NAIH (Hungary) - NAIH-175-12/2022
|NAIH (Hungary) - NAIH-175-12/2022|
|Relevant Law:||Article 5(1)(b) GDPR|
Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6(1)(a) GDPR
Article 9(1) GDPR
Article 9(2)(a) GDPR
Article 13 GDPR
|National Case Number/Name:||NAIH-175-12/2022|
|European Case Law Identifier:||n/a|
|Original Source:||naih.hu (in HU)|
The Hungarian DPA fined an organisation and its Chair approximately €8,000 each for failing to inform the signatories of a campaign about the processing of their personal data and several other GDPR violations.
English Summary[edit | edit source]
Facts[edit | edit source]
The controllers are an organisation and its Chair.
In October 2020, the Chair launched a signature campaign against the introduction of compulsory vaccination both online and on paper. In addition to the purpose of the petition, the signatories were given the option to give their consent to be informed and contacted about the political activities of the Chair, thus indicating their political sympathy. They collected nearly 58,000 supporting signatures.
Holding[edit | edit source]
The DPA fined both controllers approximately €8,000 (HUF 3,000,000) each. Moreover, the DPA ordered the controllers to obtain valid consent from the data subjects and, in case of failure, delete the respective personal data. It also prohibited the controllers for the future from managing the data in the same way. The decision is based on several violations of the GDPR.
Second, the DPA found a violation of the principle of data minimisation, Article 5(1)(b) GDPR. It found that the controllers had in reality intended to build a sympathy mass data base.
Third, the controllers violated the principles of fairness, lawfulness and transparency pursuant to Article 5(1)(a) GDPR by misleading the data subjects about the purposes of data processing and the identity of the controller. In addition, Article 13 GDPR was violated because the controllers did not provide the data subjects with all information necessary.
Fourth, the DPA found an infringement of the principle of accountability, Article 5(2) GDPR because the controllers could not provide their compliance with Article 5(1) GDPR. In particular, the controllers did not carry out the data processing in such a way that they could prove at any time their compliance with the GDPR.
Finally, the DPA criticised the general conduct of the controllers in the proceedings. The controllers had not cooperated with the DPA.
When deciding on the fine, the DPA took into consideration the significance of the infringements since they concerned a current social issue, the large number of data subjects concerned, and the duration of the infringement.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.