NAIH (Hungary) - NAIH-2801-17-2022 (NAIH-8701/2021)

From GDPRhub
Revision as of 13:54, 5 October 2022 by Abel.kaszian (talk | contribs) (edited the title to only one case number)
NAIH - NAIH-2801-17-2022
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 5(1)(b) GDPR
Article 5(1)(c) GDPR
Article 5(2) GDPR
Article 6(1) GDPR
Article 13(1) GDPR
Article 13(2) GDPR
Type: Complaint
Outcome: Upheld
Started: 16.11.2021
Decided: 08.08.2022
Published: 08.08.2022
Fine: 300000 HUF
Parties: n/a
National Case Number/Name: NAIH-2801-17-2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Hungarian
Original Source: NAIH (in HU)
Initial Contributor: Abel Kaszian

The Hungarian DPA ruled that making an audio recording during installation works was unlawful because it violated the principles of purpose limitation and data minimisation, and because the controller did not appropriately inform the data subjects. The controller was fined €700.

English Summary

Facts

The controller (a construction company) was doing construction and installation works at the data subject’s house.

During the repair work at the data subject's home, an employee of the controller made a voice recording on his phone without informing the data subject beforehand. The data subject contacted the controller about the recording and was informed that the worksheet (which is filled in and signed, and details the work done at the location) contained information about the voice recording.

The data subject later requested the worksheet and the name and contact details of the controller’s DPO, but received no reply.

Therefore, the data subject filed a complaint with the Hungarian DPA, concerning the voice recording made at his residence without his knowledge. The data subject also indicated that there was no information on the controller’s website about audio recording.

During the investigation, the controller stated that the audio recording was made on a case-by-case basis, decided by the managing director. The purpose was to protect the interests of the customers, especially the elderly, and to hold employees accountable for providing proper information. The controller indicated Article 6(1)(a) GDPR (consent of the data subject) and Article 6(1)(d) GDPR (vital interests of the data subject or other natural person) as the legal basis for the processing. According to the controller, no audio recording was made of the data subject. The controller stated that the purpose of making the occasional audio recording was to properly document what was said at the installation site during the installation work. In some cases, the clients claimed afterwards that they had not been properly informed about the details of the installation, even though this information was recorded in the worksheet. In view of this, the controller decided that in individual cases the installing employee should make an audio recording of what was said during the installation.

Holding

In the DPA's view, Article 5 GDPR sets out the main principles that must be considered when processing personal data and that must be consistently applied in the processing. It follows from the accountability requirement of Article 5(2) GDPR that the controller is responsible for compliance with the data protection principles and must be able to demonstrate such compliance. On this basis, the controller must document and record the processing in such a way that its lawfulness can be demonstrated. The principle of purpose limitation under Article 5(1)(b) GDPR implies that personal data may only be processed for specified, explicit and legitimate purposes.

The DPA also stated that the audio recordings may be suitable to achieve the objectives stated by the controller, but they are also achievable by a worksheet mutually signed by the controller and the client. On this basis, it is not necessary to make an audio recording as there are other ways to achieve the objectives. Moreover, it is not proportionate to record what is said during the installation work, given the unpredictable length of the installation and the content of the conversation. Some unrelated piece of personal information may be recorded as well. The recording is also a tool to monitor employees without proper legal basis.

The DPA also found a breach of the purpose limitation and data minimization principles, as the controller did not carry out an interest test and therefore breached Article 6(1) GDPR.

Article 13(1) GDPR and Article 13(2) GDPR set out the processing circumstances and information that the controller must provide to data subjects. The GDPR does not specify the form of the provided information, but the DPA recommends the written form in line with the principle of accountability. According to the controller’s statement, on the occasion of the two audio recordings, the information was provided orally and the worksheet also contained a short piece of written information. The DPA however concluded that the worksheet did not contain any information on the processing of the data, which constituted a breach of Article 13(1) GDPR and Article 13(2) GDPR.

Overall, the DPA held that the information provided to the data subject by the controller was not sufficient and suggested that the audio recording was not necessary for the purposes. Taking the principle of data minimization into account, a signed worksheet is sufficient in the matter.


English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

      Case number: NAIH-2801-17/2022. (NAIH-8701/2021.)
      Subject: decision establishing a violation of law




                                             DECISION



      The National Data Protection and Freedom of Information Authority (hereinafter: Authority), in the data protection official procedure initiated ex officio in connection with the compliance of the audio recording practice followed during installation work carried out by the company (headquarters: [...], company registration number: [...]; hereinafter: the Customer) represented by […] Law Firm (headquarters: […]; acting attorney: [...]; company gate: [...]) with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, and on the repeal of Directive 95/46/EC (hereinafter: General Data Protection Regulation), makes the following decisions:


      1. The Authority determines that the Customer has violated:

         - Article 5(1)(b) of the General Data Protection Regulation;
         - Article 5(1)(c) of the General Data Protection Regulation;

         - Article 6 (1) of the General Data Protection Regulation;

         - Article 5 (2) of the General Data Protection Regulation;

         - Paragraphs (1)-(2) of Article 13 of the General Data Protection Regulation.

      2. Due to the violations established in point 1, the Authority obliges the Customer to pay a data protection fine of 300,000 HUF, i.e. three hundred thousand forints.

      3. The Authority also terminates the seizure ordered in the procedure.


                                                    * * *

      The data protection fine must be paid within 30 days of this decision becoming final to the Authority's centralized revenue collection target settlement HUF account (10032000-01040425-00000000 Centralized direct debit account IBAN: HU83 1003 2000 0104 0425 0000 0000). When transferring the amount, the number NAIH-2801/2022. FINE. must be referred to.

      If the Customer does not comply with the obligation to pay the data protection fine within the deadline, it must pay a late fee to the above account number. The amount of the late fee is the legal interest, which is equal to the central bank base interest rate valid on the first day of the calendar semester affected by the delay.

      In the event of non-payment of the data protection fine and late fee, the Authority orders the implementation of the decision.

      Falk Miksa utca 9-11 Fax: +36 1 391-14100 www.naih.hualat@naih.hu



There is no place for administrative appeal against this decision, but it can be challenged in a lawsuit within 30 days from its announcement, with a letter of claim addressed to the Capital Tribunal. The claim must be submitted to the Authority electronically, which forwards it to the court together with the case documents. A request for the holding of a trial must be indicated in the letter of claim. For those who do not receive full personal tax exemption, the fee for the administrative lawsuit is HUF 30,000; the lawsuit is subject to the right to record the fee. Legal representation is mandatory in proceedings before the Capital Tribunal.



                                       JUSTIFICATION



I. Course of the procedure

1. On March 31, 2021, a notification was received by the Authority, in which […] (residential address: […]; hereinafter: the complainant) complained against the Customer in connection with an audio recording made during the installation work carried out in his apartment.

The whistleblower explained that on March 29, 2021, during the work, the Customer's employee made a sound recording with his mobile phone, about which the whistleblower was not informed in advance. He contacted the Customer by phone with his complaint, where he was informed that the worksheet contains the information about the audio recording. On March 29, 2021, the whistleblower asked via e-mail to be sent the worksheet and the name and contact information of the Customer's data protection officer, but he did not receive a response to his request. The whistleblower indicated that there is no information about audio recording on the Customer's website either.²

In the case, an investigation was launched under file number NAIH-3853/2021. on the basis of point f) of Article 57 (1) of the General Data Protection Regulation and point a) of paragraph (3) of § 38 of Act CXII of 2011 on informational self-determination and freedom of information (hereinafter: Infotv.), during which the Authority, in its letter dated June 15, 2021, file number NAIH-3853-4/2021., addressed the Customer with a request in order to clarify the facts. The Customer's response letter was received by the Authority on July 13, 2021, and it included the following:

2. Audio recording related to the installation work carried out by the Customer is made on the basis of a case-by-case, individual executive decision, the purpose of which is to protect the interests of customers, mainly elderly customers. Another goal is to hold the colleagues providing the information accountable. Audio recording is not a general practice; it is done on a random basis.

Occasional audio recording has been used since January 2021 based on the decision of the executive. As the legal basis for data management, the Customer indicated point a) (the consent of the person concerned) and point d) (vital interest of the person concerned or another natural person) of Article 6 (1) of the General Data Protection Regulation.

The Customer did not send internal regulations or internal procedures regarding the management of recordings, but briefly gave the following answers to the Authority's questions: the executive decides on the recording, the manager instructs the employees to do so, and a recording may only be prepared by the person entrusted with this by the executive, at the time and in the quantity determined by him. The manager transfers the recording to a laptop and deletes it from the audio recording device. The retention period lasts until the warranty period has expired, i.e. 6 months, after which the manager deletes the recording from the laptop. The audio recording device is a dictaphone, and the device storing the audio recordings is a laptop in offline mode that is protected by a password known only to the executive.

1 The NAIH_K01 form is used to initiate the administrative lawsuit: NAIH_K01 form (September 16, 2019). The form can be filled out using the general form filling program (ÁNYK program). The form is available from the following link: https://www.naih.hu/kozig-hatarozat-birosagi-felulvizsgalata
2 Download time: 2021.04.21.erelo.hu/adatkezelesi-tajekoztato/

On the basis of the Customer's statement, before the audio recording is made, the affected parties are informed orally and in writing, and are also informed that they have the right to have the audio recording deleted at any time.


Based on the Customer's statement, no audio recording was made of the whistleblower, as a recording can only be prepared on a case-by-case executive order, and this was not done at the above address.

When asked why it did not respond to the whistleblower's electronic inquiry, the Customer stated that it did not receive a letter from the whistleblower at its e-mail address.


3. Based on the answers sent, the Authority considered it justified to review the general practice of audio recording in a data protection official procedure, since the answers made it likely that, in connection with the management of personal data, a violation of rights presumably affecting a wide range of persons has occurred or there is a direct threat of it, and that fines may be imposed based on the provisions of the General Data Protection Regulation.

At the same time, the Authority investigated the whistleblower's individual complaint - including the non-response to the electronic inquiry sent by him and his request for the worksheet - in the investigation procedure started under no. NAIH-3853/2021. Therefore, the individual complaint is not the subject of the present procedure.

In view of Section 71 (2) of the Infotv., in this data protection official procedure the Authority used as evidence the documents and data legally obtained in the preceding investigation procedure no. NAIH-3853/2021., of which the Customer was informed in the order initiating the proceedings, dated 26 November 2021, file number NAIH-8701-1/2021.


II. Clarification of the facts

1. With order no. NAIH-8701-1/2021., dated November 26, 2021, the Authority notified the Customer of the initiation of the data protection official procedure and called on it to make a statement, and also, based on § 108, paragraph (1) of Act CL of 2016 on General Administrative Procedure (hereinafter: Ákr.), ordered the seizure of the audio recordings stored on the laptop in offline mode referred to by the Customer in the investigation procedure started at no. NAIH-3853/2021.

The reason for the seizure was that if the Customer were to delete the stored audio recordings after receiving the order initiating the data protection official procedure, this would endanger the success of clarifying the facts.

2. The Customer appointed a legal representative in the data protection official procedure.

In its letter dated December 16, 2021, the Customer stated that, after the Authority's inquiry sent in the investigation procedure, it reviewed its data management practices affected by the investigation and the present data protection official procedure, and thereafter stopped the recording of audio during installation work. According to its statement, before the termination, audio recordings were made twice in total, and these recordings were also deleted during the review.



According to its statement, 31 people worked for the Customer at that time, of which 15 were mechanics. On average, 140-150 installation jobs take place every month. The Customer's goal in making the audio recording was to properly document what was said at the installation site during the installation work. In many cases, its clients - in most cases elderly people - claimed afterwards that they did not receive adequate information, for example, about the installation, the cost of materials or the duration of the work, or they remembered it differently from what was actually said. Even though this information is also recorded on the worksheet, some of the customers questioned the veracity of the information given by the on-site mechanic. In view of this, the Customer decided that in individual cases the installer should make an audio recording of what was said during the installation, so that the Customer can prove in an appropriate way that the information has been provided or, where applicable, can hold the employee accountable should the customer's complaint prove to be true. In both cases when a recording was made, the manager considered the necessity of making the audio recording based on all the circumstances of the situation (such as the inquiry and the method of consultation prior to the on-site work, the nature of the work, the estimated age of the person using the service, and the mechanic's proposal and request about the necessity of recording after the start of the work).

In response to the Authority's request that, upon receipt of the order, the Customer send all recorded audio recordings to the Authority on electronic media, the Customer stated that, due to the previous deletion of the two audio recordings, it cannot fulfill this request.

According to the Customer's statement, it incorrectly indicated the legal basis for data management in the statement presented in the previous investigation procedure: it wanted to refer not to point d) of Article 6 (1) of the General Data Protection Regulation, but to point f), because in its opinion, according to what was previously presented, it had a legitimate interest in recording what was said during the installation work.

3. In response to the Authority's order for additional clarification of the facts, dated February 9, 2022, case file no. NAIH-2801-2/2022., the Customer stated in its letter dated February 28, 2022 that in the two cases where it made audio recordings, before recording them it considered the possibilities that may be suitable for the realization of the goal it wants to achieve, and deemed that the data processing related to the recording of the audio met the legal and official requirements for interest-based data management. However, it did not prepare a balance of interests test before starting data management.

According to the Customer's statement, it had previously marked the legal basis for data processing incorrectly on the worksheet, and it considers not the consent of the data subject but its legitimate interest to be the appropriate legal basis for the data processing.

According to the Customer's statement, the procedure for recording was regulated in the following way, and it did not have any other internal regulations in this connection:

"Regulation:

    - audio recording is made based on executive decision
    - the manager instructs the employee
    - recording can only be made by the employee entrusted with it by the manager, at a specified time and in a specified quantity
    - the manager transfers the recording to a laptop and deletes it from the audio recording device
    - at the end of the warranty period, which is six months, the manager deletes the recording from the laptop."


Furthermore, according to the Customer's statement, "during the making of the two audio recordings, information was given verbally at the site of the installation work, and short information about the possibility of recording was also included in writing on the worksheet - although unfortunately not in an adequate way."


The brief information on the worksheet is as follows: "I also agree that on site
the mechanics should make sound, picture and video recordings in connection with the works."

During the review of the data management, the Customer came to the conclusion that the form and content of the information were not adequate, and, among other things, terminated the examined practice with regard to this.


Regarding the seizure, the Customer stated that at the time the Authority ordered the seizure, it no longer stored any audio recording that had been recorded in connection with the data management under investigation. Two such recordings had been prepared before; however, it had already deleted them during the Authority's previous investigation procedure, after the request of June 15, 2021, as no legitimate purpose justified the further preservation of the recordings. At the time of receipt of the Authority's order dated 26 November 2021, file number NAIH-8701-1/2021., no audio recording was available, therefore the Customer could not fulfill its obligation in connection with the seizure. The manager irretrievably deleted the audio recordings in question from his own laptop, the recordings were not stored on any other device, and the exact time of deletion was not recorded.

4. The documents of the investigation procedure available to the Authority also contain the contact details, as stated by the Customer, of the employee who performed the installation work at the reporting party's home.

Given that the repair worker has the most accurate information about the audio recording practice carried out by the Customer during installation work, the Authority considered it justified to summon him to its headquarters for a personal hearing as a witness.

The repair worker (hereinafter: witness) stated at the Authority's headquarters on May 5, 2022 that he has been working at his current job, at the Customer, since August 2020, and during this time he never once received an instruction from his employer to make an audio recording of the works, and he was not aware that there was such a practice at the employer. According to the witness's statement, they received no general instructions regarding the recording of audio, and to the best of his knowledge the employer has not drawn up a policy on this. To prepare the itemized invoice, they used to take a photo so that the quantity and quality of the materials used for the work done can be verified. In this case, the photograph in all cases shows the work done. In relation to the provision of the commission contract / worksheet used by the Customer, according to which: "I also agree that on the spot the mechanics make sound, image and video recordings in connection with the works", he stated that this provision applies only to these recordings made of the objects representing the completed works.

The witness also testified that he did not make a sound recording on any occasion during works.


5. On June 14, 2022, the Customer attended a document review at the Authority's headquarters, during which it got acquainted with all the documents of the procedure, including the protocol prepared from the hearing of the witness and the documents of the preceding investigation procedure no. NAIH-3853/2021., which were used in the present procedure.



III. Applicable legal provisions

Based on Article 2 (1) of the General Data Protection Regulation, the General Data Protection Regulation must be applied to the processing of personal data in a wholly or partly automated manner, as well as to the non-automated processing of those personal data which are part of a registration system or which are intended to be made part of a registration system.

Pursuant to § 2, paragraph (2) of the Infotv., the General Data Protection Regulation shall be applied with the additions specified in the provisions indicated there.

According to § 38, paragraph (2) of the Infotv., the Authority is responsible for controlling and promoting the enforcement of the right to the protection of personal data and the right to access data of public interest and data public on grounds of public interest, as well as for facilitating the free flow of personal data within the European Union.

Based on Section 38 (2a) of the Infotv., the tasks and powers established for the supervisory authority in the General Data Protection Regulation are exercised, with regard to legal entities under the jurisdiction of Hungary, by the Authority as specified in the General Data Protection Regulation and this law.

Pursuant to § 38, paragraph (3) point b) of the Infotv., within the scope of its duties according to § 38, paragraphs (2) and (2a), the Authority, as defined in this law, in particular conducts a data protection official procedure at the request of the data subject and ex officio.

According to Section 60 (1) of the Infotv., in order to enforce the right to the protection of personal data, the Authority initiates a data protection official procedure at the request of the data subject and may initiate a data protection official procedure ex officio.

On the basis of § 103, paragraph (1) of the Ákr., the provisions of this law on procedures initiated upon request shall be applied in ex officio proceedings with the exceptions contained in this chapter.

In the absence of a different provision of the General Data Protection Regulation, the provisions of the Ákr. shall be applied to the data protection official procedure initiated upon request, with the deviations specified in the Infotv.

Pursuant to Article 4, point 1 of the General Data Protection Regulation: ""personal data": any information relating to an identified or identifiable natural person ("data subject"); a natural person is identifiable if he can be identified, directly or indirectly, in particular on the basis of an identifier such as name, number, location data, online identifier, or one or more factors relating to the physical, physiological, genetic, intellectual, economic, cultural or social identity of the natural person."

According to Article 4, point 2 of the General Data Protection Regulation: ""data management": any operation or set of operations performed on personal data or data files in an automated or non-automated manner, such as collection, recording, organization, segmentation, storage, transformation or change, query, insight, use, communication by means of transmission, distribution or other means of making available, coordination or connection, restriction, deletion or destruction."

Based on Article 4, point 7 of the General Data Protection Regulation: ""data controller": the natural or legal person, public authority, agency or any other body that defines the purposes and means of processing personal data independently or together with others; if the purposes and means of data management are determined by EU or member state law, the data controller or the special aspects regarding the designation of the data controller can also be determined by EU or member state law."

Pursuant to Article 5 (1) b) and c) of the General Data Protection Regulation: "The personal data:
[…]
b) should be collected only for specific, clear and legal purposes, and should not be processed in a manner inconsistent with these purposes; in accordance with Article 89 (1), further data management for the purpose of archiving in the public interest, for scientific and historical research purposes or for statistical purposes is not considered incompatible with the original purpose ("goal-boundness");
c) they must be appropriate and relevant for the purposes of data management, and they must be limited to what is necessary ("data sparing");
[…].”

According to Article 5 (2) of the General Data Protection Regulation: "The data controller is responsible for compliance with paragraph (1) and must also be able to demonstrate this compliance ("accountability")."

Based on points a), d) and f) of Article 6 (1) of the General Data Protection Regulation: "The processing of personal data is only legal if and to the extent that at least one of the following is fulfilled:
a) the data subject has given his consent to the processing of his personal data for one or more specific purposes;
[…];
d) the data processing is necessary for the protection of the vital interests of the data subject or another natural person;
[...];
f) data management is necessary to enforce the legitimate interests of the data controller or a third party, unless these interests are overridden by the interests or fundamental rights and freedoms of the person concerned that make the protection of personal data necessary, especially if a child is involved.
Point f) of the first subparagraph does not apply to data management carried out by public authorities during the performance of their duties."


Pursuant to Article 13 (1)-(2) of the General Data Protection Regulation: "(1) If personal data relating to the data subject are collected from the data subject, the data controller provides the data subject with all of the following information at the time of obtaining the personal data:
a) the identity and contact details of the data controller and, if any, the representative of the data controller;
b) contact details of the data protection officer, if any;
c) the purpose of the planned processing of personal data and the legal basis of data processing;
d) in the case of data management based on point f) of paragraph (1) of Article 6, the legitimate interests of the data controller or a third party;
e) where appropriate, recipients of personal data, or categories of recipients, if any;
f) where appropriate, the fact that the data controller wishes to forward the personal data to a third country or international organization, and the existence or absence of the Commission's conformity decision, or, in the case of data transfer referred to in Article 46, Article 47 or the second subparagraph of Article 49 (1), an indication of the appropriate and suitable guarantees, as well as a reference to the means of obtaining a copy of them or their availability.
(2) In addition to the information mentioned in paragraph (1), the data controller, at the time of obtaining the personal data, in order to ensure fair and transparent data management, informs the data subject of the following additional information:
a) the period of storage of personal data, or if this is not possible, the aspects of determining this period;
b) the data subject's right to request from the data controller access to the personal data relating to him, their correction, deletion or restriction of processing, and to object to the processing of such personal data, as well as the data subject's right to data portability;
c) in the case of data processing based on point a) of Article 6 (1) or point a) of Article 9 (2), the right to withdraw consent at any time, which does not affect the legality of the data processing carried out on the basis of consent before the withdrawal;
d) the right to submit a complaint to the supervisory authority;
e) whether the provision of personal data is based on a legal or contractual obligation or is a prerequisite for concluding a contract, as well as whether the person concerned is obliged to provide the personal data, and what possible consequences the failure to provide data may have;
f) the fact of automated decision-making referred to in paragraphs (1) and (4) of Article 22, including profiling, and at least in these cases comprehensible information regarding the applied logic and the significance of such data management and its expected consequences for the person concerned."

According to Article 58(2)(b) and (f) of the General Data Protection Regulation: "Acting within its corrective powers, the supervisory authority:
[...];
b) condemns the data controller or the data processor if its data management activities violated the provisions of this regulation;
[…];
i) imposes an administrative fine in accordance with Article 83, depending on the circumstances of the given case, in addition to or instead of the measures mentioned in this paragraph; and
[…].”


Based on Article 77 (1) of the General Data Protection Regulation, without prejudice to other administrative or judicial remedies, every data subject is entitled to file a complaint with a supervisory authority - in particular in the Member State of his usual place of residence, place of work or the place where the alleged infringement took place - if, according to the judgment of the data subject, the processing of personal data relating to him violates this regulation.


Pursuant to Article 83 (2) and (5) of the General Data Protection Regulation: "[…]
(2) The administrative fines, depending on the circumstances of the given case, must be imposed in addition to or instead of the measures mentioned in points a)-h) and j) of Article 58 (2). When deciding whether it is necessary to impose an administrative fine, and when determining the amount of the administrative fine, the following should be duly taken into account in each case:
a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the data management in question, as well as the number of persons affected by the infringement and the extent of the damage they have suffered;
b) the intentional or negligent nature of the infringement;
c) any action taken by the data controller or the data processor in order to mitigate the damage suffered by the data subjects;
d) the degree of responsibility of the data manager or data processor, taking into account the technical and organizational measures undertaken on the basis of Articles 25 and 32;
e) relevant violations previously committed by the data controller or data processor;
f) the extent of cooperation with the supervisory authority to remedy the violation and to mitigate the possible negative effects of the violation;
g) the categories of personal data affected by the infringement;
h) the manner in which the supervisory authority became aware of the violation, in particular whether the data controller or the data processor reported the violation and, if so, in what detail;
i) if one of the measures mentioned in Article 58 (2) was previously ordered against the relevant data manager or data processor on the same subject, compliance with said measures;
j) whether the data manager or the data processor has adhered to approved codes of conduct under Article 40 or approved certification mechanisms under Article 42; as well as
k) other aggravating or mitigating factors relevant to the circumstances of the case, for example, financial gain obtained or loss avoided as a direct or indirect consequence of the infringement.
[…]
(5) Violation of the following provisions - in accordance with paragraph (2) - shall be subject to an administrative fine of at most EUR 20,000,000 or, in the case of businesses, an amount of no more than 4% of the total annual world market turnover of the previous financial year, whichever of the two amounts is higher:
a) the principles of data management - including the conditions of consent - in accordance with Articles 5, 6, 7 and 9;
b) the rights of the data subjects in accordance with Articles 12–22;
c) the transfer of personal data to a recipient in a third country or an international organization in accordance with Articles 44–49;
d) obligations according to the law of the Member States adopted on the basis of Chapter IX;
e) failure to comply with the instruction of the supervisory authority according to Article 58 (2), or with its notice on the temporary or permanent restriction of data management or the suspension of data flow, or failure to provide access in violation of Article 58 (1).
[...]"


According to Infotv. § 71 (2): "The Authority can use a document, data or other means of proof lawfully acquired during its procedures in other proceedings."

On the basis of Infotv. § 75/A: "The Authority exercises its powers under Article 83 (2)-(6) of the General Data Protection Regulation in accordance with the principle of proportionality, in particular by acting, in the case of a first violation of the regulations on the handling of personal data defined in law or in a mandatory legal act of the European Union, to remedy the violation - in accordance with Article 58 of the General Data Protection Regulation - primarily by warning the data manager or data processor."

Pursuant to Section 9 (2) of Act I of 2012 on the Labor Code (hereinafter: Mt.): "The employee's right to privacy can be restricted if the restriction is absolutely necessary for a reason directly related to the purpose of the employment relationship and is proportional to achieving the goal. The employee must be informed in writing in advance about the way, conditions and expected duration of the limitation of the right to privacy, and about the circumstances supporting its necessity and proportionality."

According to Mt. § 11/A (1): "The employee's behavior related to the employment relationship can be controlled. In this context, the employer may also use a technical device, of which the employee is informed in advance in writing."


Based on point a) of § 42, paragraph (2) of the Mt.: "Based on the employment contract, the employee
is obliged to perform work under the direction of the employer"

Pursuant to points b) and c) of Section 52 (1) of the Labor Code: "The employee is obliged
[…]
b) to be available to the employer during working hours - for the purpose of work, in a state capable of working;

c) to perform his work personally, with the expertise and care that can generally be expected, according to the rules, regulations, instructions and customs applicable to his work,
[…].”


According to Akr. § 109 (1) point a): "The seizure shall be terminated if the reason for ordering it has ceased to exist."



IV. Decision

Based on the definitions of the General Data Protection Regulation, the voice of a natural person, as well as the audio recording, is the data subject's personal data, and any operation performed on the personal data is considered data management.



IV.1. Purpose and necessity of data management

Article 5 of the General Data Protection Regulation contains the main principles that must be taken into account when handling personal data, and which must be applied continuously during data management. Pursuant to the requirement of accountability according to Article 5 (2) of the General Data Protection Regulation, the data controller is responsible for compliance with data protection principles and must be able to verify this compliance. Based on this, the data controller is obliged to document and record the data management, so that its legality can be proven afterwards.

Following the principle of purpose-bound data management according to Article 5(1)(b) of the General Data Protection Regulation, the management of personal data may only be done for a defined, clear and legitimate purpose.

According to the Customer's statements, making the audio recording on the one hand protects the interests of the customers; furthermore, the aim was to properly document what was said on the spot during the installation work, as in many cases the typically elderly customers claimed afterwards that they did not receive adequate information about, for example, the installation or material costs or the duration of the work, or they did not remember it as it was really said. Even though this information is also recorded on the worksheet, some customers questioned the authenticity of the information provided by the on-site mechanic. In the Customer's opinion, based on the audio recordings the Customer can prove in an appropriate way that the information has been given, or, where appropriate, can hold the employee accountable, should the customer's complaint prove to be true.

According to the Authority's point of view, audio recordings may be suitable for achieving the purposes referred to; however, for these goals the recording can be replaced by the worksheet completed by the mechanic and jointly signed by the mechanic and the customer, a copy of which is also provided to the client, thus confirming that both parties recognize what happened during the installation as real. Based on this, making a voice recording is not necessary, as there is another way to achieve the goals. Besides, it is not even proportionate to record what was said during the installation work, taking into account that the length of the installation work cannot be determined in advance, and that the content of the conversation cannot be determined in advance either, that is, in a given case information may be recorded that is completely unrelated to the purpose of data management. In addition, in relation to the referred data management purpose, it can be established that it actually also means checking the employees.

Section 52 (1) point c) of the Labor Code stipulates that the employee is obliged to perform his work according to the rules, regulations, instructions and customs applicable to his work, and on the basis of Mt. § 11/A (1) the employer may also check the employee in connection with the employment relationship, even with a technical device; however, this is not necessary, and the recording and storage of another person's voice and what is said is disproportionate and, according to the Authority's point of view, cannot be reconciled with the referred data management purpose.


According to the statements submitted by the Client, audio recording happened in practice in only two cases, and according to the Witness' testimony, he never once received instructions from his employer to make audio recordings of work, and he was unaware that there is such a practice at the employer.

However, in addition to the two specific cases, the content of the worksheet, according to which the data subject agrees that the installers on site make audio, image and video recordings, supports that this data management was a common practice.


The same follows from the text of the regulation cited by the Client, according to which "a sound recording is made based on an executive decision
    - the manager instructs the employee

    - recording can only be made by the employee entrusted with it, at the time and in the quantity specified by the manager

    - the manager transfers the recording to a laptop and deletes it from the audio recording device

    - at the end of the warranty period, which is six months, the manager deletes the recording from the laptop."

In addition to all of this, the Customer itself acknowledged in the investigation procedure started under NAIH-3853/2021 that audio recordings are made on a random basis based on the executive's decision, and then, according to the statement submitted in the data protection official procedure, it reviewed its data management practice - as a result of the Authority's procedure - and decided to terminate it, since, in its opinion, the practice does not meet the goal it wants to achieve, and it also did not fully comply with the applicable data protection legislation and official requirements. That is why, according to the Customer's statement, it is investigating how it can achieve the goal it wants to achieve effectively, but in accordance with the applicable legal provisions and with full respect for the data subjects' right to the protection of personal data.

Compared to these statements of the Client, the Witness stated differently that he was not aware that the Customer was conducting a data management practice like the one in the present case; this does not mean that other employees besides him (a total of 31 people worked for the Client, of which 15 were mechanics) would not have been instructed to make an audio recording. The Customer itself, as a data controller, has acknowledged the implementation of the data management practice. At the same time, in the stage of the official procedure, it knew of only two specific cases in which audio recordings were made.


Because of all this, and also because the wording of the worksheet, "the making of sound, image and video recordings in connection with the works", does not make clear the exact purpose of the data management, through which the information about the data management would be appropriate, the Authority establishes that the Customer recorded the voices of customers during installation work for a purpose that was not clear and not specifically defined, thereby violating Article 5 (1) point b) of the General Data Protection Regulation.


The Authority also establishes a violation of the principle of data saving according to Article 5 (1) point c) of the General Data Protection Regulation, considering that, for the reasons explained above, recording the voice of the employees is not necessarily required to verify whether the necessary information about the work was indeed given to the clients or not.


IV.2. The legal basis of data management and the principle of accountability


1. An additional requirement for the legality of data management is that the data management can be based on a legal basis according to Article 6 (1) of the General Data Protection Regulation.

As the legal basis for data management, the Client referred, in the investigation procedure started under NAIH-3853/2021, to the legal basis of consent according to Article 6 (1) point a) of the General Data Protection Regulation and to vital interest according to Article 6 (1) point d); however, in the official data protection procedure the Customer clarified its submission, and according to its statement, the legal basis for data management is legitimate interest according to Article 6 (1) point f) of the General Data Protection Regulation. The Authority therefore checked compliance with the legal basis of legitimate interest.

The legal basis of legitimate interest can be legally invoked if the data management is necessary to assert the legitimate interest of the data controller - or a third party - unless the interests or fundamental rights and freedoms of the data subject take precedence over such interests.

The legitimate interest must be real and must actually exist (that is, it cannot be fictitious or assumed). In view of the principle of accountability according to Article 5 (2) of the General Data Protection Regulation, it is recommended that the data controller record in writing the cases that establish its legitimate interest. The facts recorded in writing can serve as convincing evidence of the existence of a legitimate interest. The existence of the legitimate interest and the need for data management must be re-evaluated at regular intervals.

It is essential that, in order to refer to the legal basis of the legitimate interest, the data controller must carry out an interest assessment. Carrying out the interest assessment involves a multi-step process, which
During
interest of the data subject, affected fundamental right, and finally based on the weighting, it must be determined,

whether personal data can be processed. If as a result of the consideration of interests it can be established that the legitimate interest of the data controller precedes the data subjects' right to the protection of personal data, data processing can be continued on this legal basis.

Under the applicable legal provisions and the principle of accountability, the data controller must prove that the data management it carries out is compatible with the principle of purpose-bound data management and that the outcome of the interest assessment resulted in the primacy of the data controller's legitimate interest.

According to the Customer's statements, in the two cases when the Customer made a voice recording, before recording it considered the options that may be suitable for achieving the goal it wants to achieve, and it considered that the data management related to making the audio recording corresponds to the legal and official requirements for data management based on legitimate interest. However, it did not prepare a balance of interests test before the start of data management.

The Authority, taking into account point IV.1 of the present decision, in which it established the violation of the principles of purpose-bound data management and data saving, also states that - regardless of the fact that the Customer did not carry out an interest assessment - in the absence of a legitimate purpose and interest, and in view of the unnecessary data processing, the Client could not legally base its data management on the legal basis of legitimate interest, nor on any other legal basis, and as a result it violated Article 6 (1) of the General Data Protection Regulation.

2. Regarding the lack of consideration of interests, the Authority draws attention to the fact that, based on the principle of accountability according to Article 5 (2) of the General Data Protection Regulation, during the entire process of data management the data controller must carry out the data management operations in such a way that it is able to prove compliance with data protection rules. The principle of accountability can thus be interpreted not only in general, at the process level; it also applies to all specific data management activities, to the management of the personal data of a specific data subject.

The data controller is responsible for the legality of the data management it carries out. Due to the nature of the legal basis according to Article 6 (1) point f) of the General Data Protection Regulation, a data controller that refers to this legal basis must be able to accurately indicate which legitimate interest of the data controller the processing of specific personal data is based on and why data management is necessary in view of this interest, and at the same time must be able to verify and prove that this interest takes precedence over the data subject's right to the protection of personal data.

In this case, in the absence of a verifiable, written comparison of the need for data management with the interests of the data subjects, made before the start of the data management practice based on the indicated legal basis, the Customer has also violated the basic requirement of accountability defined in Article 5 (2) of the General Data Protection Regulation.


IV.3. Information on data management


An additional requirement of legal data management is that the data subjects receive appropriate, transparent and easily understandable information about data management. In this regard, the following must be taken into account:

Paragraphs (1)-(2) of Article 13 of the General Data Protection Regulation define the data management circumstances about which the data controller must inform the data subjects. The form of information is not defined by the General Data Protection Regulation; however, the Authority recommends the written form for the reason that - following from the principle of accountability - the data controller must prove and justify that the - preliminary - information was provided.

According to the Customer's statement, "at the time of making the two audio recordings, the information was given orally at the site of the installation work, and brief information about the possibility of recording was also written on the worksheet - although unfortunately not in an appropriate way."


The brief information on the worksheet is as follows: "I also agree that on site
the mechanics should make sound, picture and video recordings in connection with the works."

In relation to this information, it can be stated that it does not contain any information about the data management, whereby the Customer has violated Article 13 (1)-(2) of the General Data Protection Regulation.


Regarding the possible verbal information, the Authority notes that Article 5 (2) of the General Data Protection Regulation expressly places on the data controller the burden of proving also that the data subject has been adequately informed. The General Data Protection Regulation does not exclude the possibility of verbal information; however, in the event of a conflicting statement by the data subject, in the absence of adequate provability, the Authority as a general rule evaluates the doubtful situation at the expense of the data controller, based on Article 5 (2) of the General Data Protection Regulation.


IV.4. Termination of the seizure


In its order dated November 26, 2021, file no. NAIH-8701-1/2021, the Authority ordered, on the basis of Akr. § 108 (1), the seizure of the audio recordings referred to by the Customer, stored offline on a laptop.

The reason for the seizure was that if the audio recordings stored by the Customer were deleted after receipt of the order initiating the data protection official proceedings, this would endanger the success of clarifying the facts.


In relation to the seizure, the Customer stated that at the time of the seizure ordered by the Authority it no longer stored any audio recordings that had been recorded in connection with the data management under investigation. Two such recordings had been made before; however, the Customer already deleted them during the Authority's previous investigation procedure, after the Authority's inquiry dated June 15, 2021, as no legitimate purpose justified further preservation of the recordings. Therefore, at the time of receipt of the Authority's order dated November 26, 2021, file number NAIH-870-1/2021, no audio recording was available, so the Customer could not comply with the seizure. The manager irretrievably deleted the audio recordings in question from his own laptop, the Customer did not store the recordings on another device, and the Customer did not record the exact time of deletion.

The reason for the seizure was thereby eliminated, and since the Authority made a decision on the merits of the case, the Authority terminates the seizure on the basis of Akr. § 109 (1) point a).


V. Legal Consequences

1. Based on what is written in point IV of this decision, the Authority states, pursuant to Article 58 (2) point b) of the General Data Protection Regulation, that the Customer has violated Article 5(1)(b) and (c), Article 6, Article 5(2) and Article 13 (1)-(2) of the General Data Protection Regulation.

Given that the Customer has terminated the objectionable data management practice, the Authority
does not oblige the Customer to take action.

2. The Authority also examined whether imposing a data protection fine on the Customer was justified. In this context, the Authority, in accordance with Article 83 (2) of the General Data Protection Regulation and Infotv. § 75/A, considered all the circumstances of the case and established that in the case of the violations discovered during this procedure, a warning is neither a proportionate nor a deterrent sanction, therefore a fine must be imposed.

When determining the amount of the fine, the Authority first of all took into account that the violation committed by the Customer is classified, according to Article 83 (5) point b) of the General Data Protection Regulation, as a violation belonging to the category of higher fines.

The Authority also took into account that the data management also affected employees in a hierarchical relationship with the Customer [General Data Protection Regulation Article 83 (2) point k)], and that the personal data affected by the violation, the voice of the persons concerned, does not belong to the special categories of personal data [General Data Protection Regulation Article 83 (2) point g)].


When determining the amount of the data protection fine, the Authority took into account as aggravating circumstances that


    - the Customer violated several provisions of the General Data Protection Regulation
       [General Data Protection Regulation Article 83 (2) point a)];

    - the violations committed by the Customer result from gross negligence, since it
       did not even occur to the Customer what implications the data management practices
       used by it have for the privacy of its employees and customers
       [General Data Protection Regulation Article 83 (2) point b)].

When determining the amount of the data protection fine, the Authority took into account as mitigating circumstances that

    - following the inquiry sent by the Authority in its investigation procedure, the Client
        reviewed the data management examined in the investigation and in this data protection
        authority procedure, and subsequently stopped making audio recordings in the course of
        installation works; as a result of the Authority's procedures, the Client decided to
        terminate the practice, which it also classifies as illegal
        [General Data Protection Regulation Article 83 (2) points d) and f)];

    - the Customer has not previously been condemned for violating the General Data Protection
        Regulation [General Data Protection Regulation Article 83 (2) point e)];

    - the Authority exceeded the administrative deadline
       [General Data Protection Regulation Article 83 (2) point k)].

When determining the data protection fine imposed on the Customer, the Authority did not consider relevant the circumstances according to Article 83 (2) points c), h), i) and j) of the General Data Protection Regulation, as they cannot be interpreted in relation to the specific case.

The net sales revenue of the Customer in 2021 was HUF 130 million, so the imposed data protection fine is far from the maximum fine that can be imposed.


VI. Other questions:


The competence of the Authority is defined by paragraphs (2) and (2a) of Infotv. § 38, and its competence covers the entire territory of the country.

This decision of the Authority is based on Akr. §§ 80-81 and Infotv. § 61 (1). Based on Akr. § 82 (1), the decision becomes final upon its publication. On the basis of Akr. § 112, § 116 (1) and (4) point d), and § 114 (1), the decision can be appealed through an administrative lawsuit.


                                              * * *

According to Akr. § 135, the debtor is obliged to pay a late-payment supplement corresponding to the legal interest if he does not fulfill his obligation to pay money within the deadline.

Based on § 6:48 (1) of Act V of 2013 on the Civil Code, in the case of a monetary debt, the obligor is obliged to pay late interest, starting from the date of default, equal to the central bank base rate valid on the first day of the calendar semester affected by the delay.

The rules of the administrative trial are defined by Act I of 2017 on the Administrative Procedure (hereinafter: Kp.). Based on Kp. § 12 (1), the administrative lawsuit against the decision of the Authority falls within the jurisdiction of the court; based on subparagraph a) of point a) of Kp. § 13 (3), the Metropolitan Court is exclusively competent for the lawsuit. According to Kp. § 27 (1) point b), legal representation is mandatory in a legal dispute in which the court is exclusively competent. According to Kp. § 39 (6), the submission of the statement of claim does not have the effect of postponing the entry into force of the administrative act.


According to § 9 (1) point b) of Act CCXXII of 2015 on the general rules of electronic administration and trust services, applicable pursuant to Kp. § 29 (1) and, in view of this, § 604 of Act CXXX of 2016 on the Code of Civil Procedure, the client's legal representative is obliged to maintain electronic contact.

The time and place of submitting the statement of claim are defined by Kp. § 39 (1). The information on the possibility of a request to hold a hearing is based on Kp. § 77 (1)-(2).

The amount of the fee for the administrative lawsuit is defined by § 45/A (1) of Act XCIII of 1990 on fees (hereinafter: Itv.). Itv. § 59 (1) and § 62 (1) point h) exempt the party initiating the procedure from the advance payment of the fee.


If the Customer does not adequately certify the fulfillment of the required payment obligation, the Authority considers that the obligation was not fulfilled within the deadline. According to Akr. § 132, if the Customer has not complied with the obligations contained in the Authority's final decision, the decision is enforceable. According to Akr. § 82 (1), the Authority's decision becomes final with its communication. Pursuant to Akr. § 133, enforcement - unless a law or government decree provides otherwise - is ordered by the decision-making authority. Pursuant to Akr. § 134, the execution - unless a law, government decree or, in a municipal authority matter, a local government decree provides otherwise - is undertaken by the state tax authority.

Dated: Budapest, August 8, 2022.



                                                               Dr. Attila Péterfalvi
                                                                      president
                                                                c. professor