NAIH (Hungary) - NAIH-180-16/2022: Difference between revisions

From GDPRhub
No edit summary
 
(One intermediate revision by one other user not shown)
Line 55: Line 55:
}}
}}


The Hungarian DPA issued a fine of €13,000 against a public online directory operated by a telecom operator for breaching the accountability principle and processing data without a valid legal basis, in violation of [[Article 5 GDPR#2|Articles 5(2)]] and [[Article 6 GDPR#1|6(1) GDPR]].
The Hungarian DPA issued a fine of €13,000 against an online directory operated by a telecom operator (including customers' names, addresses and mobile numbers) for breaching the accountability principle and processing data without a valid legal basis, in violation of [[Article 5 GDPR#2|Articles 5(2)]] and [[Article 6 GDPR#1|6(1) GDPR]].


== English Summary ==
== English Summary ==
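Review bot: In the revised sentence the parenthetical "(including customers' names, addresses and mobile numbers)" follows "telecom operator", so it reads as describing the operator rather than the contents of the directory; move it directly after "online directory". The revision also drops the word "public", while the Facts section still describes a public online directory, so consider keeping it.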

Latest revision as of 16:35, 27 April 2022

NAIH (Hungary) - NAIH-180-16/2022
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 5(2) GDPR
Article 6(1) GDPR
Article 12(2) GDPR
Article 84(2) GDPR
Type: Complaint
Outcome: Upheld
Started: 15.06.2021
Decided: 02.03.2022
Published: 04.04.2022
Fine: 5000000 HUF
Parties: n/a
National Case Number/Name: NAIH-180-16/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Hungarian
Original Source: NAIH (in HU)
Initial Contributor: n/a

The Hungarian DPA issued a fine of €13,000 against a telecom operator over its online directory (which included customers' names, addresses and mobile numbers) for breaching the accountability principle and processing data without a valid legal basis, in violation of Articles 5(2) and 6(1) GDPR.

English Summary

Facts

A data subject found that his data (name, address, mobile number) were included in a public online directory operated by a telecom operator (controller). The data was obtained by the operator in 2015, when the data subject first contracted with the company, but only got disclosed in 2018, when the data subject renewed his subscription via telephone. He first requested the deletion of his data via an online form, but found later that the request was ignored. He then requested the deletion via telephone as well. This once again proved unsuccessful, in spite of the promises he received on the phone. He subsequently filed a complaint with the Hungarian DPA to enforce the deletion of his data. In the meantime, the controller deleted the data from the registry.

Holding

The Hungarian DPA (NAIH) found that the data subject's request for deletion was already fulfilled, and that therefore there was no need for the controller to act on this aspect of the complaint. However, the NAIH started an own-volition investigation into the controller's data processing practices with particular regard to data subject requests.

Subsequently, the NAIH found that the controller was in breach of the accountability principle under Article 5(2) GDPR, since it could not prove that it had received valid consent for the processing of the data subject's personal data. Moreover, it also found that since the controller had not even asked the data subject for valid consent, it had no legal grounds for processing under Article 6(1) GDPR. Finally, the NAIH held that the controller was in breach of Article 12(2) GDPR for mis-registering the data subject's request for the deletion of his data as a complaint about the service.

The NAIH decided to subsequently impose a fine on the controller. It argued that a simple reprimand would not be proportionate or dissuasive, for multiple reasons. As aggravating circumstances, the NAIH took into account the fact that the data subject had to request deletion multiple times and that the data was included in the database for more than 3 years without a valid legal ground (Article 83(2)(a)); that the controller committed multiple infringements (Article 83(2)(d)) including gross negligence in handling the case (Article 83(2)(b)); as well as that the NAIH had already warned the controller about its processing activities previously (Article 83(2)(b)).

However, the NAIH took into account as mitigating factors that the controller offered a small compensation to the data subject (Article 83(2)(c)); that it conducted the requested deletion in the meantime (Article 83(2)(f)); as well as that the NAIH missed some of its deadlines when investigating the case (Article 83(2)(k)). Subsequently, the NAIH decided to fine the controller 5,000,000 HUF (~€13,000). Given that the controller's annual turnover was more than €752,000,000, this fine is very far from the maximum threshold allowed by the GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

      Case number: NAIH-180-16 / 2022. Subject: Infringement and application
                 (NAIH-5378/2021)




                                            DECISION



      The National Data Protection and Freedom of Information Authority (hereinafter referred to as the Authority) […]
      (place and date of birth: […]; address: […]; hereinafter: Applicant) to the Authority in 2021.
      received at the request on 4 June 2006, registered in […] (registered office: […];
      hereinafter referred to as the “Requested”) in the data protection official proceedings initiated against

      makes the following decisions:

      1. The Authority shall grant the applicant's application in part and shall condemn the applicant
      because he did not delete his personal data from his online inquiry at the request of the Applicant,
      in breach of the rules governing the processing of personal data by natural persons

      the free movement of such data and Directive 95/46 / EC
      Regulation (EU) 2016/679 repealing Regulation (EU) No
      Article 17 (1) (b) of the Data Protection Regulation).

      2. The Authority will ex officio condemn the Applicant for its general data protection

      not in breach of the accountability requirement of Article 5 (2) of this Regulation
      proved that the Applicant had indeed consented to the personal data of the Applicant
      to publish it in its online directory.

      3. The Authority will ex officio condemn the Applicant for its general data protection

      in breach of Article 6 (1) of the Regulation, was disclosed by the Applicant without legal basis
      personal information in your online directory.

      4. The Authority will ex officio condemn the Applicant for failing to facilitate a
      Deletion of the Applicant's personal data by the Applicant classifying it as a complaint

      in breach of Article 12 (2) of the General Data Protection Regulation.
      paragraph.

      5. Ex officio


                                    HUF 5,000,000, ie HUF 5 million
                                          data protection fine

      order the Applicant to pay.


      6. The Authority shall reject the application in so far as it requires the Authority to:
      Applicant for the immediate deletion of the Applicant's personal data in a verified manner
      from the public inquiry, as the application has become devoid of purpose in this part.

                                                   * * *


      Within 30 days of the final adoption of this decision, the data protection fine shall be imposed by a
      Authority's centralized revenue collection special purpose forint account (10032000-
      01040425-00000000 Centralized direct debit IBAN: HU83 1003 2000 0104 0425
      0000 0000). When transferring the amount, NAIH-5378/2021. JUDGE. for
      should be referred to.

      Falk Miksa utca 9-11. Fax: +36 1 391-14100 www.naih.hualat@naih.hu


If the Applicant fails to meet the obligation to pay the fine within the time limit, the above
is required to pay a late payment surcharge on the account number. The amount of the late payment allowance is legal
interest that is valid on the first day of the calendar half-year affected by the delay
equal to the basic interest rate.

In the event of non-payment of the data protection fine and the late payment allowance, the Authority shall order a

implementation of this Decision.

There is no administrative remedy against this decision, but from the date of notification
within 30 days of the application lodged with the Metropolitan Court
can be challenged in a lawsuit. The application shall be submitted to the Authority, electronically, which shall:
it forwards it to the court together with the case file. The request for a hearing shall be made by:
must be indicated in the application. For those who do not benefit from full personal exemption

the fee for the court review procedure is HUF 30,000, the lawsuit is subject to the right to record the material fee. THE
Legal representation is mandatory in proceedings before the Metropolitan Court.


                                      EXPLANATORY STATEMENT



I. Procedure

In the letter received by the Applicant on June 4, 2021, it is a data protection official procedure
He applied to the Authority to initiate proceedings against
personal data - name, address, telephone number - are nevertheless publicly available at
He requested from his public inquiry ([…]) that he had not consented to their disclosure.


The Applicant indicated all this and his request for cancellation on 2 May 2021
telephone customer service, which was recorded by the Applicant as a complaint under number […]. THE
The Applicant promised the Applicant a period of thirty days to remove his personal data,
however, by the date of their request for data protection authority proceedings, 2021.
until 3 June - were still publicly available and from the Applicant on this
has not received any feedback by.


The Applicant has requested the Authority to request the Applicant to provide proof of personal data
immediately deleted from the public directory.


II. Clarification of the facts

1. On 15 June 2021, the Authority issued NAIH-5378-3 / 2021. case number clarifies the facts

issued an order in which the Applicant was notified of the data protection authority proceedings
and called for a statement.

2. The Applicant - the Authority, dated 20 July 2021, NAIH-5378-7 / 2021. case number
for re-clarification - sent its replies on 3 and 16 August 2021
to the Authority.


The Authority also has three audio recordings in which the Applicant is the Applicant
telephone conversations with their administrators can be heard.


3. The Applicant is May 2021. Sound recording recorded on day 2 (13 minutes 29 seconds)
sent to the Authority. Accordingly, the Applicant indicated to the Applicant's Administrator that

your personal data can still be seen in the public directory on the […] website,
that the Applicant on the Applicant's online interface approximately two weeks prior to the telephone call
initiated their deletion. The Applicant's clerk informed the Applicant that he was
despite searching the Applicant's personal data in the directory, he or she will not see a hit name
and phone number. As no progress was made in resolving the problem, the Applicant
his clerk consulted an employee of another department who was given a name
hits, not phone numbers. A staff member from another department suggested that

the Applicant's problem should be recorded in the complaint. Employee of another department
during the subsequent check, he already received a hit for a phone number, so he repeated it
advised the clerk to record in his complaint that, although it was done according to the system
deleting the Applicant's personal data from the inquiry office, but in practice this is the case
however, it is not fulfilled because the system also matches the name and phone number.

After consultation with an employee of another department, the Applicant

an administrator on a conversation with an employee of another department and a
informed the Applicant about the registration as a complaint, and also about the fact that the
the time to investigate a complaint is officially 30 days, but the administrator says it won’t take that much time
take advantage of the process. Based on the information of the Applicant's administrator by e-mail
will inform the Applicant of the outcome of the investigation of the complaint.

The Applicant will record two audio recordings (1: May 2, 2021, 9 minutes: 46 seconds; 2: June 25, 2021,

20 minutes 23 seconds). The first recording is the same as
With an audio recording sent by the Applicant, provided that the Applicant does not hear it
coordination between the administrator and the staff member of the other department.

On the second recording, the Applicant was contacted by telephone on June 25, 2021
inquired in May 2021. On the 2nd day, he made a complaint based on his number […]
and requested a copy of the telephone call of 2 May 2021 and 25 June 2021

sending. The Applicant's Administrator informed the Applicant that the May 2021
Your complaint of 2 was not properly recorded due to an operator error Requested internal
and the complaint was unduly closed and the application was therefore closed as
no further investigation or measure was connected to the closed complaint. Given that
the personal data of the Applicant recorded as a complaint under the number […] of the Applicant online
the request to delete it from his inquiry was not complied with, the complaint
has been locked, which cannot be changed due to the system, so it is new again

the problem was recorded as […] as a complaint. The Applicant is dated May 2, 2021 and June 2021
Request for a copy of the audio recordings of the telephone conversation on 25
also recorded separately.

4. Statements by the Applicant and by him and the Applicant by the Authority
On the basis of the sound recordings made available to him by the Applicant on May 2021. On the 2nd day
during the initiated telephone administration indicated to the Applicant that his / her personal data

they can be seen in the public inquiry office on the […] website, even though
Applicant on the Applicant's online interface approximately two weeks prior to the telephone call
initiated their deletion. Based on the data of the Applicant's internal records, although a
The Applicant's request for cancellation has been processed by the Applicant and the steps required for cancellation
performed, due to a technical error, the actual deletion of personal data did not take place, they
they remained available on the public inquiry interface.


This telephone call of the Applicant was recorded as a complaint under the number […] of the Applicant, and the
The requested administrator informed him that the case was officially open for thirty days
at the disposal of the Applicant.


In the absence of a reply, the Applicant will also be contacted by telephone on 25 June 2021
inquired about the action taken on his complaint under […] and requested

also send a copy of the phone call of 2 May and 25 June 2021. The Requested
The Administrator informed the Applicant that his complaint of 2 May 2021 was a one-off, managerial
was not properly recorded in the Applicant 's internal records due to an error, and
complaint has been unduly closed, so there is more to the report as a closed complaint
investigation, measure was no longer related. Given that the Applicant […] number
personal data recorded as a complaint from the Applicant's online directory
your request for cancellation has not been complied with, the complaint has been closed,

which cannot be modified due to the system operated by the Applicant, therefore
again, the problem was recorded as a new complaint, number […]. The Applicant dated 2 May and 2021
To issue copies of audio recordings of a telephone conversation on June 25, 2021
his application was also recorded separately under number […].

5. The Applicant's request for cancellation was finally repeated by the Applicant on 25 June 2021
on the basis of the application, on 5 July 2021 - informing the Applicant of the error

which was also sent to the Authority on 19 July 2021.
Confirmed back to the Applicant by letter dated […] dated
your personal data is no longer available in the Applicant's online directory. In addition, the
Applicant sent the Requested to the Applicant on August 2, 2021
sound recordings.

The Applicant also offered a gross compensation of HUF 5,000 to the Applicant for it

to alleviate the inconvenience.

6. Thus, as acknowledged by the Applicant, the Applicant's cancellation claims in May 2021 - the 2021.
approximately 2 weeks prior to the telephone administration initiated on May 2; a 2021.
Application filed as a complaint on May 2 - due to technical and administrative errors
materialized. First, the Applicant's online cancellation request is made by the Applicant
processed and took the necessary steps to delete due to a technical error

however, personal data has not actually been deleted and is still available
remained on the public inquiry interface. Subsequently, the Applicant's complaint of 2 May 2021
the Requested internal was not properly recorded due to a one-time operator error
and the complaint has been unduly closed.

According to the Applicant's statement, the statements related to data processing,
including to modify inclusion in the online directory for customers through multiple channels

they also have the opportunity to. The statement of the Applicant and the statement sent by him, a
according to the process description for changing the listing
The change initiated on the interface automatically runs through the systems of the Requested, which
the data will be updated in the Applicant's own directory within 48 hours. In force
according to current processes, the change will also be sent to the domestic inquiry within 48 hours,
however, the national database is only updated every two weeks. Given that the objection
In this case, the automatic delete did not run properly, a technical problem occurred

related subscribers in order to investigate and subsequently meet the subscriber demand
notifications were recorded as complaints in the Applicant's internal records.

7. It was also sent between the Applicant and the Applicant on 30 April 2015
a copy of the subscription contract for the prepaid service provided,
according to which the Applicant did not consent to the fact that the Applicant is
publish the name, permanent address and telephone number of the subscriber by the Applicant

reserved and in the national directory.

According to the Applicant 's statement, on the basis of the data recorded in its register, the
Due to the failure of the applicant to reconcile the annual data, the electronic communications
according to the declaration of Section 134 of Act C of 2003 on Services (hereinafter: Eht.)
(1a), in fact under paragraph 10a (d), the Applicant was obliged to contact the Applicant

terminate the subscriber contract with immediate effect. Given that the annual
due to the failure to reconcile the data, the termination has taken place, the Applicant will only
he was able to keep his number after the contract, so he was re-contracted on June 12, 2018
with the Applicant, in which case the statements made by him were also amended.

According to the Claimant's statement, the re-contract was made by telephone ([…]) when
also in accordance with the valid process, only the reconciliation of the data, and

requesting consents - including the processing of the Applicant's personal data in the directory
consent to such publication. The Applicant's administrator is the Applicant
based on their responses, the data reconciliation required by the re-contract process was required
make or request the statements and then reactivate the number
for. In the re-contract process, no contract was posted and signed by the parties
subject to the fact that the subscription contract is governed by Eht. in a way made possible by it
was created by the process by which the subscriber submits a contractual statement to the SIM

by activating the card and using the service as an implied behavior
me. At the time of the re-contract, the telephone directory consent was also given to the Applicant
on behalf of.

The Claimant's statement is in effect at the time of the re-contract, however
currently repealed, electronic communications subscriber contracts are special
2/2015 on the rules of (III. 30.) of the NMHH, the Applicant

voice recordings of telephone customer service calls from the time of recording
for 2 years, so the sound recording concerning the Applicant's re-contract has been canceled
therefore, the Applicant sent the re-contract to support the consent
a screenshot of the registered system data.


III. Applicable legal provisions


Pursuant to Article 2 (1) of the General Data Protection Regulation, this is the case here
the general data protection regulation applies to data processing.

Act CXII of 2011 on the right to information self-determination and freedom of information.
Pursuant to Section 2 (2) of the Act (hereinafter: the Information Act), the General Data Protection Act
This Regulation shall apply with the additions set out in that Regulation.


Infotv. Pursuant to Section 60 (1), the enforcement of the right to the protection of personal data
the Authority shall, upon request, initiate an official data protection procedure and of its own motion
initiate proceedings against the data protection authority. The data protection authority procedure is general
CL of 2016 on administrative order. (hereinafter: Ákr.)
apply with the additions specified in the Infotv. and the general data protection
with derogations under this Regulation.


Infotv. Pursuant to Section 60 (2): “To initiate official data protection proceedings
Article 77 (1) and Article 22 (b) of the General Data Protection Regulation
may be submitted in the case specified in

Under Article 77 (1) of the General Data Protection Regulation:
without prejudice to administrative or judicial remedies, all persons concerned shall have the right to:

make a complaint to a supervisory authority, in particular where you have your habitual residence,
in the Member State of employment or of the alleged infringement, if any
considers that the processing of personal data concerning him or her infringes this Regulation. "


According to Article 6 (1) of the General Data Protection Regulation: “Processing of personal data
lawful only if and to the extent that at least one of the following is met:

(a) the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes
treatment;
(b) processing is necessary for the performance of a contract to which the data subject is party
at the request of the party concerned or before the conclusion of the contract
necessary to do so;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is in the vital interests of the data subject or of another natural person

necessary for its protection;
(e) the processing is in the public interest or a public authority vested in the controller
necessary for the performance of the task
(f) processing for the legitimate interests of the controller or of a third party
necessary, unless those interests take precedence over such interests
interests or fundamental rights and freedoms that protect personal data
especially if the child concerned.

Point (f) of the first subparagraph shall not apply to the performance of their duties by public authorities
processing of personal data during the

Under Article 7 (3) of the General Data Protection Regulation: “The data subject shall have the right to
to withdraw his consent at any time. Withdrawal of consent shall not affect the
the lawfulness of consent-based data processing prior to withdrawal. The consent
the data subject shall be informed before Withdrawal of consent is the same

should be made possible in a simpler way than giving it. "

Under Article 12 (1) to (6) of the General Data Protection Regulation: '1. The controller
take appropriate measures to provide the data subject with personal data
all the information referred to in Articles 13 and 14 and
Each information pursuant to Article 34 shall be concise, transparent, comprehensible and easily accessible
in a clear and comprehensible manner, in particular for children

for any information to which it is addressed. The information shall be provided in writing or otherwise - including
where appropriate, the electronic route. Oral information at the request of the data subject
provided that the identity of the data subject has been otherwise established.
2. The controller shall facilitate the processing of the data subject in accordance with Articles 15 to 22. exercise of their rights under this Article. Article 11
In the cases referred to in paragraph 2, the controller shall rights under Article
may not refuse to comply with your request for the exercise of the right to exercise his
that the data subject cannot be identified.

(3) The data controller shall, without undue delay, but in any case upon request
within one month of receipt of the information. in accordance with Article
on the action taken on the request. If necessary, taking into account the application
complexity and number of applications, this deadline may be extended by a further two months.
On the extension of the time limit, the controller shall indicate the reasons for the delay a
inform the data subject within one month of receipt of the request. If concerned
submitted the application electronically, the information preferably by electronic means

unless otherwise requested by the data subject.
4. If the controller does not act on the data subject's request without delay,
but shall inform the data subject no later than one month after receipt of the request
the reasons for not taking action and the possibility for the person concerned to lodge a complaint
before a supervisory authority and may exercise its right of judicial review
5. The information referred to in Articles 13 and 14 and Articles 15 to 22 and 34
the measure shall be provided free of charge. If the data subject's request is clearly unfounded

or, in particular because of its repetitive nature, excessive, the data controller, subject to the information requested
or the administrative nature of providing the information or taking the requested action
costs:
(a) charge a reasonable fee, or,


(b) refuse to act on the application.
Demonstration of the clearly unfounded or excessive nature of the request to the controller

burden.
6. Without prejudice to Article 11, where the controller has reasonable doubts as to the application of Articles 15 to 21,
the identity of the natural person submitting the application under Article
may request the information necessary to confirm his identity. "

According to Article 17 of the General Data Protection Regulation: “1. The data subject shall have the right to request
the controller deletes personal data concerning him without undue delay,

and the data controller is obliged to make the personal data of the data subject unjustified
delete without delay if one of the following reasons exists:
(a) personal data are no longer required for the purpose for which they were collected or
treated differently;
(b) the data subject withdraws the authorization referred to in Article 6 (1) (a) or Article 9 (2)
(a) the consent which is the basis for the processing and the processing
there is no other legal basis;

(c) the data subject objects to the processing pursuant to Article 21 (1) and is not
priority legitimate reason for the processing, or Article 21 (2) is concerned
protests against data processing on the basis of
(d) personal data have been processed unlawfully;
(e) personal data are required by the law of the Union or Member State applicable to the controller
must be deleted in order to fulfill an obligation;
(f) the collection of personal data referred to in Article 8 (1)

in connection with the provision of social services.
(2) If the controller has disclosed personal data and in accordance with paragraph 1
it is required to delete the available technology and implementation costs
take such reasonable steps, including technical measures, as may be taken into account
measures to inform data controllers that
the data subject has requested from them links to the personal data in question or e
deletion of a copy or duplicate of personal data.

3. Paragraphs 1 and 2 shall not apply if the processing is necessary:
(a) for the purpose of exercising the right to freedom of expression and information;
(b) the Union or Member State rules governing the processing of personal data applicable to the controller
fulfillment of a legal obligation or in the public interest or entrusted to the controller
for the performance of a task performed in the exercise of a public authority;
(c) in accordance with Article 9 (2) (h) and (i) and Article 9 (3)
on grounds of public interest in the field of public health;

(d) for the purposes of archiving in the public interest in accordance with Article 89 (1), scientific and
for historical research or statistical purposes, in so far as the right referred to in paragraph 1 is concerned
would be likely to make such processing impossible or seriously jeopardize;
or
(e) to bring, assert or defend legal claims. "

According to Article 24 of the General Data Protection Regulation: "1. The controller shall

its scope, circumstances and purposes, and the rights and freedoms of natural persons
appropriate given the varying probability and severity of the reported risk
implement technical and organizational measures to ensure and demonstrate that
that personal data are processed in accordance with this Regulation. These are the
measures shall be reviewed and, if necessary, updated by the controller.
2. If it is proportionate to the data processing activity, it shall be referred to in paragraph 1
As part of these measures, the controller shall also apply appropriate internal data protection rules.

3. For codes of conduct approved in accordance with Article 40 or approved in accordance with Article 42
joining a certification mechanism may be used as part of the demonstration that
that the controller fulfills his obligations. ”


Under Article 25 of the General Data Protection Regulation: “1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymisation, which are designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

2. The controller shall implement appropriate technical and organizational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed. This obligation applies to the amount of personal data collected, the extent of their processing, the duration of their storage and their accessibility. In particular, these measures shall ensure that, by default, personal data are not made accessible to an indefinite number of persons without the intervention of the natural person.

3. An approved certification mechanism in accordance with Article 42 may be used as an element to demonstrate that the controller complies with the requirements of paragraphs 1 and 2 of this Article.”

According to Article 58 (2) of the General Data Protection Regulation: “Acting within its corrective powers, the supervisory authority:

(a) warns the controller or processor that its intended data processing operations are likely to infringe the provisions of this Regulation;
(b) reprimands the controller or the processor if its data processing operations have infringed the provisions of this Regulation;
(c) instructs the controller or processor to comply with the data subject's requests to exercise his or her rights under this Regulation;
(d) instructs the controller or processor to bring its data processing operations into line with the provisions of this Regulation;
(e) instructs the controller to inform the data subject of the data protection incident;
(f) temporarily or permanently restricts data processing, including a prohibition of data processing;
(g) orders the rectification or erasure of personal data or the restriction of data processing in accordance with Articles 16, 17 and 18, and orders notification, in accordance with Article 17 (2), of the recipients to whom the personal data have been communicated;
(h) withdraws a certificate or instructs the certification body to revoke a certificate issued in accordance with Articles 42 and 43, or instructs the certification body not to issue the certificate if the conditions for certification are not or are no longer met;
(i) imposes an administrative fine in accordance with Article 83, depending on the circumstances of the case, in addition to or instead of the measures referred to in this paragraph; and
(j) orders the suspension of the flow of data to a recipient in a third country or to an international organization.”

Under Article 83 (2) and (5) of the General Data Protection Regulation:
“2. Administrative fines shall, depending on the circumstances of the case, be imposed in addition to or instead of the measures referred to in points (a) to (h) and (j) of Article 58 (2). In deciding whether it is necessary to impose an administrative fine, and in setting the amount of the administrative fine, the following must be taken into account in each case:

(a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question, the number of data subjects affected by the infringement and the extent of the damage they have suffered;
(b) the intentional or negligent nature of the infringement;
(c) any measures taken by the controller or the processor to mitigate the damage caused to data subjects;
(d) the extent of the responsibility of the controller or processor, taking into account the technical and organizational measures taken pursuant to Articles 25 and 32;
(e) relevant infringements previously committed by the controller or processor;
(f) the degree of cooperation with the supervisory authority to remedy the infringement and to alleviate its possible negative effects;
(g) the categories of personal data concerned by the infringement;
(h) the manner in which the supervisory authority became aware of the infringement, in particular whether the controller or processor reported the infringement and, if so, in what detail;
(i) if one of the measures referred to in Article 58 (2) has previously been ordered against the controller or processor concerned in the same matter, compliance with the measures in question;
(j) whether the controller or processor has adhered to approved codes of conduct in accordance with Article 40 or to approved certification mechanisms in accordance with Article 42; and
(k) other aggravating or mitigating factors relevant to the circumstances of the case, for example the financial gain obtained or the loss avoided as a direct or indirect consequence of the infringement.
[…]
5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to an administrative fine of up to EUR 20 000 000 or, in the case of undertakings, an amount not exceeding 4% of the total annual worldwide turnover for the previous financial year, whichever is the higher:
(a) the principles of data processing, including the conditions for consent, in accordance with Articles 5, 6, 7 and 9;
(b) the rights of data subjects in accordance with Articles 12 to 22;
(c) the transfer of personal data to a recipient in a third country or to an international organization in accordance with Articles 44 to 49;
(d) obligations under the law of the Member States adopted pursuant to Chapter IX;
(e) non-compliance with an instruction of the supervisory authority pursuant to Article 58 (2), with a temporary or permanent restriction of data processing or with a request to suspend the flow of data, or failure to provide access in breach of Article 58 (1).”

Infotv. Section 75/A: “the Authority shall exercise the powers set out in Article 83 (2) to (6) of the General Data Protection Regulation in accordance with the principle of proportionality, in particular by taking action to remedy a breach of the requirements on the processing of personal data laid down in law or in a binding act of the European Union, in accordance with Article 58 of the General Data Protection Regulation, in particular by alerting the controller or processor.”

The Eht. According to Section 134 (10a) (d): “The subscription contract is also terminated
by mutual agreement of the parties, subject to Section 127 (4) and provided that
that the subscriber contract entered into with the implied conduct is expressed by the implied conduct

by oral or written statement, the oral subscription agreement expressly or
by a written statement, while an express subscription agreement is made in writing
may be terminated by the parties. "



2/2015 on special rules for electronic communications subscriber contracts. (III. 30.)
Pursuant to Section 25 (1) of the NMHH Decree: “Subscribers arriving for telephone customer service
the service provider is obliged to make a sound recording of the complaint and error report, which
in a retrievable manner, except in the case provided for in Section 22 (7), the notification
for a period of 2 years from the date of



IV. Decision

IV. 1. Requests for deletion of the Applicant's personal data

1. The Applicant requested several times that the Requested delete his personal data (name, address, telephone number) from its online directory. He first initiated the deletion in mid-April 2021 in the Requested's online application; due to a technical issue, the automatic deletion process affecting all of the Requested's systems did not run properly, so the Applicant's personal data were not deleted from the directory. Subsequently, on 2 May 2021, the Applicant initiated the deletion again, which was recorded as a complaint; however, due to a one-time operator error, the complaint was not duly recorded in the Requested's internal records and was unjustifiably closed, so the Applicant's personal data remained available in the online directory. On 25 June 2021 the Applicant initiated the deletion of his personal data from the online directory for the third time, given that he had not received a response to his request of 2 May 2021 and his personal data were still available. Following this third request, which was also treated as a complaint, the Requested deleted the Applicant's personal data from the online directory on 5 July 2021.

2. According to the statement of the Requested and the process description it sent on inclusion in the directory and on the modification of personal data, the display of personal data in the directory can be controlled by the data subject, and disclosure is based on the data subject's consent. This is also supported by points 35-36 of Annex 3 (Data Protection Information) to the general terms and conditions available on the Requested's website. The Requested therefore, as it acknowledges, bases the display and disclosure of personal data in the online directory on consent.

Consent, as defined in the General Data Protection Regulation, must be based on information, be voluntary and specific, and must be expressed by a clear statement or by an act unequivocally expressing confirmation.

In the case of consent-based data processing, the data subject is entitled to withdraw consent at any time.


On the basis of the statements and documents available to the Authority, under the subscriber contract for the top-up card service concluded between the Applicant and the Requested on 30 April 2015, the Applicant did not consent to the Requested publishing his name, permanent address and telephone number as a subscriber in the directory maintained by the Requested and in the national directory.

However, according to the statement of the Requested, the statements given by the Applicant were modified in the re-contract entered into on 12 June 2018; according to the register, the Applicant also gave consent to inclusion in the telephone directory, and the personal data of the Applicant were therefore included in the directory.


1
 […]



However, the Authority is of the opinion that neither the information provided by the Requested nor the screenshot of the system data recorded at the re-contract supports the voluntariness of this consent, or that the Applicant indicated by a statement or by an act unequivocally expressing confirmation that he consented to the disclosure of the personal data concerning him. Those merely certify that, in the part of the register concerning the Applicant, the field in the system data that allows his personal data to appear in the online directory has been checked.


In the case of data processing based on consent, within the meaning of Article 7 (1) of the General Data Protection Regulation the controller must be able to prove that the data subject consented to the processing of his or her personal data. However, the screenshot of the system data recorded at the re-contract, sent by the Requested, does not prove, in the absence of a contract signed by the parties, that the consent was given by the Applicant himself.


Under the principle of accountability in Article 5 (2) of the General Data Protection Regulation, the data controller is responsible for complying with the data protection principles and must be able to demonstrate such compliance. On this basis, the data controller is obliged to document and record the data processing in such a way that its lawfulness can be demonstrated ex post.


In view of the above, since it cannot be proved that the display of the Applicant's personal data in the online directory was marked in the Requested's system data as a result of a voluntary declaration by the Applicant or of an act unequivocally expressing confirmation, the Authority notes that the Requested is unable to demonstrate compliance with the data protection principles in this respect and has therefore infringed the principle of accountability under Article 5 (2) of the General Data Protection Regulation.


Consequently, since it has not been established that the Applicant actually agreed to the disclosure of his personal data in the Requested's online directory, or that the Requested had an appropriate legal basis for the disclosure, the Authority finds that the Requested, in breach of Article 6 (1) of the General Data Protection Regulation, disclosed the Applicant's personal data in its online directory without a legal basis.


3. In the Authority's opinion, the Applicant's requests recorded by telephone, which the Requested classified as complaints, were requests to exercise the rights of the data subject, namely to have the Applicant's personal data deleted, as he specifically requested the deletion of his personal data from the Requested's online directory.

The Authority accordingly examined them under the rules on the erasure of personal data.

Among the rights of data subjects, the General Data Protection Regulation governs the right to erasure. On this basis, given that the Requested, in its statement and in point 35 of Annex 3 of the General Terms and Conditions on data management information, indicated consent under Article 6 (1) (a) of the General Data Protection Regulation as the legal basis for processing the personal data available in the online directory, under Article 17 (1) (b) of the General Data Protection Regulation the data subject has the right to have the controller, at his or her request, delete the personal data concerning him or her without undue delay, and the controller is obliged to delete the personal data of the data subject without undue delay if the data subject withdraws the consent on which the processing is based pursuant to Article 6 (1) (a) and there is no other legal basis for the data processing.


In the present case, even without examining the validity of certain conceptual elements of consent, it can be stated that the Requested, on the basis of its declaration and registration system, managed and published the Applicant's personal data in its online directory on the basis of consent after the re-contract dated 12 June 2018. As described above, the Authority found that it had not been demonstrated that the Applicant had in fact consented to the disclosure of his personal data in the Requested's online directory; however, this fact was only revealed in the present proceedings. When the Applicant submitted his requests for the deletion of personal data, the Requested was aware that it had disclosed the personal data with the consent of the Applicant and that the Applicant was requesting the withdrawal of this consent. The Requested was therefore obliged, pursuant to Article 17 (1) (b) of the General Data Protection Regulation, to delete the personal data of the Applicant from the directory.


The obligations of the controller regarding how to provide information about the deletion of personal data are detailed in Article 12 of the General Data Protection Regulation.

It can be stated that the Applicant first withdrew his consent to the processing of his personal data and initiated their deletion in April 2021 in the Requested's online application; due to technical or administrative errors, the deletion took place only on 5 July 2021, after the Requested became aware of the data protection authority procedure.

On the occasion of his telephone inquiry on 2 May 2021, the Applicant indicated that about two weeks earlier he had electronically initiated the deletion of his personal data from the online directory. On the basis of this information, it can be concluded that the Requested deleted the Applicant's personal data after exceeding the deadline, more than two months later, without extending the deadline and without having provided information on the measures taken on the basis of the request. If the Applicant had not indicated his problem by telephone on two occasions, the Requested would not have taken action to comply with the data subject's request. Consequently, the Authority finds that the Requested did not comply with the Applicant's request to delete personal data, in violation of Article 17 (1) (b) of the General Data Protection Regulation. The technical error or the error of its clerks does not relieve the Requested of the responsibility of the data controller.


4. In addition, in view of the finding in point 3 above that, although the Requested classified the Applicant's requests recorded by telephone as complaints, they were requests for the deletion of the Applicant's personal data, the Authority also took into account Article 12 (2) of the General Data Protection Regulation, a provision concerning the exercise of the rights of the data subject, in the present case a request for the deletion of personal data. Based on this, the data controller is obliged to facilitate the exercise of the data subject's rights. Contrary to this, in the present case the Requested treated the Applicant's requests for the deletion of his personal data as complaints. It had to be clear to the Requested that it must act in accordance with the General Data Protection Regulation in relation to these requests, as the Applicant clearly stated that he was requesting the deletion of his personal data from the online directory, which had been preceded by an electronic deletion process he had initiated himself on the Requested's online interface, and that he was not making a complaint against the service provided by the Requested.


On the basis of the above, the Authority finds of its own motion that the Requested has infringed Article 12 (2) of the General Data Protection Regulation, as it did not facilitate the deletion of the Applicant's personal data.

IV. 2. Partial rejection of the application

On July 5, 2021, the Requested deleted the Applicant's personal data from the online directory. The Requested also confirmed the deletion of the personal data to the Applicant in 2021, in a letter dated 19 July 2006 […] that was also sent to the Authority. The Authority, reviewing the directory page, found that the Applicant's personal data are indeed no longer available in the public directory.

Consequently, although the Applicant requested the Authority to call on the Requested to delete his personal data immediately and in a certified manner, the Authority rejects the application in this respect, as it has become unfounded.



V. Legal consequences

In its decision, the Authority, at the request of the Applicant and pursuant to Article 58 (2) (b) of the General Data Protection Regulation, condemned the Requested because it did not delete the Applicant's personal data from its online directory at his request, in violation of Article 17 (1) (b) of the General Data Protection Regulation.

Acting ex officio, pursuant to Article 58 (2) (b) of the General Data Protection Regulation, the Authority also condemned the Requested because, in breach of the accountability requirement under Article 5 (2) of the General Data Protection Regulation, it has not demonstrated that the Applicant actually consented to his personal data being published in its online directory. The Authority therefore also condemned the Requested ex officio because, in breach of Article 6 (1) of the General Data Protection Regulation, it disclosed the Applicant's personal data in its online directory without a legal basis.

Acting ex officio, pursuant to Article 58 (2) (b) of the General Data Protection Regulation, the Authority reprimanded the Requested because, by recording the Applicant's telephone requests as complaints, it did not facilitate the deletion of the Applicant's personal data, in breach of Article 12 (2) of the General Data Protection Regulation.

The Authority examined whether the imposition of a data protection fine on the Requested was justified. In this context, the Authority considered all the circumstances of the case in accordance with Article 83 (2) and (3) of the General Data Protection Regulation and Infotv. Section 75/A, and found that, in the case of the infringements detected in the present proceedings, a warning is neither a proportionate nor a dissuasive sanction; it is therefore necessary to impose a fine.

In setting the amount of the fine, the Authority took into account, in particular, that the infringement committed by the Requested counts as an infringement falling within the higher category of fines pursuant to Article 83 (5) (b) of the General Data Protection Regulation.


When setting the amount of the data protection fine, the Authority took into account as aggravating circumstances that

    - with the active participation of the Applicant, a total of three requests were made to delete the personal data from the online directory [Article 83 (2) (a) of the General Data Protection Regulation];
    - the personal data of the Applicant were available in the online directory without a legal basis for a long time, from 12 June 2018 to 2021 [Article 83 (2) (a) of the General Data Protection Regulation];
    - the personal data of the Applicant have become public [Article 83 (2) (g) of the General Data Protection Regulation];
    - the Requested has committed several infringements [Article 83 (2) (d) of the General Data Protection Regulation];
    - the infringements committed by the Requested are due to negligence resulting from technical and administrative errors [Article 83 (2) (b) of the General Data Protection Regulation];
    - the Authority has on one previous occasion found the Requested to have committed a data protection infringement, an infringement of the data subject's right of rectification under Article 16 of the General Data Protection Regulation (Decision No […]) [Article 83 (2) (e) of the General Data Protection Regulation].


When setting the amount of the data protection fine, the Authority took into account as mitigating circumstances that

    - the Requested offered the Applicant a gross compensation of HUF 5,000 to alleviate the inconvenience caused to him [Article 83 (2) (c) of the General Data Protection Regulation];
    - the Requested deleted the Applicant's data from its online directory as a result of the official data protection procedure [Article 83 (2) (f) of the General Data Protection Regulation];
    - the Authority exceeded the administrative deadline [Article 83 (2) (k) of the General Data Protection Regulation].

The Authority did not consider Article 83 (2) (h), (i) and (j) of the General Data Protection Regulation relevant to the imposition of the data protection fine on the Requested, as they cannot be interpreted in the context of the specific case.

The net sales revenue of the Requested in 2020 was in the order of HUF 284,000.00 million, so the data protection fine imposed is far from the maximum fine that could be imposed.


VI. Other issues

The powers of the Authority are laid down in Section 38 (2) and (2a) of the Infotv.; its jurisdiction covers the whole country.

The present decision of the Authority is based on Art. 80-81. § and Section 61 (1) of the Infotv. Pursuant to Section 82 (1) of the Ákr., the decision becomes final upon its communication. Pursuant to Section 112, Section 116 (1) and (4) (d) and Section 114 (1) of the Ákr., there is an administrative remedy against the decision.

                                              * * *


Pursuant to Section 135 of the Ákr., the debtor is obliged to pay a late payment supplement at a rate corresponding to the statutory interest if he fails to meet his obligation to pay money on time.

Pursuant to Section 6:48 (1) of Act V of 2013 on the Civil Code, in the case of a monetary debt the debtor shall pay, from the date of default, interest on arrears equal to the central bank base rate valid on the first day of the calendar half-year affected by the delay.

The rules of administrative litigation are laid down in Act I of 2017 on the Procedure of Administrative Litigation (hereinafter: Kp.). Pursuant to Section 12 (1) of the Kp., the administrative lawsuit against the decision of the Authority falls within the jurisdiction of the court; pursuant to Section 13 (3) (a) (aa), the Metropolitan Court has exclusive jurisdiction. Pursuant to Section 27 (1) (b) of the Kp., legal representation is mandatory in a dispute in which the tribunal has exclusive jurisdiction. Pursuant to Section 39 (6) of the Kp., the application has no suspensory effect on the entry into force of the administrative act.


Pursuant to Section 9 (1) (b) of Act CCXXII of 2015 on the general rules of electronic administration and trust services, applicable in accordance with Section 29 (1) of the Kp. and, in this regard, Section 604 of Act CXXX of 2016 on Civil Procedure, the client's legal representative is obliged to communicate electronically.

The time and place of the submission of the application is Section 39 (1). THE
Information on the possibility of requesting a hearing is provided in the CM. Section 77 (1) - (2)

based on.

The amount of the fee for an administrative lawsuit shall be determined in accordance with Section 45/A (1) of Act XCIII of 1990 on Fees (hereinafter: Itv.). Section 59 (1) and Section 62 (1) (h) of the Itv. exempt the party initiating the proceedings from the advance payment of the fee.


If the Requested does not meet the required payment obligation in an appropriate manner, the Authority considers that it has not complied with the obligation within the time limit. According to Section 132 of the Ákr., if the Requested fails to comply with the obligation contained in the final decision of the Authority, it is enforceable. Pursuant to Section 82 (1) of the Ákr., the decision of the Authority becomes final upon communication. Pursuant to Section 133 of the Ákr., enforcement is ordered by the decision-making authority, unless a law or government decree provides otherwise. Pursuant to Section 134 of the Ákr., enforcement is carried out by the state tax authority, unless a law, a government decree or, in a municipal authority case, a decree of the local government provides otherwise.

In the course of the procedure, the Authority exceeded the administrative deadline of one hundred and fifty days under Section 60/A (1) of the Infotv.; therefore, pursuant to Section 51 b) of the Ákr., it pays ten thousand forints to the Applicant, at his choice by bank transfer or postal order.


Date: Budapest, March 2, 2022


                                                               Dr. Attila Péterfalvi
                                                                      President
                                                                c. professor