NAIH (Hungary) - NAIH-924-10/2021

Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 5(1)(d) GDPR
Article 6(1) GDPR
Article 12 GDPR
Article 17(1)(d) GDPR
Article 25(2) GDPR
Article 58(2)(d) GDPR
Type: Complaint
Outcome: Partly Upheld
Started:
Decided: 18.06.2021
Published:
Fine: 10,000,000 HUF
Parties: Magyar Telekom Nyrt
National Case Number/Name: NAIH-924-10/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Hungarian
Original Source: Decision Nr. NAIH-924-10/2021 (in HU)
Initial Contributor: n/a

The Hungarian DPA fined a telecommunications company €28,000 (HUF 10,000,000) for sending unsolicited emails to a data subject, despite several requests that his email be deleted, and for making the process by which data subjects can unsubscribe from emails unnecessarily difficult.

English Summary

Facts

The complainant received unsolicited emails from the controller Magyar Telekom Plc., a Hungarian telecommunications company. After receiving these emails, the complainant asked the controller several times to delete his email address.

The controller continued to send unsolicited messages and required the complainant to register on its webpage to unsubscribe from its newsletter. However, the complainant was unable to unsubscribe from the newsletter, since the website asked for customer data that the complainant (not a customer of the company) could not provide.

The controller argued that the availability of the contact data of the complainant was an individual mistake due to an unknown third party providing their email address. It was therefore not caused by any inadequate internal policies or processes.

Holding

The Hungarian DPA found that the controller had not confirmed the entitlement of the third-party data provider to use the complainant's data. Moreover, it was the controller's decision to introduce unnecessary obstacles to unsubscribing from its newsletter. In this regard, the controller only deleted the email address after being informed about the DPA's investigation. The DPA held that the controller failed to implement measures to facilitate the exercise of data subject rights and fined it approximately €28,000 (10,000,000 HUF) for violating Articles 12(2) and 25(2) GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

 Case number: NAIH-924-10 / 2021 Subject: Decision
 Former Case NAIH / 2020/8890
 Clerk:

                                     DECISION



At the request of ………………………… (address: ………………………; postal address: ……………………………………………) (hereinafter: the Applicant), submitted on 18 December 2020, a data protection authority procedure was initiated before the National Data Protection and Freedom of Information Authority (hereinafter: the Authority) against Magyar Telekom Plc. (registered office: 1097 Budapest, Könyves Kálmán körút 36.) (hereinafter: the Requested) concerning the unlawful processing of personal data. In the data protection authority procedure, the Authority takes the following decisions:


1. The Authority rejects the Applicant's request that the Requested be ordered to delete the Applicant's email address, because it has become impossible.

2. The Authority establishes of its own motion that the Requested has infringed, with regard to the Applicant, Article 5 (1) (d), Article 6 (1), Article 12 (2), (3) and (4) and Article 17 (1) of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the General Data Protection Regulation), and that the general practice of the Requested in relation to the above data processing violates Articles 12 (2) and 25 (2) of the General Data Protection Regulation.


3. Pursuant to Article 58 (2) (d) of the General Data Protection Regulation, the Authority ex officio instructs the Requested to change its data management practices so that, regardless of customer status, the exercise of data subject rights is not made subject by default to any additional condition which is not necessary to assess the admissibility of the request and which unlawfully restricts the possibility for the data subject to exercise his or her rights, in particular with regard to contact email addresses.

4. The Authority, of its own motion, obliges the Requested to pay a data protection fine of HUF 10,000,000, i.e. HUF ten million.

The Debtor must certify in writing to the Authority, within 30 days of the date on which this decision becomes final, the fulfillment of the obligation provided for in point 3.

The fine referred to in point 4 must be paid within 30 days of the date on which this decision becomes final to the Authority's centralized revenue collection target forint account (10032000-01040425-00000000 Centralized direct debit account IBAN: HU83 1003 2000 0104 0425 0000 0000). When transferring the amount, "NAIH-924/2021 JUDGMENT." should be referred to.

If the Debtor fails to meet its obligation to pay the fine within the time limit, it is obliged to pay a late payment penalty. The rate of the late payment penalty is the statutory interest, which is equal to the central bank base rate valid on the first day of the calendar half-year affected by the delay.

In the event of failure to pay the fine and the late payment penalty, or to fulfil the obligation under point 3 above, the Authority shall order the enforcement of the decision.


There is no administrative remedy against this decision, but it can be challenged in an administrative lawsuit by an application addressed to the Metropolitan Court within 30 days of notification. The application must be submitted electronically to the Authority, which forwards it to the court together with the case documents. A hearing may be requested in the application. For those who do not benefit from full personal exemption from fees, the fee for the administrative lawsuit is HUF 30,000, subject to the right to record material duty. Legal representation is obligatory in proceedings before the Metropolitan Court.


Pursuant to Section 61 (2) (c) of Act CXII of 2011 on the right to informational self-determination and freedom of information (hereinafter: the Information Act), the Authority publishes the decision on the Authority's website with the Applicant's identification data anonymised.


                                        EXPLANATORY STATEMENT


I. Establishment of the facts and procedure

I.1. Facts

On 18 December 2020, the Applicant submitted an application to the Authority, in which he stated that on 13 November 2020 he received an unsolicited e-mail from the Requested at his ……………………… email account, presumably because a third party had incorrectly entered the address ………………………… (which the Gmail service treats as identical to every variant in which the characters before the @ sign are separated by dots). For this reason, on 13 November 2020 the Applicant sent a request regarding the email address ………………………… .. to the email address ugyfelszolgalat@telekom.hu, asking for the deletion of the email address owned by him and indicating that he is not a customer of the Requested.

Because he again received unsolicited emails from the Requested on 17 November 2020 and 24 November 2020, and because on 20 November 2020 the Requested replied with a template message containing a newsletter unsubscribe link that requires login, the Applicant reiterated his request on 24 November 2020, asking for confirmation of the deletion and again indicating that he does not want to unsubscribe from the newsletter but requests the complete deletion of the email address.

Subsequently, on 8 December 2020, the Applicant again received an unsolicited e-mail from the Requested, and on 11 December 2020 he again asked for the deletion of his email address. In response he received a reply repeating the earlier information about unsubscribing from the newsletter. In his reply to Information No. …………………………………, the Applicant indicated that the unsubscribe link redirects to a login page where, not being a customer, he cannot proceed. The Requested's customer service response of 12 December 2020 again recommended unsubscribing as a solution, claiming that it is not necessary to log in when using the link in the unsolicited email.


Following the submission of the application, on 15 January 2021, the Applicant again received an unsolicited newsletter from the Requested. The Authority examined the email unsubscribe links sent by the Applicant and found that they redirect not to an unsubscribe page but to a login page (https://www.telekom.hu/telekomfiok/belepes?0&successUrl=/telekomfiok/telekom-profil).

  I.2. Procedure

  In his application submitted to the Authority on 18 December 2020, the Applicant initiated a data protection authority procedure and requested that the Requested be ordered to delete the above e-mail address.

  The Authority asked the following questions to clarify the facts:

 (i) For what reason did the Requested fail to comply with the data subject's requests of 13 November 2020, 24 November 2020 and 11 December 2020 for deletion of the email address?

 (ii) Which organizational unit is responsible for considering the above request submitted on 11 December 2020? Support your answer with regulations!

(iii) On what basis was unsubscribing proposed instead of deletion, and how are deletion and unsubscribing differentiated in practice? Support your answer with regulations!

(iv) For what reason does the unsubscribe link in the emails sent to the Applicant not work, and why does it redirect to a login page?

 (v) In which databases is the e-mail address of the Applicant to be deleted held, and which organizational and logical methods ensure that, in the event of a deletion request, the email address is deleted from each of them, including, for gmail.com domain addresses, the similar addresses that are variations differing only in the position or absence of a dot? Support your answer with regulations!

(vi) In the course of a data protection authority proceeding, if the Authority finds an infringement it may impose a data protection fine ex officio; therefore present all relevant facts and circumstances which may be relevant to the possible imposition of a fine, including the value of your total annual worldwide turnover, supported by your most recently published accounts!


  In response to the Authority's request, the Requested made the following statements in its letter received on 19 February 2021:

     (i) The address ……………………… .. was entered incorrectly by one of its customers as their own electronic contact address. For this reason, newsletters sent to this email address did not contain an unsubscribe link that can be used by anyone, but an unsubscribe link tied to the account, which leads to the unsubscribe interface within the account after mandatory login, so it can only be used by the subscriber to unsubscribe.

     (ii) Within customer service, a special matters group deals with requests under the General Data Protection Regulation.

     (iii) Its administrator did not recognize that in the present case it was not one of its customers who needed technical assistance, as the email address was the same as a customer email address, and therefore did not forward the Applicant's requests to the special matters group.

     (iv) The special matters group is aware of the peculiarity of the Gmail service detailed above, namely that the ……………………………. email addresses belong to the same account, and responds to the requests of data subjects accordingly.

     (v) The erasure requested by the Applicant was carried out after the request of the Authority.

     (vi) According to the Requested, neither the incorrect data entry of the third-party customer nor the specifics of the Gmail mail system are the responsibility of the Requested, so they may not be assessed to the detriment of the Requested.

     (vii) The Requested supplemented its internal administrator's manual to place even greater emphasis on the proper handling of deletion and other data protection requests, and is examining the possibility of further steps.

     (viii) In the opinion of the Requested, the inconvenience experienced by the Applicant is rooted in the incorrect data entry of the third-party customer and in the Gmail mail system, over which the Requested has no influence; it is not aware that the problem would affect any other person, and the Applicant did not suffer any financial or legal disadvantage.

CL of the Authority on General Administrative Procedure 2016. Act (hereinafter: Act)
76. The Applicant requested access to the file, of which the Authority separately

order. Furthermore, the Applicant stated that on 18 January 2021 and 2021.
received further emails from the Applicant on 19 January, not thereafter.

Pursuant to Section 76 of the Ákr., on 25 March 2021 the Authority invited the Requested to submit comments and make a statement in connection with the present proceedings and with cases NAIH/2018/4939/V, NAIH/2019/192, NAIH/2019/5205, NAIH/2020/4999 and NAIH/2020/6469, which are to be taken into account ex officio in the present proceedings.


The Authority Ákr. Upon request pursuant to Section 76, the Applicant shall history detailed in point
In those cases, it stated that they made a significant difference to the present case
compared to the fact that the circle of stakeholders is different, the recording of incorrect contact details can be due to other reasons
and various stakeholder rights have been enforced in the cases. According to his statement
in isolated, individual cases, an error occurred that the complainants did not know about
enforce their needs.


The Applicant will also take the individual into account when modifying its internal book (Magic Book)
experience, and the curriculum for customer service places a special emphasis on the stakeholder
exercise their rights. In cases of similarity, individual clerical errors are to be followed
was a deviation from the procedure for unauthorized data processing and the requests of the data subject did not
led to the proper settlement. According to the requested opinion in case NAIH / 2020/4999
official statement that “Based on the available information, it is not appropriate

the lack of technical, organizational measures allowed for prior procedures for consent
unauthorized modification of the data. " by managing the contributions of non-customer (non-subscriber) stakeholders
they can also be traced back to a non-systemic error.

Regarding the requirement of Telekom account registration in order to unsubscribe, the Requested stated that this is necessary because in some cases a contact detail may be linked to more than one person, so the appropriate subscription cannot be identified from the contact data alone; the identity of the subscriber also needs to be determined.

According to the Requested's statement, it continuously takes the steps it recognizes as necessary to eliminate and correct individual errors.


II. Background cases which may be relevant to the subject-matter of the present case ('the background cases')

II.1. NAIH / 2018/4939 / V

In investigation case NAIH/2018/4939/V, the complainant complained that a third-party customer had erroneously provided the complainant's mobile phone number as contact information when entering into a contract with the Requested, and that the Requested therefore repeatedly sent the complainant text messages and made unidentified calls in connection with the third party's contract. Despite the complainant's request, the Requested did not delete this contact detail and did not restrict its use. The Requested relied on an individual clerical error and stated that it had once again drawn the attention of its administrators to the proper handling of data subject requests in order to improve its procedure. As the Requested deleted the contact detail upon receipt of the Authority's fact-finding letter, it was not necessary to initiate official data protection proceedings, so the Authority closed the investigation and found that, by not complying with the deletion request earlier, the Requested had infringed Article 12 (2) to (4) and Article 17 (1) (d) of the General Data Protection Regulation.



II.2. NAIH / 2019/192

In investigation case NAIH / 2019/192, the complainant erred in concluding his contract online
recorded the complainant's statement concerning the marketing inquiries. The Requested
clerk erroneously informed the complainant that a signed statement was required for marketing

consent to change the terms of the email address for marketing purposes
cessation of treatment, which was excessive for the complainant, and in its absence
refused the complainant's request that his email address not be used for marketing purposes. The Authority
does not investigate the sending of unsolicited messages, the National Media and Communications Authority
authority, the Authority shall comply with the email address data management legislation and the general
examined the enforcement of data subjects' rights under the Data Protection Regulation. As the Requested
he stated (in retrospect not actually) that the marketing request for consent consent setting

canceled by the Authority upon receipt of a letter clarifying the facts, data protection authority proceedings
According to the information available, it was not necessary to initiate the procedure
terminated the investigation and found that, by failing to comply with the previous request, the
Applicant has infringed Article 5 (1) (d) of the General Data Protection Regulation
appropriate information in accordance with Article 13 of the General Data Protection Regulation
unjustified marketing for data purposes due to general data protection
Article 6 of the General Data Protection Regulation and that Articles 12 (2) and 24 of the General Data Protection Regulation
Pursuant to Article 1 (1), the controller is responsible for the adequacy of the data processing that the controller provides

under Article 5 (2) of the General Data Protection Regulation. THE
Applicant also informed the Authority that its systems were similar to the above
made changes from May 2018 to eliminate administrative errors.


II.3. NAIH / 2019/5205 (NAIH / 2020/2679)


The investigation case NAIH / 2019/5205 was initiated because II.2. in the case detailed in point
Despite the statement made by the Applicant, the Applicant again sent a marketing email to the II.2. complainant under point
email address, and the complainant found in his settings that the marketing consent was in place
marked, although the complainant did not change it. According to the Applicant's statement, the cause of the error is not
could not be saved in the previous case, probably due to an individual clerk error
indicated change in marketing settings. For this reason, the Applicant repeatedly took the a
marketing email address management and this can be done from your system at the request of the Authority

verified by screenshots. As the Applicant for the violation of the Authority, the facts are clarified
upon receipt of the letter, the data protection authority did not initiate proceedings
necessary, the Authority terminated the investigation and found that it was Applicant
repeatedly infringed Article 5 (1) (d) of the General Data Protection Regulation
appropriate information in accordance with Article 13 of the General Data Protection Regulation
unjustified marketing for data purposes due to general data protection
Article 6 of the General Data Protection Regulation and that Articles 12 (2) and 24 of the General Data Protection Regulation
Pursuant to Article 1 (1), the controller is responsible for the adequacy of the data processing that the controller provides
under Article 5 (2) of the General Data Protection Regulation.



II.4. NAIH / 2020/4999

Following the cases in points II.2 and II.3 above, in case NAIH/2020/4999 the Authority initiated an official inspection to verify the adequacy of the Requested's general practice regarding consents for direct marketing, in particular compliance with the requirements of Article 32 of the General Data Protection Regulation. The case did not reveal any fact or circumstance indicating a lack of measures at the Requested concerning the management of consents for direct marketing. Based on the available information, it was not the lack of appropriate technical and organizational measures that allowed the unwanted changes to consent data in the prior proceedings.



II.5. NAIH / 2020/1773

In consultation case NAIH/2020/1773, a data subject requested the Authority, pursuant to Article 57 (1) (e) of the General Data Protection Regulation, to inform him of the rights he may exercise if the Requested treats his e-mail address as if he were a customer, he receives unsolicited messages from the Requested referring to contracts which he has not concluded, and he cannot unsubscribe from these emails. The Authority informed the data subject of Article 17 of the General Data Protection Regulation and of the obligations under Article 12 (3) to (4) of the General Data Protection Regulation.


III. Applicable legal provisions

Pursuant to Article 2 (1) of the General Data Protection Regulation, the General Data Protection Regulation shall apply to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

Pursuant to Section 2 (2) of the Infotv., the General Data Protection Regulation shall apply with the additions set out in the provisions indicated therein.


Pursuant to Section 60 (1) of the Infotv., in order to enforce the right to the protection of personal data, the Authority shall initiate a data protection authority procedure at the request of the data subject and may initiate data protection authority proceedings ex officio.

Pursuant to Section 71 (2) of the Infotv., the Authority may use a document, data or other means of proof lawfully obtained in the course of its proceedings in another procedure.

Unless otherwise provided in the General Data Protection Regulation, the provisions of the Ákr. shall apply to data protection authority proceedings initiated upon request, with the exceptions specified in the Infotv.

Pursuant to Section 36 of the Ákr., the application is a written or personal statement of the client requesting the conduct of an official procedure or a decision of the authority in order to enforce his right or legitimate interest.

Pursuant to Section 60 (2) of the Infotv., an application for the initiation of data protection authority proceedings may be submitted, for data processing covered by the General Data Protection Regulation, in the case specified in Article 77 (1).

Pursuant to Article 77 (1) of the General Data Protection Regulation, every data subject has the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes the General Data Protection Regulation.


According to Article 5 (1) (d) of the General Data Protection Regulation, personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ("accuracy").

Pursuant to Article 6 (1) of the General Data Protection Regulation, the processing of personal data is lawful only if and to the extent that at least one of the following applies:
   (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
   (b) processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;
   (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
   (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
   (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
   (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

According to Article 12 (2) of the General Data Protection Regulation, the controller shall facilitate the exercise of data subject rights under Articles 15 to 22.

According to Article 12 (3) of the General Data Protection Regulation, the controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

According to Article 12 (3) of the General Data Protection Regulation, if the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Pursuant to Article 17 (1) (d) of the General Data Protection Regulation, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller is obliged to erase personal data concerning the data subject without undue delay if the personal data have been unlawfully processed.

According to Article 25 (2) of the General Data Protection Regulation, the controller shall implement appropriate technical and organizational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed. This obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures must ensure that, by default, personal data are not made accessible to an indefinite number of persons without the intervention of the natural person.

According to Article 57 (1) (a) of the General Data Protection Regulation, without prejudice to the other tasks set out in the General Data Protection Regulation, the supervisory authority shall, on its territory, monitor and enforce the application of the General Data Protection Regulation.

Pursuant to Article 58 (2) of the General Data Protection Regulation, the supervisory authority, acting within its corrective powers, may:

   (a) warn the controller or processor that intended processing operations are likely to infringe the provisions of this Regulation;

   (b) reprimand the controller or the processor where processing operations have infringed the provisions of this Regulation;

   (c) order the controller or the processor to comply with the data subject's requests to exercise his or her rights under this Regulation;

   (d) order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;

   (e) order the controller to communicate the personal data breach to the data subject;

   (f) impose a temporary or definitive limitation on processing, including a ban on processing;

   (g) order the rectification or erasure of personal data or the restriction of processing in accordance with Articles 16, 17 and 18, and order the notification of such actions to the recipients to whom the personal data have been disclosed, in accordance with Article 17 (2) and Article 19;

   (h) withdraw a certification or order the certification body to withdraw a certification issued in accordance with Articles 42 and 43, or order the certification body not to issue the certification if the requirements for certification are not or are no longer met;

   (i) impose an administrative fine in accordance with Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the circumstances of the case; and

   (j) order the suspension of data flows to a recipient in a third country or to an international organization.

According to Article 83 (1) of the General Data Protection Regulation, each supervisory authority shall ensure that the administrative fines imposed for infringements of the General Data Protection Regulation referred to in Article 83 (4), (5) and (6) are in each case effective, proportionate and dissuasive.


According to Article 83 (2) of the General Data Protection Regulation, administrative fines shall, depending on the circumstances of the case, be imposed in addition to or instead of the measures referred to in Article 58 (2) (a) to (h) and (j) of the General Data Protection Regulation. When deciding whether it is necessary to impose an administrative fine, and on the amount of the administrative fine, due account shall be taken in each case of the following:

   (a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question, as well as the number of data subjects affected by the infringement and the extent of the damage they have suffered;

   (b) the intentional or negligent nature of the infringement;

   (c) any measures taken by the controller or the processor to mitigate the damage suffered by data subjects;

   (d) the extent of the responsibility of the controller or processor, taking into account the technical and organizational measures taken pursuant to Articles 25 and 32 of the General Data Protection Regulation;

   (e) relevant infringements previously committed by the controller or processor;

   (f) the extent of cooperation with the supervisory authority to remedy the infringement and to mitigate the possible negative effects of the infringement;

   (g) the categories of personal data affected by the infringement;

   (h) the manner in which the supervisory authority became aware of the infringement, in particular whether the controller or processor reported the infringement and, if so, in what detail;

   (i) if one of the measures referred to in Article 58 (2) of the General Data Protection Regulation was previously ordered against the controller or processor concerned in the same subject-matter, compliance with those measures;

   (j) whether the controller or processor has complied with approved codes of conduct pursuant to Article 40 of the General Data Protection Regulation or approved certification mechanisms pursuant to Article 42 of the General Data Protection Regulation; and

   (k) other aggravating or mitigating factors relevant to the circumstances of the case, such as financial gain obtained or loss avoided as a direct or indirect consequence of the infringement.

Pursuant to Article 83 (5) of the General Data Protection Regulation, infringements of the following provisions shall, in accordance with paragraph 2, be subject to an administrative fine of up to EUR 20 000 000 or, in the case of undertakings, up to 4% of the total annual worldwide turnover of the preceding financial year, whichever of the two amounts is higher:

   (a) the principles of data processing, including the conditions for consent, in accordance with
   Articles 5, 6, 7 and 9 of the General Data Protection Regulation;

   (b) the rights of data subjects in accordance with Articles 12 to 22 of the General Data Protection
   Regulation;

   (c) the transfer of personal data to a recipient in a third country or to an international
   organization in accordance with Articles 44 to 49 of the General Data Protection Regulation;

   (d) obligations under the law of the Member States adopted pursuant to Chapter IX of the General
   Data Protection Regulation;

   (e) non-compliance with an order of the supervisory authority under Article 58 (2) of the General
   Data Protection Regulation, with a temporary or permanent restriction of data processing or with a
   request to suspend the flow of data, or failure to provide access in breach of Article 58 (1) of the
   General Data Protection Regulation.


Pursuant to Section 75/A of the Infotv., the Authority shall exercise the powers set out in Article 83 (2) to (6) of the General Data Protection Regulation in accordance with the principle of proportionality, in particular in that, in the event of a first breach of the rules on the processing of personal data laid down by law or by a mandatory legal act of the European Union, it takes action by warning the controller or processor in accordance with Article 58 of the General Data Protection Regulation.


According to Article VI (3) of the Basic Law of Hungary, everyone has the right to the protection of personal data and to access and disseminate data of public interest.

According to Article 8 (1) of the Charter of Fundamental Rights of the European Union, everyone has the right to the protection of personal data relating to him or her.



IV. Decision of the Authority

IV.1. Assessment of an individual infringement

Upon receipt of the Authority's fact-finding order, the Respondent deleted the Applicant's email address from its database; fulfilling the request to order deletion therefore became impossible.


The Respondent did not have any of the legal bases under Article 6 (1) of the General Data Protection Regulation in connection with the Applicant's email address and, after becoming aware of this - despite the Applicant's repeated express indication - it did not comply with its obligation under Article 5 (1) (d) of the General Data Protection Regulation in respect of the undoubtedly incorrect data. Instead, it expected the deletion from the Applicant, who, moreover, for reasons within the Respondent's control, was not even able to carry it out. The holder of the email address is easily identifiable, as it appears in the correspondence as the sender, so there was no circumstance that would have justified not correcting the error at the data subject's request.

The Respondent did not respond to the Applicant's data subject request: it referred the data subject, who is not a customer, to an unsubscribe option that he could not use, and repeated this several times without change, instead of taking action under Article 12 (3) and (4) of the General Data Protection Regulation or issuing a duly substantiated rejection.


Pursuant to Article 17 (1) (d) of the General Data Protection Regulation, the Respondent was obliged to delete the contact details immediately at the Applicant's request, but despite repeated requests it did not do so and only complied with the Applicant's deletion request when it became aware of the Authority's present proceedings, without which the deletion would not have taken place.







In view of the above, the Authority decided on the individual application for deletion in accordance with the operative part and, of its own motion, established a violation of Article 5 (1) (d), Article 6 (1), Article 12 (2), (3) and (4) and Article 17 (1) (d) of the General Data Protection Regulation in respect of the Applicant.



IV.2. The role of general practice in relation to an individual infringement

(i) The Respondent's practice regarding the exercise of data subject rights in respect of contact details

Pursuant to Article 57 (1) (a), Article 58 (2) (b) and (d) and Article 83 (1), (2) and (5) of the General Data Protection Regulation and Section 75/A of the Infotv., the Authority examined of its own motion, in the course of the proceedings, the part of the Respondent's general practice that affects the present case. Pursuant to Section 71 (2) of the Infotv., the Authority may use in other proceedings a document obtained in the course of any of its proceedings.

According to the facts established, when recording contact details (telephone number, email address) the Respondent does not in any way verify the right to dispose of the given contact details, and if the contact data, which is personal data, is not provided by the person entitled to it, the Respondent does not ask for any proof that the owner of the contact details (phone number, email) has consented. The existence of a legal basis under Article 6 (1) of the General Data Protection Regulation is the responsibility of the controller at all stages of data processing. For example, requiring the entry of a one-time code, sent by SMS or email to the given phone number or email address, can prevent all cases similar to the Applicant's, and for a large communications provider this is in no way a disproportionate obligation.


The Respondent is a data controller and is obliged to comply with the General Data Protection Regulation; it may not shift this obligation, even in part, onto individual administrators and their individual errors, or onto other third parties who are sources of personal data. The controller may only process personal data whose source is lawful; if it does not satisfy itself of this in any reasonable way, it cannot be released from liability.

The Respondent's procedure did not facilitate the exercise of the Applicant's data subject rights; in the present case it repeatedly required of the Applicant a condition that was unnecessary - and, as the case may be, impossible - for him to meet, namely logging in to a third party's Telekom account. It is the Respondent's general practice that, in messages sent to the email address assigned to a Telekom account, the unsubscribe link leads to a login page; direct unsubscription is not possible.

(ii) Similarities of the present case with prior cases

Some parts of the present case and of the Respondent's highlighted antecedent cases differ; however, they are identical in the details below, which are relevant to the present case.

The Respondent's common practice in the present case and in the individual antecedent cases is that it does not ask for any proof of the correctness of the telephone number or email address given when signing up for a newsletter, so incorrect contact data may be recorded through the fault of either a third-party customer or the Respondent.


Following the erroneous recording, correction or deletion of the erroneous data by the data subject who owns the telephone number or email address was not possible in the individual antecedent cases. In the present case, too, data protection authority proceedings were initiated because the Applicant was unable to delete the email address himself, since the Respondent required a condition - login to the Telekom account - which was impossible to comply with, and, despite repeated requests, the Respondent did not remedy this prior to the Authority's proceedings.

The combination of the circumstances detailed above led to the violation of the rights under the General Data Protection Regulation of the Applicant - and of the data subjects in cases NAIH/2018/4939/V, NAIH/2019/192, NAIH/2019/5205 and NAIH/2020/1773.

(iii) Consideration of relevant statements made by the Respondent on the above issue

Contrary to the statements made by the Respondent during the proceedings, the circumstances detailed in the above paragraphs do not constitute an unavoidable cause beyond the Respondent's control; the Respondent could have effectively influenced both the data collection and the deletion procedure.

In the Authority's view, contrary to the Respondent's allegations, the direct cause of the infringement of the Applicant's rights was not that a third party gave the Applicant's contact details incorrectly to the Respondent, nor a feature of the Gmail system - knowledge of which the Respondent expressly acknowledged in the present case in its letter received on 19 February 2021. Notwithstanding these, good practice on the Respondent's part could have ensured the rights of the Applicant - and of the data subjects in the antecedent cases.

Confirmation of contact details at the time of data collection and, failing confirmation, their automatic deletion is internationally accepted practice, also among telecommunications providers of a type and size similar to the Respondent.

The Respondent's argument that contact details cannot be deleted without logging in, using only the specific contact details, because some contact details are recorded for multiple accounts, is also incorrect. On the one hand, if a piece of contact data (for example, email address, contact phone number) is recorded for several subscribers and a person who is not a subscriber but is entitled to dispose of that contact data requests deletion, then as a general rule, in the absence of a specifically named subscriber, it must be deleted from all accounts, especially if the stated reason is that the data subject did not consent to the use of the data. In addition, for example, if the Respondent places an unsubscribe link in a newsletter and messages are sent to one email address on behalf of multiple accounts, it can place multiple unsubscribe links, each of which deletes the email address only for the respective account (although if, as in the present case, an unauthorized person provided the contact address, this is not relevant either). From the above it is clear that there is no technical obstacle to handling, without login, the deletion of incorrectly provided contact data at the request of the data subjects; the restriction was therefore based solely on the Respondent's discretion, and in both the present case and the individual antecedent cases it led to unnecessary and unlawful processing of personal data.
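
The two measures the Authority describes above (a one-time code confirming the contact details at collection, with automatic deletion if it is never entered, and unsubscribe links that work without login, per account or for all accounts) can be sketched as follows. This is an added example, not part of the decision or of the controller's systems; `ContactStore`, the key, the 24-hour window and the attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = b"constructed-demo-key"   # constructed; keep the real key in a secret store
CONFIRM_TTL = 24 * 3600                # assumed: seconds allowed for entering the code
MAX_ATTEMPTS = 5                       # assumed: wrong guesses before the record is dropped


def _sha(text):
    return hashlib.sha256(text.encode()).hexdigest()


class ContactStore:
    """Hypothetical in-memory store of (account, email) contact records."""

    def __init__(self):
        self.pending = {}       # (account, email) -> [code_hash, expires_at, attempts_left]
        self.confirmed = set()  # (account, email) pairs that may receive newsletters

    def register(self, account, email, now):
        """Record an unverified address; the returned code is mailed to that address."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[(account, email)] = [_sha(code), now + CONFIRM_TTL, MAX_ATTEMPTS]
        return code

    def confirm(self, account, email, code, now):
        """Mark the address usable only if the mailbox holder echoes the code in time."""
        key = (account, email)
        entry = self.pending.get(key)
        if entry is None or now > entry[1]:
            return False
        if not hmac.compare_digest(_sha(code), entry[0]):
            entry[2] -= 1
            if entry[2] <= 0:
                del self.pending[key]   # too many guesses: drop the record
            return False
        del self.pending[key]
        self.confirmed.add(key)
        return True

    def purge_unconfirmed(self, now):
        """Automatic deletion of addresses that were never confirmed."""
        stale = [k for k, e in self.pending.items() if now > e[1]]
        for key in stale:
            del self.pending[key]
        return len(stale)

    def unsubscribe_token(self, email, account=None):
        """Value for the link in each message: one account, or all accounts if None."""
        scope = "all" if account is None else "acct:" + account
        msg = (scope + "\x00" + email).encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def unsubscribe(self, email, token, account=None):
        """Delete without login. Returns records removed, or None for a bad token."""
        expected = self.unsubscribe_token(email, account)
        if not hmac.compare_digest(expected.encode(), token.encode()):
            return None
        keys = set(self.pending) | self.confirmed
        hits = {k for k in keys if k[1] == email and account in (None, k[0])}
        for key in hits:
            self.pending.pop(key, None)
            self.confirmed.discard(key)
        return len(hits)
```

Because the token is an HMAC over the scope and the address, only someone who received the message at that mailbox can present it, which is the proof of control that a login page was standing in for.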


The last paragraph of point III of the official decision in case NAIH/2020/4999, referred to by the Respondent, expressly stated that "This official inspection shall be limited to the legal compliance of the Client's practice in managing direct marketing consents, a narrow segment of data processing, and is not considered an approval, audit or certification of conformity of the Client's general data processing practices beyond the above." The general enforcement of the rights of data subjects was not examined or established by the Authority in case NAIH/2020/4999; the subject of those proceedings was specifically the data processing compliance of the database managing the consents, namely whether an unauthorized person could have altered a consent without notice. Accordingly, the findings in case NAIH/2020/4999 do not affect the findings of the present case concerning the Respondent's data processing detailed in this decision, which is the subject of the ex officio part of the present proceedings.

The Authority also does not share the Respondent's view that the Applicant - and the data subjects in similar cases - did not suffer any pecuniary or legal harm. The General Data Protection Regulation protects the right to the protection of personal data, which is a fundamental constitutional right under Article VI (3) of the Basic Law and Article 8 of the Charter of Fundamental Rights of the European Union. Unnecessarily restricting, or making impossible through administrative barriers, the data subject rights granted for the protection of this fundamental right in the relevant legislation - such as Chapter III of the General Data Protection Regulation - causes harm to fundamental rights even without direct financial loss.

The Respondent's statements on matters other than its data recording and the practical feasibility of exercising data subject rights, as well as the several amendments to the Respondent's internal training materials that do not address the above issues, have not substantially affected the practice examined by the Authority above; thus, the Authority could not take them into account in the Respondent's favour.

(iv) Illegality of the Respondent's investigated practice

Pursuant to Article 12 (2) of the General Data Protection Regulation, the Respondent must facilitate the exercise of the data subject's rights; by contrast, in the Respondent's practice both the recording of contact details and the procedure for requesting rectification or deletion by a person who is not a customer carry, in principle and in practice, the possibility of infringing the rights of the data subject, which has been proven in a number of antecedent cases.

As detailed in section 1, the Authority has repeatedly established the Respondent's infringement of Article 12 of the General Data Protection Regulation due to non-compliance with requests to exercise rights in relation to contact details.

As explained above, the problem affecting the Applicant has occurred at the Respondent several times and has not ceased despite the Respondent's repeated previous statements, as evidenced by the antecedent cases and the present case. In addition, neither in the antecedent cases nor in the present proceedings has the Respondent substantiated a change in its practice that would be an effective solution to the problems identified in point IV.2. For this reason, an infringement of Article 25 (2) of the General Data Protection Regulation can also be established, as the Respondent, solely at its own discretion, defined its procedures and applied organizational solutions in such a way that they involve a real risk of infringement for the data subject in the event of a data error by either the Respondent or a third party, and in several cases an actual infringement has occurred.

In view of the above, the Authority, in accordance with the operative part, found pursuant to Article 58 (2) (b) of the General Data Protection Regulation that the Respondent's practice concerning the exercise of data subject rights infringes Article 12 (2) and Article 25 (2) of the General Data Protection Regulation and, pursuant to Article 58 (2) (d) of the General Data Protection Regulation, instructed the Respondent to bring the infringing practice into line with the General Data Protection Regulation.


IV.3. The data protection fine

Under Article 83 (2) of the General Data Protection Regulation, the Authority may impose a data protection fine instead of or in addition to the other measures. In accordance with case law, when imposing a fine the Authority sets out in the justification of the decision its assessment on the merits of the aspects listed in Article 83 (2) of the General Data Protection Regulation.

The Respondent processes a huge amount of personal data, that of millions of customers, and - as the present case and the cases detailed in Annex II, point 1 also show - the relevant personal data of an indeterminate number of non-customers; according to its accounts, its aggregate annual revenue for 2020 was HUF 524,131,000,000, i.e. five hundred and twenty-four billion one hundred and thirty-one million forints. In addition, this is not the Respondent's first breach of the General Data Protection Regulation: the Authority has established one on several occasions, more than once on a substantially related issue. The Respondent has repeatedly indicated that it will take steps to avoid similar cases in the future; however, it still does not ensure that data subjects who are not customers can exercise the right to deletion easily and without unnecessary administration, under the minimum conditions necessary for data security. It has long applied a solution that repeatedly causes problems and is unreasonable, under which contact details provided incorrectly by customers can in some cases be rectified only by the customer, even if the data subject requests the deletion through the very contact details complained of, and under which the decision rests with clerks who misjudge such obvious cases. Nor does the Respondent, immediately after the contact details are provided, offer data subjects an effective means of arranging the deletion (e.g. a link that can be used by anyone, etc.). All this confirms that the protection of personal data, which is the responsibility of the Authority, cannot be achieved without imposing a data protection fine. None of the mitigating circumstances under Section 75/A of the Infotv. exists, since the Respondent is not an SME and this is not its first infringement of the General Data Protection Regulation. The imposition of the fine serves both special and general prevention, for which purpose the decision will also be published on the website of the Authority, with the identification data of the Applicant anonymized.

In determining the amount of the data protection fine, the Authority took into account as mitigating circumstances that

(a) the Respondent, at the request of the Authority, deleted the Applicant's unlawfully processed personal data,

(b) the root of the problem was the incorrect provision of data by a third party (however, after becoming aware of it, an effective solution to the problem would have been the Respondent's obligation under Article 25 of the General Data Protection Regulation; it is the failure to do so that requires a fine, not the incorrect data alone),

(c) the nature and gravity of the breach are moderately significant in the individual case (infringements of the General Data Protection Regulation other than Article 25),

(d) the duration of the infringement was not significant in the individual case,

(e) the personal data affected by the breach were contact details only, not sensitive data,

(f) the infringement arising from the design of the internal rules was committed unintentionally.

In setting the level of the data protection fine, the Authority took into account as aggravating circumstances that

(a) the internal procedural problem giving rise to the infringement has persisted for a long time, and with it the breach of the obligation under Article 25 of the General Data Protection Regulation,

(b) despite the Respondent's commitments in previous similar cases and the Authority's previous findings, no actual solution has been developed to date and no attempt has been made to resolve the substance of the problem; the issue of exercising the right to deletion easily and without unnecessary administration has not been addressed, in particular in view of the legitimate need of data subjects to be able to act, without account registration and other unnecessary administration, by demonstrating their actual right to dispose of the data,

(c) given the extent of the Respondent's data processing and its market position, it can be expected of the Respondent that the exercise of rights should not depend on the individual and unsupervised decision of each clerk, especially where a technical solution that is much simpler for the data subject can also ensure the deletion of incorrectly entered data,

(d) according to its financial statements for 2020, which are also available online, the Respondent had an annual income of HUF 524,131,000,000, i.e. five hundred and twenty-four billion one hundred and thirty-one million forints, so a very small fine would have no punitive or deterrent effect.

Based on the above, in accordance with the operative part, the Authority considered the imposition of a data protection fine of approx. four ten-thousandths (0.04%) of the maximum amount that can be imposed to be proportionate and dissuasive in relation to the Respondent.



V. Other issues

Pursuant to Section 38 (2) of the Infotv., the Authority is responsible for monitoring and promoting the enforcement of the right to the protection of personal data and of the right of access to data of public interest and data public on grounds of public interest, and for promoting the free movement of personal data within the European Union. Pursuant to Section 38 (2a) of the Infotv., the tasks and powers established for the supervisory authority in the General Data Protection Regulation are exercised, with respect to entities under the jurisdiction of Hungary, by the Authority as defined in the General Data Protection Regulation and in this Act. The competence of the Authority covers the whole territory of Hungary.

Pursuant to Section 112 (1), Section 114 (1) and Section 116 (1) of the Ákr., there is a right of remedy against the decision by way of an administrative lawsuit.


                                               * * *

The rules of administrative litigation are laid down in Act I of 2017 on the Procedure of Administrative Litigation (hereinafter: Kp.). Pursuant to Section 12 (1) of the Kp., an administrative lawsuit against the decision of the Authority falls within the jurisdiction of the court, and under Section 13 (3) a) aa) of the Kp. the General Court has exclusive jurisdiction.


Pursuant to Section 27 (1) of the Kp., legal representation is obligatory in administrative proceedings before the General Court. Pursuant to Section 39 (6) of the Kp., the filing of an application has no suspensive effect on the entry into force of the administrative act.

Pursuant to Section 29 (1) of the Kp. and, in view of this, Section 604 of Act CXXX of 2016 on the Code of Civil Procedure, and according to Section 9 (1) (b) of Act CCXXII of 2015 on the General Rules of Electronic Administration and Trust Services, the client's legal representative is required to communicate electronically.

The time and place of the filing of the application are specified in Section 39 (1) of the Kp. The information on the possibility of requesting that a hearing be held is based on Section 77 (1) - (2) of the Kp.

The amount of the fee for an administrative lawsuit is set out in Section 45/A (1) of Act XCIII of 1990 on Fees (hereinafter: Itv.). Section 59 (1) and Section 62 (1) (h) of the Itv. exempt the party initiating the proceedings from the advance payment of the fee.







If the obligor does not duly prove the fulfillment of the prescribed obligations, the Authority shall consider that it has not fulfilled its obligations within the time allowed. According to Section 132 of the Ákr., if the obligor has not fulfilled the obligation contained in the final decision of the Authority, the decision is enforceable. Pursuant to Section 82 (1) of the Ákr., the decision of the Authority becomes final upon notification. Pursuant to Section 133 of the Ákr., enforcement - unless otherwise provided by law or government decree - is ordered by the decision-making authority. Pursuant to Section 134 of the Ákr., enforcement - unless otherwise provided by law, government decree or, in the case of a municipal authority, a local government decree - is carried out by the state tax authority. Pursuant to Section 61 (7) of the Infotv., the Authority carries out the enforcement of the decision in respect of the obligation to perform a specific act, to behave in a specific way, to tolerate or to cease.

Budapest, June 18, 2021






                                                                 Dr. Attila Péterfalvi
                                                                        President

                                                                   c. professor