point (i) of the GDPR.
(175) The violations committed by Respondent 1 are Article 83 (5) of the General Data Protection Regulation
According to points a) and b) of paragraph 1, the category of fines with a higher amount is more serious
constitute a violation of law, not including the violation of Article 31 of the GDPR. With attention to
36 Article 83 (3) of the GDPR, based on the nature of the violations, the maximum fine that can be imposed
limit is 20,000,000 based on Article 83 (5) points a) and b) of the General Data Protection Regulation
EUR, or a maximum of 4% of the total world market turnover of the previous financial year.
(176) According to Respondent 1's balance sheet for the year 2021, the net sales revenue was HUF […],
the amount of the imposed fine is […] % of the net sales of Respondent 1.
(177) During the imposition of fines, the Authority assessed the following circumstances as aggravating circumstances:
• Violations committed by Respondent 1 - excluding Article 31 of the GDPR
violation - in terms of their nature, they are considered a more serious violation, since
Requested 1 principle, related to the legality of data management (legal basis) and affected
violated provisions on rights [GDPR Article 83 (1) point a)];
• Implemented by Respondent 1 by operating camera system No. 2
violations persisted for a long time, more than a year - on July 27, 2021
definitely carried out illegal data processing - and also at the time of the decision
exist [83. Article (2) point a)];
• According to the statement of Respondent 1, approximately 1,300 in the examined period
stayed [at the accommodation], i.e. the number of people affected can be considered high. The examined
period, the number of hotel guests could not be precisely determined
to the fact that data can only be retrieved from NTAK going back one year, while IFA
on the declaration forms, the number of guest nights, not the
number of guests will be registered. That is, the number of those affected is only approximate,
the registered guest nights and the average days spent [at the accommodation].
could be determined as a quotient. [83. Article (2) point a)];
• The voice and likeness of the persons concerned due to the nature of the data processing carried out
does not constitute a special category of personal data, however, for the jacuzzi and the interior
in the field of view of the camera, the hotel guests are regularly in bathing suits
are staying, and the Applicant is also wearing a bathing suit made for him
on camera. According to the Authority's point of view, it is more harmful to those concerned
data management through the camera system results in a situation, if not in the recordings
in general street clothes, but in more incomplete clothes, such as in a bathing suit
are included. Use of the jacuzzi based on the recordings of the camera located at the jacuzzi
several guests took off their bathing suits during
a camera shot of another guest without a top and without swimming trunks, or more
the camera recorded the party in an intimate position. According to the Authority's point of view, the
personal data recorded by a camera placed at the jacuzzi
its illegal handling has greater material weight. [GDPR Article 83(2)(a)].
(178) During the imposition of the fine, the Authority assessed the following circumstances as mitigating circumstances:
• the sign of the area monitored by the camera has been placed at the jacuzzi, so if the recordings
not to record it, but those concerned could count on camera data management, and it is
those involved were also involved in the fact that they were photographed without swimwear
camera recordings [GDPR Article 83(2)(k)];
37 • the established violations can be considered negligent in nature, the Authority on intentionality
no suggestive circumstance was revealed during the official data protection procedure [GDPR Article 83 (2)
paragraph b)];
• Respondent 1 has not previously committed a data protection matter under the scope of the GDPR
breach of law [GDPR Article 83(2)(e)];
• during the procedure, Respondent 1 canceled the audio recording by means of cameras
Regarding the cameras of camera system No. 2 [GDPR Article 83 (2) f)
point];
• the Authority exceeded Infotv during the procedure. 60/A. Administrative according to paragraph (1) of §
deadline [GDPR Article 83 (2) k)].
(179) The Authority also took it into account - but not as a mitigating or aggravating circumstance
understood - that the established data protection violations do not affect personal data
special category [GDPR Article 83 (2) point (g)].
(180) The Authority did not consider the general data protection regulation relevant when imposing the fine
circumstances according to points c, d, h, i, j of Article 83 paragraph (2), since they are specific to the case
cannot be interpreted in connection with
(181) The amount of the fine was determined by the Authority acting within its statutory discretion
yes.
(182) On the basis of the above, the Authority made a decision in accordance with the statutory part.
A. Other questions
(183) The competence of the Authority is defined by Infotv. Paragraphs (2) and (2a) of § 38 define it, and its competence is
covers the entire territory of the country.
(184) The decision in Art. 80-81 § and Infotv. It is based on paragraph (1) of § 61. The decision is in Art.
Based on § 82, paragraph (1), it becomes final upon its publication.
(185) The Art. § 112, and § 116, paragraph (1), and § 114, paragraph (1) with the decision
on the other hand, there is room for legal redress through a public administrative lawsuit.
(186) The rules of administrative proceedings are laid down in Act I of 2017 on Administrative Procedures (the
hereinafter: Kp.) is defined. The Kp. Based on § 12, paragraph (1), by decision of the Authority
the administrative lawsuit against falls within the jurisdiction of the court, the lawsuit is referred to in the Kp. Section 13, paragraph (3).
Based on point a) subpoint aa), the Metropolitan Court is exclusively competent. The Kp. Section 27 (1)
legal representation in a lawsuit within the jurisdiction of the court based on paragraph b).
obligatory. The Kp. According to paragraph (6) of § 39, the submission of the claim is administrative
does not have the effect of postponing the entry into force of the act.
38(187) Kp. Paragraph (1) of § 29 and, in view of this, Pp. According to § 604, the electronic one is applicable
CCXXII of 2015 on the general rules of administration and trust services. law (a
hereinafter: E-administration act) according to § 9, paragraph (1), point b) of the customer's legal representative
obliged to maintain electronic contact.
(188) The time and place of filing the statement of claim is specified in Kp. It is defined by § 39, paragraph (1). THE
information on the possibility of a request to hold a hearing in Kp. Paragraphs (1)-(2) of § 77
is based on. The amount of the fee for the administrative lawsuit is determined by Act XCIII of 1990 on fees. law
(hereinafter: Itv.) 45/A. Section (1) defines. From the advance payment of the fee
the Itv. Paragraph (1) of § 59 and point h) of § 62 (1) exempt the person initiating the procedure
half.
Budapest, December 21, 2022.
Dr. Attila Péterfalvi
president
c. professor
39
