NAIH (Hungary) - NAIH-2857-20/2021
|NAIH (Hungary) - NAIH-2857-20/2021|
|Relevant Law:||Article 5(1) GDPR|
Article 5(2) GDPR
Article 6(1) GDPR
Article 12(1) GDPR
Article 13 GDPR
Article 58(2)(d) GDPR
Article 83(2) GDPR
|National Case Number/Name:||NAIH-2857-20/2021|
|European Case Law Identifier:||n/a|
|Original Source:||NAIH (in HU)|
Hungarian DPA fines car importer €13,500 (HUF 5,000,000) for sending client satisfaction surveys without a lawful legal ground, and breaching the principles of transparency, accountability and data minimisation in the process.
English Summary[edit | edit source]
Facts[edit | edit source]
A data subject submitted a complaint to the Hungarian DPA after receiving unsolicited e-mails regarding their satisfaction with a car repair service they used earlier. The repair service claimed that it was not the controller in the case, as the communications were sent by another entity, the importer of a specific car brand to Hungary ('importer'). NAIH therefore expanded the inquiry to this importer on its own motion (ex officio). The importer argued that processing personal data for the purpose of ensuring consumer satisfaction was its legitimate interest under Article 6(1)(f) of the GDPR, for which it also conducted the necessary legitimate interest assessment. The importer provided data processing information to the data subjects via printed documents at the reception of the car repair service, and claimed that employees at the service were also tasked to provide information about the processing orally. However, in this specific case, the data subject was only informed that the provision of their e-mail address is not compulsory, but was not provided information regarding the processing to be conducted by the importer regarding surveying client satisfaction either orally or in writing, and was not asked for their consent in this regard. NAIH subsequently expanded the inquiry to the general data protection practices of the importer.
Holding[edit | edit source]
NAIH established that for the purposes of sending the client satisfaction survey e-mails, the importer was to be deemed the data controller, as it was solely responsible for deciding the nature, tools and purposes of processing. The repair shop acted merely as processor for the importer. As such, NAIH rejected the original complaint against the repair shop, as it did not act as the controller for the data. However, the Authority expanded the investigation, ex officio, to the importer. In this regard, NAIH held that the importer was in breach of Articles 5(1)(a), 5(2), 12(1) and 13 of the GDPR, for not providing sufficient information regarding the processing in a transparent, clear and comprehensive manner. The DPA also held that the importer had no legal ground for processing the data under 6(1) GDPR. NAIH argued that the legitimate interest legal ground was not applicable for processing data for the purpose of sending of the satisfaction surveys, because the necessary prerequisites explained in Recital (47) of the GDPR regarding reasonable expectations and other guarantees have not been fulfilled. The Authority especially emphasised that the data subject had no opportunity to express prior objection to the processing of their data. Finally, NAIH also examined, ex officio, whether the importer's overall data processing practices raised any data protection concerns. The DPA noted that as a general practice, the importer did not disclose in its e-mails that it acted as the data controller, where it obtained the data from, and from where the data subject can obtain more information regarding the processing. NAIH also argued that the importer was in breach of the data minimisation principle, because the processing of the data subjects' address, age, gender, telephone number and car registration identifiers were not necessary for the purposes of conducting client satisfaction surveys. When it comes to remedies and penalties, the Authority decided that there was no further action necessary in the individual case brought by the data subject. However, NAIH decided to impose a fine of €13,500 (5,000,000 HUF) under Article 83(2) for the general data processing practices of the importer, and ordered it to bring its processing operations into compliance with the GDPR under Article 58(2)(d).
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.