NAIH (Hungary) - NAIH-2727-2/2022.: Difference between revisions

From GDPRhub


The Hungarian DPA imposed a fine of approximately €25,000 on a debt-collecting company, which based its claim to an inheritance of a data subject on unjustified grounds, as well as for multiple and recurring violations of the GDPR.


== English Summary ==


=== Facts ===
The data subject submitted to the DPA that the controller purchased a claim on 7 December 2015, based on an inheritance. The Data Subject, following a notice received on 23 June 2021, called the Controller at 11:58 a.m. (first phone conversation) to inform the Controller about the following:


* the person – whose inheritance was the basis of the claim – died in 2013, with assets of less than HUF 100,000 (approximately €250), funeral expenses of more than HUF 300,000 (approximately €750), and the heirs are legally liable only up to the amount of the inherited estate,
* even if there had been an estate (in excess of the debt), the claim was time-barred and therefore not enforceable in court,
* the Data Subject has no intention of paying the claim out of court.


The Data Subject attached the following documents to his claim:


* a screenshot of an outgoing call,
* the Controller's letter dated 11 June 2021, titled “Information and demand for payment”,
* a letter from the Controller informing the Data Subject that it is closing the case and will delete any personal data relating to the Data Subject within 3 working days, while retaining a copy of the probate order for record-keeping purposes as required by law,
* the audio recording of a phone conversation (second phone conversation) with the Controller on 15 July 2021 at 18:03, where the Data Subject requested the Controller to send him the audio recording made earlier (first phone conversation). The Data Subject further referred in this audio to the fact that he had also submitted a request for deletion of his personal data during the first phone call and asked on what grounds his personal data would not be deleted, but the administrator of the Controller could not find any reference to the first phone conversation and referred to the fact that requests for deletion of personal data must be submitted in writing.


According to the Data Subject, the Controller was fully aware, after the purchase of the claim, that it could not pursue it in court, and that it is clearly not by accident that the Controller has not even tried to enforce it until now. The Data Subject claimed that this is precisely the infringement in relation to data management: the Controller is able to harass the Data Subject until the end of time, since the Controller itself decided not to start legal proceedings within the limitation period. The data processing by the Controller is therefore unlawful, since the purpose of the processing (legitimate interest) did not exist even before the limitation period. Therefore, the processing for contact customer identification purposes – related to the data processing based on legitimate interest – cannot be lawful and fair.


The Data Subject also suggested that the way the Controller handled the contact request on 15 July 2021 (or more precisely, neglected it, as it did not even record the verbal claim) is against data protection provisions as well. In his phone call to the Controller, the Data Subject also specifically alleged that the Controller, by the processing of the data at issue, had prolonged the Data Subject's grieving process, as the Controller's letter of request had upset him at a time when he was calming down in his grief.
The Controller claimed that it had initiated the proceedings against the Data Subject based on an administrative error. According to the Controller's procedure for the administration of estates – where the value of the estate is less than the costs of obtaining the estate –, the Controller shall promptly arrange for the case to be closed. Unfortunately, the case was not closed. It was determined in an internal review that the Data Subject's verbal objection was fully justified and the Controller's phone operator failed to record the Data Subject's verbal objection as a complaint and instead requested that the objection be sent in writing. The Data Subject did not contact the Controller in writing.
As a result, the Controller has closed the case and has irretrievably deleted the related personal data from its records. The Controller has notified the Data Subject of the closure of the case and that it will delete all personal data within 3 working days, while retaining a copy of the probate order (including name, date and place of birth of the Data Subject, as well as his mother's name) based on its legal obligation to keep records under Act CCXXXVII of 2013 on Credit Institutions and Financial Enterprises with regard to the legal obligation on the basis of [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]]. A copy of the notification was sent to the Data Subject, together with a screenshot confirming the deletion, and has been forwarded to the DPA.
=== Holding ===
The DPA consulted the written procedure on data processing available on the website of the Controller, which separates the processing of data in the area of debt recovery from the processing of phone conversations in the context of lending activities. In the context of debt recovery, the purposes include: documenting reconciliations, legal declarations, requests (e.g. instalment agreements) in relation to debt management, ensuring the accountability of the Controller, bringing and defending legal claims, providing both parties with evidence for enforcement.
 
The legal basis for processing is [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] in the context of debt recovery. The duration of the processing is determined based on Act V of 2013 on the Civil Code, according to which the limitation period is 5 years. The Controller referred to the retention of complaints under Section 288 of Act CCXXXVII of 2013 on Credit Institutions and Financial Enterprises only for phone conversations in connection with its lending activities.


(In the present proceedings, the DPA did not examine the limitation of claims in relation to the data processing of the Controller, as it is not within the competence of the DPA. It is a matter for the courts to decide on this preliminary question. The Controller has registered a claim against the Data Subject in respect of which the Data Subject has not submitted a court decision stating that it does not exist, so that legitimate interest in the processing of the claim registered by the Data Subject may in principle exist.)


In the DPA's view, the reference to an administrative error does not relieve the Controller from its liability as controller, given that the Controller is the controller within the meaning of [[Article 4 GDPR#7|Article 4(7) GDPR]].


On the identity of the controller: the Controller also invoked two independent administrative errors in the context of the case complained of. One administrative error related to the initiation of debt recovery proceedings against the Data Subject, and the other related to the failure of the phone operator to treat the Data Subject's phone call as a complaint or a request from a data subject. The two “administrative errors”, which occurred independently of each other, constitute major negligence. The launching of the debt recovery procedure is an internal decision; launching a process that involves the performance of tasks and the drafting and sending of a claim letter by several persons can be considered major negligence as well.


On the processing for debt management purposes: the Controller admitted that it processed the personal data of the Data Subject for debt management purposes by mistake and contrary to its policies describing its processes. However, the DPA emphasized that the Controller did not discover the administrative error by itself, but by the two separate phone calls and the DPA procedure initiated by the Data Subject. Pursuant to [[Article 17 GDPR#3b|Article 17(3)(b) GDPR]], a data subject's request for erasure cannot be complied with if the processing of personal data is required by law. The Controller is lawfully processing the probate order (and the personal data of the Controller therein) based on [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]].


On the audio recording: it is accepted as a fact that the Data Subject had a phone conversation with the Controller, as the Controller, in its response to the DPA, submitted that the matter had been reviewed and that it had been found that the Controller's phone operator had erred in failing to register the Data Subject's verbal complaint. However, the Controller failed to provide this recording to the DPA. It can therefore be concluded that the Controller, in its review of the DPA's order, listened to the audio recording and drew conclusions from it, and that there was an audio recording of the conversation between the Controller and the Data Subject. This is further supported by the fact that the Controller's phone operator, during a call on 15 July 2021, noted, “I see that you had a consultation with us earlier on 23 June 2021, with our colleague, so you would like to request this recording.” In view of the above, it can therefore be concluded that the Controller, after becoming aware of the DPA proceeding, deleted audio material, the retention of which would have been justified for the purposes of the proceeding, in particular in view of the principle of accountability, and would therefore have had a legal basis under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]].


On the verbal request of the Data Subject: the GDPR allows the provision of information verbally in response to a data subject's request, as [[Article 12 GDPR#1|Article 12(1) GDPR]] specifically provides for this. Nevertheless, during the phone calls, the Data Subject was informed by the operators that his request for erasure had to be made in writing. Since the GDPR does not impose any formal requirements for the submission of a data subject request, the Controller is not entitled to do so and, by refusing to accept the data subject request submitted during the recorded phone conversation on formal grounds, it has breached [[Article 12 GDPR#1|Article 12(1) GDPR]].


On erasure of personal data and access request: the Controller stated that the Controller's employee (phone operator) was negligent by failing to record the Data Subject’s complaint and instead requested that the objection be sent in writing. In the DPA's view, human error cannot be accepted as a ground for excuse because the Controller, as the data controller, is responsible for the proper management of the workflow in its area of activity.

Revision as of 07:57, 22 June 2022

NAIH - NAIH-2727-2/2022.
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 5(1)(b) GDPR
Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 12(1) GDPR
Article 12(4) GDPR
Article 13 GDPR
Article 15(3) GDPR
Act CCXXXVII of 2013 on Credit Institutions and Financial Enterprises (Hpt.)
Act V of 2013 on the Civil Code (Ptk.)
Type: Complaint
Outcome: Partly Upheld
Started: 14.06.2021
Decided: 11.02.2022
Published: 11.02.2022
Fine: 10000000 HUF
Parties: n/a
National Case Number/Name: NAIH-2727-2/2022.
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Hungarian
Original Source: Hungarian DPA (in HU)
Initial Contributor: Abel Kaszian

The Hungarian DPA imposed a fine of approximately €25,000 on a debt management company that failed to accept a verbal request for erasure.

English Summary

Facts

The Controller – a debt management company – sought to collect, from an heir, a debt left by a person who died in 2013.

The Data Subject, following a notice received on 23 June 2021, called to inform the Controller that, in his view, the claim is not justifiable. Under the Hungarian Act V of 2013 on the Civil Code, a claim expires after 5 years, and heirs are liable only up to the amount of the inherited estate. The Data Subject also asked the Controller to erase all personal data regarding this case. As the Controller took no measures, the Data Subject called a second time on 15 July 2021 and requested that the Controller send him the audio recording made earlier. The Controller's phone operator could not find any reference to the first phone conversation and informed the Data Subject that the request for erasure must be submitted in writing.

After the Controller received the inquiry of the DPA, it claimed that it had initiated the proceedings against the Data Subject based on an administrative error. It was determined in an internal review that the Data Subject's verbal request for erasure was fully justified and that the Controller's phone operator had failed to register it as a complaint.

As a result, the Controller notified the Data Subject that it had irretrievably deleted the related personal data from its records, while retaining a copy of the order of the public notary about the estate (including the name, date and place of birth of the Data Subject, as well as his mother's name) based on its legal obligation to keep records under Act CCXXXVII of 2013 on Credit Institutions and Financial Enterprises and also with regard to the legal obligation on the basis of Article 6(1)(c) GDPR.


Holding

During the proceedings, the Controller referred to two independent administrative errors. One was the initiation of the debt collection process against the Data Subject, and the other was the failure of the phone operator to treat the Data Subject's call as a request for erasure. In the DPA's view, the reference to an administrative error does not relieve the Controller from its liability, given that it is the controller within the meaning of Article 4(7) GDPR. The initiation of the debt collection process was an internal decision of the Controller, involving several employees, and can therefore be considered major negligence on the Controller’s part.

In the DPA's view, human error cannot be accepted as a ground for excuse, because the Controller is responsible for the proper management of its workflows and its employees.

The DPA also emphasized that the Controller did not discover the administrative error by itself, but through the two separate phone calls and the DPA proceedings initiated by the Data Subject.

The Controller also failed to provide the phone recordings to the DPA. The DPA therefore concluded that the Controller, after becoming aware of the DPA’s proceedings, deleted the audio material, the retention of which would have been justified for the purposes of the proceedings, in particular based on the principle of accountability, and would therefore have had a legal basis under Article 6(1)(f) GDPR.

The Data Subject was informed by the phone operators that the request for erasure had to be made in writing. Since the GDPR does not impose any formal requirements for the submission of a data subject request, the Controller is not entitled to do so and, by refusing to accept the data subject request, it has breached Article 12(1) GDPR as well.

The DPA held that, pursuant to Article 17(3)(b) GDPR, a data subject's request for erasure cannot be complied with if the processing of personal data is required by law. The Controller was lawfully processing the personal data included in the order of the public notary about the estate based on Article 6(1)(c) GDPR. Apart from this, any processing of personal data was unlawful.



English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

Case number: NAIH-2727-2 / 2022.
Subject: Partial application decision and termination order
History: NAIH-5732/2021.




   The National Data Protection and Freedom of Information Authority (hereinafter referred to as the Authority) […]
at the request of the applicant (hereinafter referred to as the “Applicant”) (hereinafter referred to as the
hereinafter referred to as the “Applicant”)
data protection authorities

take the following decisions in the procedure:

I. 1. In its decision, the Authority shall issue the Applicant's application on 25 May 2018
in so far as it seeks to establish the unlawfulness of its subsequent processing

                                          gives place and


I.2. finds that the Applicant has violated

    - the processing of personal data by natural persons
       the free movement of such data and repealing Directive 95/46 / EC
       Regulation (EU) No 2016/679 (hereinafter referred to as the GDPR or General
       Article 5 (1) (a) and (b) of the Data Protection Regulation,
    - Article 5 (2) of the GDPR,

    - Article 6 (1) of the GDPR,
    - Article 12 (1) and (4) of the GDPR,
    - Article 13 of the GDPR, and
    - Article 15 (3) of the GDPR.

II. The Authority shall include in the Applicant's request a decision on the information

CXII of 2011 on the right to self-determination and freedom of information Act (a
hereinafter: Infotv.) pursuant to Section 61 (2)

                                           rejects.


III. Unlawful processing of the Applicant's personal data in its order
the period prior to 25 May 2018
and the deletion of your personal data

                                         terminates.


IV. In its decision, the Authority shall inform the Applicant ex officio about the unlawful data processing carried out by it
because of

                              10,000,000 HUF, i.e. ten million forints

                                      data protection fine

obliges to pay.

                                              * * *

The data protection fine governing the initiation of judicial review

after the expiry of the time limit or, in the case of a review, 15
the settlement forint account of the collection of centralized revenues of the Authority within days
(10032000-01040425-00000000 Centralized direct debit account IBAN: HU83 1003 2000 0104
0425 0000 0000). When transferring the amount, NAIH-5732/2021. JUDGE.
number should be referred to.

   If the Applicant fails to meet the obligation to pay the fine within the time limit, it shall be delayed

must pay a supplement. The rate of the late payment interest is the statutory interest, which is in arrears
equal to the central bank base rate valid on the first day of the calendar half-year concerned. The fine and the
in the event of non-payment of the late payment allowance, the Authority shall order enforcement of the decision.

V. In view of the fact that the time limit has been exceeded, the Authority shall, by order,
Payment of HUF 10,000, i.e. ten thousand forints, by the Authority to the Applicant - in writing

by bank transfer or postal order.

                                              * * *

I., II. and IV. Decision III. administrative appeal against the order
it has no place, but it is addressed to the Metropolitan Court within 30 days of the communication

may be challenged in an administrative action. The application shall be submitted to the Authority,
electronically, which forwards it to the court together with the case file. Against the order
in a lawsuit, the court acts in a simplified lawsuit. Not in full personal exemption
for the beneficiaries, the fee of the administrative lawsuit is HUF 30,000, the lawsuit is subject to the right to record material fees.
Legal representation is mandatory in proceedings before the Metropolitan Court.



                                          EXPLANATORY STATEMENT

I. Procedure

I.1. At the request of the Applicant, the Infotv. Pursuant to Section 60 (1), on June 24, 2021
data protection authority proceedings have been initiated.


The application did not contain the sound recording referred to by the Applicant, which confirms that
The applicant did not explain that the
The form in which the Applicant (written or telephone) was rejected by the Applicant concerned
nor did he substantiate his rejection
The Applicant, and therefore the Authority, did not attach a court decision establishing the statute of limitations to his application
and NAIH-5732-2 / 2021. In his order no.
5732-2 / 2021. in a document registered under number.


I.2. The Authority shall notify the Applicant in accordance with NAIH-5732-4 / 2021. notified the procedure in order no
and called for a statement for the first time in order to clarify the facts,
with reference to CL of 2016 on General Administrative Procedure. Act (a
hereinafter: Ákr.), to which the Applicant's reply was received on 16 August 2021
to the Authority (NAIH-5732-5 / 2021).


On the basis of the Applicant's statement, the Authority considered that the clarification of the statement
it is again necessary to invite the Applicant to make a statement in order to clarify the facts,
and issues essential to the disclosure of the circumstances of the case
In its reply, the Applicant did not detail the data management objected to by the Applicant
operations and the examination of new circumstances has become warranted and will therefore be re-declared
called for clarification of the facts in his order of 10 September 2021, to which
the Applicant sent a letter to the Authority by letter dated 24 September 2021

(NAIH-5732-9 / 2021).
The Applicant in its response to the previous statements contradictory statements

did not specify how the Applicant's personal data was deleted, therefore the Authority
for the third time in its order of 14 October 2021, called on the
Applicant. (NAIH-5732-10 / 2021.) The deadline given by the Applicant for this call is the last one
In a letter dated
requested an extension of 15 days, but did not give reasons for its request.
The Authority granted the request for an extension in part, giving it 9 days
allowed an extension of the deadline. However, the Applicant day, so 11

delayed the request by one day and argued that the
order partially granting the application for an extension 10.11.2021. on the day of
for delivery to the Applicant.

I.3. The Authority has issued NAIH-5732-15 / 2021. s. notified the Applicant in its file that
the evidentiary procedure has been completed. The Authority shall issue an order to that effect as evidenced by the return receipt
Applicant 25.11.2021. The deadline for submitting declarations was reached on 03.12.2021.

day has passed. The Applicant did not send a statement to the Authority.

II. Clarification of the facts

II.1. In his application and rectification, the applicant stated the following:

II.1.1. In his application, the applicant requested:


- the investigation of the data processing of the Applicant,
- finding of unlawful data processing,
- erasure of unlawfully processed data,
an instruction from the controller to bring its data processing operations into line with the
data protection provisions,
- examine the data processing practices of the Requested, in particular the "real purpose"

with regard to data management, and
- the decision made against the Applicant by Infotv. Pursuant to Section 61 (2)
to the public.

II.1.2. The following documents / screenshots were attached to the application by the Applicant
in copy:


    - screenshot of an outgoing call (to […]),
    - on 11.11.2021. letter of information and request for payment dated
    - a letter from the Applicant [….] notifying the Applicant,
       to close the Applicant's case and to the Applicant as a trader
       deleted personal data will be deleted within 3 working days, at the same time the transferor
       keep a copy of the order due to the registration obligation required by law.


In addition to the above, the Applicant shall, in the framework of the rectification of deficiencies, on the day at 18:03
attached the audio of a telephone conversation. This sound recording was made by the Applicant,
and in this requested the Applicant to send the previously recorded sound recording (23.06.2021)
for you. The Applicant further referred in this audio recording to the former
He also submitted a request for cancellation during the telephone call and asked to do so
the reasons why your personal data will not be deleted, but the administrator will not do so
found a reference in its records and argued that it should be in writing the applications concerned

to submit. The Applicant's administrator was unable to provide information on the Applicant's question
provide information on the legal or other provisions under which the data subject is not complying
requests only if received in writing. At the beginning of the recording, the clerk a
Applicant's personal information includes the mother's birth name, as well as the Applicant's birth name
requested the provision of a place and time, which the Applicant later accused of
as he questioned why this was necessary.

The audio recording testifies that in addition to the above, the Claimant and the Claimant are the claim

he talked about its legitimacy and enforceability. The Applicant argued that the inheritance was not
covers the debts of the testator, and the Applicant, as heir, is not obliged to settle the
for the debts of the testator if the value of the inheritance exceeds the debts. According to the Applicant
the Applicant, as a receivables management company, should be aware of this. The Applicant
and also accused the Applicant of failing to enforce the
claim and is now trying to recover it illegally.


II.1.3. In its request to the Authority, the Applicant detailed the data processing complained of
According to the following:

The Applicant stated that the Applicant had purchased a claim on 7 December 2015, which was
It demands from the petitioner the title of “inheritance”. Received by the Applicant on 23.06.2021, a
Following a summons registered with the applicant at case number […], at 11:58 a.m. by telephone
informed the Applicant of the following facts of which the Applicant was aware:

    - the original obligor died in 2013, with assets under HUF 100,000, over HUF 300,000
       funeral expenses, and the heirs are liable only to the extent of the estate,
    and that, even if there had been a will (in excess of the debt),
       the claim is time-barred and therefore not enforceable in court,
    - the Applicant does not intend to pay the claim out of court.

The Applicant also referred in its application that it had informed the Applicant that the

his right to enforce his claim ceased and drew the Applicant's attention
that the Applicant is aware of this (since the Applicant 's data are only available to the
made it possible to obtain an inheritance order) and requested the deletion of the personal data of the data subject.

According to the Applicant, the Applicant affected the Applicant's application without giving reasons
he rejected. The Administrator of the Requested has stated that he will continue to handle the data and
attempted to collect additional information about the Applicant.


The Petitioner also argued that the Claimant's claim was already time-barred and therefore outstanding
personal data of the Applicant could no longer be processed with reference to a claim
however, he did not attach a court decision to his application in this regard.

According to the Applicant, the Applicant is fully aware of the claim after the purchase
was that he could not enforce the claim in court. The Applicant is clearly not

accidentally failed to enforce the claim in the 5 years since the assignment. The Applicant
According to the
The Applicant may harass the Applicant until the end of the time, as it is up to the Applicant to decide
that he will not bring legal proceedings within the limitation period.

The processing of the data requested by the applicant is therefore manifestly unlawful, since the purpose of the processing is legitimate
interest) did not exist even before the limitation period. It follows directly from this that

that derivative data processing related to the enforcement of a legitimate interest (contact
for customer identification purposes) cannot be legal or fair.

The Applicant also referred to the fact that the conduct as the Applicant is
handles the request on the basis of the testimony of the audio recording made on 15 July 2021 (i.e.
more precisely, as it does not even record oral indications), obviously
contrary to data protection provisions.


In his telephone call to the Applicant, the Applicant specifically referred to the fact that a
Applicant with the infringed data management of the Applicant's mourning process in the wrong direction
affected, for the Applicant's letter of formal notice upset him just as he was in mourning
calmed down.


II.2. According to the Requested's statement filed under no. NAIH-5732-5/2021:


The Applicant shall transfer the case from the date of assignment, at the request of the Authority
reviewed and found that:

On 7 December 2015, […] assigned the claim to the Applicant. The Applicant,
pursuant to [….],
was registered as the legal heir of the Applicant on 20 September 2016.


The Applicant has initiated recovery proceedings against the Applicant due to an administrative error.
According to the Requested's probate procedure, if the value of the estate indicated
in a final transfer order is less than the
costs related to the acquisition of the estate, the Applicant shall take immediate action to
close the case. Unfortunately, the case was not closed in the Applicant's case.


Upon review of the case, it was found that the Applicant's oral complaint
was fully substantiated and that the Requested's telephone operator staff member committed an omission
when he did not accept the submissions made by the Applicant as an oral complaint and instead requested
that the objection be sent in writing. The Applicant did not contact the Applicant in writing.

Due to the above, the Applicant has closed the case and the Applicant, as a party to the transaction and
has deleted his / her related personal data from his / her register in an irreversible manner. The
Applicant has notified the Applicant that the case has been closed and that, as a party to the transaction
all personal data will be deleted, this will be done within 3 working days, the order of transfer of the estate
a copy of it shall, however, be retained by the Applicant with respect to that prescribed by law
registration obligation. A copy of the notice sent to the Applicant and the cancellation
The Applicant forwarded the screenshot to the Authority.

According to the Applicant, in the event of a statute of limitations, he shall proceed as follows:


Act V of 2013 on the Civil Code (hereinafter: the Civil Code) 6:23. § as
provides that a time - barred claim may not be enforced in court
this does not affect the existence of an obligation to provide the service. It's outdated
claim, therefore, the Civil Code. rights, which are granted by the Applicant as the right holder
may not be taken into account ex officio. If it is
at the request of the person concerned, the court shall examine all the circumstances of the enforcement of the claim

in which case the Applicant shall terminate the processing and the data shall be processed
deletes data.

II.3. In its declaration filed under no. NAIH-5732-9/2021, the Requested provided the following
information:

Deletion of data of the Applicant's previously processed personal data

in view of the fact that the Applicant is not in a position to provide accurate information, the Applicant
can generally declare that the debtors are personally identifiable as well as contact
manages your data.

The transfer order and the personal data contained therein (Applicant
name, place and date of birth, name of mother) of the Applicant on credit institutions and financial
CCXXXVII of 2013 on enterprises is a legal obligation with regard to Section 258 of the Act

with reference to Article 6 (1) (c) of the GDPR. The Applicant does not
has the audio material of the conversation with the Applicant, as the Applicant is
In addition to the personal data indicated in the transfer order, the Applicant is all
has deleted his personal data as he has closed the transaction as referred to above.



The Applicant further substantiated by documentary evidence that the purchase of
his claim, in which […] was entered in the Register of the Claimant as his legal heir

the Applicant, has not expired until the detection of the administrative error in view of the fact that the old Civil Code.
a written request for the performance of a claim shall be deemed to be an act interrupting the limitation period
summons, as well as the recognition of the debtor's debt, the settlement of the claim by agreement
amendment and judicial enforcement.

II.4. In its statement registered under no. NAIH-5732-13/2021, the Applicant
provided the following information:


The personal data of the Applicant was deleted on 11 August 2021. The Authority stated
to send telephone conversations with the Applicant
a copy of his audio recording, given that they are covered by the Complaints Management Regulations (8/2020).
(X.01.) 8.2. for 5 years, the Applicant replied as follows:

In its first reply to the Authority, the Applicant stated that the telephone operator
staff member committed an omission when he did not record the Applicant's oral objection as an oral complaint and
instead asked the Applicant to send his complaint in writing.
In view of the fact that no sound recording was found in the Applicant's register,
which was recorded as an oral complaint in connection with the Applicant and in writing
nor was it filed, the Applicant did not take care of the statutory
retention of a complaint.


The Applicant has also stated that, as amended by the previous order, the Applicant is personal
with regard to the processing of his data, that, as he has a legal obligation to
make a backup copy of the registration system, therefore the personal data of the Applicant
it is still stored as a backup. Access to this personal information
limited and may not be used for purposes other than providing backup.

The obligation to make a backup is the responsibility of financial institutions, insurers and

reinsurers, as well as investment firms and commodity exchange service providers
42/2015 on the protection of the (III.12.) (Hereinafter:
Government Decree) 5 / B. § d) for the Applicant.

The deadline for extending the deadline in the letter sent by the Applicant on the last day of the deadline for the call
applied to the Authority for an extension of 15 days
however, he did not substantiate his request. The Authority took into account that the Applicant

not previously missed a deadline. However, in the Authority’s view, the deadline
The request for an extension was not duly substantiated as the Applicant did not indicate the
the reasons for his request and the fact that he was at the time of the Authority's third call
necessary because the Applicant did not respond fully to previous calls or
in some places his statement was also contradictory.

In view of the above, the Authority considered the 15 - day extension to be excessive, as

Applicant did not provide any reason that would have clearly prevented it from doing so
11/5/2020 comply with the order by the day. The Authority shall request an extension
granted the request in part by granting an extension of 9 days. THE
However, it was applied for on 15.11.2021. on the day before, so he complied with the request by 11 days,
and argued that the Authority granted the request for an extension in part
Order of 10/11/2017 was served on the Applicant on the day that the Authority
provided that the deadline for submitting the declaration was 05.11.2021. until the day

extended it.

II.5. The Authority consulted the data management information available on the Applicant's website,
which reads as follows:



II.5.1. In connection with the recovery of a claim, the personal data of the Applicant shall be given priority
referred to in Article 6 (1) (f) of the GDPR.


II.5.2. In connection with data management during voice recording, the following
included

The Data Protection Information of the Applicant separates it in the field of debt collection
data management (point 11) and in connection with lending activities
telephone conversation (point 12).


In the context of debt collection, the following objectives have been set, inter alia:
reconciliations, legal statements, requests related to receivables management (eg installment payment
agreement), ensuring the accountability of the data controller, legal claims
submission, protection, ensuring proof of enforcement related to both parties
for.


The legal basis for data processing is Article 6 (1) (f) GDPR with recovery of claims
context. The duration of data processing is regulated by Act V of 2013 on the Civil Code. (the
hereinafter referred to as the Civil Code) limitation period 6.21-6.25. Was determined on the basis of §
limitation period 5 years).

The Applicant is the Hpt. For the retention of a complaint pursuant to Section 288 only with its lending activity
telephone conversations.


III. Applicable legal provisions

The GDPR applies to the processing of personal data wholly or partly by automated means
and to the processing other than by automated means of personal data
which form part of a filing system or are
intended to form part of a filing system. Pursuant to Section 2 (2) of the Infotv., the GDPR
shall apply to data processing covered by the GDPR with the additions indicated therein.

According to Article 5 (1) (a) and (b) of the GDPR:

Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject
("lawfulness, fairness and transparency");

(b) collected for specified, explicit and legitimate purposes and not further processed
in a manner that is incompatible with those purposes; further processing for archiving purposes in the
public interest, scientific or historical research purposes or statistical purposes shall, in accordance
with Article 89 (1), not be considered to be incompatible with the initial purposes
("purpose limitation");

Under Article 5 (2) of the GDPR, the controller shall be responsible for, and be able to demonstrate
compliance with, paragraph 1 ("accountability").

Article 6 (1) of the GDPR:

(c) the processing of personal data is lawful insofar as it is
necessary for compliance with a legal obligation to which the controller is subject.

(f) the processing of personal data is lawful if the processing is
necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except
where such interests are overridden by the interests or fundamental rights and
freedoms of the data subject which require protection of personal data, in particular where the data subject is a
child.


Under Article 12 (1) to (6) of the GDPR:

(1) The controller shall take appropriate measures to provide any information referred to in
Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing
to the data subject in a concise, transparent, intelligible and easily accessible form, using clear
and plain language, in particular for any information addressed specifically to a child.
The information shall be provided in writing, or by other means, including, where appropriate,
by electronic means. When requested by the data subject, the information may be provided orally,
provided that the identity of the data subject is proven by other means.

(2) The controller shall facilitate the exercise of data subject rights under Articles 15 to 22.
In the cases referred to in Article 11 (2), the controller shall not refuse to act on the request
of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller
demonstrates that it is not in a position to identify the data subject.

(3) The controller shall provide information on action taken on a request under Articles 15 to 22
to the data subject without undue delay and in any event within one month of receipt of the request.
That period may be extended by two further months where necessary, taking into account the complexity
and number of the requests. The controller shall inform the data subject of any such extension
within one month of receipt of the request, together with the reasons for the delay. Where the
data subject makes the request by electronic means, the information shall be provided by electronic
means where possible, unless otherwise requested by the data subject.

(4) If the controller does not take action on the request of the data subject, the controller
shall inform the data subject without delay and at the latest within one month of receipt of the request
of the reasons for not taking action and on the possibility of lodging a complaint with a
supervisory authority and seeking a judicial remedy.

(5) Information provided under Articles 13 and 14 and any communication and any actions taken
under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject
are manifestly unfounded or excessive, in particular because of their repetitive character, the
controller may either:
(a) charge a reasonable fee taking into account the administrative costs of providing the information
or communication or taking the action requested; or
(b) refuse to act on the request.
The burden of proving that the request is manifestly unfounded or excessive is on the controller.

(6) Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity
of the natural person making the request referred to in Articles 15 to 21, the controller
may request the provision of additional information necessary to confirm the identity of the data subject.

Pursuant to Article 15 (3) of the GDPR, the controller shall provide a copy of the personal
data undergoing processing to the data subject. For additional copies requested by the data subject
the controller may charge a reasonable fee based on administrative costs. Where the data subject
submitted the request by electronic means, the information
shall be provided in a commonly used electronic format, unless otherwise requested by the data subject.

Pursuant to Article 17 (1) GDPR, the data subject has the right to obtain from the controller
the erasure of personal data concerning him or her without undue delay, and the controller
shall be required to erase the personal data without undue delay
if one of the following reasons exists:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected
or otherwise processed;
(b) the data subject withdraws the consent on which the processing is based according to Article 6 (1) (a)
or Article 9 (2) (a), and there is no
other legal basis for the processing;
(c) the data subject objects to the processing pursuant to Article 21 (1) and there are no
overriding legitimate grounds for the processing, or the data subject
objects to the processing pursuant to Article 21 (2);
(d) the personal data have been processed unlawfully;
(e) the personal data have to be erased for compliance with a legal obligation in Union or
Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of information society
services referred to in Article 8 (1).


Pursuant to Article 17 (3) of the GDPR, paragraphs 1 and 2 do not apply if
the data processing is necessary:
(b) for compliance with a legal obligation which requires processing by Union or Member State law
to which the controller is subject, or for the performance of a task carried out
in the public interest or in the exercise of official authority vested in the controller.

Under Article 21 (1) of the GDPR, the data subject is entitled, on grounds relating to his or her
particular situation, to object at any time to processing of personal data concerning him or her
which is based on Article 6 (1) (e) or (f),
including profiling based on those provisions. In this case
the controller may no longer process the personal data unless the controller demonstrates
compelling legitimate grounds for the processing which override
the interests, rights and freedoms of the data subject or which relate
to the establishment, exercise or defence of legal claims.

Under Article 77 (1) GDPR, without prejudice to any other administrative or judicial remedy,
every data subject shall have the right to lodge a complaint with a supervisory authority,
in particular in the Member State of his or her habitual residence, place of work or place of the
alleged infringement, if the data subject considers that the processing of personal data relating to
him or her infringes this Regulation.

Under Article 58 (2) (b) GDPR, the supervisory authority, acting within its corrective
powers:

(b) issues reprimands to the controller or the processor where processing operations
have infringed the provisions of this Regulation;

(i) imposes an administrative fine in accordance with Article 83, depending on the circumstances of the case,
in addition to or instead of the measures referred to in this paragraph;


Under Section 17 of the Ákr., the authority shall examine its powers and competence ex officio at all
stages of the proceedings. If it notices the absence of either and the authority competent in the case
can be established beyond doubt, it shall transfer the case; failing this, it shall reject the application
or terminate the proceedings.

Pursuant to Section 46 (1) of the Ákr., the authority shall reject the application if
(a) there is no statutory condition for instituting proceedings and this Act does not
attach any other legal consequence to it.

Pursuant to Section 47 (1) of the Ákr., the authority shall terminate the proceedings if
(a) the application should have been rejected but the reason for it came to the attention
of the authority after the initiation of the procedure.


Infotv. Pursuant to Section 38 (2b), the Authority shall provide personal data in Section (2)
the role of litigant in the proceedings and the
in non-litigious proceedings, by a court in accordance with the rules applicable to them
data processing operations shall not be covered by paragraph 3
exercise their powers.



Pursuant to Section 60 (1) of the Infotv., in order to enforce the right to the protection of personal data,
the Authority shall, at the request of the data subject, initiate a data protection authority procedure and
may initiate ex officio data protection proceedings.

Pursuant to Section 61 (1) of the Infotv., in its decision made in the data protection authority proceedings, the
Authority
  a) in connection with the data processing operations specified in Section 2 (2) and (4)
may apply the legal consequences set out in the GDPR,
  b) in connection with the data processing operations specified in Section 2 (3) may
  ba) establish the unlawful processing of personal data,
  bb) order the correction of inaccurate personal data,
  bc) order the blocking, erasure or destruction of personal data which have been unlawfully
processed,
  bd) prohibit the unlawful processing of personal data,
  […]
  bg) impose a fine,


Infotv. Pursuant to Section 71 (1), during the proceedings of the Authority - for the conduct thereof
to the extent and for the time necessary - may process all personal data as well as by law
data covered by the obligation of professional secrecy and professional secrecy
which are dealt with in order to ensure the efficient conduct of the proceedings
required.


Infotv. 75 / A. § pursuant to Article 83 (2) - (6) of the General Data Protection Regulation
exercise the powers set out in paragraph 1 in accordance with the principle of proportionality,
in particular by providing for the law or regulation on the processing of personal data
Requirements laid down in a binding act of the European Union
Article 58 of the General Data Protection Regulation
in particular by alerting the controller or processor.


Infotv. Pursuant to Section 61 (2), the Authority may order its decision - the data controller,
and the publication of the identity of the processor,
if
  (a) the decision affects a wide range of persons,
  (b) it was made in the context of the activities of a public body, or
  (c) the gravity of the infringement justifies disclosure.


Infotv. Pursuant to Section 61 (5), the Authority in deciding whether it is justified to
the imposition of a fine pursuant to paragraph 1 (b) (bg) and the amount of the fine
account of all the circumstances of the case, in particular the infringement
the size of the population involved, the gravity of the infringement, the imputability of the conduct and the
whether the personal data relating to the processing of personal data have previously been established against the infringer
infringement.


Section 169 (1) - (2) of Act C of 2000 on Accounting (hereinafter: the Accounting Act)
pursuant to paragraph
1. An undertaking shall draw up accounts for the financial year and a report on them
supporting inventory, valuation, general ledger extract, as well as the logbook or other information required by law.
for at least 8 years in a legible form in accordance with the requirements of
keep.
(2) The accounting document supporting the accounting accounts directly and indirectly

(including general ledger accounts, analytical and detailed records), at least 8
shall be retrievable in a legible form for a period of one year and may be retrieved by reference to the accounting records
way to preserve.

Pursuant to Section 166 (1) of the Accounting Act, an accounting document is any document
issued or made by the undertaking, or issued or made by a natural person or other economic operator
in a business or other relationship with the undertaking (invoice, contract,
agreement, statement, credit institution statement, bank statement, legal provision, other
document which may be classified as such), whatever its printing or other method of production, which
supports the accounting of the economic event.

Pursuant to Section 288 (1) of the Hpt., the financial institution and the independent intermediary shall
ensure that the client can communicate a complaint concerning the conduct or activities of the financial
institution or the independent intermediary orally (in person, by telephone) or in writing (by a document
delivered in person or by another person, by post, facsimile or e-mail). The
rules on complaint handling shall also apply to a person who
contacts the financial institution or independent intermediary for the purpose of using the service but
does not use the service.

A Hpt. Pursuant to Section 7 (1), a financial institution is a credit institution and a financial undertaking.

A Hpt. Pursuant to Section 9 (1), it is a financial enterprise

  a) a financial institution which, in accordance with Section 3 (1) (d) and (e) and Section 8 (2)
one or more financial services,
or operates a payment system, and

A Hpt. Under Section 3 (1), financial services for the following activities are business-like
in HUF, foreign currency or currency:
  ….

  (l) receivables purchasing activity.

A Hpt. 67 / A. § (1), the activity of financial service provider - the additional financial
may only be performed using an IT system
line, which ensures the closure of system components and prevents IT
unauthorized access to the system and unauthorized modification. IT
the system must also comply with the general information security confidentiality requirements.

To this end, the credit institution shall provide administrative, physical and logical arrangements
compliance with the general information security confidentiality requirements.

Government Decree 5 / B. § d), the IT system complies with Hpt. 67 / A. § (1)
of the Bszt. § 12 (12) - (14), the Fsztv. 12 / A. § and the Bit. Section 94 (4) -
(6), with the closure of the system components, to the IT system
to prevent unauthorized access and unauthorized modification, and

general information security confidentiality requirements if the live operation system
the data backup and recovery policy ensures a secure restore of the system; and
backup-restore has been tested with frequency and documented according to the relevant regulations.

IV. Decision:

IV.1. Data management prior to May 25, 2018


On 7 December 2015, […] assigned the claim to the Applicant. The Applicant,
on the basis of […] a final transfer order (hereinafter: transfer order) […],
was registered as the legal heir of the Applicant on 20 September 2016.

However, in spite of the above, the Authority will only process data after 25 May 2018

examined the Applicant for the following reasons:

In the present proceedings, the Authority only examined the data processing of the Requested
carried out after 25 May 2018; therefore, pursuant to Section 47 (1) (a) of the Ákr.,
the Authority terminated the procedure in the part of the request concerning the examination of
data processing before 25 May 2018, as the request did not
comply with Section 60 (2) of the Infotv., since
the General Data Protection Regulation was not yet applicable in this part of the data processing period
complained of by the applicant.
Thus, the Authority may not initiate official data protection proceedings upon request.

IV.2. The issue of limitation of a claim

According to the Applicant, the claim that the Applicant intends to collect against him has already taken place
expired, however, the Applicant disputed this and argued that the Civil Code. 6:23. § (4)
limitation may not be taken into account ex officio in judicial or administrative proceedings.


In the present proceedings, the Authority did not examine the limitation of the claim in connection with
the data processing of the Requested, because under Section 38 (2) - (2a) of the Infotv. ruling on it does
not fall within the competence of the Authority. It is for the courts to decide this question.

The Applicant has registered a claim against the Applicant in connection with which the
The applicant did not attach a court decision finding that it did not exist,

therefore, with regard to the claim registered by the Applicant, the data processing a
a legitimate interest may in principle exist.

IV.3. Person of the data controller

According to the data of the company register, the main activity of the Applicant is a receivables management activity.


The Authority has established, on the basis of the Applicant's statements, that the data processing under consideration
the purpose of the processing in connection with the above - mentioned activity in the case in question, and
assets are determined independently by the Applicant and therefore pursuant to Article 4 (7) of the GDPR
data controller in connection with the processing of the Applicant's personal data.

In the Authority 's view, the reference to an administrative error does not exempt
Claimant from the responsibility of the controller, given that Article 4 (7) of the GDPR

the Applicant qualifies as a data controller. The Applicant is the one who organizes the
the process of data management and establishes its conditions. The most important feature of a data controller
is that it has substantive decision-making power and responsibility for data management
for fulfilling all the obligations set out in the General Data Protection Regulation.

The Working Party on Data Protection set up under Article 29 of the Data Protection Directive (hereinafter
Working Party on Data Protection) 1/2010 on the concept of "controller" and "processor".
He also stated in his opinion that “Ultimately, the company or body needs to
be held responsible for the processing of data and arising from data protection legislation
unless there are clear indications that a natural person is a
responsible. […] However, even in such cases where a specific natural person is appointed,

to ensure compliance with data protection principles or to process personal data, that is
the person will not be a data controller but a legal entity (company or
acting on behalf of the public body, which remains responsible for the principles in its capacity as data controller
in the event of a breach. "

The Applicant carried out two independent proceedings in connection with the case complained of
also referred to an administrative error. One of the administrative errors is against the Applicant
the other administrative error related to the initiation of the recovery procedure is the telephone
omission by the operator, as a result of which the Applicant did not make a telephone call
treated as a complaint or a claim by a data subject. The two were realized independently
"Administrative error" means a high degree of negligence, as if it occurred in the first case

administrative error, in which case it would be viable that the Applicant’s first indication
so, following his phone call on June 23, 2021, action will be taken to correct this, however
this was not done, not even at the time of the Applicant's second telephone call (15 July 2021)
the Applicant was instructed to investigate this case because of an administrative error in the
conditions.


The initiation of the recovery process is an internal decision; initiating the process
presupposes the performance of duties by several persons and the preparation and sending of an issued
letter, which is why this
can be assessed as a high degree of negligence and carelessness.

IV.4. Management of the Applicant's personal data


IV.4.1. Data management for receivables management purposes

The Applicant acknowledged that it was in error and in its claims management business processes
Controlled by the descriptive regulations, the Applicant handled the claim for personal purposes
as the Applicant was registered as the heir as a trader, as a debtor a
in his register, even though his estate did not cover the debts of the testator, and

based on this, the Civil Code. nor, accordingly, on the basis of the Applicant's internal regulations
may be required to pay the debt to the heir.

On the basis of the assignment agreement, the Applicant became the holder of a claim against the debtor and his successors in title (his heirs), and in order to enforce the claim it had a legitimate interest in the processing of personal data necessary for that purpose; in principle, the purpose of the data processing can be established on the basis of legal regulations and the purpose of data processing counts as lawful.

Article 5 (1) (b) of the GDPR states, among the principles of data processing, that personal data may be collected for lawful purposes and may not be processed in a manner incompatible with those purposes.

From the disposition order obtained by the Applicant on 20.09.2016 from the local government competent according to the debtor's place of residence, in which the Applicant is named as heir, it is clear that the amount of debts exceeds the amount of active assets. Notwithstanding this, after receipt of the order it sent payment orders to the Applicant to settle the debt.

Pursuant to Section 7:96 (1) of the Civil Code, the heir is liable to the creditors for the debts of the estate with the objects of the estate and their benefits; the Authority therefore considers that the Applicant unlawfully processed the Applicant's personal data for the purpose of claim management and infringed Article 5 (1) (b) of the GDPR from the entry into force of the GDPR, i.e. 25 May 2018, to the date of deletion of the Applicant's personal data, i.e. 21 August 2021.

According to the Applicant's statement, the Applicant deleted on 21 August 2021 the personal data processed for the purpose of claims management, after detecting that the case had not been closed due to an administrative error. However, the Authority concluded from the facts that it was not the Applicant who detected the administrative error, but the Applicant who reported it to the Applicant, made two telephone calls and also initiated data protection official proceedings before the Authority; the Applicant's attention was therefore drawn to the fact that, under the Civil Code, recovery proceedings may not be instituted in respect of that claim. However, the Applicant did not take action to examine the data management until after receiving the Authority's order, as in a letter dated 11 August 2021 the Applicant

stated that “Our company, at the request of the T. Authority, has referred the matter for assignment
reviewed and found the following with effect from. […] Review of the case
On the basis of this, it was found that the Applicant's oral complaint was in full
was well-founded and an employee of our telephone operator failed to take it
instead of submitting the submissions made by the Applicant as an oral complaint, in writing
objection. […]
As a result of the above investigation, our Company has closed the case and the

Applicant as a transaction operator and related personal data in a non-retrievable manner
deleted from its register. "

IV.4.2. The legal basis for the processing of the Applicant's personal data for claims management purposes


According to the Data Protection Information of the Applicant, the data processing for the purposes of receivables management is carried out under Article 6 (1) (f) of the GDPR, i.e. with reference to a legitimate interest.

Due to the provisions of point IV.4.1, the legitimate interest in the processing of the data did not take priority over the rights and interests of the Applicant, and the Applicant therefore could not rely on Article 6 (1) (f) of the GDPR in this case.
With regard to this purpose of data processing, the Applicant is referred to in Article 6 (1) of the GDPR

nor did it have a specific contractual legal basis (Article 6 (1) (b) GDPR),
in view of the fact that the Applicant, as a concessionary claim for management purposes
only a legal basis under Article 6 (1) (f) of the GDPR can be accepted for the processing of personal data. The
Kúria Kf.V.39.291 / 2020/5. upheld by judgment of 14 September 2020,
In its final judgment, the Authority shared this view on the applicability of the contractual legal basis
position. The Metropolitan Court of the European Data Protection Board, 2/2019. in its recommendation no
considered the performance of the contract as a legal basis

should be interpreted narrowly and does not automatically cover non-compliance data processing,
or that only by sending a reminder of payment or the normal course of the contract
the processing of data relating to the diversion may fall under the legal basis of the performance of the contract, the original
however, this is not the case for data processing for the purpose of receivables management after the termination of the contract
applicable.

Of the additional legal bases set out in Article 6 (1) of the GDPR, point (a), consent, and point (c), due to a lack of legal obligation, are not applicable; Article 6 (1) (e) of the GDPR may not be invoked by the Applicant at all, given that it does not carry out an activity in the public interest and does not have a public authority license.

On the basis of the above, it can be concluded that the Applicant, from the entry into force of the GDPR, i.e. 25 May 2018, to the date of deletion of the Applicant's personal data, i.e. 21 August 2021, was in breach of Article 6 (1) of the GDPR in its data processing for the purposes of debt management.

IV.4.3. Retention obligation required by law

IV.4.3.1. Legacy transfer order

The Applicant processes the transfer order and the personal data contained therein (the Applicant's name, place and date of birth, mother's name) with regard to Section 258 of Act CCXXXVII of 2013 on credit institutions and financial enterprises (hereinafter: Hpt.), with reference to Article 6 (1) (c) of the GDPR.

Pursuant to Section 258 (1) of the Hpt., a financial institution keeps the records of its business-like activities in Hungarian, in accordance with the provisions of Hungarian accounting legislation, in a manner suitable for both supervisory and central bank control.


Pursuant to Section 166 (1) and Section 169 (1) to (2) of Act C of 2000 on Accounting (hereinafter: the Act), personal data shall be recorded and kept by the data controller for 8 years from the termination of the business relationship or from the execution of the transaction order.

Pursuant to Article 17 (3) (b) GDPR, an application for cancellation cannot be fulfilled if the processing of personal data is required by law.


In view of the above, it can be concluded that the Applicant lawfully processes the transfer order (and the Applicant's personal data contained in it) on the basis of Article 6 (1) (c).



However, the law only imposes an obligation to store; it does not permit the stored personal data to be used.


IV.4.3.2. Sound recording

According to the data management information of the Applicant, telephone conversations conducted with data subjects are recorded and preserved during the limitation period specified in the Civil Code. The Applicant argued that no such audio material was available in connection with the Applicant.


It can be accepted as a fact that the Applicant had a telephone conversation with the Applicant, as the Applicant stated in his statement on order No. NAIH-5732-4 / 2021 that, at the request of the Authority, the case was reviewed and it was established that the Applicant's administrator made a mistake because he did not register the Applicant's oral complaint as a complaint. It can be concluded from this that, during the review carried out at the request of the Authority, the Applicant listened to the sound recording concerned and drew conclusions from it, so there was a sound recording of the conversation between Applicant and Applicant. This is also supported by the fact that during the call on 15 July 2021 the Applicant's administrator remarked:
with us earlier, with your colleague, you will want to request this recording. ”

In view of the above, it can be concluded that the Applicant, while aware of the present data protection authority proceedings, deleted the audio material, the preservation of which would have been justified for the procedure, in particular with regard to the principle of accountability, and would therefore also have had a legal basis under Article 6 (1) (f) GDPR. Maintaining it would also have been justified for another purpose, since if the review had established that a complaint was also made during the conversation, Section 288 of the Hpt. also provides for such a preservation obligation.

Not about the preservation of the audio material of the telephone conversation with the Applicant

care is also controversial because the Applicant himself acknowledged that the Applicant
he also made a complaint during the first telephone conversation, which - the Applicant
due to the omission of his employee, he did not adjudicate. He was affected by such “complaints”
may be classified as an application taking into account different criteria. THE
The Applicant stated that he had submitted an application to the Applicant, establishing this
it would also have been necessary to preserve the sound material in question at a later date
in order to prove whether the Applicant has lawfully classified the complaint in question as

the non-affected application. Not about preserving the audio of a phone conversation
care actually covers cancellation as it is known for Requested telephone conversations
related to its data management information and considering that based on it
all initiated by the parties concerned to the Customer Service of the Applicant
automatically records a telephone conversation (this is also indicated by the machine voice during the call),
therefore, he also had to record telephone conversations with the Applicant.


The Applicant does not record the preservation of the audio material of the telephone conversation with the Applicant
did not examine whether it was obliged under Article 5 (2) of the GDPR
retained and did so by the time it was deleted by the present data protection authority
proceedings were pending, so in any case the Applicant had to expect that
the applicant must be able to deal with the Authority's claims against the Authority.

In view of the above, the Authority found that the Applicant, by deleting the telephone conversations conducted with the Applicant and thus being unable to account for them to the Authority, infringed Article 5 (2) of the GDPR.

The Authority also mentions here that the Applicant is also involved in the purchase of receivables
financial institution Hpt. Pursuant to § 288, he is also obliged to keep it with the recovery of claims
complaints received in this context, so the Data Protection Information of the Requested

is incorrect, as it refers only to Hpt.
To the obligation to keep a complaint under § 288. Obligations prescribed in the Credit Institutions Act

non-compliance with the conservation obligation
the Authority cannot make any findings because it also performs financial consumer protection tasks
It is within the competence of the Magyar Nemzeti Bank. However, the Authority erred in the Request
with regard to its information management information note, the
The applicant also infringed Article 12 (1) of the GDPR and Article 13 of the GDPR.

IV.5. Data subject requests


Pursuant to Article 12 (1) of the GDPR, the controller must take appropriate measures in order to provide the information concerning the data subject's request in a concise, transparent, comprehensible and easily accessible form, in a clear and comprehensible manner. The information shall be provided in writing or by other means, including, where appropriate, by electronic means.


IV.5.1. Data subject requests can also be made orally

According to point 5.1 of Data Management Document 4/2020. (05.06.), entitled Procedures for Telephone Recovery Experts, sent by the Applicant to the Authority, if the data subject generally objects to the processing of all his data or to the existence of the claim, then it is primarily for the administrator to argue that the claim exists in the records and that the Applicant has an appropriate legal basis for the processing of personal data, and to inform the data subject on what legal basis it handles personal data. If the argument is unsuccessful, it is necessary to arrange for the erasure of everything that can be erased on the interface. Regarding other data that cannot be erased on the interface, the data subject may be told that his complaint will be investigated and that he will be informed in writing once his application has been processed.

The GDPR does not rule out the possibility of providing oral information to the data subject upon request, as Article 12 (1) of the GDPR provides for this separately. Nevertheless, during telephone calls the Applicant's operators provided information that requests for cancellation had to be submitted in writing. As the GDPR does not prescribe a form for the submission of requests by data subjects, the Applicant is not entitled to do so either, and by refusing to accept a request made by the data subject by telephone during a recorded call on grounds of form, it acted in breach of Article 12 (1) of the GDPR.


IV.5.2. Deletion of personal data and request for access

Like the withdrawal of consent, the exercise by the data subject of the right to object under Article 21 of the GDPR also gives rise to an obligation to cancel. In this case, the data controller may only continue processing personal data on compelling legitimate grounds.

The Applicant alleges that during the telephone conversation he was informed of his application

rejects the administrator and insists that the data subject submit his / her request in writing to the
To the applicant. The Applicant did not make it available to the Authority with the Applicant
telephone conversations, claiming that he does not store such conversations, but a
Applicant with the Administrator of the Applicant 2021. 07.15. on the day of the call
made a sound recording. This audio recording refers to the previous one, 20/20/2021. continued on
a telephone conversation and a request made by the data subject in connection therewith, in connection with which the
The Applicant's Administrator shall inform the Applicant that the requests concerned must be made in writing

to submit. However, this only applies to the cancellation request because the Applicant in this
in the conversation on 20.06.2021. the audio of the conversation on the day
asked for his release. The administrator, after reconciling the necessary data, informed that
will be sent. In view of the fact that the Authority referred to the made on
due to the lack of audio material, the request for protest and cancellation referred to by the Applicant a
was unable to examine its performance and did not make any findings in that regard.

However, the requested audio material was not sent to the Applicant, despite the fact that data reconciliation and identification took place and the telephone administrator recorded the request; thus the Applicant has violated the Applicant's right of access under Article 15 (3) GDPR, and, as he did not reply at all and thus did not explain the reason for the failure to comply with the request for access, he also violated Article 12 (4) of the GDPR.

The Applicant stated that the Applicant's employee (telephone operator) committed an omission by failing to record the Applicant's complaint, instead requesting that the objection be sent in writing. In the Authority's view, human negligence cannot be accepted as grounds for exemption, because the Requested as a data controller is responsible for the careful organization of its workflows, which include the receipt of data subject requests and the response to them within the deadline.

IV.6. The principle of transparency


During the data protection authority proceedings, the Applicant acknowledged in his reply letter No. NAIH-5732-13 / 2021 that he keeps a backup copy of the Applicant's personal data; however, in its letter dated 10.08.2021 it did not inform the Applicant of this, only about the cancellation and the custody of the transfer order.

A Hpt. 67 / A. § (1) with the IT systems used by financial service providers

requirements for financial institutions to use IT
Government Decree 5 / B. § explains in more detail, i.e
determines how the requirements prescribed in the Credit Institutions Act must be complied with a
financial undertakings. One such criterion is that the live system data backup and
restore system to ensure a safe restore of the system, and this requires
to back up the system. Backups, copies
preparation is a prerequisite for the secure operation of the IT system as well as the Applicant

continuing to purchase receivables, and therefore the legal basis for the processing of personal data contained in backups is the legal obligation under Article 6 (1) (c) of the GDPR.

The policy of the Requested on backups and their handling is not public to data subjects, including the Applicant. The Applicant did not inform the Applicant that his personal data is still included in the backup, in what cases backups may be used, or when the Requested permanently deletes the backups. However, this is not acceptable, because under the principle of transparency set out in Article 5 (1) (a) of the GDPR, which covers the complete data management process, the data subject must in all cases be informed of the fact of the data processing and of the important circumstances related to it.

Due to the above, the Applicant violated the principle of transparency under Article 5 (1) (a) of the GDPR.

IV.7. Applicant's comments on the request for an extension of the deadline

The Authority emphasizes that Ákr. does not expressly provide for an application for an extension of time
in the context of its assessment and thus does not provide for it in certain cases
required. Given that the Applicant did not even explain why he was requesting a

extension and could not, in principle, expect the Authority to grant his request,
furthermore, the Applicant can only blame himself for the request for an extension of the time limit
written on the last day of the deadline for completion of the call. In the opinion of the Authority
if, due to any justifiable circumstance, the controller is unable to comply with the
shall inform the Authority, stating the exact circumstances.


IV.8. Request for publication of the decision against the Applicant


The Authority rejected the Applicant's request for disclosure of the decision against the Applicant, since the application of this sanction does not directly affect either a right or a legitimate interest of the Applicant, and such a decision of the Authority does not confer any right or obligation on him; consequently, with regard to the application of this legal consequence, which falls within the scope of the public interest, the Applicant does not qualify as a customer pursuant to Section 10 (1) of the Ákr., and since it does not comply with Section 35 (1) of the Ákr., there is no room for a request in this regard and this part of the submission shall not be construed as an application.


IV.9. Legal consequences

IV.9.1. The Authority granted the Applicant's request in part and, under Article 58 (2) (b) GDPR, condemns the Applicant for violating:

- Article 5 (1) (a) and (b) of the GDPR,

- Article 5 (2) of the GDPR,
- Article 6 (1) of the GDPR,
- Article 12 (1) and (4) of the GDPR,
- Article 13 of the GDPR, and
- Article 15 (3) of the GDPR.

III.9.2. As a result of the above infringements, it has become necessary to establish a legal consequence, on which the Authority decides acting within its statutory discretion.

The Authority examined of its own motion whether the imposition of a data protection fine against the Applicant was justified. In this context, on the basis of Article 83 (2) of the GDPR and Section 75 / A of the Infotv., the Authority considered ex officio all the circumstances of the case and found that, for the infringement detected in the present proceedings, a warning is neither a proportionate nor a dissuasive sanction; it is therefore necessary to impose a fine.


In imposing the fine, the Authority took the following into account as aggravating factors:

    1. The violation is serious because the Applicant has committed several violations of principles. (GDPR
       Article 83 (2) (a))


    2. The infringement is serious as the Applicant's sphere of interest was significantly affected by the fact that
       the Applicant tried to collect a claim against him, for the fulfillment of which the Civil Code. 7:96. §
       Under paragraph 1. The gravity of the infringement is aggravated in particular by the fact that
       the applicant's mourning process in connection with the deceased relative was aggravated by the
       He applied that the Applicant had to deal with a case that he already had
       considered closed by law, considering the Civil Code. related provisions. The Applicant a
       In his telephone call to the Applicant, he specifically referred to the Applicant

       the unlawful data processing affected the Applicant's mourning process in the wrong direction,
       for he was disturbed by the letter of summons of the Requested just when he was in mourning
       calmed down. For reasons attributable to the Applicant, the Applicant had to indicate several times
       to the Applicant that for the purpose referred to it (claim management) the Applicant
       you may not lawfully process your personal information. (GDPR Article 83 (2) (a))

    3. The illegal data processing lasted for a long time (between 25 May 2018 and 11 August 2021,
       until the deletion of the unlawfully processed personal data). (GDPR Article 83 (2) (a))

    4. The violation caused by unlawful data processing by the Requested is partly intentional,
       because the fulfillment of its obligation under Article 5 (2) of the GDPR
       cannot be traced back to the telephone operator's failure to act.
       (GDPR Article 83 (2) (b))


    5. The Applicant deleted the telephone conversations with the Applicant and relied on its
       employees' error instead of accepting liability, for which reason it can be concluded that it did not
       cooperate with the Authority. (Article 83 (2) (f) GDPR)

    6. The Authority has previously condemned the Applicant several times in the GDPR
       as follows:


              - Article 12 (2) of the GDPR and Article 5 (1) of the GDPR
                NAIH / 2019/1841. Resolution No
                also for breach of Article 5 (1) (a) of the GDPR.
                3957-1 / 2021 and NAIH / 2020/308 due to violation of Article 15 of the GDPR.
                and


              - a violation of Article 6 (1) of the GDPR has already taken place in the Applicant
                NAIH / 2019/2566/8, NAIH / 2020/5552, NAIH / 2020/152/2.
                and NAIH-3957-1 / 2021. in decisions no
                data on the basis of an inappropriate legal basis.

       The Authority emphasizes here that NAIH / 2019/1814. laid down in Decision No
       The violation of Article 5 (1) (a) GDPR is equally a security breach

       the Authority has already done so
       condemned the Applicant earlier.

       A NAIH / 2019/2566/8. and NAIH / 2020/5552. was not included in decisions no
       line of fines, while NAIH / 2020/152/2. HUF 1,000,000 in Resolution No.
       a data protection fine was imposed, and NAIH-3957-1 / 2021. number
       HUF 1,000,000 in the resolution, NAIH / 2019/1841. in Resolution No. 500,000 HUF, a

       NAIH / 2020/308. to pay a data protection fine of HUF 2,000,000
       the Applicant was bound by the Authority. (GDPR Article 83 (2) (e) and (i))

In view of the fact that the Applicant has repeatedly infringed the same provisions of the GDPR (in the case of Article 5 (1) (a) of the GDPR more than once: quantified, in three cases), as set out above, the Authority took particular account of this, and of the fact that in the present proceedings there has been an infringement of eight provisions of the GDPR, in imposing the fine, and in that regard decided to impose a fine significantly higher than the data protection fines previously imposed on the Applicant.

According to the Applicant's 2020 report, the pre-tax profit was HUF […]. The imposed data protection fine does not exceed the maximum fine that may be imposed. (GDPR Article 83 (5) (a))


By imposing a fine, the Authority's specific preventive purpose is to encourage the Applicant to review its data management practices and to ensure in the future the right to the protection of personal data.

The infringements committed by the Applicant fall under the higher category of fines under Article 83 (5) (a) of the GDPR. Given the nature of the infringements, the maximum amount of the fine that may be imposed under Article 83 (5) (a) and (b) of the GDPR is EUR 20 000 000 or up to 4% of the total worldwide turnover in the preceding business year.

With regard to the imposition of a fine, the Authority did not take into account the following provisions of Article 83 (2) GDPR because they were not relevant in the present case: points c), d), g), h), j), k).

V. Other issues:


The powers of the Authority are determined by Section 38 (2) and (2a) of the Infotv., and its jurisdiction covers the whole country.

The decision is based on Sections 80-81 of the Ákr. and Section 61 (1) of the Infotv. Pursuant to Section 82 (1) of the Ákr., the decision becomes final with its communication. Pursuant to Section 112, Section 116 (1) and Section 114 (1) of the Ákr., there is room for redress against the decision by way of an administrative action.
                                                * * *
The rules of administrative litigation are laid down in Act I of 2017 on the Procedure of Administrative Litigation (hereinafter: Kp.). Pursuant to Section 12 (2) (a) of the Kp., the administrative lawsuit against the decision of the Authority falls within the jurisdiction of the tribunal, and pursuant to Section 13 (11) the Metropolitan Court has exclusive jurisdiction. Pursuant to Section 72 of Act CXXX of 2016 on Civil Procedure (hereinafter: Pp.), applicable pursuant to Section 26 (1) of the Kp., legal representation is obligatory in a lawsuit falling within the jurisdiction of the tribunal. Pursuant to Section 39 (6) of the Kp., unless otherwise provided by law, the application has no suspensory effect on the entry into force of the administrative act.

Pursuant to Section 9 (1) (b) of Act CCXXII of 2015 on the general rules of electronic administration and trust services (hereinafter: the E-Administration Act), applicable in accordance with Section 29 (1) of the Kp. and, with regard to this, Section 604 of the Pp., the Customer's legal representative is obliged to communicate electronically.

The time and place of the submission of the application are determined by Section 39 (1) of the Kp. Information on the possibility of requesting a hearing is based on Section 77 (1) - (2) of the Kp. The amount of the fee for an administrative lawsuit is determined by Section 45 / A (1) of Act XCIII of 1990 on Fees (hereinafter: Itv.). Section 59 (1) and Section 62 (1) (h) of the Itv. release the party instituting the proceedings from the advance payment of the fee.


If the Applicant does not duly prove the fulfillment of the required obligation, the Authority considers that it has failed to fulfill its obligations within the prescribed period. According to Section 132 of the Ákr., if the obligor has not complied with the obligation contained in the final decision of the authority, it shall be enforceable. Pursuant to Section 82 (1) of the Ákr., the decision of the Authority becomes final with the communication. Pursuant to Section 133 of the Ákr., enforcement, unless otherwise provided by law or government decree, is ordered by the decision-making authority. Pursuant to Section 134 of the Ákr., enforcement, unless a law, a government decree or, in the case of a municipal authority, a local government decree provides otherwise, is implemented by the state tax authority.

In the course of the procedure, the Authority exceeded the one hundred and fifty day administrative deadline under Section 60 / A (1) of the Infotv.; therefore, pursuant to Section 51 b) of the Ákr., it pays ten thousand forints to the Applicant.

dated Budapest, February 11, 2022



                                                                  Dr. Attila Péterfalvi
                                                                         President
                                                                   c. professor









