NAIH (Hungary) - NAIH-175-12/2022

From GDPRhub
Revision as of 14:29, 23 March 2022 by Abel.kaszian (talk | contribs) (Corrected a reference to Article 9(2)(1) to 9(2)(a).)
NAIH (Hungary) - NAIH-175-12/2022
LogoHU.jpg
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 5(1)(b) GDPR
Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6(1)(a) GDPR
Article 9(1) GDPR
Article 9(2)(a) GDPR
Article 13 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 02.03.2022
Published: 16.03.2022
Fine: 6,000,000 HUF
Parties: n/a
National Case Number/Name: NAIH-175-12/2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Hungarian
Original Source: naih.hu (in HU)
Initial Contributor: kc

The Hungarian DPA fined an organisation and its chair approximately €8000 each for failing to inform the signatories of a campaign about the processing of their personal data, and not being able to prove the legal basis for this processing, in violation of multiple GDPR provisions.

English Summary

Facts

The controllers are an organisation and its Chair.

In October 2020, the Chair launched a signature campaign against the introduction of compulsory vaccination both online and on paper. In addition to the purpose of the petition, the signatories were given the option to give their consent to be informed and contacted about the political activities of the Chair, thus indicating their political sympathy. They collected nearly 58,000 supporting signatures.

Holding

The DPA fined both controllers approximately € 8000 (HUF 3,000,000) each. Moreover, the DPA ordered the controllers to obtain valid consent from the data subjects and, in case of failure, delete the respective personal data. It also prohibited the controllers for the future from managing the data in the same way. The decision is based on several violations of the GDPR.

First, the controllers processed the personal data without valid consent and therefore without a legal basis. The requirements for consent pursuant to Article 6(1)(a) GDPR were not fulfilled. Furthermore, since personal data revealing one's political opinions constitutes a special category of personal data under Article 9(1) GDPR, explicit consent (Article 9(2)(a) GDPR) would have been necessary for part of the processing operations. However, the controllers had not used two-factor authentication and the privacy policy was misleading. The DPA found that the data subject had not been able to express their will, making the consent invalid.

Second, the DPA found a violation of the principle of data minimisation, Article 5(1)(b) GDPR. It found that the controllers had in reality intended to build a sympathy mass data base.

Third, the controllers violated the principles of fairness, lawfulness and transparency pursuant to Article 5(1)(a) GDPR by misleading the data subjects about the purposes of data processing and the identity of the controller. In addition, Article 13 GDPR was violated because the controllers did not provide the data subjects with all information necessary.

Fourth, the DPA found an infringement of the principle of accountability, Article 5(2) GDPR because the controllers could not provide their compliance with Article 5(1) GDPR. In particular, the controllers did not carry out the data processing in such a way that they could prove at any time their compliance with the GDPR.

Finally, the DPA criticised the general conduct of the controllers in the proceedings. The controllers had not cooperated with the DPA.

When deciding on the fine, the DPA took into consideration the significance of the infringements since they concerned a current social issue, the large number of data subjects concerned, and the duration of the infringement.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

Case number: NAIH-175-12 / 2022. Subject: Decision
History: NAIH-4769/2021.


                                        H A T A R O Z A T



The National Authority for Data Protection and Freedom of Information (hereinafter: the Authority) shall:
Cooperative Communities Association for the Living World (formerly Common Organization)
Nominating 2018 party; current seat: 4463 Tiszanagyfalu, Széchenyi utca 47 .; represented by: Zsolt Ladó
managing director; former headquarters: 1077 Budapest, Izabella u. 30 .; former representative of the organization: dr.

György Gődény; hereinafter: Customer1) and dr. György Gődény (address: […]; hereinafter:
Customer2) ‘I agree that no one should be required to be vaccinated and
no one shall be punished or restricted in his absence. " national signature collection (a
hereinafter referred to as "signature collection")
take the following decisions in ex officio data protection proceedings:


1. The Authority shall determine that Client1 and Client2 are https://alairasgyujtes.online
“I agree that no one should be required to be vaccinated and that
no one shall be punished or restricted in his absence. " legal basis in connection with the collection of signatures
the personal data of the data subjects are collected without prejudice to the data of natural persons
protection of personal data and the protection of such data
and repealing Directive 95/46 / EC

Article 6 (1) of the General Data Protection Regulation (GDPR) and
Article 9 (1).

2. The Authority shall determine that the Customer1 and the Customer2 by the purpose of data processing
not clearly defined, in breach of Article 5 (1) of the General Data Protection Regulation

the principle of purpose limitation set out in paragraph 1 (b).

3. The Authority finds that Client1 and Client2 by failing to provide
clear, relevant and factual information to stakeholders on paper and by
Implemented in connection with the collection of signatures on https: //alairasgyujtes.online
all relevant circumstances of the processing, in breach of Article 5 of the General Data Protection Regulation.

the principle of transparency referred to in Article 13 (1) (a) and Article 13 (1) to (2).

4. The Authority finds that Customer1 and Customer2 by their data controllers
their quality was unclear, data subjects were misled by the data controller
the purpose of the processing, in breach of Article 5 (1) of the General Data Protection Regulation.
principle of due process in accordance with paragraph 1 (a).


5. The Authority finds that Customer1 and Customer2 by directing to the Authority
they did not prove the lawfulness and transparency of the data processing, they violated the general rule
accountability requirement of Article 5 (2) of the Data Protection Regulation.

6. Pursuant to Article 58 (2) (g) of the General Data Protection Regulation, the

Customer1 and Customer2 to make this decision final within 30 days
documented deletion of the signature collection via the https://alairasgyujtes.online page of the
stakeholders, both for the initiative and for communication purposes online
collected all personal information.



…………………………………………………………………………………………………………

1055 Budapest Tel .: +36 1 391-1400 ugyfelszolgalat@naih.hu
Falk Miksa utca 9-11. Fax: +36 1 391-1410 www.naih.hu, 2



7. Pursuant to Article 58 (2) (d) and (g) of the General Data Protection Regulation, the

Customer1 and Customer2 to make this decision final within 30 days

    (i) at the same time as providing full information on the processing,
       in connection with the collection of signatures previously on paper-based sheets of their personal data
       request a confirmatory statement of consent from the donor and / or
    (ii) in the absence of the consent of the data subject, delete “I agree that
       no one should be required to be vaccinated and no one should be punished for failing to do so

       or restrict. " in the context of national signature collection, the paper-based signature collector
       from stakeholders for both initiative and outreach purposes
       collected all personal information.

8. Pursuant to Article 58 (2) (f) of the General Data Protection Regulation,
in connection with the collection of signatures, the continuation of data management in such a way that Customer1 and Customer2
complete immediately in connection with the collection of signatures both on paper and in

collection of personal data online.

9. The Authority
       a) the Customer1

                              HUF 3,000,000, ie HUF 3 million
                                       data protection fine


       b) Customer2

                              HUF 3,000,000, ie HUF 3 million
                                       data protection fine

obliges to pay.


Data protection fines shall be imposed within 30 days of the final adoption of this Decision
Authority's centralized revenue collection special purpose forint account (10032000-01040425-
00000000 Centralized direct debit account IBAN: HU83 1003 2000 0104 0425 0000 0000)
must be paid for. When transferring the amount, NAIH-175/2022. JUDGE. number should be referred to. If that
Customer1 and Customer2 fail to meet their obligation to pay the fine within the time limit,
is required to pay a late payment allowance. The rate of the late payment allowance is the statutory interest, which is a

equal to the central bank base rate valid on the first day of the calendar half-year affected by the delay.

The fulfillment of the obligations provided for in clauses 6, 7 and 8 shall be the responsibility of the Client1 and the Client2
within 30 (thirty) days of the decision becoming final
together with the submission of supporting evidence to the Authority. The obligation
in the event of non-compliance, the Authority shall order enforcement of the decision.


The Authority draws the attention of the Client1 and the Client2 to the fact that it is open to challenge the decision
until the expiry of the standing time limit for bringing an action or, in the case of an administrative action, the court is final
Until its decision, the data affected by the disputed data processing may not be deleted or destroyed.

No procedural costs were incurred in the proceedings.

There is no administrative remedy against this decision, but they are subject to notification

within 30 days of the application to the Metropolitan Court in an administrative lawsuit
can be challenged. The application must be submitted to the Authority, electronically, which is the case
forward it to the court together with his documents. Indicate the request for a hearing in the application
must. For those who do not benefit from full personal exemption, the fee for the administrative action shall be:



HUF 30,000, the lawsuit is subject to the right to record material taxes. In the proceedings before the Metropolitan Court, the legal

representation is mandatory.

The Authority shall issue this decision on the website of the Authority with the identification of the clients (name).
publish.


                                       I N D O K O L Á S



I. Procedure and clarification of the facts

I.1. Subject - matter of the proceedings

On October 13, 2020, Customer2 posted on his Facebook page called “Doctor Gödény”

provided information on the https://alairasgyujtes.online website for the collection of signatures (a
hereinafter ‘website’) and that ‘Today is an important
we will launch an initiative […] ”. The collection of signatures therefore started on 13 October 2020 and the procedure
also lasted.

To support the national signature collection examined at https://alairasgyujtes.online
is available online, as well as according to the information available on the website

signature collection is also paper-based, meaning it is possible to support the initiative
online and on paper, by downloading the signature collection form and its designated mailbox
by sending it to.

I.1.1. To support online signature collection, name, zip code, city, public name,
house number, floor / door, e-mail address are required, telephone number is optional. THE
When submitting an online support for an initiative, you must select “I have read and

I have taken note of the checkbox in front of the text “Privacy Notice”. On data management
information is available here only, via a hyperlink embedded in the text.

According to the data management information, the data controller is the Customer1. Designated data management purpose on the one hand -
in general, support for the collection of national signatures, on the one hand, and the organization, on the other
liaising with the sympathizer, providing information on the organization 's activities, and
events and sending invitations to join the organization’s campaigns. The

The legal basis for data processing, as set out in the prospectus, is that “contact with the data subject
regular activity ”with appropriate guarantees
[Article 9 (2) (d) GDPR], while “non-regular
in the case of contact ”means the express consent of the data subject prior to the recording of the data
declaration [Article 9 (2) (a) GDPR] or in the event of its withdrawal
name, address of residence / place of residence, telephone number and statement of consent (details of the blacklist)
necessary to protect the legal needs of the Client1 [Article 9 (2) GDPR

paragraph (f)].
The number of supporting signatures is displayed on the website as continuously available information,
which reaches approximately 58,000.

I.1.2. When supporting the collection of signatures on paper, name, address (postcode, town,
public space, house number / house / door), e-mail contact, telephone number and signature
option, however, there is no specific indication that the data is to be provided

mandatory or optional.
In the signature collection form - without reference to the data controller - the abbreviated name of the Customer1
logo is displayed. The sheet also has a signature collection website
availability, a separate group and page for collecting signatures on the social networking site (Facebook), 4



impressions and an email address are indicated.

The form contains a mailbox address (4405 Nyíregyháza, Pf .: 37.) for which the completed
signature sheets must be sent and a brief information on the data processing must be sent,
and a statement.

I.1.3. Article 9 of the General Data Protection Regulation defines personal data as special
categories. The regulation is a special category of personal, thus referring to political opinion
prohibits the processing of data as a general rule or makes it subject to strict conditions.


Personal provided to support the initiative of a political organization
however, the data do not constitute a special category of personal data. If
however, in addition to the purpose of the petition, the data subject also has the right to process data specifically for that purpose
gives his consent to him as a sympathizer later in the political organization
to inform about his / her activity, to get in touch with his / her political activity
personal data provided by the data subject for this further contact

necessary personal data as data indicating party sympathy is a special category - political
personal data.


I.2. History test procedure

The Authority shall provide information in accordance with Article 57 (1) (h) of the General Data Protection Regulation

CXII of 2011 on the right to self-determination and freedom of information Act (hereinafter:
Pursuant to Section 38 (3) (a) of the Information Act), NAIH-7613/2020. ex officio
launched an investigation into Customer1's "I agree that no one should be vaccinated
and no one shall be punished or restricted in his absence. " during signature collection
to examine the lawfulness of data processing.

Client1's previous name: Common Denominator 2018, organization type association, form party. The

Client1 most often communicated himself to the public as a party.

The Authority informed the Client1 in the request sent to the Client1's registered office
the initiation of a procedure in which the processing is carried out in order to clarify the facts
However, the Authority was approached on 10 November 2020
Returned with no search.


Subsequently, the Authority resent its request to the Client on 12 November 20201
the registered office of the Client1, dr. To the address of György Gődény and the
also mailed to the mailbox address listed on the signature collection form. Request for residence 2020.
Request sent to the mailbox address indicated on the signature collection form on 16 November 2020.
was received on 30 November. Request sent to Customer1's registered office in 2020.
however, on December 2, he returned with a “did not seek” sign.


The Client1 responded to the Authority's request in its reply dated 14 December 2020
information. Given that Customer1's responses did not fully include a
information necessary for the investigation and any questions raised during the investigation
The Authority needed further information and contacted Customer1 again.
hez.

To all three addresses of the Authority - the registered office of the Client1, the legal representative of the Client1, dr.

To the address of György Gődény and to the mailbox address indicated on the signature collection form - mailed
his request was returned on February 1, 2021, marked “not sought”.

In view of the fact that the facts could not be established during the investigation, the Authority



Infotv. Pursuant to Section 55 (1) (a) (b), the investigation was closed and on 10 May 2021

initiated ex officio data protection proceedings.


I.3. The official procedure

With regard to the data management under investigation, the Authority Newt
György also considered an individual to be a client and continued the official proceedings against him

given that, on the basis of the information disclosed during the investigation procedure, it was found that
Customer1 is not actually operating, is not operating, and is not Customer1 or not
the Client1 is the data controller in connection with the collection of signatures
respect.

The Authority has issued NAIH-4769-1 / 2021. notified Customer2 as an individual in his order no
on the initiation of the official data protection procedure and in order to clarify the facts

called for a statement and NAIH-4769-2 / 2021. In order no
notified the initiation of the official data protection proceedings at its official headquarters and also
called for a statement.
In view of the fact that the Authority has issued NAIH-4769-1 / 2021 and NAIH-4769-2 / 2021, respectively. number
In response to the questions contained in the orders of the
the obligation to cooperate provided for in the General Data Protection Regulation
violated, the Authority referred to Client1 in NAIH-4769-6 / 2021. in order no. 100,000 HUF, ie

Ákr ordered the payment of a procedural fine of one hundred thousand forints. Pursuant to Section 77 (3),
and repeatedly called on Customer1 for the information needed to clarify the facts
to specify. The Authority has issued NAIH-4769-6 / 2021. No. of the Customer1 electronic
tried to deliver to your mailbox (company gateway) - subject to Customer1
however, service of the document is confirmed
failed, the recipient did not accept it. The Authority will then impose a procedural fine and
the Client1 1077 Budapest tried to deliver the fact-finding order by post again,

Izabella utca 30 and the registered representative of the Customer1, ie
Customer2 address.

The Authority, taking into account that the Client1 in accordance with NAIH-4769-6 / 2021. imposed by order no
failed to pay the procedural fine, ordered the enforcement of the procedural fine.

The Authority has issued NAIH-4769-4 / 2021. In his order no., he also contacted […] Kft., requesting information

the identity of the person operating the http://kozosnevezo.hu/ website, and the designated website
contact details of your data controller.

The Authority has issued NAIH-4769-5 / 2021. s. In his order, the Client2 also repeatedly called on him to make a statement
in order to fully clarify the facts relating to the matters covered by the order
Customer2 stated in a letter dated 15 July 2021.


The data of the Client1 registered in the court register took place on September 28, 2021
have changed with the entry, which is a change in the name, registered office and representative of the organization
affected his person.

The Authority has issued NAIH-4769-11 / 2021. repeatedly in order to clarify the facts
addressed questions to the Client1, his order was entered in the court register of non-governmental organizations in 2021.
attempted to deliver by post to his new registered office on 28 September. THE

The authority's order was returned from the registered office of the Client1 with the indication "not sought".

The Authority has issued NAIH-4769-12 / 2021. order to request documents
made a request to the court that registers the Client1. The Authority, 6



a reply from the tribunal received on 21 November 2021.


The Authority has issued NAIH-4769-15 / 2021, NAIH-4769-16 / 2021, NAIH-4769-17 / 2021. and NAIH-4769-
18/2021. summoned Client2 for a personal hearing on 6 January 2022,
[…] The current newly registered representative of the Customer1 and […] and […] as the Customer1
members.

The Authority NAIH-4769-19 / 2021. requesting information and documents

he approached the National Investigation Bureau of the Standby Police.

Of the persons summoned by the Authority for a personal hearing on 6 January 2022 only
[…] Appeared before the Authority. The Authority did not appear at the personal hearing
three persons in NAIH-175-5 / 2022., NAIH-175-6 / 2022. and NAIH-175/2022. in his orders no
ordered to pay a procedural fine.


On January 6, 2022, the Authority examined the collection of signatures by providing test data
https://alairasgyujtes.online page.


I.4. Facts revealed

I.4.1. According to the statement of […] Kft., The registration of the domain name kozosnevezo.hu was performed by dr. Newt

It was carried out on January 10, 2018, at the request of George.

I.4.2. On behalf of Client1, the legal representative of the party, dr. György Gődény is the examination procedure
In relation to the questions raised by the Authority, the

During the collection of signatures, the names, addresses, e-mail addresses, telephone numbers and signatures of the persons concerned are personal
data collected by stakeholders through both online and paper-based signature collection

provided voluntarily.

The collection of signatures is done in accordance with the law for the “construction of a database of parties
in the privacy statement available at https://alairasgyujtes.online
as described.

On the marked https://alairasgyujtes.online website, data management is completely electronic

while the sheets received at the mailbox, according to his statement, were drilled by dr. György Gődény takes over,
which are then processed to the “operator’s data controller”.

Signatories may send the completed forms by post to 4405 Nyíregyháza, Pf .: 37, after which the
summary sheet for the data controller. The name of the specific data controller is not included in the signature collection form,
only the logo containing the abbreviated name of the Customer1 is indicated on the sheet. On a paper background
During the collection, the data subjects are informed about the data management in the collection form, and the

from the Internet address for collecting signatures as follows: “Included in the collection form
By providing information and signing the signature collection form, I consent to the disclosure of my information
Act CXII of 2011 on the right to information self-determination and freedom of information. Section 5 of the Act
Pursuant to paragraph 1 (a), for the purpose of further communication, consultation and information, the
until the withdrawal of the consent to the processing. I note that a
information that I may request information in connection with the processing of my personal data
from the data controller. Correction, deletion or blocking of personal data to the data controller

I may initiate it at any time with my statement. The data controller declares that the communicated
personal data will not be passed on to third parties and will not be disclosed
they are! ”, 7



The data provided by the signatories is not used "for the time being" and is not available to anyone

for and are not public.

In the data management information, the legal bases for data processing are “with you
in case of regular contact […] ”and“ non-regular contact with you
In the case of […] ”, he stated that it was more common in regular contacts
telephone or e-mail, while not regularly, infrequently or not at all
no contact is made or, if there is a specific request, reference or stipulation.


In relation to the storage of data and the database, in the format requested by the Authority, and
they do not have a structure because "the operator arranges and manages these online techniques."

The period of data retention is as described in the privacy statement, usually the consent
data from the blacklist shall be kept for a period of 5 years from the withdrawal of the consent
due to possible legal problems.


The records of the data management activity are kept by the data controller, “we” do not have any information about this
our records.

Regarding the use of data processors during the collection of signatures, he stated that “it
it is handled by the data controller, about which we have no information. ”


Regarding the duration of the collection of signatures, he stated that it is not tied to a deadline yet.

"The administration of the signatories' request shall be administered by the operator or the controller,
we do not have a related document. "

I.4.3. In order to further clarify the facts, the Authority - at the registered office of the Client1, dr. Newt
György, as the legal representative of the Client1 party, on the address and on the signature collection form

by mailing to the mailbox address indicated. - sent another request for information
inter alia, who understood the “data controller” referred to in the previous reply, “operator
data controller ”, as these persons as a person other than Customer1, respectively
refers to an organization. The Authority also requested information on who understood the database
"Operator".

The Authority's request to all addresses was returned with a "no search" flag.


I.4.4. The Client2 is included in the requests of the Authority within the framework of the data protection authority procedure
questions as a person independent of the Client1, his / her name is also the sender of the reply letter
and address, as opposed to the reply sent during the investigation procedure,
in which the Customer1 was indicated as the sender. In this response letter, Customer2 as
stated that Client1 is inoperable, has previously resigned from the management of Client1,
perform or perform duties which are relevant to the questions raised by the Authority

are not related. Therefore, no information is provided on the questions asked by the Authority
provides that the address of the Nyíregyháza mailbox may be linked to the Customer1, as it
has been opened for.

Customer2 stated that it did not collect signatures and did not collect signatures
no activity and therefore does not store anything related to it.


I.4.5. The Customer2 - already as a person independent of the Customer1 and on the envelope of the reply letter the Customer2
by indicating his name and address as "consignor" in his reply of 15 July 2021
further submitted that Customer1 is also inoperable because the National Tax and Customs Administration
The Tax and Customs Directorate of Eastern Budapest, case number 5339328442, dated 18 November 2019, 8



decided to cancel the tax number.


Client2 attached to his reply the first page of the decision of the tax authority referred to
a copy of the waiver dated 27 April 2018
resigns as executive director of the Common Denominator 2018 and requests membership of the organization
the appointment of a successor and the convening of a quorum for that purpose as soon as possible.

In its reply to the Authority dated 15 July 2021, Client2

that since a quorum was only recently convened, his resignation was formally resigned
it has also happened, but it has no control over when the court will pass the change.

Regarding the collection of signatures, he stated that it was done and organized by volunteers, in this
membership did not actively participate, only the name was added to the organization to make it more serious
weight. No decisions were made regarding the collection of signatures, no data
they were not collected or stored, and they were not involved in anything other than opening the mailbox.


Access to the mailbox is presumed to be with the person who has the key, but not about that person
information.

He stated that he could not say anything else to the Authority's questions as he had no information a
and “I did not collect any signatures and did not
specific activity, so if they ask their questions again, I can't say anything else

compared to the previous ones. "

I.4.6. Subject to the collection of signatures in the privacy statement as a data controller
named Customer1 did not respond to the Authority's requests, and
whereas the Authority has found that the data of the Client1 registered in the court register (organization
name, registered office, representative) have changed, the Authority needs to take a decision
held further clarification of the facts and therefore NAIH-4769-11 / 2021. with questions no

contacted Customer1 who changed based on the data.

The above number of the order sent to the new registered office of the Client1 on November 11, 2021 “did not seek”
returned to the Authority.

At the same time, the Authority issued NAIH-4769-12 / 2021. The Customer contacted him in his order no
the court keeping the register to send to the Authority the Customer1 2021.

on the basis of the changes registered on 28 September, a
a copy of all documents submitted or attached during the change registration procedure,
and send a copy of Client1's report for 2019 and 2020.

As an annex to its order of 21 November 2021, the Metropolitan Court sent the following
The documents on which the change registration procedure is based, and
informed the Authority that neither for 2019 nor for 2020

the report submitted by the Client1 can be found in the public register.

I.4.7. Given that all issues related to the Authority’s previous orders
both the Client2 and the Client1 did not respond fully or at all, therefore the Authority
considered it necessary to clarify the facts through a personal hearing.

The Authority therefore summoned Client2 for a personal hearing on 6 January 2022 […] as

Customer1 members and […] Customer1's current representative.

At a personal hearing before the Authority on 6 January 2022 […],
Customer1 member appeared. During the hearing, he stated that he was not currently a member of Client1 ,, 9



resigned in the fall of 2021. To certify this to the Authority on 19 January 2022

attached a copy of the declaration dated 9 October 2021,
in which the Client resigns from membership in 1 for personal reasons.
According to his statement, Customer1 has gathered support communities but no longer has any activity
perform. According to him, Client1 party started in the 2018 elections, its activity was
that they tried to reach people with political messages on a daily basis. After the election
Client1 was no longer an active party in the 2018 parliamentary elections
continued for years. Client1 party has an approx. Facebook group with 40,000 members, which is still there

operates, but Customer1 no longer performs significant activities. Currently with the coronavirus
engage in activities that are not specifically political in nature, sympathetic
circle has been changed, it is running under a different name, but it can be linked to the name of Client2 in the same way.

[…] Said he was the founder and CEO of the Customer1-
and handed over its management to Customer2 in about January 2018, and thereafter
Client2 became the party's executive, chief financial officer, and he handled the administration

activities.

[…] Stated in connection with the collection of signatures that he did not even know about it, he does not know
whether he left. He said he had previously indicated to supporters that during the signature collection
The question asked is a question that is inappropriate from an electoral point of view. THE
communication between members and members of the support community can be linked to Facebook in the name of the Customer2
groups, he expressed his opposition to the issue in these groups.

He stated that he did not know the signature collection sheets, did not take part in the signature collection,
he was not in any way aware of the collection of signatures. The Authority learned from the subpoena that
that signature collection is in progress. Regarding the collection of signatures, that its
whether it was conducted, whether volunteers participated, it is likely that the Client2 can report.
To the best of Customer1's knowledge, it does not work and has no information as to why
renamed the Common Denominator 2018 Association, while the actual activities have been in Normal
They are behind the Life Party.


You do not have information about the address marked as a return address on the signature collection form, nor
whether anything arrived on paper at the address indicated.
You have no information on how the data is handled, how the data collected is used,
and who has access to them. What kind of person, accountant, administrator is involved in the
in the collection of signatures, who is the operator of the servers, in the provision of the IT background
persons2, Customer2 may have information about it.


The mailing address and registered office of the Customer1 was the address of […] at the time of its establishment, the Customer1
The documents related to the establishment of the company - official documents, documents related to the operation - were kept on this
at the address. According to […] 's statement, these documents were later handed over together with the organization' s management
Customer2, then Customer2 or its accountant
things.


Customer1's current domicile says it is likely that […] is domiciled, but that
[…] Has no role in the activities of Customer1.

[…] Said that “I agree that no one should be required to be vaccinated and that its
should not be punished or restricted to a referendum earlier
proposed and submitted to the National Electoral Commission. The Authority is the National
On the website of the Electoral Office, a referendum on the same issue as the one indicated

found an initiative (initiated by the Civil Movement Association, registered office: 1144
Budapest, Füredi utca 60-62. fsz./6.), which is the subject of an initiative of the National Electoral
Commission Regulation (EU) No 52/2020 of 21 September 2020 Decision No
rejected the authentication of the question put to the referendum., 10





I.4.8. The Authority, subject to […], […] and the Client2’s summons to the Authority for service
despite his two attempts, he was not taken over and not at the personal interview
the imposition of a procedural fine. In view of this, the Authority
175-5 / 2022., NAIH-175-6 / 2022. and NAIH-175-7 / 2022. in orders No. Customer2 200,000
HUF, ie a procedural fine of HUF two hundred thousand; […] Customer1's representative is HUF 100,000, ie
a procedural fine of one hundred thousand forints; and […], the Client's 1 member is HUF 50,000, ie fifty thousand forints
ordered to pay a procedural fine.


I.4.9. The Authority was informed by press reports that the National Investigation Bureau of the Standby Police
(hereinafter: KRNNI) conducted a house search at Client2 due to the suspicion of spreading horror,
during which Customer2's computer was seized. In view of the above, the Authority
19/2021. In his order no., he contacted the KRNNI to request information that the
On a computer seized during a house search conducted at Customer2 and between the seized materials
whether there were any materials related to the collection of signatures or whether the KRNNI had seized a database

documents containing information on the collection of signatures.

According to the information provided by KRNNI upon request, during the analysis of the assets a
they were looking for data that could be used to prove a horror crime, so they weren’t
they know whether there are substances related to the data processing under investigation, but one
they were able to send a document that can be retrieved by the Client2's signature collection activity
context. The document contained three questions asked during the signature-gathering activity

read, including the issue of signature collection examined in the present proceedings.

I.4.10. The Authority will provide test data on 6 January 2022 as part of the clarification of the facts
examined the https://alairasgyujtes.online page for signature collection. In doing so, the Authority shall:
detected the following:

Mandatory information for online signature collection support: name, zip code,

settlement, name of public area, house number, floor / door, e-mail address, while optional
phone number.

To support this initiative, check the box “I have read and taken note of
Privacy Policy ”checkbox and the reCAPTCHA
test.


The privacy statement available on the site still designates Customer1 as the data controller,
and the abbreviated name of the Customer1 on the downloadable and paper-based signature collection form
logo is displayed.

According to the data management information sheet, “The Common Denominator is personal data in this area
consent only in the following forms:
    the) […]

    (b) electronically, in which the common denominator shall make a statement of consent
       by sending a message to the e-mail address you provided, and then
       in its reply to the confirmation message, confirm its intention to consent.
       cat. ”
In contrast, the confirmation email was not received during support
address.



I.4.11. On the basis of the information available, the Authority examined in its proceedings:
https://alairasgyujtes.online website in order to identify the operator behind it
determine. In doing so, we found the following: Users of the website on Cloudflare, 11



can be accessed through the servers of a content provider (hereinafter referred to as the Service Provider). THE

the website operator does not only provide faster access from the Service Provider
service, but also other technical services that are combined
The effect is that anyone who searches a free IP database for a website URL
it does not get the IP address of the server that originally hosted the website, but only the
The IP addresses associated with your ISP's servers. This keeps the website operator hidden. THE
the identity of the data controller could not be identified on the basis of the website.



II. Applicable legal requirements


Recital 39 of the General Data Protection Regulation: The principle of transparency requires
that information and communication related to the processing of personal data is easy
be accessible and comprehensible and that it be drafted in clear and simple language.
mazzat meg. This principle applies in particular to the identity of the data controller and the
the purpose of the treatment and any further information that it is provided
fair and transparent handling of the personal data of the data subject and the provision of
that data subjects have the right to receive confirmation and information about the data processed about them.

about.

Pursuant to Article 2 (1) of the General Data Protection Regulation, the general data protection
Regulation shall apply to the processing of personal data in a partially or fully automated manner
processing of personal data in a non-automated manner
which are part of a registration system or which are part of a
intended to be part of a registration system. Covered by the General Data Protection Regulation

Infotv. Pursuant to Section 2 (2), the General Data Protection Decree
shall apply with the additions indicated therein.

Pursuant to Article 2 (2) of the General Data Protection Regulation, the Regulation does not apply
processing of personal data if it:
    (a) carried out in the course of activities outside the scope of Union law;
    (b) by Member States in the activities covered by Chapter 2 of Title V of the TEU

       performed;
    (c) by natural persons exclusively in the course of their personal or domestic activities;
    (d) the prevention, investigation, detection and prosecution of criminal offenses by the competent authorities
       carried out for the purpose of conducting criminal proceedings or enforcing criminal sanctions, including:
       protection against and prevention of threats to public security.

According to Article 4 (1) of the General Data Protection Regulation, “personal data: the identified or

any information relating to an identifiable natural person ("data subject"); identifiable by a
a natural person who, directly or indirectly, in particular by an identifier, e.g.
name, number, location data, online identifier or physical, physiological,
genetic, intellectual, economic, cultural or social identity
identifiable by that factor. "
According to point 2 of the same article, “data processing: on personal data or data files
any operation or set of operations carried out in an automated or non-automated manner,

thus collecting, recording, organizing, sorting, storing, transforming or altering, querying,
available for inspection, use, communication, transmission or other means
harmonization or interconnection, restriction, deletion or destruction. "
According to Article 4 (7) of the General Data Protection Regulation, “controller” means the natural person
or a legal person, public authority, agency or any other body that is personal
determine the purposes and means of data processing, either individually or in association with others; if that
the purposes and means of the processing are determined by Union or Member State law, the controller or,



specific aspects of the designation of the controller are also governed by Union or Member State law

may determine. "
According to Article 4 (11) of the General Data Protection Regulation, "consent of the data subject" means the data subject
voluntary, specific and well-informed and unambiguous declaration of will,
by which the statement concerned or the act of confirmation is unequivocally expressed,
to give his or her consent to the processing of personal data concerning him or her.

According to Article 5 (1) of the General Data Protection Regulation, personal data:

(a) be processed lawfully and fairly and in a manner which is transparent to the data subject
("legality, fairness and transparency");
(b) collected for specified, explicit and legitimate purposes and not processed
in a way incompatible with those objectives; not in accordance with Article 89 (1)
considered incompatible with the original purpose for the purpose of archiving in the public interest, scientific
and further processing for historical research or statistical purposes (‘for purposes
constraint ”);

(c) be appropriate and relevant to the purposes for which the data are processed; and
they should be limited to what is necessary ("data saving");
(d) be accurate and, where necessary, kept up to date; all reasonable measures must be taken
in order to ensure that personal data are inaccurate for the purposes of data processing
deleted or corrected immediately ("accuracy");
(e) stored in a form which permits identification of data subjects for personal purposes only
allows the time necessary to achieve the purposes of data processing; personal information than this

longer storage can only take place if personal data
for archiving in the public interest in accordance with Article 89 (1)
and will be carried out for historical research or statistical purposes, those covered by this Regulation
appropriate technical and organizational arrangements to protect their rights and freedoms
subject to the implementation of measures ("limited storage");
(f) be handled in such a way that appropriate technical or organizational measures are taken
ensure the adequate security of personal data

unauthorized or unlawful handling, accidental loss, destruction or
including protection against damage ("integrity and confidentiality").
Subject to paragraph 2, the controller shall be responsible for complying with paragraph 1, and
must be able to demonstrate this compliance (‘accountability’).

Pursuant to Article 6 of the General Data Protection Regulation, the processing of personal data is limited to
is lawful if and to the extent that at least one of the following is met:

(a) the data subject has consented to the processing of his or her personal data for one or more specific purposes;
;
(b) processing is necessary for the performance of a contract to which one of the parties is a party;
or to take action at the request of the data subject prior to the conclusion of the contract
required;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary to protect the vital interests of the data subject or of another natural person.

necessary because of the mind;
(e) the exercise of a public interest or the exercise of official authority vested in the controller
necessary for the performance of its task;
(f) processing is necessary for the protection of the legitimate interests of the controller or of a third party.
unless those interests take precedence over those interests or
fundamental rights and freedoms which require the protection of personal data, in particular
if the child concerned.

Point (f) of the first subparagraph shall not apply to the performance of their duties by public authorities
data management.

According to Article 9 (1) of the General Data Protection Regulation, “racial or ethnic origin” 13



political opinion, religious or philosophical beliefs, or trade union membership

personal data and genetic and biological data for the unique identification of natural persons
biometric data, health data and the sexual life of natural persons or
the processing of personal data concerning his or her sexual orientation is prohibited. "
According to paragraph (2) (a) of the same section, paragraph (1) does not apply to
where the data subject has given his or her express consent to one or more of the said personal data
for a specific purpose, unless Union or Member State law provides that
the prohibition referred to in paragraph 1 may not be lifted with the consent of the data subject.


Article 13 (1) and (2) of the General Data Protection Regulation sets out the
information which the data subject has obtained at the time the personal data are obtained
should be made available to them if personal data are collected from the data subject. In accordance with paragraph 1
the controller shall provide the data subject with all of the following information:
(a) the identity and contact details of the controller and, if any, of the controller 's representative;
(b) the contact details of the Data Protection Officer, if any;

(c) the purpose of the intended processing of the personal data and the legal basis for the processing;
(d) in the case of processing based on Article 6 (1) (f), the controller or a third party
legitimate interests of a party;
(e) where applicable, the recipients or categories of recipients of the personal data, if any;
(f) where applicable, the fact that the controller is a third country or international organization
personal data to the Commission and the Commission’s decision on compliance.
Article 46, Article 47 or Article 49 (1)

in the case of the transfer referred to in the second subparagraph, appropriate and suitable guarantees
and the means by which copies may be obtained or
reference to the
Pursuant to paragraph 2, the controller shall inform the data subject of the following additional information:
at the time of obtaining the personal data:
(a) the period for which the personal data will be stored or, if that is not possible, that period
aspects of its definition;

(b) the data subject's right to request from the controller the processing of personal data concerning him or her.
rectification, erasure or restriction on their use and may object
against the processing of such personal data and the right of the data subject to data portability;
(c) data based on Article 6 (1) (a) or Article 9 (2) (a)
in the case of treatment, the right to withdraw the consent at any time, which is not
affects the lawfulness of data processing carried out on the basis of consent prior to withdrawal;
(d) the right to lodge a complaint with the supervisory authority;

(e) that the provision of personal data is required by law or by a contractual obligation
based on or a precondition for concluding a contract and whether the person concerned is obliged to be personal
data and the possible consequences of providing the data
failure;
(f) the fact of automated decision-making referred to in Article 22 (1) and (4), including:
profiling and, at least in these cases, the logic used
understandable information on the significance of such processing and on the data subject

its expected consequences.

Infotv. Pursuant to Section 60 (1), the enforcement of the right to the protection of personal data
In order to do so, the Authority may initiate ex officio data protection proceedings.

Infotv. Pursuant to Section 61 (1) (a), it was taken in a data protection official proceeding
In its decision, the Authority Data management specified in Section 2 (2)

defined in the General Data Protection Regulation in the context of
may apply legal consequences.

Infotv. Pursuant to Section 61 (2), the Authority may order the decision of the data controller or, 14



disclosure of the identity of the processor, if the

This Decision affects a wide range of persons through the activities of a body performing public tasks
or the gravity of the infringement justifies disclosure.

Infotv. 75 / A. §: The Authority is set out in Article 83 (2) to (6) of the General Data Protection Regulation
exercise its powers in accordance with the principle of proportionality, in particular by:
legislation on the processing of personal data or binding European Union law
for the first time in the event of a breach of the rules laid down in

in accordance with Article 58 of the General Data Protection Regulation
by alerting the controller or processor.

Article 58 (2) (b), (d), (i), (f) and (g) GDPR: In the power of the supervisory authority to rectify
acting:
(b) reprimands the controller or the processor if he or she is acting in a data-processing capacity
has infringed the provisions of this Regulation;

(d) instruct the controller or processor to carry out its data processing operations, where applicable
in a specified manner and within a specified period, bring this Regulation into line
with its provisions;
(i) impose an administrative fine in accordance with Article 83, depending on the circumstances of the case
in addition to or instead of the measures referred to in this paragraph;
(f) temporarily or permanently restrict the processing, including the prohibition of the processing;
(g) order personal data in accordance with Articles 16, 17 and 18 respectively

rectification or erasure of data and restrictions on data processing, as well as Article 17 (2)
shall notify the addressees with whom it is addressed in accordance with paragraph 1 and Article 19
or with whom personal data have been communicated.

All supervisory authorities pursuant to Article 83 (1) of the General Data Protection Regulation
ensure that any infringement of this Regulation referred to in paragraphs 4, 5 and 6 is in accordance with this Article
The administrative fines imposed pursuant to this Regulation shall be effective, proportionate and dissuasive in each case

be dissuasive.

Pursuant to Article 83 (2) of the General Data Protection Regulation, administrative fines are imposed by
Article 58 (2) (a) to (4) of the General Data Protection Regulation, depending on the circumstances of the case.
It shall be imposed in addition to or instead of the measures referred to in points (h) and (j). When deciding
whether it is necessary to impose an administrative fine or the amount of the administrative fine
In each case, due account shall be taken of the following:

   (a) the nature, gravity and duration of the breach, taking into account the processing in question
   the nature, scope or purpose of the infringement and the number of persons affected by the infringement;
   the extent of the damage they have suffered;

   (b) the intentional or negligent nature of the infringement;
   (c) the mitigation of damage caused to the data subject by the controller or the processor
   any measures taken to
   (d) the extent of the responsibility of the controller or processor, taking into account the
   technical and organizational measures taken pursuant to Articles 25 and 32 of the General Data Protection Regulation
   measures;
   (e) relevant infringements previously committed by the controller or processor;

   (f) the supervisory authority to remedy the breach and the possible negative effects of the breach
   the degree of cooperation to alleviate
   (g) the categories of personal data concerned by the breach;
   (h) the manner in which the supervisory authority became aware of the infringement, in particular
   whether the controller or processor has reported the breach and, if so, what
   in detail;
   (i) if previously against the controller or processor concerned, in the same



   referred to in Article 58 (2) of the General Data Protection Regulation

   compliance with one of those measures;
   (j) whether the controller or processor has complied with the general data protection rules
   codes of conduct approved in accordance with Article 40 of this Regulation or general data protection
   approved certification mechanisms in accordance with Article 42 of the Regulation; and
   (k) other aggravating or mitigating factors relevant to the circumstances of the case,
   for example, the financial gain obtained as a direct or indirect consequence of the infringement
   or avoided loss.


Pursuant to Article 83 (5) of the General Data Protection Regulation, the following provisions apply
in accordance with paragraph 2
administrative fines or, in the case of undertakings, the full financial year of the previous financial year
up to 4% of its worldwide turnover, provided that
a higher amount should be charged:

   (a) the principles of data processing, including the conditions for consent, are laid down in the General Data Protection Regulation
   In accordance with Articles 5, 6, 7 and 9;

   (b) the rights of data subjects under Articles 12 to 22 of the General Data Protection Regulation. in accordance with Article

   (c) personal data to a recipient in a third country or to an international organization
   Articles 44 to 49 of the General Data Protection Regulation. in accordance with Article
   (d) Article IX of the General Data Protection Regulation. in accordance with the law of the Member States adopted pursuant to this Chapter
   liabilities;

   (e) the supervisory authority in accordance with Article 58 (2) of the General Data Protection Regulation
   temporary or permanent restriction of data processing or the flow of data
   non-compliance with the request for suspension or general data protection

   failure to grant access in breach of Article 58 (1) of the Regulation.


III. Decision of the Authority

III.1. The quality of data management


III.1.1. Customer1 data management quality

Information provided to stakeholders, including in the privacy statement available on the website
the national signature collection was initiated by Customer1 and “Each of the recorded data
the controller is the Common Denominator ’. The prospectus is therefore clearly Customer1
listed as a data controller. Personal data collected in connection with the collection of signatures
One of the purposes indicated in the data management information is to collect signatures

and specifically with the organization’s sympathizers
contact, information about the organization's activities and events, and a call
to join your organization's campaigns. Also on the paper-based signature collection sheet
the Customer1 or the logo containing its abbreviated name as information referring to the data controller
is indicated.
In addition, however, there is no documentable association decision that is
may be linked to the collection of signatures or on the basis of which a body of the Client1 would have dealt

by collecting signatures.

Based on the information revealed during the proceedings of the Authority, it emerged that the Client1 is a classic
does not function as a party within the meaning of Article
the legitimacy of its operation is questionable. This is supported, inter alia, by the Authority
In the course of the proceedings, the letters sent to the Customer's registered office1 were all marked "not sought", 16



back; that the Tax and Customs Directorate of NAV-Budapest was dated 18 November 2019

deleted the Customer's tax number by its decision; that the http://kozosnevezo.hu website is also
has become unavailable, and […], the statement of the party member, founder, and according to Client2
in the meantime, the renamed Customer1 no longer carries out significant activities, Customer1 as of 2018
was no longer active after the parliamentary elections, and the actual activities were no longer a
They take place behind an organization called the Party of Normal Life.

In the replies sent to the Authority's inquiries, the Client2 mentions one in several places

not named and not supported by any other data or evidence other than
A person or organization other than Customer1 or Customer2. In contrast, the procedure
from the declarations of the persons covered and from the documentary evidence obtained by the Authority
no other stakeholders in the data management operations were determined to decide on the data processing
a person who has defined the purpose or means of the processing. Such
person was not nominated by the parties heard and made a statement and is wide by the Authority
nor could it be inferred from the documentary evidence obtained.

Given that Customer1 provided the name for the signature collection, the online signature collection
The Customer1 is indicated on the interface and on the paper - based signature collection sheet, and the
The Customer1 is also explicitly designated as a data controller in the data management information, of which
consequently, the Client1 shall be considered a data controller in this respect, despite the fact that a
according to the available information, Customer1 is no longer operational in practice.



III.1.2. Customer2 data management quality

The Authority will send its first inquiries to Client1 to Client2 as Chair of Client1
addressed him and then declared him as a client in the proceedings as an individual.

Based on the evidence available to the Authority, the Client1 only operates on paper, it is actual
it does not operate legally, it does not hold regular meetings of members. Not available

a documentable decision that would demonstrate that in the context of signature collection
Customer1 would have made a decision despite the signature collection of Customer1's name
used.
In its reply to the Authority dated 31 May 2021, the Client2 - no longer the Client1
but as an independent person, he said that he was in charge of the administration
previously resigned, so he has no opportunity to answer the questions raised by the Authority
to answer, he has no information about the questions asked, the signatures are not his

has not carried out any activities in the collection of signatures and does not store them
nothing related to signature collection. As stated in the statement in the collection of signatures
did not perform any activity, only performs or performed tasks out of favor,
which, however, are not related to the questions asked by the Authority.

Client2 made several statements in the social media during the fact-finding exercise
statements made by the Authority in the course of the proceedings

however, they contradict these claims.

The role of Customer2 in data management is supported by the following:

According to his statement in his reply dated 14 December 2020, on the signature collection sheet
he receives the sheets received at the specified mailbox as the return address.
The mailbox address marked as the return address on the signature collection form is unchanged for the Customer1

change in registered data (name of organization, registered office, representative)
notwithstanding, the sheets returned by post, and thus the personal data provided by those concerned
data will continue to be in the possession of the Customer2 on the basis of a previous statement., 17



 In addition to performing data management, the quality of the Customer's 2 data controllers is supported by the following:


 i. Shipments mailed to Customer1's previous location were not picked up and marked
 there was no person at the headquarters who would have been entitled to receive the consignments. […]
 the registered office of the Client1, who is only a member of the association and does not hold a senior position, was registered at the address of
 under the chairmanship of Client2. The Authority shall also send its inquiries and orders to the address of the Client2
 to which the Customer2 received the Authority's inquiries three times. Customer1-
 could only be contacted through Customer2 - which is also not the organization

 supports the proper functioning of the Client2, ie the Client2 as the Client1’s
 a separate person also had a significant influence in the affairs of the Client1 and in the collection of signatures by
 that the name of Customer1 is actually Customer2. Consequently, for data management
 decision-making related to the purpose of data management is obviously the responsibility of the Client2-
 may be related to.

 ii. Customer2 on April 27, 2018. in its statement dated the day of the Common Denominator 2018

 resigned as ‘administrator resignation’ (‘resignation statement 1’) The signature of witnesses on the deed is not
 included in the proceedings, there was no evidence that Customer2 was the “waiver
 statement 1 ”to Client1 or to a legal representative in a change registration procedure
 in the absence of these, the "waiver 1" is the intended legal basis
 was not suitable for inducing an effect. Customer2 in a statement dated June 17, 2021
 (“Waiver 2”) - when Customer2 was already aware of the data protection authority procedure -
 has repeatedly resigned from the position of managing director of the Client1, from which the

 the conclusion is that he himself did not consider "resignation statement 1" to have any legal effect
 considered it appropriate to do so again. Furthermore, in the meantime
 Signature collection has started under Customer1. The data management activity is a paper only
 it must obviously be done by someone other than an operating organization, which also proves that
 the activity of the Client2 was maintained despite his previous resignation from the management. THE
 "Resignation statement 2" was submitted in the change registration procedure on 02.08.2021. on the day. THE
 The Metropolitan Court deleted Client2 as the senior official of Client1 by the NGOs

 from the register.

iii. Client2 has repeatedly promoted signature collection, e.g. the "Doctor Stork"
 in a Facebook post posted on October 13, 2020
 “Today we are launching an important national initiative [Ezért] That is why the Common Denominator
 movement (http://kozosnevezo.hu) due to its public nature and opportunities
 A NATIONAL COLLECTION OF SIGNATURES is organized by social pressure

 IN THE PURPOSE OF THE SPEECH OF THE PEOPLE AND THE VALIDITY OF THE PEOPLE! About this here
 you can find out everything: https://alairasgyujtes.online ”and then in several of your posts
 encourages people to support this initiative. Plurals throughout your posts
 using it, thus naming himself as the initiator or stating that the collection of signatures
 he himself took part in launching it.

arc. Https://444.hu/2020/10/20/godeny-probaljuk-a-tomegbazist- Pick up October 2020

 According to an article published on the 20th, the Client2 stated that the questions asked of him during the interview
 that he or she was the Customer1 - of which he was the 28 September 2021
 behind the collection of signatures and said that one of the main reasons for the collection of signatures
 aimed at trying to ‘gather a mass base’. The journalist wrote in the article that
 “After I called György Gődény, he answered a bunch of questions. […] Stork for a moment
 nor did it hide that one of their main goals with the whole was to try to “gather a mass base”.
 Customer2 has therefore stated that it and Customer1 are in charge of collecting signatures, ie

 behind the data processing examined in this case. And Client2 did not exalt himself as the chairman of Client1
 who, in addition to the Client1, mentioned himself separately from him, thus acknowledging that he,
 as an individual data controller., 18



 It can also be seen from the interview and the statements made during it that

 Client2 was able to answer the substantive questions related to the collection of signatures, he appeared in the
 as a competent person for the collection of signatures. Customer2 is apparently in the public mind as well
 appears as someone who has had and continues to have a decisive, influential role
 in signature collection. It can therefore be concluded that it is relevant to the collection of signatures
 information is available to Customer2, such as how the signature is collected,
 how long, so the partial decisions related to the collection of signatures can also be linked to the Client2.


v. Even in June 2021, Customer2’s social networking sites identified above
 has published a post promoting the collection of signatures, encouraging Customer1 to
 no longer referred to in his posts. Customer2 made the entries in his own name.

 For example, in his post of 10 June 2021, he called for a motion before a parliament on 20 June
 encouraged his followers to collect signatures.
 In its entry of 11 June 2021, it also called for support for the initiative, highlighting the

 the availability of a website to support the initiative.

vi. […], A member of Client1 testified before the Authority and also stated that a
 provided information that Customer1 has an approx. Facebook group with 40,000 members, which
 group is still operating, although the association no longer has significant activity
 or the Client1 no longer carries out any activity, it is not already a member,
 but also supporters, some of whom are connected in Facebook groups. Within the group and

 at all, in relation to Customer1, the circle of sympathy compared to the initial composition
 exchanged, there is currently activity associated with the coronavirus. Both the former and the
 current activity can be linked to the name of the Client2, he would know the meaningful answers to the questions of the Authority
 to give according to the witness.
 The testimony also confirms that the Customer2 is the key player in the collection of signatures
 the face of both the signature collection and the organizer of the campaign on the issue,
 central person.


 III.1.3. Summarizing the above, the Authority has established that the signature collection is the name of the Customer1
 one of its purposes is to sympathize with the Customer1 organization
 further contact and information for them. Accordingly, the collection of signatures
 The Customer1 is also listed on its website and on the paper-based signature collection form, as well as on the website
 also available data management information as the data manager of the data management specifically for the Customer1
 marks. Consequently, Customer1 is named as the data controller and for the purpose of data management

 Client1 can be linked, therefore the Authority considers Client1 to be a data controller in this respect
 he looked at.

 In addition to the above, the Authority found that Customer2 is the technical background for the collection of signatures
 played a prominent role in the provision and execution of the signature, collecting signatures on its own behalf
 promoted as an activist in the field of signature collection,
 acted as his key figure. These are clearly supported by the Customer2 in the collection of signatures, respectively

 decisive factor in the management of data in connection with the collection of signatures
 which had to play a key role in data management decisions
 spread, ie decisions were made by Customer2. This role is not just about collecting signatures
 participation, the performance of certain data management operations, but also the Client2 as
 the quality of the data controller of the individual and the corresponding responsibilities. This is the data controller
 liability is supported in particular by the fact that it is decisive for Customer2
 had an influence on the decision on data management, to determine the purpose of data management, that

 he had access to the mailbox address indicated during the signature collection, he declared himself
 that he was behind the collection of signatures, as evidenced by the testimony of the witness. Therefore, the
 The Authority shall also determine the quality of the Client2 's data controller with regard to the examined data management




III.1.4. In the Authority's view, it cannot be an organization that does not actually operate
or on its behalf so that the actual
data processing is disguised and personal relationships are unclear.

                                                                          1
As emphasized by the Authority in Part I of its recommendation to political parties, no
it is an acceptable situation that no one should be held responsible for the processing of data - especially one
during the national collection of signatures, which is also ongoing online, and
they try to avoid liability by claiming that the organization is not working, is

they know nothing about data management and do nothing. It contradicts those statements
in particular, the collection of signatures is still ongoing.
According to the Authority, it is not permissible for such data controllers to be relieved of their responsibilities in this way
data controllers collect personal data irresponsibly and without consequences,
they are used.


Furthermore, the fact that Customer1 is referred to as a “movement” does not mean that
that by perceiving a legal person as a “movement”, due to the indeterminacy of the participants a
liability of the legal person and the ‘movement’ and a
compliance with the legislation could be waived.


Based on the above, the Authority considers both Client1 and Client2 to be data controllers.
turn. The Authority examined it in accordance with Article 26 of the General Data Protection Regulation
and whether they are common controllers or parallel controllers. On this
As a result of the investigation, the Authority concluded that Client1 and Client2 were common

they are considered to be data controllers because there are no two separate data management or separate data management purposes
in terms of the data management examined, but also the qualities and responsibilities of the data controller
they exist in an atypical way, yet in the data controller construct examined in the present case
are inextricably linked. The role of the two data controllers in this Decision
cannot be separated more precisely than in the light of the procedural difficulties and the

lack of cooperation.

Accordingly, the Authority considered Client1 and Client2 to be joint controllers and this
established the liability of both of them despite the fact that Customer2 is the data controller
his quality was not recognized.


The legal classification of the violations committed in the case and the established
Furthermore, with regard to the legal consequences, it is irrelevant that parallel data controllers,
or customers are considered common data controllers.



III.2. Legality of information on data processing

It is closely linked to the validity of the consent that it be preceded by appropriate information
this is necessary in order for those concerned to be aware that they are specific

what they agree to know the details of the data management and exercise their consent
their right to withdraw. The person concerned is in possession of the relevant information
make a decision on whether to consent to the processing of personal data concerning him or her.
Failing this, the legal basis for consent, ie data processing, will be invalid.



1A Authority Recommendation on certain data protection requirements relating to the data management of political parties and organizations (February 2021
19.): “According to the experience of the Authority, one of the biggest shortcomings before the start of data processing is the lack of data controllers,
clear clarification. In the Authority 's view, it is no longer the obligation to provide prior information or
nor is it acceptable for a series of data processing operations not to have
so that, especially if an infringement is suspected in the course of data processing, it should be clarified
roles. ", 20



Article 5 (1) (a) and (b) of the GDPR and, in this context, Article 39

Recital 1 states that it must be transparent to natural persons,
how they collect and use their personal data about them
considered or otherwise treated, and in the context of a
the extent to which personal data is and will be processed. The principle of transparency applies
also to inform data subjects about the purposes of data processing. Personal data management is specific
their objectives are explicitly stated and legitimate, and are already personal
must be specified at the time of data collection.


Article 13 of the GDPR defines what information is available to data subjects
shall be informed at the time the data are obtained.

III.2.1. In the Authority's view, the website is not sufficiently transparent, clear and unambiguous
informing data subjects about the purposes of data processing. One of the purposes of data management is to express an opinion
(‘I agree that no one should be required to be vaccinated and that no one should be

may be penalized or restricted. ”) is highlighted only on the data collection interface,
data management information refers to it only as “support for national signature collection”, while
information that the data will be used for data processing purposes other than the original purpose
(contact) will only be handled by opening and reading the privacy statement
happens.

The fairness and lawfulness of the processing of data subjects' personal data, inter alia,

may be established if the data subject has been duly informed that:
personal data is collected for two different data processing purposes and specifically for naming purposes
what these data management purposes are. Information on the purposes of data management
its adequacy and clarity cannot be established on the basis of the above.

The legal basis in the data protection prospectus is Article 9 (2) (a) of the GDPR,
or (d). Article 9 of the GDPR provides for special categories of personal data,

which the regulation prohibits as a general rule or makes subject to strict conditions. THE
special categories of personal data may be processed, inter alia, if the
the data subject has given his or her express consent to their treatment for one or more specific purposes.

There is also no specific information in the privacy statement that the data
the duration of the collection of the data provided, nor the storage of the data provided in this context,
how long it takes to use. According to the information on the https://alairasgyujtes.online website, the

The collection of signatures is still ongoing, as determined by the Authority, or at the request of the Authority
Customer2 stated that data collection is not time-bound.

In the privacy statement, data subjects are informed that it is not automated
the data obtained in the course of data processing, received on a signature collection form and statements of consent
Customer1 shall be digitized and recorded by the database manager within 30 days of receipt
the original documents are handed over, presented or destroyed as a petition. No

information on the collection of signatures for an indefinite period
after what will happen to the signature collection sheets and those included in or collected online
with personal information.

III.2.2. In the Authority's view, the data collection sheet is on the signature collection sheet
a briefing should be provided to stakeholders on the planned data processing
key information set out in Article 13 of the GDPR.


With regard to the prospectus on the signature collection form, the Authority notes that
the data subjects have not been properly informed, inter alia, of the legal basis and the purposes of the data processing,
the wording refers, on the one hand, to consent based on the Information Act and, on the other hand, to 21



only for the purpose of contact, consultation and information

mentions. The prospectus does not specify which organization is responsible for data management.
The signature collection form does not specifically mention the data controller, only the Customer1
an emblem with its abbreviated name is shown on the sheet. Personal information collected
information on the duration of storage is also not included in the text on the sheet.

III.2.3. Based on the above, the Authority concludes that the controllers do not provide the
clear, adequate and real information to those concerned on paper

collection of signatures, nor in connection with the collection of signatures through the website
all relevant circumstances of the data processing and shall not be determined
clearly state the purpose of the processing, thereby violating the general data protection regulation
Article 5 (1) (a) and (b) and Article 13 (1) to (2).


III.3. Online data collection


III.3.1. Legal basis for online data collection

In addition to paper-based data collection, the signature collection is available at https://alairasgyujtes.online
also takes place on a website. To support the initiative online, the stakeholders below are personal
data are collected: name, postcode, town, name of public area, house number, floor / door, e-mail address,
phone number. From this information, entering the phone number is optional, which is in the fill-in interface

it is also indicated separately, while the other data are mandatory.

The success of the online support of the initiative, that is, to bring it to the system
"I have read and accepted the Privacy Notice." text
pre-checkbox. The privacy statement is provided through a hyperlink embedded in this text
available.


Despite the call of the Authority, the Client2 did not specify the legal basis of the data processing, the
According to a statement made as a representative of Client1, the persons involved in the collection of signatures are personal
their data is provided voluntarily.

According to the data protection prospectus, the legal basis for data processing is, on the one hand, that
data management with appropriate guarantees for regular contact with the data subject
In addition, the prospectus indicated the GDPR

Article 9 (2) (d). Furthermore, the legal basis for data processing is not regular for the data subject
in the case of contact, the express consent of the data subject prior to the recording of the data
declaration, ie Article 9 (2) (a) of the GDPR.

As detailed in the Privacy Notice, making a statement of consent is subject to
Customer1 will confirm this with a message sent to the email address provided by the data subject and thereafter
the data subject must confirm the consent in the reply to the confirmation message

intention.
The Authority emphasizes that during the testing of https://alairasgyujtes.online, it found that
Contrary to what is stated in the privacy statement, when supporting the collection of signatures online
the data controller does not send the opportunity to confirm the consent for the e-mail contact provided
insurance email.

The Privacy Notice therefore collects personal data from data subjects as described above

treats it as a special category of personal data.

Pursuant to Article 6 (1) (a) of the GDPR, the processing of personal data is lawful if it
the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes,



to treat.

Personal provided to support the initiative of a political organization
however, the data do not constitute a special category of personal data. If
however, in addition to the purpose of the petition, the data subject also has the right to process data specifically for that purpose

gives his consent to him as a sympathizer later in the political organization
to inform about his / her activity, to get in touch with his / her political activity
personal data provided by the data subject for this further contact
necessary personal data as data indicating party sympathy is a special category of personal
also constitute data.

According to the data protection information sheet, the purpose of data management is to support the collection of signatures by:

Customer1's contact with the data subject as a sympathizer, informing the data subject
activities and events, and send invitations to Customer1 campaigns
to join.

Personal data processed for the purpose of political contact is therefore accordingly
information referring to the political views of data subjects and, as such, general data protection
special categories of personal data within the meaning of Article 9 (1) of that Regulation

are considered. The processing of special categories of personal data is, as a general rule, prohibited by the Regulation,
or subject to strict conditions. These special categories of personal data include
In accordance with Article 9 (2) of the GDPR, they may be treated if they are concerned
express consent to their treatment for one or more specific purposes.

In order for the controller to be able to legitimately invoke the legal basis of the consent, the consent
all its conceptual elements must meet the requirements that apply to it.


5/2020 on the consent of the European Data Protection Board and
the Data Protection Directive issued pursuant to Article 29 of the Data Protection Directive
The Working Party’s Guideline WP259 on Consent also confirms that
that the statement or act expressing the confirmation unequivocally is lawful
precondition for consent. The guidelines state that "explicit consent" is required
in certain situations where there is a serious data protection risk. The general

According to the Data Protection Regulation, "express consent" plays an important role in personal
Article 9 on the handling of special categories of data, including political
also in the case of the processing of personal data processed for contact purposes. The word “express” in this is
In this case, it indicates the way in which the data subject expresses his or her consent. It means that
the data subject must make a statement of specific consent. Consent "explicit"
The obvious way to be convinced is that consent is given in a written statement
would be a clear confirmation.


As set out in Annex II of the Authority's Recommendation to Political Parties. also explained good practice
Takes note of the European Data Protection Board's contribution 5/2020 Guideline No
and established pursuant to Article 29 of the Data Protection Directive
As set out in Guideline WP259 on the consent of the Working Party on Data Protection, the
the method of two - step verification of consent, according to which the confirmation shall be
the data controller obtains it by electronic means provided by the data subject

send a letter notifying you that he or she intends to process the data subject's personal data,
to which he requests confirmation of his consent in a reply.
As stated in the privacy statement, the data controller will confirm your consent
apply the two-step verification method described above in practice
however, this method of confirming consent was not used.

In order for the data subject to be able to express his will in concrete terms, it is therefore necessary that,



data controller by obtaining consent related to data management activities

clearly separate related information from information on other issues.

Recital 42 of the General Data Protection Regulation also states that the controller
you must provide a pre-arranged statement of consent that is clear and easy to use
it must be made available in an accessible form and its language must be clear and
it must be clear and not contain unfair terms.


In the Authority's view, the provision of personal data on the online interface is on the one hand
consent to the use of personal data
on the other hand, it is not the original
for the processing of personal data for contact purposes in addition to the purpose of data processing
contribution.

Recital 32 of the GDPR states that data processing can only take place if:

by a clear affirmative action, such as in writing, including by electronic means
- or voluntary, specific, informed and unambiguous
consent to the processing of personal data concerning a natural person. If it is
data management serves more than one purpose at a time, you can contribute to all data management purposes
to be provided separately. If the data controller does not attempt to make each
ask for consent separately for this purpose, there is a lack of freedom of decision.


In the Authority's view, the lawfulness of the processing of the personal data of the data subjects at that time
can be established if the data subject is used for all data processing purposes
may have contributed separately to its management.

By giving consent as explained above, they are not concerned
clear and specific expression of his will, the data processing is not considered valid
legal basis. The Authority notes that data controllers handle it without a valid legal basis

personal data of data subjects, in breach of Article 6 of the General Data Protection Regulation
Paragraph 1. As these data are also data for political contacts a
special categories of personal data and their processing, among other things
it is possible, if the data subject has given his or her express consent, the
data processing also infringes Article 9 (1) of the General Data Protection Regulation.

III.3.2. Purposefulness of data collection


Article 5 (1) (b) of the GDPR provides for the principle of purposeful data processing, which
personal data may only be collected for specified, explicit and legitimate purposes,
and may not be treated in a way incompatible with those purposes.

According to the prospectus, the purpose of data management is to support the collection of national signatures,
on the other hand, the Client1’s contact with the data subject as a sympathizer, the data subject

informing the Client about its activities and events, and sending invitations to the Client1
to join its campaigns, i.e. as in the client2’s multiple press releases
further purpose of collecting signatures is to try to “gather a mass base”.

The privacy statement refers only in general terms to the “national
However, the prospectus does not specify which signatures to collect
applies. In this connection, the Authority notes that through the website the Client1

it also refers to another ongoing signature collection or via a hyperlink to it
navigates to a page that has a similar content structure and that page is referenced
The data protection information sheet also refers to the collection of national signatures of a general nature with the same content
information., 24





In the course of the procedure, the Authority found that the data protection reference was specific
"Support for the collection of national signatures" for data management purposes only in support of the initiative
“I agree that no one should be vaccinated
no one shall be subjected to any form of restraint or punishment. " text
indicates that the data protection notice does not indicate this specific purpose, while data management is different
the purpose for which the data will be collected for subsequent contact purposes, is
the interface for collecting data and supporting the initiative does not reveal that

The Authority considers that it is misleading for supporters of the initiative. The signatories
for, in a deceptive way, only the initiative is paramount on the data collection interface
the purpose of which is communicated by the controller, while there is no invitation to the signatory
all personal data - the telephone number is optional - for contact purposes only
will also be handled by the data handler, which can only be accessed via the hyperlink
provides information in a privacy statement.


Compliance with the purpose limitation principle requires, inter alia, specificity
the definition of the purpose stated before the start of the data processing and its
understandable, non-ambiguous and non-misleading communication to stakeholders.

On the basis of the information available, the Authority shall
noted that the purpose of collecting personal data is not in fact to collect signatures,
that is, support for the petition, but also for those interested in the subject, sympathizers, or personal

collecting their data.

This is borne out, among other things, by the fact that it is literally the same as the question of collecting signatures
as a matter of referendum proposed by the initiator of the Civil Movement Association earlier
(27 August 2020) was submitted to the National Electoral Commission. For the referendum
However, the National Electoral Committee (IX.21.) NVB
in its decision, however, in the privacy statement for the collection of signatures

misleading reference or information that the signature collection sheets are
intended to be handed over, presented as a petition. This is also indicated in the statement2 of the Customer2, which a
Article published on October 20, 2020 (https://444.hu/2020/10/20/godeny-probaljuk-a-tomegbazist-
to answer the question asked during the interview: “If you succeed more than 200 thousand
to collect a signature, a referendum initiative could be considered, the
pharmacist.".


So the collection of signatures, data collection is still in progress on an issue that
referendum on this issue is not possible and the stated purpose of the petition is clearly no longer
feasible. The real purpose of data processing is, in the Authority's view, the collection of personal data
to build a sympathy database, to create a mass base, but it is not clear whose
because Customer1 exists only on paper. This establishes that data management
purpose is unclear and unrealistic, so data controllers violate the general
the principle of purpose limitation under Article 5 (1) (b) of the Data Protection Regulation.


III.3.3. Infringement of the principle of due process

Article 5 (1) (a) of the General Data Protection Regulation provides for a fair procedure
the principle that personal data must be processed fairly.

In the course of the procedure, the Authority found that during the collection of signatures - Annex III.1. point

as detailed - the quality of the data controller is not sufficiently clarified, the data subjects
misleadingly informing the controller and a person not actually working
party is called data controller., 25



Information about the purpose of data processing is also misleading. A III.3.2. explained in point

on the one hand, it is misleading because the signatories on the data collection interface are not informed of the
on the other hand, for the purpose of collecting signatures
the purpose is indicated by the controller, which is a manifestly impossible purpose, as it is a well-known fact that
that the issue is not suitable for a referendum, its authentication by the National Electoral Commission
rejected it earlier for several reasons.

Based on the above, it can be concluded that the data processing is unfair, thus the data controllers

breach of Article 5 (1) (a) of the General Data Protection Regulation
the principle of a fair trial.


III.4. Paper-based signature collection

During the collection of signatures, according to the signature collection form that can be downloaded from the website, the parties involved are as follows

personal data is collected: name, address (postcode, town, name of public place,
house number / em. / door), e-mail contact, telephone number and signature. Privacy is available on the website
also available on the website in the signature collection form
reference is not included anyway - an ID number is assigned to the data subject's data
the data management consent can be documented. The signature collection sheet for each data set collected
it is not specified whether they are mandatory or optional.

The following information, which can be assessed as information on the legal basis of the data processing, can be found on the signature collection form:
veg: “By providing the information on the summary form and signing the signature collection form
I consent to the disclosure of my data on the right to self-determination of information and the
CXII. pursuant to Section 5 (1) (a) of the Act, further contact,

for the purpose of requesting an opinion and providing information, the statement of consent to the
until the end of the year. "

Until 25 May 2018, the main rules on data protection in Hungary will be regulated by Infotv. contain-
From that date, the GDPR is mandatory and directly applicable to the signature collector
However, the short information text in the form is in the Infotv. Section 5 (1) a)
refers to the legal basis of the consent indicated.


According to the statement of the Customer2, the data subjects have their personal data both online and on paper
provided voluntarily during the collection of signatures on this basis.

The pre-worded statement on the signature collection form is limited to “additional
for the purpose of communication, consultation and information "
refers to consent. However, the purpose of collecting signatures is not only to maintain further contact, and

related database building, but also support for the initiative, for which only it
Signature sheet "I agree that no one should be required to be vaccinated and that no
no one shall be punished or restricted. " main title refers to.

An important conceptual element of consent is that the request for consent is preceded by appropriate information
me. Article 5 (1) (a) and (b) of the GDPR and, in this context, Article 39
Recital 1 states that it must be transparent to natural persons,

how they collect and use their personal data about them
considered or otherwise treated, and in the context of a
the extent to which personal data is and will be processed. The principle of transparency applies
also to inform data subjects about the purposes of data processing. Personal data management is specific
their objectives are explicitly stated and legitimate, and are already personal
they must be specified at the time of data collection



It can therefore be concluded that data subjects have their personal data as "support for the initiative".

for the purpose of "contact, consultation and information"
their consent is given by completing the signature collection form, ie personal data
the legal basis for the management of the data subject is the consent of the data subjects.

The Authority has determined that the information on which the statement of consent is based is correct
however, the information on the signature sheet is inadequate, as indicated in Annex III.2.2.
as detailed in point 1 - is not exhaustive and therefore the consent cannot be considered

informed. However, despite the lack of information, the Authority is concerned
does not consider its consent to data processing to be invalid if it
data controllers requesting confirmation of their consent with appropriate information
obtain a statement from those concerned.


III.5. Infringement of the principle of accountability


The Authority points out that, in accordance with Article 5 (2) of the General Data Protection
essentially the objective responsibility and enhanced diligence of the controller
Due to the fundamental requirement of accountability formulating
the obligation to prove that the conditions for the lawfulness of data processing - data processing
from the beginning - they persist. To the data controller from the planning of data management
from the start of data processing to the deletion of all personal data processed

you must carry out the data processing operation in such a way that you can prove at any time that
how you complied with data protection regulations. Based on the principle of accountability,
the data controller must implement the data management throughout the data processing process
operations in order to be able to demonstrate compliance with data protection rules. The
the principle of accountability can therefore be interpreted not only in general, at the process level, but in all
specific data processing activity, the processing of personal data of a specific data subject
also applies to


The Authority states that data controllers do not guarantee the lawfulness and transparency of data processing
certified to the Authority, did not declare that the personal data collected
how and what it is used for, where the data is stored, and what the real purpose of data management is.

Based on the above, it can be concluded that the data controllers by not approaching the Authority
lawfulness of the data processing, breach of Article 5 of the General Data Protection Regulation.

principle of accountability set out in Article 2 (2).


III.6. Other findings

The Authority will, on the basis of the facts set out above, in the course of the data protection authority proceedings
found that the Client1 was operating in an illegal manner, or

inoperability.
Customer1 was not available at the registered office at the registered office
and is not currently secured, nor was it possible to deliver the items to the gatekeeper. The
Furthermore, most of the client1 was not available through his court-registered representative
case.

According to the registered data, however, in the data of the organization registered in the court register

there was a change (change of registered office, registered representative), contact details of the Customer1
however, it was not insured even after the change was recorded.

The previous registered office of the Client1 was reported to the address where the person who, a



is not a representative of the organization, only a member, thus the items mailed to the registered office of the Customer1

receipt was not guaranteed either.

The Authority has detected that Client1 is publishing the report or the public benefit annex
did not fulfill his obligation at all.

For all these reasons, the Authority initiated the Metropolitan Court with non-governmental organizations
CLXXXI of 2011 on the court register and the related procedural rules.

Act 71 / A.-71 / I. § of the lawfulness review procedure in accordance with


III.7. Legal consequences

III.7.1. The Authority shall act in accordance with Article 58 (2) (b) of the General Data Protection Regulation
finds that Customer1 and Customer2 infringe Article 6 of the General Data Protection Regulation

(1) and Article 9 (1) by going through the website
in the context of the collection of signatures, the personal data of data subjects are collected without a legal basis.

In accordance with Article 58 (2) (b) of the General Data Protection Regulation, the Authority finds that:
that Customer1 and Customer2 infringe Article 5 (1) (b) of the General Data Protection Regulation
the purpose of the purpose of the data processing is not clear
specified.


In accordance with Article 58 (2) (b) of the General Data Protection Regulation, the Authority finds that:
that Customer1 and Customer2 infringe Article 5 (1) (a) of the General Data Protection Regulation
Article 13 by not providing them to stakeholders
clear, appropriate and real information on paper and on a website
all relevant circumstances of the data processing in connection with the collection of signatures.


In accordance with Article 58 (2) (b) of the General Data Protection Regulation, the Authority finds that:
that Customer1 and Customer2, by their unclear quality as data controllers, are
data subjects have been misled as to the identity of the controller and the purpose of the processing,
breach of a fair practice within the meaning of Article 5 (1) (a) of the General Data Protection Regulation
principle of procedure.

In accordance with Article 58 (2) (b) of the General Data Protection Regulation, the Authority finds that:

that Customer1 and Customer2 have infringed Article 5 (2) of the General Data Protection Regulation
accountability requirement by not applying to the Authority
the lawfulness of the data processing has been verified.

The Authority, taking into account that data processing is a special category (party sympathy)
the processing of personal data and there is no specific information on the data collected
the use of personal data while the stated purpose of the data collection is unrealistic, and

the Client1 and the Client2 did not cooperate with the Authority during the procedure, the general
instructs Client1 and Client2 pursuant to Article 58 (2) (g) of the Data Protection Regulation,
to be deleted from the signatures collection website from stakeholders online in a documented manner
collected all personal data in this way.

The Authority shall issue an order pursuant to Article 58 (2) (d) and (g) of the General Data Protection Regulation
Client1 and Client2 to provide their consent on the paper-based signature collection form.

obtain full information on data processing from data subjects
a statement requesting confirmation of their consent, failing which the documented statement shall be deleted
stakeholders both to support the initiative and to liaise
personal information., 28





Pursuant to Article 58 (2) (f) of the General Data Protection Regulation, the Authority prohibits
in connection with the collection of signatures, the continuation of data management in such a way that Customer1 and Customer2
complete immediately in connection with the collection of signatures both on paper and in
the collection of personal data online, as its purpose is unclear and not clear
real, data collection is underway on an issue on which a referendum is not
sustainable and the stated purpose of the petition is no longer achievable. The real purpose of data management
building a sympathy database, creating a mass base so that the Customer1 in practice

does not work, only on paper, and the actual activities of the Normal Life Party organization name
take place during.

III.7.2. The Authority has examined whether it is justified to treat Client1 and Client2
imposition of a data protection fine. In this context, the Authority shall, in accordance with Article 83 (2) of the General Data Protection Regulation,
and Infotv. 75 / A. § considered all the circumstances of the case and found that
that in the case of infringements detected in the present proceedings, the warning is neither proportionate nor disproportionate

a dissuasive sanction, it is therefore necessary to impose a fine.

In setting the amount of the fine, the Authority took into account, in particular, that
Infringements by Customer1 and Customer2 are covered by Article 83 (5) of the General Data Protection Regulation.
shall constitute an infringement falling within the higher category of fines referred to in paragraph 1 (a)
[Article 83 (2) (a) GDPR]


The Authority has imposed a data protection fine on both Client1 and Client2
In determining the amount of
they have not yet been convicted of a breach of the General Data Protection Regulation [GDPR
Article 83 (2) (e)].

A) The Authority as an aggravating circumstance in imposing a fine on Client1
   has taken into account:

    - the nature of the infringements is serious and concerns a current social issue which is therefore significant,
        according to a large number of stakeholders (according to https://alairasgyujtes.online)
        nearly 58,000 supporting signatures) involved the processing of your personal data
        [Article 83 (2) (a) GDPR];
    - the Customer has infringed several provisions of the General Data Protection Regulation1 [GDPR 83.
        Article 2 (2) (a)];
    - the longer duration of the infringement (the collection of signatures started on 13 October 2020 and the proceedings

        data collection is still ongoing [Article 83 (2) GDPR
        paragraph (a)];
    - according to the Authority, actors in public and political life are increasingly expected to do so
        the collection of personal data in accordance with the provisions of the General Data Protection Regulation
        act accordingly [Article 83 (2) (a) GDPR];
    - unlawful data processing due to the Customer1's grossly negligent conduct, data processing
        caused by its practice [Article 83 (2) (b) GDPR];

    - from Customer1 as a political actor and from the category of personal data collected
        all technical and organizational measures would have been expected to be taken
        for the adequacy of data processing [Article 83 (2) (d) GDPR];
    the personal data collected are also special categories of personal data [Article 83 GDPR.
        Article 2 (2) (g)];
    - the conduct of the Client1 during the proceedings, the unavailability of which is the clarification of the facts
        greatly impeded [Article 83 (2) (f) GDPR];


The Authority did not consider it relevant to impose a fine on Client1
Circumstances under Article 83 (2) (c), (h), (i), (j) and (k) of the
cannot be interpreted in this case





B) The Authority as an aggravating circumstance in imposing fines on Client2
   has taken into account:
    - the nature of the infringements is serious and concerns a current social issue which is therefore significant,
        processing of the personal data of a large number of data subjects [Article 83 (2) GDPR
        paragraph (a)];
    - the Customer has infringed several provisions of the General Data Protection Regulation2 [GDPR 83.
        Article 2 (2) (a)];

    - the infringement has existed for a long time and data collection is still ongoing
        (Initiated and pending on 13 October 2020) [Article 83 (2) GDPR
        the dot];
    - from the Client2, as a person who is currently actively involved in political life
        it is increasingly expected that the general data protection regulation will apply to data processing
        comply with the requirements of [Article 83 (2) (a) GDPR];
    - Client2, on the one hand, as the party's manager, ie as Client1's legal representative

        he also had an influence on data management, but also as an individual data controller
        a key player in the case [Article 83 (2) (a) GDPR];
    - unlawful data processing due to the Customer's2 grossly negligent conduct, data processing
        caused by its practice [Article 83 (2) (b) GDPR];
    the personal data collected are also special categories of personal data [Article 83 GDPR.
        Article 2 (2) (g)];
    - the conduct and unavailability of the Client2 during the proceedings, the Authority

        disregarding the issues raised in his requests greatly clarifies the facts
        impeded [Article 83 (2) (f) GDPR];

The Authority took it as an attenuating circumstance when imposing fines on Client2
taking into account that the Client2 is a natural person [Article 83 (2) (k) GDPR].

The Authority did not consider it relevant to impose fines on Client2

Circumstances under Article 83 (2) (c), (d) (h), (i) and (j) of the
cannot be interpreted in this case.

The imposition of a fine on the basis of the above is necessary specifically for Client1 and Client2,
and the Authority in setting the amount of the fine in addition to the specific deterrence objective
also took into account the general preventive purpose to be achieved by the fine, with which the Client1 and the
In addition to deterring Customer2 from further infringement, the right to the protection of personal data

signatures.

Subject to the Client1's obligation to publish the report in recent years
has not complied with, the Authority has no specific information available to the Client for 1 year
income. In the course of the proceedings, the Client2 did not refer to such a fact either
circumstance which it is necessary to take into account in the imposition of any fine
would have kept it. The amount of the fine shall be based on the law of the Authority

acting in its discretion.

Based on the above, the Authority has decided in accordance with the operative part.


ARC. Other issues


The powers of the Authority shall be exercised in accordance with Infotv. Section 38 (2) and (2a), its jurisdiction is
covers the whole country., 30



The decision is based on Ákr. 80.-81. § and Infotv. It is based on Section 61 (1). The decision is based on Ákr. 82.

§ (1), it becomes final with its communication. The Ákr. Section 112, Section 116 (1),
or pursuant to Section 114 (1), there is an administrative action against the decision
redress.

                                               * * *

The rules of administrative litigation are laid down in Act I of 2017 on the Procedure of Administrative Litigation (a

hereinafter: Kp.). A Kp. Pursuant to Section 12 (2) (a), the Authority
The administrative lawsuit against the decision of the Criminal Court falls within the jurisdiction of the court. Section 13 (11)
The Metropolitan Court shall have exclusive jurisdiction pursuant to On civil procedure
on the 2016 CXXX. Act (hereinafter: Pp.) - the Kp. Pursuant to Section 26 (1)
applicable - legal representation in a lawsuit falling within the jurisdiction of the tribunal pursuant to § 72
obligatory. Kp. Pursuant to Section 39 (6), unless otherwise provided by law, the application
has no suspensory effect on the entry into force of the administrative act.


A Kp. Section 29 (1) and with this regard Pp. Applicable in accordance with § 604, electronic
CCXXII of 2015 on the general rules of public administration and trust services. Section 9 of the Act
Under paragraph 1 (b), the client's legal representative is required to communicate electronically.

The time and place of the submission of the application is Section 39 (1).


The amount of the fee for an administrative lawsuit shall be determined in accordance with Act XCIII of 1990 on Fees. law
(hereinafter: Itv.) 45 / A. § (1). From the advance payment of the fee is
Itv. Section 59 (1) and Section 62 (1) (h) shall release the party instituting the proceedings.

If the Applicant does not duly prove the fulfillment of the required obligation, the Authority shall:
it considers that it has failed to fulfill its obligations within the prescribed period. The Ákr. According to § 132, if a
the obligor has not complied with the obligation contained in the final decision of the authority, it shall be enforceable. THE

Authority's decision on the Ákr. Pursuant to Section 82 (1), it becomes final with the communication. The Ákr. 133.
§, unless otherwise provided by law or government decree - a
ordered by the decision-making authority. The Ákr. Pursuant to § 134 - enforcement if law,
a government decree or, in the case of a municipal authority, a local government decree otherwise
does not have - the state tax authority implements it. Infotv. Pursuant to Section 60 (7) a
To carry out a specific act contained in a decision of an authority, specified
the decision as to the obligation to conduct, tolerate or stop

shall be carried out by the Authority.


Budapest, March 2, 2022

                                                                   Dr. Attila Péterfalvi
                                                                         President

                                                                   c. professor