NAIH (Hungary) - 7286-1/2023: Difference between revisions

Revision as of 13:37, 15 March 2024

NAIH - 7286-1/2023

Authority:	NAIH (Hungary)
Jurisdiction:	Hungary
Relevant Law:	Article 4(7) GDPR Article 15 GDPR Article 15(1) GDPR
Type:	Complaint
Outcome:	Partly Upheld
Started:	15.06.2022
Decided:	02.08.2023
Published:	07.03.2024
Fine:	n/a
Parties:	n/a
National Case Number/Name:	7286-1/2023
European Case Law Identifier:	n/a
Appeal:	Unknown
Original Language(s):	Hungarian
Original Source:	NAIH homepage (in HU)
Initial Contributor:	im

The DPA issued a reprimand to controller for responding to an access request after the deadline and to a misspelled e-mail address violating Article 15 GDPR.

English Summary

Facts

On 07 April 2022, the data subject received an e-mail from a recruiter, the controller, mentioning the data subject’s standout resume among job seekers’ profiles. It was unclear to the data subject how the controller obtained access to his contact information as he never disclosed it on the jobseeker’ website which is generally used by the recruiters to directly contact the candidates. Therefore, data subject asked the controller for an explanation based on Article 15 GDPR. Despite reminders, no response was received.

The data subject requested the DPA to investigate the controller’s conduct and compel them to respond. Additionally, the data subject requested to investigate the relationship between the website operator and the recruiter and whether a joint liability could be established.

The data controller declared to the DPA that he is registered on the jobseekers’ website as an independent data controller to carry out recruitment activities. Additionally, the data subject provided his consent to be contacted for recruitment purposes. The controller, therefore, had an access to his e-mail address as a subscriber to the website.

The controller attributed the lack of response to the data subject's request to an administrative error, specifically, the misspelling of their email address in the response sent on 17 May 2022. This oversight came to light subsequent to the order from the Data Protection Authority to address the allegations.

Holding

The DPA held that the controller’s argument does not relieve them of their liability as a controller as per Article 4(7) GDPR. Despite the fact that controller intended to comply with the data subject’s access request under Article 15 GDPR, the DPA observed two things. First, the controller sent the reply on 12 May 2022 which is exceeding the one-month deadline (on 7 May 2022) under Article 12(3) GDPR.

Second, the DPA highlighted that the most important characteristic of a controller is that they have substantive decision-making power and responsibility for compliance with all the obligations of the processing laid down in the GDPR.

Lastly, the DPA rejected an argument that the website owner qualifies as a controller in this case where the recruiter organised the process and created the conditions for the data processing.

For the reasons set out above, the DPA found that the controller has infringed Article 15(1) GDPR and ordered them to comply with the data subject’s access request.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

Case number: NAIH-7286-1/2023.

History: NAIH-5460/2022. Subject: decision partially granting the request

DECISION

The National Data Protection and Freedom of Information Authority (hereinafter: Authority) [...]
applicant (hereinafter: Applicant) 06.15.2022 on the basis of the application submitted on
regarding the non-fulfillment of the request with [...] represented by a lawyer (hereinafter: Lawyer).
(hereinafter: Applicant 1) and with [...] (hereinafter: Applicant 2) (hereinafter

together with: Respondents) the following decisions in the official data protection proceedings against
brings:

I. 1. The Authority in its decision to the Applicant's request

partially correct and

I.2. finds that Respondent 2 has violated it

- to natural persons regarding the management of personal data
protection and the free flow of such data, as well as the 95/46/EC Directive

Regulation 2016/679 (EU) on its exclusion (hereinafter: GDPR or general
data protection regulation) Article 15 (1), as it was submitted based on the right of access
he did not fulfill his request, furthermore

II. obligates Respondent 2 to within 15 days of the decision becoming final
provide information to the Applicant about the fulfillment of the request submitted under Article 15 of the GDPR

regarding.

III. The Authority, in its decision, regarding Respondent 1, the Applicant's request

rejects.

The II. the fulfillment of the obligation of the Respondent 2 from taking the measure
must be in writing within 15 days - the supporting evidence, i.e. written to the Applicant
together with the submission of a copy of the letter and the document certifying its dispatch - to be verified by the Authority
towards. In case of non-fulfilment of the obligation, the Authority orders the execution of the decision.

During the official procedure, no procedural costs were incurred, so there was no provision to bear them
the Authority.

* * *

There is no place for administrative appeal against this decision, but from the announcement
within 30 days with a claim addressed to the Capital Tribunal in a public administrative case
can be attacked. The statement of claim must be submitted electronically to the Authority, which is the case

1 The NAIH_KO1 form is used to initiate an administrative lawsuit: NAIH KO1 form (16.09.2019) The
the form can be filled out using the general form filling program (ÁNYK program) and forwarded to the court together with its documents. The request to hold the hearing must be indicated in the statement of claim
must For those who do not benefit from the full personal tax exemption, the administrative court fee

HUF 30,000, the lawsuit is subject to the right to record the levy. In the proceedings before the Metropolitan Court, the legal
representation is mandatory.

JUSTIFICATION

I. Procedure of the procedure

(1) At the request of the Applicant, on the right to self-determination of information and freedom of information
CXII of 2011 Act (hereinafter: Infotv.) on the basis of Section 60 (1) - a
After fulfilling the applicant's obligation to make up the gap - on June 15, 2022
official data protection procedure has been initiated.

(2) In its order, the Authority invited the Respondents to make a statement to clarify the facts

order, with reference to the 2016 CL.
Act (hereinafter: Act) to § 63, to which the Respondents' answers within the deadline
they arrived at the Authority.

(3) The Authority notified the Applicant and the Respondents that the evidence procedure
has been completed and has drawn their attention to the fact that they may make a statement or comment. THE
Applicant 2 exercised his right to inspect documents. With their right to make a statement, the Applicant and

The applicants were not alive either.

II. Clarification of facts

II.1. Request of the Applicant (NAIH-5460-1/2022.)

(4) In his application submitted to the Authority on May 21, 2022, the Applicant submitted that the
received a letter from [...] e-mail address on April 7, 2022, in which […] wrote that "the
browsing the profiles of job seekers, your profile stood out to me.” THE
letter […], as signed by the head of the office of the Respondent 2, and also reports as part of the signature
and the information that Respondent 2 is a member of Respondent 1's network.

(5) Since the Applicant never gave his contact information to the letter writer ([…] and

He applied for 2), and since he did not know what data sheet he was referring to, therefore the
in the reply message sent to [...] that day, he asked to be informed how he got to the
The applicant's address and what other data was given to him. Because he didn't get an answer
the Applicant therefore wrote to Respondent 2 again on May 11, 2022, mentioning that
that if he does not answer, he will file a report with the Authority. Nor to this letter from the Applicant
received an answer according to what was submitted in his application of May 21, 2022.

(6) The Authority called on the Applicant to fill in the gaps, to which the Applicant responded
submitted his definite request regarding the procedure, received on June 14, 2022
with his statement.

(7) The Applicant requested the following from the Authority in filling the gaps (NAIH-5460-3/2022.):

- examine the relationship between Applicant 1 and Applicant 2, who

responsible for the management of your data, whether there has been a violation due to the failure to respond and
if so, determine that it was not properly performed based on your right of access
submitted application,
- in the event of a legal violation, oblige the data controller to respond.

II.2. Statement of Applicant 1 (NAIH-5460-6/2022.)(8) Applicant 1 operates the national real estate brokerage franchise network. In [...] - a
Franchise partner businesses in a franchise relationship with the applicant 1 is the trademark

under, but they carry out their economic activities independently. Respondent 1 is […]
as an operator with some businesses for the benefit of franchise partner customers
can enter into framework contracts. For this reason, Respondent 1 is in a framework contract
[...] Kft. The Authority sent 1 copy of the referenced contract to the Applicant
for.

(9) Based on the referenced framework agreement, to the database of jobseekers registered on the [...] website

it is accessed by the franchise partner who uses this service of […]. THE […]
service to the Applicant 2 indicated in the order as the franchise partner of the Applicant 1
uses. The individual franchise partners receive the online directly from […] Kft
access to the database. Each franchise partner business is recruiting
they perform their activities independently, thus as independent data controllers.

(10) To the knowledge of Respondent 1, the franchise partners are connected to the database

if they have access, they can contact the data subject. Respondent 1's assumption
According to Respondent 2, by using this service, he could have come into contact with a
With an applicant.

(11) The Applicant's data is not managed by the Applicant 1. Respondent 1 also does not know about it
to state whether Respondent 2 or the franchise partner office manager received [….].
request from the Applicant and whether he has responded to it.

II.3. Statement of Respondent 2 (NAIH-5460-7/2022.)

(12) The Applicant 2 uses the service provided by [….] Kft. to the partners of […]
Based on the framework agreement between [...] Kft. and Applicant 1, which operates […].

(13) As a customer of the service, Respondent 2 has access to the […] website

to the database in which the jobseekers - with their consent -
can be contacted for recruitment purposes. The legal basis for data management is on the website concerned […]
his voluntary consent to the fact that those offering him the job - in this case a
Applicant 2 - can be contacted.

(14) At the Applicant's stakeholder request, due to an administrative error, the substantive action was not taken
answering. According to the statement of the Respondent 2, this omission is the result of the order of the Authority

detected after receipt.

(15) Respondent 2 using the [...] database service of the Applicant's data
became its manager, to which the voluntary consent given by the Applicant on the […] website
on the basis of which Respondent 2 could access it. The Respondent 2 the Applicant's name and e-mail
you used your address when you made the inquiry, it does not process your other data. The referred call was issued by
It was sent by the manager of the real estate office operated by Respondent 2 for recruitment purposes.

(16) The Respondent sent it to the Authority in 2 copies to the Applicant - at [...]
a copy of the electronic letter you sent, which you declared in paragraph (14).
as explained, that after receiving the order of the Authority, he noticed that
an administrative error occurred. In the letter, it can be discovered that […], under the name of the sender
12.05.2022 date is included, and the e-mail address was misspelled, as it was not […],
but it was sent to […] email address.

The text of the letter is as follows:

"Dear […]!

Our company is a subscriber to the [...] job search portal, whose database contains your e-
email address as a current job seeker. If you are not currently looking for a job, please complete your profile on […]
permanent deletion, which can be found in the settings menu after logging in.

We only received your e-mail address, we do not store any other data about you
we don't have any information.

At the same time, we declare that we have deleted it from our address list!

Best regards:

[...]"

III. Applicable legal provisions

(17) The GDPR must be applied to personal data in a partially or fully automated manner
processing, as well as those personal data in a non-automated manner

which are part of a registration system or which
they want to make it part of a registration system. Subject to the GDPR
for data management by Infotv. According to Section 2 (2), the GDPR is indicated there
must be applied with supplements.

(18) Based on points 1, 2, 7 of Article 4 of the GDPR:
1. "personal data": for an identified or identifiable natural person ("data subject")

any information relating to; the natural person who is directly you can be identified
indirectly, in particular an identifier such as name, number, location data,
online identifier or physical, physiological, genetic, mental, economic,
based on one or more factors related to your cultural or social identity
identifiable;
2. "data management": automated or not on personal data or data files
any operation or set of operations performed in an automated manner, such as collection,

recording, organizing, categorizing, storing, transforming or changing, querying,
viewing, use, communication, transmission, distribution or otherwise
by making it available, coordinating or connecting, limiting, deleting, or
destruction;
7. "data controller": the natural or legal person, public authority, agency or
any other body that independently manages the purposes and means of personal data
or determines with others; if the purposes and means of data management are defined by the EU or

determined by the law of the Member State, concerning the data controller or the designation of the data controller
special aspects may also be determined by EU or member state law;

(19) Based on paragraphs (1)-(6) of Article 12 of the GDPR:

(1) The data controller shall take appropriate measures in order to ensure that the data subject a
all those referred to in Articles 13 and 14 relating to the management of personal data

information and 15-22. and each piece of information according to Article 34 is concise, transparent,
in an understandable and easily accessible form, clearly and intelligibly formulated
provide, especially for any information directed at children. The information
must be given in writing or in another way - including, where applicable, the electronic way. The
at the request of the data subject, oral information can also be provided, provided that the data subject has confirmed otherwise
identity.
(2) The data controller facilitates the relevant 15-22. the exercise of his rights according to art. Article 11

In the cases referred to in paragraph (2), the data controller is the data subject concerned in Articles 15-22. your rights under Art
may not refuse to fulfill your request for exercise, unless you prove that
that the person concerned cannot be identified.
(3) The data controller without undue delay, but in any case the request
within one month of its receipt, informs the person concerned of the 15-22 according to article
on measures taken following a request. If necessary, taking into account the request
complexity and the number of applications, this deadline can be extended by another two months. Regarding the extension of the deadline, the data controller explains the reasons for the delay
indicating within one month from the receipt of the request

concerned. If the person concerned submitted the request electronically, the information is possible
must be provided electronically, unless the data subject requests otherwise.

(20) Pursuant to Article 15 (1) of the GDPR:
(1) The data subject is entitled to receive feedback from the data controller regarding
whether your personal data is being processed and if such data is being processed
is entitled to access to personal data and the following information

get:
a) the purposes of data management;
b) categories of personal data concerned;
c) recipients or categories of recipients with whom or with which the personal
data has been disclosed or will be disclosed, including in particular third-country recipients,
and international organizations;
d) where appropriate, the planned period of storage of personal data, or if this is not the case

possible aspects of determining this period;
e) the right of the data subject to request from the data controller the personal data relating to him
rectification, deletion or restriction of processing of data, and may object to such
against the processing of personal data;
f) the right to submit a complaint addressed to a supervisory authority;
g) if the data were not collected from the data subject, everything about their source is available
information;

h) the fact of automated decision-making referred to in paragraphs (1) and (4) of Article 22, including
also profiling, and at least in these cases to the applied logic and that
comprehensible information about the significance of such data management and that
what are the expected consequences for the person concerned.

(21) Pursuant to points b) and d) of Article 58 (2) of the GDPR, the supervisory authority
acting within its competence:

b) condemns the data manager or the data processor if its data management activities
violated the provisions of this regulation.
d) instructs the data manager or the data processor that its data management operations - given
in a specified manner and within a specified period of time - harmonized by this decree
with its provisions.

(22) Pursuant to Article 77 (1) of the GDPR, other administrative or judicial remedies
without prejudice, all data subjects are entitled to lodge a complaint with a supervisory authority
- in particular your usual place of residence, place of work or the place of the alleged infringement
in the Member State of origin - if, according to the judgment of the data subject, the personal data relating to him
handling violates this regulation.

(23) Infotv. § 60 (1) In order to assert the right to the protection of personal data a
At the request of the data subject, the authority initiates official data protection proceedings ex officio
may initiate a data protection official procedure.

(24) Infotv. On the basis of § 71, paragraph (1) during the Authority's procedure - for its conduct
to the necessary extent and for the duration - can manage all personal data, as well as the law

data classified as secrets protected by and secrets bound to the exercise of a profession, which are
are related to the procedure, and the management of which is the successful completion of the procedure
necessary for

(25) Pursuant to Section 46 (1) of the Ákr, the authority shall reject the application if

a) the legally defined condition for the initiation of the procedure is missing, and this law
it does not attach any other legal consequences. (26) Pursuant to § 47, subsection (1) of the Ákr, the authority terminates the procedure if
a) the request should have been rejected, but the reason for that was the initiation of the procedure

came to the attention of the authorities.

ARC. Decision:

IV.1. Personal data of the Applicant, quality of data management

(27) According to Article 4, Point 1 of the General Data Protection Regulation, the contact details of the Applicant,
surname, first name, e-mail address are the personal data of the Applicant,
the storage of which data is in accordance with Article 4, Point 2 of the General Data Protection Regulation
is considered data management.

(28) The Respondents declared to the Authority that Respondent 2 is the data controller

determines its purpose and means independently, therefore it is an independent data controller, since it was taken over from […]
personal data of job seekers, including the management of the Applicant's personal data
has independent decision-making authority.

(29) Due to the above, Respondent 2, as a data controller, was obliged to respond to the Applicant's data subject request
fulfill and provide information to him in connection with the data subject's request.

(30) The subject of the present proceedings was only the examination of whether the Applicant is a personal person
data subject's request to those written in the general data protection regulation
has been properly fulfilled, i.e. the Authority's handling of the Applicant's personal data,
did not examine the data management conditions of their receipt from […].

IV.2. Completing an access request and the related obligation to provide information

(31) The data subject's right of access is regulated by Article 15 of the GDPR. Based on this, the data subject is entitled
to receive feedback on the data management that it is personal
whether your data is being processed, and if such data processing is underway, you are entitled
to receive information about the purpose of data management, the personal data concerned
categories, the recipients to whom your personal data was (will be) disclosed, a
the duration of their storage, the source of the data, the exercise of the data subject's rights, and a
On the right to appeal to the authorities.

(32) On April 7, 2022, the Applicant turned to Respondent 2 with its access request. THE
Respondent 2 as detailed in paragraph (14) only of the order of the Authority
after receiving it, he noticed that this did not happen due to an administrative error.

(33) Pursuant to Article 12 (3) of the GDPR, the Respondent 2 from the receipt of the request
should have informed the Applicant about the access within one month

regarding your request. Based on this, the access letter sent to Respondent 2 by the Applicant
the one-month deadline for responding to your request was May 7, 2022
down, so Respondent 2 should have informed the Applicant by this deadline. THE
However, Respondent 2 failed to inform the Applicant within this deadline,
According to his statement sent to the authorities, the reason for this was an administrative error. His statement
according to the attached e-mail copy, the Applicant's e-mail address was typed,
so that was the reason why he did not receive Respondent 2's reply letter. The buckled

according to a copy, on May 12, 2022, i.e. the Applicant's reminder e-mail (in which again
requested access, on the other hand, he claimed that he would turn to the Authority if they did not comply
the request) would have sent the response of the Respondent 2, so Article 12 (3) of the GDPR
exceeding the one-month deadline according to paragraph

(34) Respondent 2 claimed that due to an administrative error, he did not answer a
At the request of the applicant's stakeholders. According to this, it was unintentional behavior that caused Respondent 2 not to fulfill the stakeholder request at all. According to the position of the Authority
this argument does not exempt Respondent 2 from data controller responsibility, given

to the fact that, pursuant to Article 4, point 7 of the GDPR, Respondent 2 is considered a data controller. THE
Respondent 2 is the one who organizes and develops the data management process
circumstances. The most important feature of the data controller is that it is a substantive decision-maker
has authority and is responsible for all data management, the general
for fulfilling the obligation stipulated in the data protection decree. Because of the above, the Authority
found that Respondent 2 violated Article 15 (1) of the GDPR.

(35) The European Data Protection Board on the concept of data processor and data controller according to the GDPR
07/2020 (hereinafter: Guideline)
according to "Sometimes companies and public bodies appoint a separate person for data management
to carry out an activity. Even though sometimes a specific natural
a person is appointed to ensure compliance with data protection rules,
this person will not be a data controller, but for that legal entity (or company
public law body) acts on its behalf, which is the data controller in case of violation of the rules

is ultimately responsible for its quality. In the same way, even if you are a specific class
organizational unit is operative with regard to certain data management activities
is also responsible for ensuring compliance, this does not mean that it is
department or unit will be the data controller (rather than the organization as a whole).” The Guidelines
In addition, his summary notes in this regard that "As a general rule, there is none
restriction on the type of organization that can fulfill the role of data controller,
however, in practice it is usually the organization itself, rather than those within the organization

a person (such as a CEO, employee, or board member) that
act as a data controller."

(36) Based on all of this, the violation related to the case is also the Respondent 2, as a data controller
falls under his responsibility. Article 25 of the GDPR requires that the controller is the controller
implement appropriate technical and organizational measures throughout its entire process
to ensure that you respond to data subject requests in a timely manner

be fulfilled.

ARC. 3. Request related to obliging the Respondent to fulfill 2 stakeholder requests

(37) Considering that the Respondent 2 established in paragraph (34) of this decision
did not comply with the Applicant's access request, therefore the Authority approved the
Petitioner's request and obliged Respondent 2 to comply with it.

IV.4. Request related to obliging Respondent 1 to fulfill the stakeholder request

(38) Since Respondent 1 was not qualified for the data management complained about in the application
decision IV.1. because of what was written in point, namely with the examined data management
in this context, the Applicant 2 is qualified as a data controller, therefore the Authority is the Applicant
He rejected his request for Respondent 1.

IV.5. Legal consequences

(39) The Authority convicts Respondent 2 on the basis of GDPR Article 58 (2) point b),
because it violated Article 15 (1) of the GDPR.

(40) In accordance with Article 58 (2) point d) of the GDPR, the Authority ordered that the

Respondent 2 fulfill the Requester's access request.

(41) The Authority exceeded Infotv. administrative deadline according to § 60/A. (1), therefore
HUF 10,000, i.e. ten thousand forints, is due to the Applicant - according to his choice - to a bank account
by money order or postal order Based on point b) of paragraph (1) of § 51.V. Other questions:

(42) The competence of the Authority is defined by Infotv. Paragraphs (2) and (2a) of § 38 define it, and its competence is
covers the entire territory of the country.

(43) The decision in Art. 80-81 § and Infotv. It is based on paragraph (1) of § 61. The decision is
Acr. Based on § 82, paragraph (1), it becomes final upon its publication. The Akr. § 112 and § 116
(1) and on the basis of § 114, paragraph (1) administrative against the decision
there is room for legal redress through a lawsuit.

* * *
(44) The rules of administrative proceedings are laid down in Act I of 2017 on Administrative Procedures (the
hereinafter: Kp.) is defined. The Kp. Based on § 12, paragraph (1), by decision of the Authority
the administrative lawsuit against falls within the jurisdiction of the court, the lawsuit is referred to in the Kp. Section 13 (3)
Based on subparagraph a) point aa), the Metropolitan Court is exclusively competent. The Kp.
Pursuant to § 27, paragraph (1) point b) in a lawsuit within the jurisdiction of the court, the legal
representation is mandatory. The Kp. According to paragraph (6) of § 39, the submission of the statement of claim a

does not have the effect of postponing the entry into force of an administrative act.

(45) The Kp. Paragraph (1) of § 29 and, in view of this, Pp. According to § 604, it is applicable
of 2015 on the general rules of electronic administration and trust services
CCXXII. Act (hereinafter: E-Administration Act) according to Section 9 (1) point b) of the
the client's legal representative is obliged to maintain electronic contact.

(46) The time and place of filing the statement of claim is determined by Kp. It is defined by § 39, paragraph (1). THE
information on the possibility of a request to hold a hearing in Kp. Section 77 (1)-(2)
based on paragraph The amount of the administrative lawsuit fee is determined by the 1990 Law on Fees
XCIII. Act (hereinafter: Itv.) 45/A. Section (1) defines. The fee is in advance
from the payment of the Itv. Paragraph (1) of § 59 and point h) of § 62 (1) exempt it
party initiating the procedure.

(47) If the Respondent 2 does not adequately certify the fulfillment of the prescribed obligation, a
The authority considers that the obligation was not fulfilled within the deadline. The Akr. § 132
according to, if the obligee has not complied with the obligation contained in the final decision of the authority,
is enforceable. The Authority's decision in Art. According to § 82, paragraph (1), with the communication
becomes permanent. The Akr. Pursuant to § 133, enforcement - if you are a law
government decree does not provide otherwise - it is ordered by the decision-making authority. The Akr. 134.
pursuant to § the execution - if it is a law, government decree or municipal authority

the decree of the local government does not provide otherwise - the state tax authority
undertakes.

(48) During the procedure, the Authority exceeded Infotv. One hundred and fifty days according to paragraph (1) of § 60/A
administrative deadline, therefore the Ákr. Based on point b) of § 51, he pays ten thousand forints a
To the applicant.

dated: Budapest, according to the electronic signature

Dr. Habil. Attila Péterfalvi
president
c. professor