NAIH (Hungary) - 7286-1/2023

Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 4(7) GDPR
Article 15 GDPR
Article 15(1) GDPR
Type: Complaint
Outcome: Partly Upheld
Started: 15.06.2022
Decided: 02.08.2023
Published: 07.03.2024
Fine: n/a
Parties: n/a
National Case Number/Name: 7286-1/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Hungarian
Original Source: NAIH homepage (in HU)
Initial Contributor: im

The DPA held that the operator of a job application platform and recruiters making use of such a platform are not joint controllers for the processing of job applicants' data.

English Summary

Facts

On 07 April 2022, the data subject received an e-mail from a recruiter, the controller, mentioning that the data subject's resume stood out among job seekers' profiles. It was unclear to the data subject how the controller had obtained access to his contact information, as he had never disclosed it on the jobseekers' website, which recruiters generally use to contact candidates directly. Therefore, the data subject asked the controller for an explanation based on Article 15 GDPR. Despite reminders, no response was received.

The data subject requested the DPA to investigate the controller’s conduct and compel them to respond. Additionally, the data subject requested to investigate the relationship between the website operator and the recruiter and whether a joint liability could be established.

The controller declared to the DPA that they were registered on the jobseekers’ website as an independent data controller to carry out recruitment activities. Additionally, the data subject provided his consent to be contacted for recruitment purposes on the website. The controller had access to the data subject's e-mail address as a subscriber to the website.

The controller attributed the lack of response to the data subject's request to an administrative error, specifically, the misspelling of the data subject's email address in the response sent on 17 May 2022. This oversight came to light only after the DPA ordered the controller to address the allegations.

Holding

The DPA held that the controller’s argument did not relieve them of their liability as a controller under Article 4(7) GDPR. The DPA highlighted that the most important characteristic of a controller is that they have substantive decision-making power and responsibility for compliance with all the obligations of the processing laid down in the GDPR.

Although the controller intended to comply with the data subject's access request under Article 15 GDPR, the DPA found that this provision was violated. The controller sent the reply on 12 May 2022, which exceeded the one-month deadline (7 May 2022) under Article 12(3) GDPR.

Concerning the website operator, the DPA rejected the argument that the latter qualified as a controller in this case, as the recruiter organised the process and created the conditions for the data processing. The website owner declared that each undertaking with which they enter into a framework agreement carries out recruitment activities independently and is, therefore, an independent data controller. Based on that, the DPA rejected the claim against the website operator.

For the reasons set out above, the DPA found that the controller infringed Article 15(1) GDPR and ordered them to comply with the data subject’s access request.


English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

Case number: NAIH-7286-1/2023.

History: NAIH-5460/2022.
Subject: decision partially granting the request


                                          DECISION



In the official data protection proceedings initiated on the basis of the application submitted on
June 15, 2022 by [...] applicant (hereinafter: Applicant) regarding the non-fulfillment of a request,
against [...] represented by a lawyer (hereinafter: Lawyer) (hereinafter: Respondent 1) and against
[...] (hereinafter: Respondent 2) (hereinafter together: Respondents), the National Data Protection
and Freedom of Information Authority (hereinafter: Authority) makes the following decisions:

I.1. In its decision, the Authority

                                      partially grants

the Applicant's request, and

I.2. finds that Respondent 2 has violated

    - Article 15 (1) of Regulation (EU) 2016/679 on the protection of natural persons with
       regard to the management of personal data and on the free flow of such data, and
       repealing Directive 95/46/EC (hereinafter: GDPR or general data protection regulation),
       as it did not fulfill the request submitted on the basis of the right of access; furthermore

II. obligates Respondent 2 to provide the Applicant, within 15 days of the decision becoming final,
with information regarding the fulfillment of the request submitted under Article 15 of the GDPR.


III. In its decision, with regard to Respondent 1, the Authority

                                           rejects

the Applicant's request.

Respondent 2 must certify the fulfillment of the obligation under point II to the Authority in
writing within 15 days of taking the measure, together with the supporting evidence, i.e. a copy of
the letter written to the Applicant and the document certifying its dispatch. In case of
non-fulfilment of the obligation, the Authority orders the execution of the decision.


During the official procedure, no procedural costs were incurred, so the Authority made no
provision on bearing them.

                                               * * *


There is no place for administrative appeal against this decision, but it can be challenged within
30 days of its announcement with a claim addressed to the Capital Tribunal in a public
administrative case. The statement of claim must be submitted electronically to the Authority, which
forwards it to the court together with the case documents. The request to hold the hearing must be
indicated in the statement of claim. For those who do not benefit from the full personal tax
exemption, the administrative court fee is HUF 30,000; the lawsuit is subject to the right to record
the levy. In the proceedings before the Metropolitan Court, legal representation is mandatory.

1 The NAIH_KO1 form is used to initiate an administrative lawsuit: NAIH KO1 form (16.09.2019). The
form can be filled out using the general form filling program (ÁNYK program).


                                          JUSTIFICATION

I. Course of the procedure


(1) At the request of the Applicant, on the basis of Section 60 (1) of Act CXII of 2011 on the
    right to self-determination of information and freedom of information (hereinafter: Infotv.),
    an official data protection procedure was initiated on June 15, 2022, after the Applicant had
    fulfilled the obligation to fill in the gaps.

(2) In its order, the Authority invited the Respondents to make a statement to clarify the facts,
    with reference to § 63 of Act CL of 2016 (hereinafter: Ákr.); the Respondents' answers arrived
    at the Authority within the deadline.

(3) The Authority notified the Applicant and the Respondents that the evidence procedure had been
    completed and drew their attention to the fact that they may make a statement or comment.
    Respondent 2 exercised his right to inspect documents. Neither the Applicant nor the
    Respondents exercised their right to make a statement.


II. Clarification of facts

II.1. Request of the Applicant (NAIH-5460-1/2022.)


(4) In his application submitted to the Authority on May 21, 2022, the Applicant submitted that he
    had received a letter from the [...] e-mail address on April 7, 2022, in which […] wrote that
    "browsing the profiles of job seekers, your profile stood out to me." The letter was signed by
    […] as the head of the office of Respondent 2, and the signature also included the information
    that Respondent 2 is a member of Respondent 1's network.

(5) Since the Applicant never gave his contact information to the letter writer ([…] and
    Respondent 2), and since he did not know what data sheet the letter referred to, in the reply
    message sent to [...] that day he asked to be informed how the letter writer had obtained the
    Applicant's address and what other data had been given to him. Because he did not get an
    answer, the Applicant wrote to Respondent 2 again on May 11, 2022, mentioning that if he
    received no answer, he would file a report with the Authority. According to what was submitted
    in his application of May 21, 2022, the Applicant received no answer to this letter either.


(6) The Authority called on the Applicant to fill in the gaps, in response to which the Applicant
    submitted his definite request regarding the procedure in his statement received on
    June 14, 2022.

(7) In filling the gaps, the Applicant requested the following from the Authority (NAIH-5460-3/2022.):

    - examine the relationship between Respondent 1 and Respondent 2 and who is responsible for
       the management of his data, whether there has been a violation due to the failure to
       respond and, if so, establish that the application submitted on the basis of his right of
       access was not properly fulfilled,
    - in the event of a legal violation, oblige the data controller to respond.

II.2. Statement of Respondent 1 (NAIH-5460-6/2022.)

(8) Respondent 1 operates the national real estate brokerage franchise network. In [...], the
     franchise partner businesses in a franchise relationship with Respondent 1 operate under the
     trademark, but they carry out their economic activities independently. As the operator of
     […], Respondent 1 can enter into framework contracts with some businesses for the benefit of
     franchise partner customers. For this reason, Respondent 1 has a framework contract with
     [...] Kft. Respondent 1 sent a copy of the referenced contract to the Authority.

(9) Based on the referenced framework agreement, the database of jobseekers registered on the [...]
     website is accessed by the franchise partner who uses this service of […]. Respondent 2,
     indicated in the order, uses the […] service as the franchise partner of Respondent 1. The
     individual franchise partners receive online access to the database directly from […] Kft.
     Each franchise partner business performs its recruiting activities independently, thus as an
     independent data controller.

(10) To the knowledge of Respondent 1, if the franchise partners have access to the database, they
     can contact the data subject. According to Respondent 1's assumption, Respondent 2 could have
     come into contact with the Applicant by using this service.

(11) The Applicant's data is not managed by Respondent 1. Respondent 1 is also unable to state
     whether Respondent 2 or the franchise partner office manager [….] received a request from the
     Applicant and whether he has responded to it.


II.3. Statement of Respondent 2 (NAIH-5460-7/2022.)

(12) Respondent 2 uses the service provided by [….] Kft. to the partners of […] on the basis of
     the framework agreement between [...] Kft. and Respondent 1, which operates […].

(13) As a customer of the service, Respondent 2 has access to the database of the […] website, in
     which the jobseekers can, with their consent, be contacted for recruitment purposes. The legal
     basis for data management is the voluntary consent given by the data subject on the […]
     website to being contacted by those offering him a job, in this case Respondent 2.

(14) Due to an administrative error, no substantive answer was given to the Applicant's data
     subject request. According to the statement of Respondent 2, this omission was detected after
     receipt of the order of the Authority.

(15) By using the [...] database service, Respondent 2 became the data controller of the
      Applicant's data, which Respondent 2 could access on the basis of the voluntary consent given
      by the Applicant on the […] website. Respondent 2 used the Applicant's name and e-mail
      address when making the inquiry; it does not process his other data. The referenced inquiry
      was sent by the manager of the real estate office operated by Respondent 2 for recruitment
      purposes.


(16) Respondent 2 sent to the Authority a copy of the electronic letter sent to the Applicant at
      [...], regarding which it declared, as explained in paragraph (14), that it noticed after
      receiving the order of the Authority that an administrative error had occurred. The letter
      shows that the date 12.05.2022 is included under the name of the sender, […], and that the
      e-mail address was misspelled, as the letter was sent not to […] but to the […] email
      address.


      The text of the letter is as follows:

      "Dear […]!

      Our company is a subscriber to the [...] job search portal, whose database contains your
      e-mail address as a current job seeker. If you are not currently looking for a job, please
      carry out the permanent deletion of your profile on […], which can be found in the settings
      menu after logging in.

      We only received your e-mail address; we do not store any other data about you and we do
      not have any other information.

      At the same time, we declare that we have deleted it from our address list!

      Best regards:


      [...]"


III. Applicable legal provisions

(17) The GDPR must be applied to the management of personal data in a partially or fully
    automated manner, as well as to the non-automated management of personal data which are part
    of a registration system or which are intended to be made part of a registration system.
    According to Section 2 (2) of the Infotv., for data management subject to the GDPR, the GDPR
    must be applied with the supplements indicated there.

(18) Based on points 1, 2, 7 of Article 4 of the GDPR:
    1. "personal data": any information relating to an identified or identifiable natural person
    ("data subject"); a natural person is identifiable if he can be identified directly or
    indirectly, in particular on the basis of an identifier such as name, number, location data,
    online identifier, or one or more factors related to the physical, physiological, genetic,
    mental, economic, cultural or social identity of the natural person;
    2. "data management": any operation or set of operations performed on personal data or data
    files in an automated or non-automated manner, such as collection, recording, organizing,
    categorizing, storing, transforming or changing, querying, viewing, use, communication by
    transmission, distribution or otherwise making available, coordinating or connecting,
    limiting, deleting or destruction;
    7. "data controller": the natural or legal person, public authority, agency or any other body
    that determines the purposes and means of the management of personal data independently or
    together with others; if the purposes and means of data management are determined by EU or
    Member State law, the data controller or the special aspects concerning the designation of the
    data controller may also be determined by EU or Member State law;

(19) Based on paragraphs (1)-(6) of Article 12 of the GDPR:

    (1) The data controller shall take appropriate measures to provide the data subject with all
    the information referred to in Articles 13 and 14 and each piece of information according to
    Articles 15-22 and 34 relating to the management of personal data in a concise, transparent,
    understandable and easily accessible form, clearly and intelligibly formulated, especially for
    any information directed at children. The information must be given in writing or in another
    way, including, where applicable, the electronic way. At the request of the data subject, oral
    information can also be provided, provided that the identity of the data subject has been
    confirmed in another way.
    (2) The data controller facilitates the exercise of the data subject's rights according to
    Articles 15-22. In the cases referred to in Article 11 (2), the data controller may not refuse
    to fulfill the data subject's request to exercise his rights under Articles 15-22, unless it
    proves that the data subject cannot be identified.
    (3) The data controller shall inform the data subject without undue delay, but in any case
    within one month of receipt of the request, of the measures taken following a request
    according to Articles 15-22. If necessary, taking into account the complexity of the request
    and the number of requests, this deadline can be extended by another two months. The data
    controller shall inform the data subject of the extension of the deadline, indicating the
    reasons for the delay, within one month from the receipt of the request. If the data subject
    submitted the request electronically, the information must, where possible, be provided
    electronically, unless the data subject requests otherwise.

(20) Pursuant to Article 15 (1) of the GDPR:
    (1) The data subject is entitled to receive feedback from the data controller as to whether
    his personal data is being processed and, if such data is being processed, he is entitled to
    access to the personal data and to the following information:
    a) the purposes of data management;
    b) categories of personal data concerned;
    c) recipients or categories of recipients to whom the personal data has been disclosed or will
    be disclosed, including in particular third-country recipients and international
    organizations;
    d) where appropriate, the planned period of storage of personal data or, if this is not
    possible, the aspects of determining this period;
    e) the right of the data subject to request from the data controller the rectification,
    deletion or restriction of processing of personal data relating to him, and to object to the
    processing of such personal data;
    f) the right to submit a complaint addressed to a supervisory authority;
    g) if the data were not collected from the data subject, all available information about
    their source;
    h) the fact of automated decision-making referred to in paragraphs (1) and (4) of Article 22,
    including profiling, and at least in these cases comprehensible information about the applied
    logic and about the significance of such data management and its expected consequences for
    the data subject.

(21) Pursuant to points b) and d) of Article 58 (2) of the GDPR, the supervisory authority,
    acting within its competence:

    b) condemns the data controller or the data processor if its data management activities
    violated the provisions of this regulation;
    d) instructs the data controller or the data processor to bring its data management
    operations, in a specified manner and within a specified period of time, into harmony with
    the provisions of this regulation.


(22) Pursuant to Article 77 (1) of the GDPR, without prejudice to other administrative or
    judicial remedies, every data subject is entitled to lodge a complaint with a supervisory
    authority, in particular in the Member State of his usual place of residence, place of work
    or the place of the alleged infringement, if, according to the judgment of the data subject,
    the handling of personal data relating to him violates this regulation.


(23) Infotv. § 60 (1): In order to assert the right to the protection of personal data, the
    Authority initiates official data protection proceedings at the request of the data subject
    and may initiate official data protection proceedings ex officio.

(24) On the basis of Infotv. § 71 (1), during its procedure the Authority can manage, to the
    extent and for the duration necessary for its conduct, all personal data, as well as data
    classified as secrets protected by law and secrets bound to the exercise of a profession,
    which are related to the procedure and the management of which is necessary for the
    successful completion of the procedure.

(25) Pursuant to Section 46 (1) of the Ákr., the authority shall reject the application if
    a) the legally defined condition for the initiation of the procedure is missing, and this law
    does not attach any other legal consequences to it.

(26) Pursuant to § 47 (1) of the Ákr., the authority terminates the procedure if
    a) the request should have been rejected, but the reason for that came to the attention of
    the authority after the initiation of the procedure.


IV. Decision:


IV.1. Personal data of the Applicant, quality of data management


(27) According to Article 4, Point 1 of the General Data Protection Regulation, the contact
    details of the Applicant, his surname, first name and e-mail address, are the personal data
    of the Applicant, the storage of which is considered data management in accordance with
    Article 4, Point 2 of the General Data Protection Regulation.

(28) The Respondents declared to the Authority that Respondent 2 determines the purpose and means
    of data management independently and is therefore an independent data controller, since it has
    independent decision-making authority over the management of the personal data of job seekers
    taken over from […], including the Applicant's personal data.

(29) Due to the above, Respondent 2, as a data controller, was obliged to fulfill the Applicant's
    data subject request and to provide information to him in connection with it.

(30) The subject of the present proceedings was only the examination of whether the Applicant's
    data subject request was properly fulfilled in accordance with the general data protection
    regulation, i.e. the Authority did not examine the handling of the Applicant's personal data
    or the data management conditions of their receipt from […].

IV.2. Completing an access request and the related obligation to provide information


(31) The data subject's right of access is regulated by Article 15 of the GDPR. Based on this, the
      data subject is entitled to receive feedback from the data controller as to whether his
      personal data is being processed and, if such data processing is underway, he is entitled to
      receive information about the purpose of data management, the categories of personal data
      concerned, the recipients to whom his personal data was (will be) disclosed, the duration of
      their storage, the source of the data, the exercise of the data subject's rights, and the
      right to turn to the authority.

(32) On April 7, 2022, the Applicant turned to Respondent 2 with his access request. As detailed
      in paragraph (14), Respondent 2 noticed only after receiving the order of the Authority that
      the request had not been fulfilled due to an administrative error.

(33) Pursuant to Article 12 (3) of the GDPR, Respondent 2 should have informed the Applicant
      regarding his access request within one month of receipt of the request. Based on this, the
      one-month deadline for responding to the access request sent by the Applicant to Respondent 2
      expired on May 7, 2022, so Respondent 2 should have informed the Applicant by this deadline.
      However, Respondent 2 failed to inform the Applicant within this deadline; according to its
      statement sent to the Authority, the reason for this was an administrative error. According
      to its statement and the attached e-mail copy, the Applicant's e-mail address was mistyped,
      which was the reason why he did not receive Respondent 2's reply letter. According to the
      attached copy, Respondent 2 would have sent its response on May 12, 2022, i.e. after the
      Applicant's reminder e-mail (in which he again requested access and stated that he would turn
      to the Authority if the request was not complied with), thus exceeding the one-month deadline
      according to Article 12 (3) of the GDPR.

(34) Respondent 2 claimed that, due to an administrative error, it did not answer the Applicant's
      data subject request. According to this, it was unintentional behavior that caused
      Respondent 2 not to fulfill the data subject request at all. According to the position of
      the Authority, this argument does not exempt Respondent 2 from data controller
      responsibility, given that, pursuant to Article 4, point 7 of the GDPR, Respondent 2 is
      considered a data controller. Respondent 2 is the one who organizes the data management
      process and develops its circumstances. The most important feature of the data controller is
      that it has substantive decision-making authority and is responsible for fulfilling all data
      management obligations stipulated in the general data protection regulation. Because of the
      above, the Authority found that Respondent 2 violated Article 15 (1) of the GDPR.


(35) According to Guidelines 07/2020 of the European Data Protection Board on the concepts of
      data processor and data controller according to the GDPR (hereinafter: Guidelines),
      "Sometimes companies and public bodies appoint a specific person to carry out a data
      management activity. Even if a specific natural person is appointed to ensure compliance
      with data protection rules, this person will not be the data controller, but acts on behalf
      of the legal entity (company or public law body) which, as data controller, is ultimately
      responsible in case of violation of the rules. In the same way, even if a specific
      department or organizational unit has operational responsibility for ensuring compliance
      with regard to certain data management activities, this does not mean that this department
      or unit (rather than the organization as a whole) will be the data controller." In
      addition, the summary of the Guidelines notes in this regard that "As a general rule, there
      is no restriction on the type of organization that can fulfill the role of data controller;
      however, in practice it is usually the organization itself, rather than a person within the
      organization (such as a CEO, employee, or board member), that acts as a data controller."

(36) Based on all of this, the violation related to the case also falls under the responsibility
      of Respondent 2 as data controller. Article 25 of the GDPR requires that the data controller
      implement appropriate technical and organizational measures throughout its entire process to
      ensure that data subject requests are fulfilled in a timely manner.

IV.3. Request related to obliging Respondent 2 to fulfill the data subject request

(37) Considering that, as established in paragraph (34) of this decision, Respondent 2 did not
      comply with the Applicant's access request, the Authority approved the Applicant's request
      and obliged Respondent 2 to comply with it.


IV.4. Request related to obliging Respondent 1 to fulfill the data subject request

(38) Since, because of what was written in point IV.1 of the decision, Respondent 1 did not
      qualify as data controller for the data management complained about in the application,
      namely Respondent 2 qualifies as the data controller in connection with the examined data
      management, the Authority rejected the Applicant's request regarding Respondent 1.


IV.5. Legal consequences

(39) The Authority condemns Respondent 2 on the basis of GDPR Article 58 (2) point b), because it
      violated Article 15 (1) of the GDPR.

(40) In accordance with Article 58 (2) point d) of the GDPR, the Authority ordered that
      Respondent 2 fulfill the Applicant's access request.

(41) The Authority exceeded the administrative deadline according to Infotv. § 60/A (1),
      therefore, based on point b) of paragraph (1) of § 51 of the Ákr., HUF 10,000, i.e. ten
      thousand forints, is due to the Applicant, according to his choice, by transfer to a bank
      account or by postal order.

V. Other questions:


(42) The competence of the Authority is defined by paragraphs (2) and (2a) of § 38 of the
    Infotv., and its jurisdiction covers the entire territory of the country.

(43) The decision is based on §§ 80-81 of the Ákr. and paragraph (1) of § 61 of the Infotv. Based
    on § 82 (1) of the Ákr., the decision becomes final upon its publication. On the basis of
    § 112, § 116 (1) and § 114 (1) of the Ákr., there is room for legal redress against the
    decision through an administrative lawsuit.

                                               * * *
(44) The rules of administrative proceedings are laid down in Act I of 2017 on Administrative
    Procedures (hereinafter: Kp.). Based on § 12 (1) of the Kp., the administrative lawsuit
    against the decision of the Authority falls within the jurisdiction of the court; based on
    point aa) of subparagraph a) of Section 13 (3) of the Kp., the Metropolitan Court is
    exclusively competent for the lawsuit. Pursuant to point b) of § 27 (1) of the Kp., legal
    representation is mandatory in a lawsuit within the jurisdiction of the court. According to
    paragraph (6) of § 39 of the Kp., the submission of the statement of claim does not have the
    effect of postponing the entry into force of the administrative act.

(45) According to paragraph (1) of § 29 of the Kp. and, in view of this, § 604 of the Pp.,
    pursuant to point b) of Section 9 (1) of Act CCXXII of 2015 on the general rules of electronic
    administration and trust services (hereinafter: E-Administration Act), which is applicable,
    the client's legal representative is obliged to maintain electronic contact.


(46) The time and place of filing the statement of claim is defined by § 39 (1) of the Kp. The
    information on the possibility of a request to hold a hearing is based on Section 77 (1)-(2)
    of the Kp. The amount of the administrative lawsuit fee is defined by Section 45/A (1) of Act
    XCIII of 1990 on Fees (hereinafter: Itv.). Paragraph (1) of § 59 and point h) of § 62 (1) of
    the Itv. exempt the party initiating the procedure from paying the fee in advance.


(47) If Respondent 2 does not adequately certify the fulfillment of the prescribed obligation,
    the Authority considers that the obligation was not fulfilled within the deadline. According
    to § 132 of the Ákr., if the obligee has not complied with the obligation contained in the
    final decision of the authority, it is enforceable. According to § 82 (1) of the Ákr., the
    Authority's decision becomes final with its communication. Pursuant to § 133 of the Ákr.,
    enforcement is ordered by the decision-making authority, unless a law or government decree
    provides otherwise. Pursuant to § 134 of the Ákr., enforcement is undertaken by the state tax
    authority, unless a law, government decree or, in a municipal authority case, a decree of the
    local government provides otherwise.

(48) During the procedure, the Authority exceeded the one-hundred-and-fifty-day administrative
    deadline according to paragraph (1) of § 60/A of the Infotv., therefore, based on point b) of
    § 51 of the Ákr., it pays ten thousand forints to the Applicant.


dated: Budapest, according to the electronic signature

                                                               Dr. Habil. Attila Péterfalvi
                                                                         president
                                                                   c. professor