NAIH (Hungary) - NAIH-1091-10/2022 (NAIH-6936/2021)
|NAIH - NAIH-1091-10/2022.(NAIH-6936/2021)|
|Relevant Law:||Article 5(2) GDPR|
Article 6(1) GDPR
Article 7(1) GDPR
Article 12(1) GDPR
Article 12(2) GDPR
Article 12(3) GDPR
Article 12(4) GDPR
Article 15(1) GDPR
Article 17(1) GDPR
|National Case Number/Name:||NAIH-1091-10/2022.(NAIH-6936/2021)|
|European Case Law Identifier:||n/a|
|Original Source:||NAIH (in HU)|
|Initial Contributor:||Vilma Margarit|
The Hungarian DPA imposed a €1,228 fine on a hotel booking service for sending direct marketing emails without a valid legal basis and not complying with data subject rights under Articles 12, 15, 17 and 21(2) GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
Two data subjects received unsolicited commercial emails from a hotel booking website (the controller). They objected to the processing of their personal data for direct marketing purposes and requested their email address to be deleted form the controller's register. However, the controller did not comply with the request and continued sending unsolicited emails. The same happened to the second data subject. Additionally, one of the data subjects submitted an access request to the controller but did not receive a response.
Both data subjects filed a complaint with the Hungarian DPA. The DPA initiated an investigation, trying to contact the controller several times. After not receiving any reply, the DPA started sanctioning proceedings.
During the proceedings, the controller argued that it was not aware of the data protection aspect of its activity and only considered it "simple advertising". Moreover, the controller stated that it had given instructions to delete the data from the mailing list, but an error occurred, as a result of which the personal data was still in the register. Furthermore, according to the controller, once the error was remedied, the data subjects were orally informed by a phonecall about the deletion of their data.
Holding[edit | edit source]
Additionally, the DPA established a violation of Article 6(1) GDPR because the consent given by the data subjects was not informed since the controller provided conflicting information about the legal basis. Furthermore, the consent was not obtained separately for every specific purpose as there were no separate checkboxes for data marketing purposes.
The DPA also held that the controller did not have proof of consent, violating Article 7(1) GDPR. The controller also violated Article 5(2) GDPR as it never sent to the DPA the requested proves of consent or an assessment of balancing the legitimate interests at stake.
The DPA emphasised that data processing for marketing purposes is of a special nature. The DPA referred to Article 21(2) GDPR, according to which the data subject can at any time object to personal data processing for direct marketing purposes. In such cases, the controller has no discretion, but must delete the personal data (Article 17(1)(c) GDPR).
Regarding the access request made by one of the data subjects, the DPA found a violation of Article 15 GDPR as the controller never responded to the request.
For the above-discussed violations, the Hungarian DPA fined the controller HUF 500,000.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
Case number: NAIH-1091-10/2022. History: NAIH-6936/2021. Subject: decision establishing a violation of law F H A T A R O Z A T The National Data Protection and Freedom of Information Authority (hereinafter: the Authority) [...]- (hereinafter referred to as: Customer) for marketing data processing and exercise of stakeholder rights practice regarding the fulfillment of the personal data of natural persons regarding its protection and the free flow of such data, as well as a of Regulation 2016/679 (EU) on the repeal of Directive 95/46/EC (hereinafter: GDPR and General Data Protection Regulation) - 25.05.2018-01.09.2021. in the period between the following decision in the data protection official procedure initiated ex officio to examine its compliance bring I.1. The Authority believes that the Customer has violated: - Paragraph 1 of Article 6 of the GDPR, as it was handled without a legal basis for direct business acquisition purposes personal data, - Article 7 (1) of the GDPR and Article 5 (2) of the GDPR, as he could not to certify the processing of the personal data of the data subjects for the purpose of direct business acquisition his consent, nor his legitimate interest in data management, - Article 12 (1) of the GDPR, as it did not provide transparent and understandable information, - Article 15 (1) and Article 17 (1) of the GDPR, Article 12 (1) - (4) of the GDPR paragraph, as he did not fulfill the prescribed deadline, or only because of the procedure data subjects to delete personal data processed for the purpose of direct business acquisition requests […] (e-mail address: […]; hereinafter: Data Subject 1) and […] (e-mail address: [...] ; the hereinafter: in the case of Data Subject 2), and not to Data Subject 2's access request answered. I.2. The Authority obliges the Customer to: - provide written information to the Data Subjects by fulfilling their data subject requests in context, furthermore - its data management operations are brought into line with the general data protection regulation with its provisions by transforming its direct business acquisition practices and on the basis of a suitable legal basis and the relevant rules of the General Data Protection Regulation it manages them by keeping them, furthermore - give clear information to those concerned before obtaining e-mail addresses, and knowing this, ask for their express consent to the processing of data for marketing purposes, if you manage them based on consent. I.3. The Authority is the Client ex officio due to the illegal data processing it has carried out HUF 500,000, i.e. five hundred thousand HUF2 data protection fine obliged to pay. I.2. - I.3. the Customer from taking the measure to fulfill the obligation according to point must be submitted in writing within 15 days of the certify to the Authority. In case of non-fulfillment of the obligation, the Authority shall issue a decision implementation. The data protection fine is the governing action for the initiation of the administrative lawsuit within 15 days after the expiration of the deadline or, in the case of an administrative lawsuit, after the court's decision a Authority's centralized revenue collection target settlement HUF account (10032000- 01040425-00000000 Centralized direct debit account IBAN: HU83 1003 2000 0104 0425 0000 0000) must be paid in favor of When transferring the amount, NAIH-1091/2022. FINE. must count refer to. If the Customer does not fulfill his obligation to pay the fine within the deadline, he is in default must pay an allowance. The amount of the late fee is the legal interest, which is due to the delay is the same as the central bank base rate valid on the first day of the relevant calendar semester. The fine and the in case of non-payment of late payment, the Authority orders the execution of the decision. There is no place for an administrative appeal against the decision, but it is subject to notification Within 30 days with a letter of claim addressed to the Capital Court in a public administrative case can be attacked. The statement of claim must be submitted to the Authority, electronically1, which is the case forwards it to the court together with its documents. The request to hold the hearing must be indicated in the statement of claim must For those who do not benefit from the full personal tax exemption, the administrative court fee HUF 30,000, the lawsuit is subject to the right to record the levy. In the proceedings before the Metropolitan Court, the legal representation is mandatory. I N D O C O L A S I. Procedure of the procedure I.1. Based on the complaints of the interested parties, NAIH/2020/147. and NAIH/2019/7264. it is on account Article 57 (1) point f) of the General Data Protection Regulation and information self-determination CXII of 2011 on law and freedom of information. Act (hereinafter: Infotv.) § 38 Based on point a) of paragraph (3), an investigation procedure was initiated before the Authority. I.2. The Authority is Infotv. Based on § 55 (1) point ab) NAIH/2020/1247. and the NAIH/2020/147. closed its investigation procedures, and Infotv. Based on § 60, paragraph (1). ex officio initiated a data protection official procedure against the Customer. I.3. At the request of the Authority, the Client shall submit NAIH-6936-1/2021., NAIH-6936-3/2021. and the NAIH 1091-1/2022. in order no. he was invited to make a statement in order to clarify the facts I.4. The Authority NAIH-1091-1/2022. 150,000 HUF procedural fine in order no obliged the Client to pay, and also invited him to make a statement, since the Authority NAIH- 6936-1/2021. to call no., and NAIH-6936-3/2021. to his repeated call no answering questions essential to the discovery of data management conditions missed it. The Customer is obliged to pay the procedural fine and make a statement complied with the Authority's deadline extension request NAIH-1091-3/2022. rejected by order no. I.5. The Authority NAIH/2020/147. No. and NAIH/2019/7264. investigation cases no 1 The NAIH_KO1 form is used to initiate the administrative lawsuit: NAIH KO1 form (16.09.2019) The form can be filled out using the general form filling program (ÁNYK program). 3 2016 CL on the general administrative procedure for its complainants. law (a hereinafter: Ákr.) based on paragraph (1) of § 10, client legal status was granted by NAIH-1091-2/2022. and NAIH-1091-8/2022. in his orders No. and called them to declare and they can exercise their right to inspect documents. The complainants involved as clients the orders of the Authority received, but did not make a statement within the specified deadline. II. Clarification of facts II.1. History II.1.1. NAIH/2020/147. investigation case no The Authority received a complaint on October 4, 2019, in which [...] (email address: [...] ; the hereinafter: Data subject 1) objected to the processing of the Customer's data, since on March 12, 2019 submitted a request to the [...] e-mail address to delete the [...] e-mail address and all its data from the From the customer's register, because Data Subject 1 did not consent to data management. Your request is However, the customer did not comply and continued to send unsolicited emails to the e-mail address of Data Subject 1. The Data Subject forwarded 1 copy to the Authority to the Customer on March 12, 2019 sent stakeholder request. The Authority in the case of Article 57 (1) point f) of the General Data Protection Regulation and Infotv. NAIH/2019/7219 initiated an investigation procedure based on the request based on point a) of paragraph (3) of § 38. number in connection with the Customer's data processing for marketing purposes. NAIH/2020/1247. contacted the Customer with call no., which call the Customer made according to the proof of the receipt, it was received by its authorized representative on January 31, 2020. Given that that the Client did not respond to the Authority's call, and therefore the Authority again to make a statement called the Customer. The Customer is authorized to call the Authority again by the receipt according to his testimony, he received it on May 12, 2020, but did not respond to that Authority. II.1.2. NAIH/2019/7264. investigation case no In parallel with the above investigation procedure, NAIH/2019/7264 before the Authority. investigation on number proceedings have been initiated against the Customer pursuant to Article 57 (1) Paragraph f) of the General Data Protection Regulation point and Infotv. Based on § 38, paragraph (3), point a), since [….] (e-mail address: [...] ; the hereinafter: Data subject 2) also objected to the Client's data management. Data Subject 2 based on his right of access - electronically, in his letter sent to […] requested information from the Customer in connection with the processed personal data, and also requested a deletion of personal data on 20.03.2019. day after receiving a direct marketing e-mail 12/03/2019 on the day of To date, Data Subject 2 has not responded to requests submitted on the basis of his data subject rights received a response from the Customer, however, despite his cancellation request, 10.03.2019, 10.2019. on day 07, then on May 11, 2020 and October 31, 2020, you received another direct marketing e-mail from the Customer. In connection with the above, the Authority first - with reference to Infotv. Section 54, subsection (1) a) and point c) - NAIH/2020/147/2. contacted the Customer with call no the Customer's representative received it on January 10, 2020, as evidenced by the receipt. Given that the Client did not respond to the Authority's call, the Authority a NAIH/2020/1247/4. in invitation no. (repeated invitation) he was again asked to make a statement, which repeated call is authorized by the Customer as evidenced by the receipt May 2020 It was received on the 12th, but the Customer did not respond to that either. II.1.3. Closing investigative cases, initiating official data protection proceedings4 Considering that the Client is the Authority NAIH/2020/1247. and NAIH/2020/147. test no he did not respond to his calls in his proceedings, and for this reason it was assumed that he was its data processing continues to harm Data Subject 1 and Data Subject 2 (hereinafter collectively: Data Subjects), also the rights of other data subjects specified in the General Data Protection Regulation, and a contained in the notifications made it likely that the General Data Protection Regulation was violated, a Authority is Infotv. Based on § 55 (1) point ab) NAIH/2020/1247. and NAIH/2020/147. closed its investigation procedures (hereinafter: previous investigation cases) and Infotv. 60. On September 1, 2021, on the basis of paragraph (1) of § of its general data management practices for the purpose of obtaining direct business with the Customer and concerning the examination of the fulfillment of stakeholder requests. II.2. At the request of the Authority, the Client - NAIH-6936-1/2021. No. and NAIH-6936-3/2021. in its responses to orders no. - provided the following information: For all bookings, the Customer requests that the guest request a price quote electronically for the period for which you wish to book accommodation. With the Stakeholders being aware of this the accommodation was booked electronically, - according to the Customer's point of view - at the same time have accepted that the Customer has received their e-mails, thus their e-mails accessed his address, and thus entered the "data bank" of the electronic mail program. Because of this the Data Subjects received from the hotel circular, at the end of which, according to the Customer's statement in all cases, it is written that if you do not wish to receive circulars from the Customer, please let us know and it will be deleted from the register. In this regard, the Authority found that this is a contradiction in background investigation cases attached by the concerned parties and sent to them by the customer with the contents of the letters, because there was no indication in the letter of how they could have the their personal data to the Data Subjects. The Customer also referred to the fact that the Data Subjects via the Customer's website they visited the Customer's hotel and booked through it, therefore it is general terms and conditions (T&C) were accepted. The Customer's executive stated that he had given instructions to delete the unsubscribers a from the mailing list, however, for some reason this was not available for the concerned parties, probably the Due to the lack of labor due to the COVID-19 epidemic, therefore to delete the personal data of the Data Subjects did not take place. When the Customer's activity was restarted, the omission was corrected and deleted Your personal data from your records. The Customer disputes that it handled the personal data of the Data Subjects for direct business purposes. In his opinion, the mail program automatically saves those electronic the mailing address of those who have already sent an electronic mail to them is not considered data processing, not even a database. If the Authority still considers this to be data processing, then it is in this case, no data other than the electronic mail address is stored. The Customer stated that he does not conduct marketing activities over the phone. The Customer also made the observation that, in his opinion, since the procedure is the Data Subjects was initiated based on his notification, therefore it cannot be considered a procedure initiated ex officio. Other offices they do not initiate ex officio proceedings upon request or based on a report. The Client attached the following to the Authority's request: - the text of 2 circular emails containing offers operated by the Customer for booking accommodation in a hotel, related care and health care services. The e-mails also contain the price of the services, as well as 2 e-mails in the case of unsubscribing from e-mail, you can read the information at the bottom of the letter in connection.5 - General Terms and Conditions for the year 2021 attached by the customer, which is the 20 there are provisions related to data protection in point "Protection of consumer interests, under the heading "data protection". II.3. Point 4 of the data management information on the Customer's website [...] contained the following in the examined period, in connection with data processing for marketing purposes, the "newsletter data management related to subscription" under the heading: "Our company keeps in touch with its guests by means of a newsletter, to whom it is recommended informs about its services, news and promotions related to its operation. Controller of personal data: [...] Kft. Purpose of data management: maintaining contact with potential hotel guests Legal basis for data management: the consent of the data subject - Article 6 (1) point a) GDPR. Designation of the legitimate interest: business-related with partners and hotel guests maintenance and development Scope of processed personal data: name, e-mail address Duration of data management: our company manages e-mail addresses until you unsubscribe from the newsletter. [...]" II.5. The Authority NAIH-1091-1/2022. in order no., the Customer is fined HUF 150,000 obliged him to pay, and also repeatedly called him to make a statement in view of the fact that The customer, with his behavior, is required to cooperate and provide data in the Ákr. and the GDPR breached its obligation, as it did not provide full information despite repeated calls from the Authority information. In response to the above order of the Authority, the Client's legal representative stated the following: Due to a misinterpretation due to incomplete knowledge of data protection concepts, the executive is wrong made a statement about data management for the purpose of acquiring business. The Customer actually sent the a letter explaining promotions to hotel guests, which, however, was not considered prohibited for data management. The customer will delete the objectionable paragraph of the General Terms and Conditions. The Customer was not aware of the data protection aspect of his activity, the legal basis is "that they considered it a simple advertising activity'. The persons concerned gave it when checking in to the hotel and their e-mail address after a verbal question about whether they can send them information about promotions information notices. The e-mail addresses are in the mandatory hotel records are included, a separate list of them has not been prepared. If the guest makes a reservation on the hotel's website room, so the e-mail address is recorded in the inbox. In the examined period, approx. The Customer sent 600 letters to hotel guests. The Customer attached the program used for correspondence, its name and information about it stated that for reasons unknown to him the e-mail addresses stored there were deleted from the system. According to the Customer's statement, the Customer informed Data Subject 1 orally about the cancellation, who he took note. The Customer also verbally informed Data Subject 2 about the deletion. The Customer was unable to prove with documents that the Data Subjects were guests of his hotel, since the relevant data was deleted from its records for technical reasons. III. Applicable legal regulations Based on Article 2 (1) of the GDPR, the GDPR is required for data management in this case apply. 6 Infotv. Pursuant to Article 55, Paragraph (1), the Authority shall initiate the investigation ex officio or within two months from the date of receipt of the notification ab) closes the investigation and initiates a data protection official procedure according to § 60. Infotv. Enforcement of the right to the protection of personal data based on Section 60 (1). in order to do so, the Authority initiates an official data protection procedure at the request of the data subject and may initiate official data protection proceedings ex officio. For data management under the scope of the GDPR, Infotv. According to Section 2 (2) of the GDPR, there shall be applied with the additions contained in the specified provisions. Pursuant to GDPR Article 4, point 1, "personal data": identified or identifiable natural any information relating to a person ("data subject"); the natural person who directly or indirectly, in particular an identifier such as name, number, location data, online identifier or physical, physiological, genetic, one or more factors related to your intellectual, economic, cultural or social identity can be identified based on; According to Article 4, point 2 of the GDPR, "data management": on personal data or data files any action or actions performed by automated or non-automated means totality, such as the collection, recording, organization, segmentation, storage, transformation or change, query, insight, use, communication, transmission, distribution or otherwise by way of making it available, coordination or connection, limitation, deletion or destruction; According to GDPR Article 4, point 7, "data controller": the natural or legal person, public authority body, agency or any other body that determines the purposes of personal data management and determines its assets independently or together with others; if the purposes and means of data management determined by EU or Member State law, to designate the data controller or the data controller relevant special aspects may also be determined by EU or member state law; Based on GDPR Article 4, point 11, "data subject's consent": voluntary of the data subject's will, specific and clear declaration based on adequate information by the data subject indicates by a statement or by an act clearly expressing the confirmation that gives his consent to the processing of his personal data; Based on recital (44) of the GDPR, data processing is considered lawful if it is necessary in the context of a contract or intention to enter into a contract. Based on recital (47) of the GDPR, the data controller - including the data controller to whom the personal data may be disclosed - or the legitimate interest of a third party is a legal basis may create for data management, provided that the interests, fundamental rights and freedoms of the data subject are not have priority, taking into account the data subject based on his relationship with the data controller reasonable expectations. Such a legitimate interest can be discussed, for example, when it is relevant and there is an appropriate relationship between the data subject and the data controller, for example in cases where the data subject is a client of the data controller or is employed by it. The existence of a legitimate interest in order to establish that, it is necessary to carefully examine, among other things, that it is concerned at the time of collection of personal data and whether it can count in connection with it reasonable that data management may take place for the given purpose. The interests of the person concerned and fundamental rights may take precedence over the interest of the data controller if the personal data is such it is handled in circumstances in which the persons concerned do not matter further for data management. Since it is the task of the legislator to define in legislation that the public authority bodies, on what legal basis can I process personal data, the legitimate interest of the data controller a supporting legal basis cannot be used by public authorities in the performance of their duties for data management. Personal data for the purpose of fraud prevention absolutely 7 its necessary processing is also considered the legitimate interest of the data controller concerned. Personal data its handling for the purpose of obtaining direct business can also be considered based on a legitimate interest. Pursuant to Article 5 (1) point a) of the GDPR, the processing of personal data is lawful and must be carried out fairly and in a transparent manner for the data subject ("legality, fair procedure and transparency'); Pursuant to Article 5 (1) point b) of the GDPR, the collection of personal data is only defined, be done for a clear and legitimate purpose, and they should not be treated in conflict with these purposes in a negotiable manner; in accordance with Article 89 (1) does not qualify as the original purpose incompatible for the purpose of archiving in the public interest, scientific and historical research further data processing for purposes or for statistical purposes ("target binding"); Based on Article 5 (2) of the GDPR, the data controller is responsible for paragraph (1). for compliance and must be able to demonstrate this compliance ("accountability"). On the basis of Article 6 (1) of the GDPR, personal data is processed only when and to the extent that it is legal if at least one of the following is met: a) the data subject has given his consent to the processing of his personal data for one or more specific purposes for its treatment; b) data management is necessary for the performance of a contract in which the data subject is one of the parties, or to take steps at the request of the data subject prior to the conclusion of the contract required; c) data management is necessary to fulfill the legal obligation of the data controller; d) the data processing is for the vital interests of the data subject or another natural person necessary for its protection; e) data processing is in the public interest or the data controller is authorized by a public authority necessary for the execution of a task performed in the context of its exercise; f) data management to enforce the legitimate interests of the data controller or a third party necessary, unless the interests of the data subject take precedence over these interests or fundamental rights and freedoms that require the protection of personal data, especially if a child is involved. Pursuant to Article 7 (1) of the GDPR, if data processing is based on consent, it data controller must be able to prove that the data subject's personal data contributed to its treatment. Based on Article 12 (1) – (4) of the GDPR: (1) The data controller shall take appropriate measures in order to ensure that the data subject a all the information referred to in Articles 13 and 14 regarding the management of personal data and 15-22. and each information according to Article 34 is concise, transparent, comprehensible and easy provide it in an accessible form, clearly and comprehensibly worded, especially a for any information addressed to children. Information in writing or otherwise - including, where applicable, the electronic route - must be provided. Oral at the request of the person concerned information can also be provided, provided that the identity of the person concerned has been verified in another way. (2) The data controller facilitates the relevant 15-22. the exercise of his rights according to art. Article 11 (2) in the cases referred to in paragraph 15-22, the data controller is the person concerned. to exercise his rights according to art may not refuse to fulfill your request, unless you prove that the person concerned cannot be identified. (3) The data controller without undue delay, but in any case from the receipt of the request informs the person concerned within one month of the 15-22. following a request according to art on measures taken. If necessary, taking into account the complexity of the request and the number of applications, this deadline can be extended by another two months. The deadline request for an extension by the data controller indicating the reasons for the delay informs the person concerned within one month of receipt. If the data subject is electronic submitted the application via e-mail, the information must be provided electronically if possible, 8 unless the data subject requests otherwise. (4) If the data controller does not take measures following the data subject's request, without delay, but informs the person concerned no later than one month from the date of receipt of the request about the reasons for the failure to take action, as well as about the fact that the person concerned can submit a complaint to a with a supervisory authority, and can exercise his right to judicial redress. Based on Article 15 (1) of the GDPR, the data subject is entitled to request from the data controller receive feedback on whether your personal data is being processed, and if such data processing is in progress, you are entitled to access personal data and get access to the following information: a) the purposes of data management; b) categories of personal data concerned; c) recipients or categories of recipients with whom or with which the personal data communicated or will be communicated, including in particular to recipients in third countries, or international organizations; d) where appropriate, the planned period of storage of personal data, or if this is not the case possible aspects of determining this period; e) the data subject's right to request personal data relating to him from the data controller rectification, deletion or restriction of processing and may object to such personal data against treatment; f) the right to submit a complaint addressed to a supervisory authority; g) if the data were not collected from the data subject, everything about their source is available information; Based on Article 17 (1) of the GDPR, the data subject is entitled to request that the data controller delete the personal data concerning him without undue delay, and the data controller is obliged to provide the personal data concerning the data subject without undue delay delete if any of the following reasons apply: a) the personal data are no longer needed for the purpose for which they were collected or otherwise treated in a manner; b) the data subject withdraws it pursuant to point a) of Article 6 (1) or point a) of Article 9 (2) pursuant to point 1, the consent that forms the basis of the data management, and the data management does not have other legal basis; c) the data subject objects to the data processing on the basis of Article 21 (1), and there is no an overriding legitimate reason for data processing, or the data subject is Article 21 (2). objects to data processing based on; d) personal data were handled unlawfully; e) the personal data is legal as prescribed by EU or member state law applicable to the data controller must be deleted to fulfill an obligation; f) to collect personal data with the information society referred to in paragraph 1 of Article 8 took place in connection with the offering of related services. Based on Article 17 (3) of the GDPR, paragraphs (1) and (2) do not apply if data management is necessary: […] b) EU or Member State law applicable to the data controller, which prescribes the processing of personal data fulfillment of the obligation according to, or in the public interest or public authority entrusted to the data controller for the purpose of performing a task performed in the context of exercising a driver's license; […] Based on Article 21 (1) of the GDPR, the data subject is entitled to, with his own situation object at any time to your personal data for reasons related to Article 6 (1) e) or against its processing based on point f), including profiling based on the aforementioned provisions too. In this case, the data controller may no longer process the personal data, unless it is the data controller proves that the data processing is justified by compelling legitimate reasons, which take precedence over the interests, rights and freedoms of the data subject, or which are related to the submission, enforcement or defense of legal claims.9 Pursuant to Article 21 (4) of the GDPR, the right referred to in paragraphs (1) and (2) shall be exercised no later than during the first contact with the data subject, the attention of the data subject must be specifically drawn to this relevant information must be displayed clearly and separately from all other information. According to Article 77 (1) of the GDPR, all data subjects have the right to file a complaint with a supervisory authority, if, in the opinion of the data subject, the personal data relating to him/her handling violates the GDPR. Article 58(2)(b), (d) and (i) of the GDPR: Within the corrective powers of the supervisory authority acting as: b) condemns the data manager or the data processor if its data management activities violated the provisions of this regulation; d) instructs the data manager or the data processor that its data management operations - where applicable in a specified manner and within a specified period of time - is brought into line with this regulation with its provisions; i) imposes an administrative fine in accordance with Article 83, depending on the circumstances of the given case in addition to or instead of the measures mentioned in this paragraph; Infotv. According to § 38, paragraph (2), the Authority is responsible for the protection of personal data, and the right to access data of public interest and public interest control and promotion of its validity, as well as personal data within the European Union facilitating its free flow. According to paragraph (2a) of the same § in the GDPR, the supervisory tasks and powers established for the authority under the jurisdiction of Hungary in terms of legal entities, as defined in the GDPR and this law, the Authority practice. Infotv. According to Section 60 (1), enforcement of the right to the protection of personal data in order to do so, the Authority may initiate an official data protection procedure ex officio. Infotv. According to § 61, paragraph (1), point a), it was made in the official data protection procedure in its decision, the Authority issued Infotv. Data management defined in paragraph (2) of § 2 in connection with operations, you can apply the legal consequences defined in the GDPR. In the absence of a different provision of the GDPR, the data protection authority procedure initiated upon the request is CL of 2016 on general administrative regulations. Act (hereinafter: Act) provisions shall be applied with the deviations specified in Infotv. The Akr. Based on Section 10 (1), the customer is a natural or legal person, other organization whose right or legitimate interest is directly affected by the case, to whom the official register contains data, or who (which) is subject to official control pulled The Akr. Based on § 80, subsection (1), the decision is a decision or an order. The authority - the (4) with the exception specified in paragraph - makes a decision on the merits of the case, during the procedure made other decisions orders. Infotv. 75/A. pursuant to § 83 (2)-(6) of the General Data Protection Regulation, the Authority exercises its powers in accordance with the principle of proportionality, especially with the fact that you are in the law regarding the handling of personal data The regulations defined in the mandatory legal act of the European Union are being implemented for the first time in case of violation, to remedy the violation with Article 58 of the General Data Protection Regulation in accordance with - takes action primarily with the warning of the data manager or data processor. Infotv. On the basis of § 71, paragraph (2), the Authority legally obtained a document during its procedures, data or other means of proof can be used in other proceedings. ARC. Decision of the Authority10 During the clarification of the facts, the Authority referred the previous cases to Infotv. Based on § 71, paragraph (2). used as evidence. IV.1. The Customer's activity and quality of data management According to the company registry, the Customer's main activity is hotel services, other its activities include holiday, other temporary services, restaurants and mobile catering. The Authority established that in the case concerned with the investigated data management, the above mentioned in connection with its activities, the Customer independently determines the purpose and means of data management determines, therefore, based on Article 4, point 7 of the GDPR, it is an independent data controller. IV.2. Electronic mail address as personal data and its storage as data management Pursuant to Article 4, point 1 of the GDPR, the electronic mail address in relation to a private individual is considered personal data. Based on Article 4, point 2 of the GDPR, personal data is considered data processing any operation or set of operations performed on data, i.e. by the Customer storing, uses it, sends circular emails to the given address, performs data management. IV.3. Data processing for the purpose of direct business acquisition and its legal basis IV.3.1. Informing stakeholders If the personal data concerning the data subject is collected from the data subject, the data controller has a fair and transparent data management at the time of obtaining personal data in order to provide data subjects with detailed information pursuant to Article 13 (1) of the GDPR of what is written in paragraph Recital (39) of the GDPR and Article 5 (1) point a) of the GDPR stipulate that the information on data management must be transparent, in an appropriate manner must be made available to those concerned (e.g. on the website of the data controller), taking into account the chosen to possible additional conditions of legal bases. Article 12 of the GDPR defines the formal requirements that must be observed be the data controllers when they enable and ensure the exercise of data subject rights, including prior information of those concerned. Based on this, the data controllers can manage personal data all relevant information in a concise, transparent, understandable and easily accessible form, they must provide clearly and comprehensibly. This must be made available to those concerned in an appropriate manner for (e.g. on the data controller's website), taking into account the possible legal grounds chosen additional conditions. The Customer referred to the General Terms and Conditions being read by the Data Subjects and accepted away, so they also consented to the processing of their personal data. Adopted by the Data Protection Working Group established on the basis of Article 29 of Directive 95/46/EC, a Guidelines on transparency facilitating the application and interpretation of GDPR (a hereinafter: Guidelines) to the data controllers as required by the GDPR they must provide it in a "concise, transparent, comprehensible and easily accessible" manner. "This information must be clearly separated from other information not related to data protection, for example, from contractual provisions or general terms and conditions.” (Guidelines 8. point) The "easily accessible" criterion is met if the data controller is According to the guidelines, if you place the information on the website in such a way that the person concerned has it you don't have to search and, for example, "Privacy", "Privacy notice" or "Privacy can be accessed with one click under the heading "declaration". (Point 11 of the Guidelines) It must also meet the requirement of transparent information in that regard to the data controller that the purpose and legal basis of the processing of personal data is in the information sheet11 be clearly defined, so avoid 'abstract' or 'ambiguous' use of expressions. According to the Authority's findings, the General Terms and Conditions referred to by the Customer in relation to data management it did not and does not contain provisions, as - as the name suggests - it is it is about general terms and conditions. The Customer's website contained its data management information sheet, which was examined by the Authority, and found that in relation to newsletters, in connection with data management, there are two also mentions a separate legal basis, points a) and f) of Article 6 (1) of the GDPR. Article 6 (1) of the GDPR point a) of the paragraph was expressly referred to by the Customer, and the legitimate interest was also indicated, not specifically as a legal basis, but his legitimate interest ("with partners, hotel guests established business-related maintenance and development") he named. However, this is not the case is acceptable, because if you perform data processing with reference to GDPR Article 6 (1) point a), then it is unnecessary and at the same time misleading to refer to a legitimate interest. The Customer must choose a of two legal bases, given that each legal basis requires different conditions as explained above. If the Customer is the start of data management designates a legal basis before, then the entire data management process must be consistent with it adjust, which in this case means that it is legitimate for data processing based on consent reference to interest is not acceptable. The purpose indicated by the Customer was not properly established either, as it was not for sending a newsletter the goal is to "keep in touch with potential hotel guests", but information is current about offers, so direct business acquisition is the actual goal. By the fact that the Client did not provide clear information regarding the purpose and legal basis, the Authority in his opinion, the Customer violated Article 12 (1) of the GDPR, as he did not give clear information neither in the GTC he refers to, nor in the data management policy on his website by way of information. IV.3.2. Data subject consent and legitimate interest as the legal basis for data management Article 6 (1) of the GDPR regulates the legal grounds, including the data subject consent and legitimate interest. IV.3.2.1. Data processing for the purpose of direct business acquisition is with the consent of those concerned, so a It can also be carried out on the basis of point a) of Article 6, paragraph (1) of the GDPR. In the case of data processing for marketing purposes based on Article 6 (1) point a) of the GDPR, it is essential condition based on Article 4, point 11 of the GDPR, that the data subjects have adequate information provide for the granting of consent in connection with the data management conditions before making their related decision, and also clearly declare the their contribution. The fact that those concerned must have adequate information means that the information given to them must be clear and unambiguous, and a information must have content in accordance with Article 13 of the GDPR. The additional requirement, that the persons concerned must clearly declare their consent means that it must be specific, so it must be for data processing related to a specific purpose apply. III.3.2. due to point 11 of Article 4 of the GDPR, the condition that a consent must be based on adequate information could not be enforced, because the legal basis the Client provided conflicting information to those concerned. The Customer did not comment on whether the subscription to the newsletter had any consequences with an advantage, as it denied data processing for marketing purposes at the beginning of the procedure, despite the fact that the data management information on its website specifically provides for this as well. Later, the Customer In the briefing given to the Authority by his legal representative, he admitted that "[…] He really sent a Ltd. a letter describing special offers to old and satisfied hotel guests,...[…]". 12 The Authority notes that the Data Protection Act established under Article 29 of Directive 95/46/EC The guidelines issued under the number WP259 adopted by the working group are strict imposes requirements for the exercise of free will, therefore if subscribing to the newsletter provides some advantage, the extent of that advantage must be examined individually influences volunteering. The granting of the benefit cannot be limited in any way by those concerned your rights under GDPR (opt-out, right to erasure). So this means that promotions are not they can be addressed exclusively to subscribers to the newsletter. The Authority further established that on the interface where the reservation could be submitted, it despite the fact that the data management information indicated the legal basis of the consent for marketing purposes in connection with data management, did not place a separate checkbox for direct marketing purposes for data management, even though this is an independent purpose, and consent must be obtained separately for each purpose. Based on the above, the Authority therefore established that Article 6 (1) point a) of the GDPR legal basis does not exist, as there is no consent pursuant to Article 4, Clause 11 of the GDPR For the customer's data management for the purpose of obtaining direct business. IV.3.2.2. In addition to Article 6 (1) point a) of the GDPR, the Customer also has a legitimate interest on its website referred to in point 4 as follows: “[…] Legal basis for data management: the consent of the data subject - Article 6 (1) point a) GDPR. Designation of legitimate interest: business relationships established with partners and hotel guests maintenance and development [...]" However, the Client did not refer to the above in his statement sent to the Authority, and a Despite the authority's express request, it did not specify a legal basis for data processing for marketing purposes context, since he initially disputed that he was conducting such data management, only the Authority repeatedly the Client's legal representative acknowledged it in his statement sent to his request. It can be evaluated as a contradiction in the Customer's statement when he referred to the fact that those concerned provided their relevant e-mail address when checking in to the hotel after a verbal question as to whether they can send them notifications about promotions, and then cited that the email addresses are in "mandatory hotel records". Based on this, one of the data processing companies indicated data management for the purpose of direct business acquisition purpose, and then referred to the fact that e-mails are included in mandatory records addresses, so fulfilling the preservation obligation would be the other goal, however he did not even indicate the legislation regarding records. Another contradiction is that it is also about stated that the Customer finally deleted the e-mail addresses and that all e-mail addresses were deleted from its records, so this contradicts the possible retention obligation. If the Customer would really have an obligation to keep e-mail addresses, then you can manage those e-mail addresses only in order to fulfill your retention obligation, for the purpose of obtaining direct business, i.e. for the purpose of sending newsletters, if the Customer You do not know your consent according to GDPR, or your legitimate interest in this regard verify, and in these cases, not even if the Customer requests that the hereinafter newsletters. If it performs data processing for the direct purpose of obtaining business with reference to a legitimate interest, it is Customer, in that case based on the preamble paragraph (47) of the GDPR, with a consideration of interests must be supported. The Customer's website also refers to the legitimate interest, which may be acceptable in possession of a consideration of interests, but the Customer did not attach it, nor did it refer to it to that. The data controller is responsible for the legality of the data management it carries out. Article 6 (1) of the GDPR arising from the nature of the legal basis according to point f) of the paragraph, to the data controller who has a legitimate interest refers to, you must be able to indicate precisely that it is the processing of specific personal data which is the legitimate interest of the data controller and why is it necessary in view of this interest 13 data management, you must at the same time verify and prove that the person concerned has priority against his legitimate interest and his right to the protection of personal data. In this context, the Authority emphasizes that data management is for marketing purposes of a special nature. This is referred to in Article 21 (2) of the GDPR, according to which the data subject can at any time may object to the processing of personal data relating to him for the purpose of direct business acquisition against, and if you have done so, then the personal data can no longer be processed for this purpose. In such cases therefore, the data controller has no discretion as to whether to delete the personal data data or not, against the processing of which the data subject objected. IV.3.2.1. and IV.3.2.2. points, the Authority determined that it was handled illegally the Client violated the GDPR with the personal data of the Data Subjects and other guests Paragraph 1 of Article 6, because consent according to Article 4, point 11 of the GDPR was not verified by the He did not substantiate his legitimate interest with the authorities, nor with a consideration of interests. IV.3.3. Principle of accountability, lack of proof of consent and legitimate interest An essential condition for the legality of data management is that it has an appropriate legal basis be. Article 6 of the GDPR provides for the possible legal bases for processing personal data, i.e on the cases when a data management can be legal, as long as it is general data protection complies with the other provisions of the Decree, such a legal basis may be - among others - the person concerned contribution. The GDPR does not contain any restrictions on the form of consent, only that requirements for its validity - voluntary, specific, appropriate information based on a clear declaration of intent with which the affected statement or confirmation by means of an unmistakably expressive act, he indicates that he gives his consent to the personal information concerning him to manage data - define. Based on Article 7 (1) of the GDPR, if data processing is based on consent, it data controller must be able to prove that the data subject's personal data contributed to treatment. Therefore, if the legal basis of the data management is according to Article 6 (1) point a) of the GDPR consent, the data controller must be able to prove that he has obtained valid consent from the data subject, the data subject has given his consent to the data management. Despite the Authority's express invitation, the Client did not attach a document which would support that the data subjects gave their consent to the data management, so with this violated Article 7 (1) of the GDPR. With reference to the application of Article 6 (1) point f) of the GDPR, i.e. the legitimate interest the condition for data processing is that the Customer prioritizes its legitimate interests in accordance with the GDPR (47) in accordance with the preamble paragraph, it is justified by a consideration of interests. However, the Customer is did not forward his assessment of interests to the Authority, thereby violating Article 5 (2) of the GDPR paragraph, i.e. the principle of "accountability". IV.3.4. Fulfilling stakeholder requests IV.3.4.1. Deletion of personal data and objection to the processing of personal data In the case of data processing pursuant to Article 6 (1) point f) of the GDPR, the data subject is subject to Article 21 (2) of the GDPR you can exercise your right according to paragraph 6 of the GDPR. and in the case of data processing on the legal basis according to Article (1) point a), the data subject you can withdraw your consent to data management. 14 In the investigation procedures prior to the official procedure, the Stakeholders stated that objected to the processing of their personal data and wanted to unsubscribe from the newsletters. This supported by attached documents. The Data Subjects' unsubscribe from the newsletter is The client did not doubt it either, he admitted this in the official data protection procedure to the Authority in the statement sent. The data controller responds to data subject requests as a general rule based on paragraphs (1)-(3) of Article 12 of the GDPR is obliged to provide transparent and comprehensible information within one month, or to fulfill them, or a in case of non-performance, to provide information on the reason for the non-performance. Based on Article 12 (4) of the GDPR, if the data controller does not take measures, the data subject following your request, without delay, but no later than one from the date of receipt of the request informs the person concerned about the reasons for not taking the measure within a month, as well as that the person concerned can file a complaint with a supervisory authority and seek legal remedies with his right. According to the Customer's statement, the Customer is in a situation due to the COVID-19 (coronavirus) epidemic probably did not respond due to an administrative error. Pursuant to Article 4, point 7 of the GDPR, a data controller is a natural or legal person […] that a determines the purposes and means of processing personal data independently or together with others […]2. According to the Authority's point of view, the argument regarding an administrative error does not exempt it Customer from data controller responsibility, given that pursuant to Article 4, Clause 7 of the GDPR the Customer is considered a data controller. The Customer is the one who organizes the data management process and creates its conditions. The most important characteristic of the data manager is that it is meaningful has decision-making authority and is responsible for all data management, that for the fulfillment of the obligation laid down in the general data protection regulation. In those cases, when a specific natural person is appointed to ensure the data protection principles compliance or to process personal data, this person will not be a data controller, but acts on behalf of the legal entity (company or public body) which in its capacity as a data controller, remains responsible in the event of a violation of the principles. The Customer stated that, after his default, he complied with the Data Subjects' request and deleted electronic mail addresses. However, the Client does not, despite the Authority's express request attached the document that would support this statement, i.e. that it is In accordance with Article 12 of the GDPR, data subjects were informed about the fulfillment of their data subject request. THE In the statement sent to the authorities, the Customer only referred to the fact that the Data Subject 1 "spoken", however, this does not comply with GDPR Article 12 (1) and GDPR Article 5 (2) of the provisions of paragraph 2, and he did not even mention the Data Subject 2. Based on GDPR Article 17 (1) points b), c), d), the Customer is obliged to provide the e-mail to delete their addresses based on the request of the data subjects, as they must be deleted even if they are revoked their consent, or in the case of an e-mail address managed with reference to a legitimate interest, objects to it and there is no overriding legal reason for data processing, and even then it is personal data was handled illegally. In the present case, the Authority established that the Customer handled the e-mail addresses of the data subjects illegally and without legal basis, therefore Article 17 point d) of the GDPR there is an obligation to delete based on Given that the Data Subjects have indicated that they are not they want to receive newsletters in the future, so based on this they automatically had to do it would have the Customer cancel it. 2GDPR Article 4.7 "data controller": the natural or legal person, public authority, agency or any other body that determines the purposes and means of processing personal data independently or together with others; if the purposes of data management and its means are determined by EU or member state law, the data controller or the special data controller designation aspects can also be determined by EU or member state law; 15 Due to the above, the Authority determined that the Customer violated Article 12 (1) - (4) of the GDPR paragraph, as it did not comply with the deletion request of the Data Subjects. The Customer is only the data protection deleted the personal data processed for marketing purposes after the initiation of the official procedure, so a in this case, following the submission of data subject requests requiring automatic deletion also managed (stored and used) personal data for a long time. Furthermore, no proved that after the deletion took place, he notified the Data Subjects of this in writing, only sent a statement about it. IV.3.4.2. Access request According to the documents of the investigation process initiated by Data Subject 2, Data Subject 2 also submitted an access request submitted to the Customer on 20.03.2019. on the day of Subject to the request submitted on the basis of the data subject's right 2 did not receive a response from the Customer. Based on Article 15 (1) of the GDPR, the data subjects are entitled to request information about their personal data about the circumstances of its treatment, thus their personal data based on Article 15 (1) point g). also about its source. Despite the Authority's express request, the Customer did not make a statement submitted by Data Subject 2 about the non-fulfillment of his access request, the reason for it, and he did not substantiate it either the Customer acknowledges that he has fulfilled this request, despite the fact that Article 5 (2) of the GDPR would be obliged to do so based on the principle of accountability. For data subject requests, including access requests in accordance with the GDPR, the data controller shall comply with Article 12 of the GDPR. based on paragraphs (1)-(3) of Article, as a general rule, it must be transparent and understandable within one month to provide information and fulfill them, or in case of non-fulfilment, the fulfillment to provide information on the reason for the absence. Given that the Customer did not prove that the Data Subject 2's access request fulfilled, therefore the Authority found that it also violated the GDPR in this context the provisions of Article 12 (1) – (4). IV.3.5. According to the Customer's observation, there would have been no reason to initiate this procedure, or it should have been terminated after deleting the Data Subjects' personal data. Considering that the Client is the Authority NAIH/2020/1247. and NAIH/2020/147. test no he did not respond to his calls in his proceedings, and for this reason it could be assumed that he was data processing may still violate the provisions of the General Data Protection Regulation for Data Subjects rights, and the reports contained violations of the General Data Protection Regulation made it probable, the Authority is Infotv. Based on § 55 (1) point ab) NAIH/2020/1247. and NAIH/2020/147. closed its investigation procedures, and Infotv. Based on § 60, paragraph (1). ex officio initiated a data protection official procedure against the Client for direct business acquisition investigation of its general data management practices and the fulfillment of data subject requests tangentially. Regarding the above, the Authority refers the Client to NAIH-6936-1/2021. he also informed in his order no there he also highlighted that in order to move the official data protection procedure, Infotv. § 55, paragraph (1). point ab) and Infotv. It took place on the basis of § 60, paragraph (1). The history of the official data protection procedure initiated ex officio was therefore started on the basis of the reports was an investigation procedure, which ended unsuccessfully due to the Customer's lack of cooperation. Neither Ákr. nor Infotv. does not contain a provision that the procedure by the Customer must be terminated for the reason cited. IV.4. Legal consequences The Authority condemns the Customer based on Article 58 (2) point b) of the GDPR, because violated: - Article 6 (1) of the GDPR, 16 - Article 5 (2) of the GDPR, - Article 7 (1) of the GDPR, - Paragraphs (1) – (4) of Article 12 of the GDPR and - Article 15 (1) and Article 17 (1) of the GDPR. Above all, the Authority took into account that the violations committed by the Customer are GDPR According to points a) and b) of Article 83, paragraph (5), belonging to the higher fine category are considered a violation of law. When imposing the fine, the Authority took into account the following aggravating factors: - Violation related to the lack of information, as well as the related legal basis data management without is related to the Customer's data management practices and has been in place for a long time, since the Client's violation of rights towards the Stakeholders is the stakeholder requests sent in 2019 existed since, and the information on the Customer's website, as well as the Customer based on his statement, it can be established that he did not change his practice in the meantime, and according to the Customer's statement, approx. He sent 600 letters during the examined period hotel guests. (Article 83 (2) point a) of the General Data Protection Regulation). - The Customer did not show cooperative behavior in the official data protection procedure neither during, because, despite the Authority's express request, not all statements were made - a from the point of view of clarifying the facts - about an important circumstance with which the facts made it difficult to clarify, so several invitations had to be sent to him. (general Article 83 (2) point (f) of the Data Protection Regulation When imposing the fine, the Authority took into account the following mitigating factors: - Condemning the Customer for violating the general data protection regulation did not take place. (General Data Protection Regulation Article 83 (2) points e) and i) - The Authority considered the sign as a mitigating circumstance when imposing the fine, that the Authority exceeded Infotv during the procedure. According to paragraph (1) of § 60/A administrative deadline of one hundred and fifty days. (GDPR Article 83 (2) point k) Based on the nature of the violation - the violation of the principles of data management - the fine that can be imposed is the maximum its limit is EUR 20,000,000 based on Article 83 (5) point a) of the General Data Protection Regulation, or a maximum of 4% of the total world market turnover of the previous financial year. (general data protection Regulation Article 83 (5) point a) Based on the Customer's 2021 profit and loss statement, its profit before tax was HUF 5,942,000. The Authority, when determining the amount of the fine imposed, in addition to the special purpose of prevention it was also mindful of the general preventive goal to be achieved with the fine, with which - the Client is newer in addition to refraining from infringement - the data management practices of all market participants a wants to achieve its movement in the direction of legality. Namely, the appropriate designation of the legal basis and its verification, as well as the enforcement of stakeholder rights, is a fundamental requirement, which is data controllers must in all cases properly certify, and their exercise must be done in advance to help them. A. Other questions The competence of the Authority is set by Infotv. Paragraphs (2) and (2a) of § 38 define it, and its competence is covers the territory of the entire country. 17 The Akr. § 112, § 116, paragraph (1) and § 114, paragraph (1) there is room for legal remedy against the decision and the order through a public administrative lawsuit. * * * The rules of the administrative trial are set out in Act I of 2017 on the Administrative Procedure hereinafter: Kp.) is defined. The Kp. Based on § 12, paragraph (1), by decision of the Authority the administrative lawsuit against falls within the jurisdiction of the court, the lawsuit is referred to in the Kp. § 13, subsection (3) a) Based on point aa), the Metropolitan Court is exclusively competent. The Kp. Section 27 (1) legal representation is mandatory in a lawsuit falling within the jurisdiction of the court based on paragraph b). The Kp. According to paragraph (6) of § 39, the submission of a claim is an administrative act does not have the effect of postponing its entry into force. The Kp. Paragraph (1) of § 29 and, in view of this, Pp. According to § 604, it is applicable of 2015 on the general rules of electronic administration and trust services CCXXII. Act (hereinafter: E-Administration Act) according to Section 9 (1) point b) the customer legal representative is obliged to maintain electronic contact. The place and time of submitting the statement of claim is set by Kp. It is defined by § 39, paragraph (1). THE information on the possibility of a request to hold a hearing in Kp. Paragraphs (1) - (2) of § 77 is based on. The amount of the fee for the administrative lawsuit is determined by Act XCIII of 1990 on fees. law (hereinafter: Itv.) 45/A. Section (1) defines. It is from the advance payment of the fee Itv. Paragraph (1) of § 59 and point h) of § 62 (1) exempt the party initiating the procedure. If the Customer does not adequately certify the fulfillment of the prescribed obligation, the Authority shall considers that the obligation has not been fulfilled within the deadline. The Akr. According to § 132, if a the obligee has not complied with the obligation contained in the final decision of the authority, it can be enforced. The Authority's decision in Art. According to § 82, paragraph (1), it becomes final with the communication. The Akr. Pursuant to § 133, enforcement - unless otherwise provided by law or government decree - ordered by the decision-making authority. The Akr. Pursuant to § 134, the execution - if it is a law, government decree or, in the case of municipal authority, a local government decree otherwise does not have - the state tax authority undertakes. Infotv. Based on § 60, paragraph (7) a To carry out a specific act included in the authority's decision, specified the decision regarding the obligation to conduct, tolerate or stop its implementation is undertaken by the Authority. dated: Budapest, according to the electronic signature Dr. Attila Péterfalvi president c. university teacher