NAIH (Hungary) - NAIH-2857-20/2021: Difference between revisions

From GDPRhub

Latest revision as of 11:03, 21 January 2022

NAIH (Hungary) - NAIH-2857-20/2021
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 5(1) GDPR
Article 5(2) GDPR
Article 6(1) GDPR
Article 12(1) GDPR
Article 13 GDPR
Article 58(2)(d) GDPR
Article 83(2) GDPR
Type: Complaint
Outcome: Partly Upheld
Started:
Decided: 27.10.2021
Published: 15.12.2021
Fine: 5000000 HUF
Parties: n/a
National Case Number/Name: NAIH-2857-20/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Hungarian
Original Source: NAIH (in HU)
Initial Contributor: Tapir

Hungarian DPA fines car importer €13,500 (HUF 5,000,000) for sending client satisfaction surveys without a lawful legal ground, and breaching the principles of transparency, accountability and data minimisation in the process.

English Summary

Facts

A data subject submitted a complaint to the Hungarian DPA after receiving unsolicited e-mails regarding their satisfaction with a car repair service they used earlier. The repair service claimed that it was not the controller in the case, as the communications were sent by another entity, the importer of a specific car brand to Hungary ('importer'). NAIH therefore expanded the inquiry to this importer on its own motion (ex officio). The importer argued that processing personal data for the purpose of ensuring consumer satisfaction was its legitimate interest under Article 6(1)(f) of the GDPR, for which it also conducted the necessary legitimate interest assessment. The importer provided data processing information to the data subjects via printed documents at the reception of the car repair service, and claimed that employees at the service were also tasked to provide information about the processing orally. However, in this specific case, the data subject was only informed that the provision of their e-mail address is not compulsory, but was not provided information regarding the processing to be conducted by the importer regarding surveying client satisfaction either orally or in writing, and was not asked for their consent in this regard. NAIH subsequently expanded the inquiry to the general data protection practices of the importer.

Holding

NAIH established that, for the purposes of sending the client satisfaction survey e-mails, the importer was to be deemed the data controller, as it was solely responsible for deciding the nature, tools and purposes of processing. The repair shop acted merely as processor for the importer. As such, NAIH rejected the original complaint against the repair shop, as it did not act as the controller for the data.

However, the Authority expanded the investigation, ex officio, to the importer. In this regard, NAIH held that the importer was in breach of Articles 5(1)(a), 5(2), 12(1) and 13 of the GDPR, for not providing sufficient information regarding the processing in a transparent, clear and comprehensive manner.

The DPA also held that the importer had no legal ground for processing the data under Article 6(1) GDPR. NAIH argued that the legitimate interest legal ground was not applicable to processing data for the purpose of sending the satisfaction surveys, because the necessary prerequisites explained in Recital (47) of the GDPR regarding reasonable expectations and other guarantees had not been fulfilled. The Authority especially emphasised that the data subject had no opportunity to express prior objection to the processing of their data.

Finally, NAIH also examined, ex officio, whether the importer's overall data processing practices raised any data protection concerns. The DPA noted that, as a general practice, the importer did not disclose in its e-mails that it acted as the data controller, where it obtained the data from, or where the data subject could obtain more information regarding the processing. NAIH also argued that the importer was in breach of the data minimisation principle, because the processing of the data subjects' address, age, gender, telephone number and car registration identifiers was not necessary for the purposes of conducting client satisfaction surveys.

When it comes to remedies and penalties, the Authority decided that there was no further action necessary in the individual case brought by the data subject. However, NAIH decided to impose a fine of €13,500 (5,000,000 HUF) under Article 83(2) for the general data processing practices of the importer, and ordered it to bring its processing operations into compliance with the GDPR under Article 58(2)(d).

English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

 Registration number: NAIH-2857-20 / 2021 Subject: Decision





                                   DECISION


Before the National Data Protection and Freedom of Information Authority (hereinafter: the Authority)

……………………. applicant (address: ……………………………………………… .; a
hereinafter referred to as the "Applicant")
(registered office: …………………………………………… .; hereinafter: the Applicant) 2021.
his application for unlawful processing of personal data lodged on 23 February
in which the Authority granted client status
to ………………………………………. ……………………… .. (registered office:
……………………………. ……………………; hereinafter referred to as "the Importer"), and

The Authority extended the subject matter of the customer satisfaction survey carried out by the Applicant and the Importer.
to examine general data management practices related to measurement - the following decisions
brings:

I. The Authority shall request the Applicant to establish that the Applicant
unlawfully transmitted in the absence of adequate individual information and a valid legal basis
The email address of the applicant and the technical identification of his vehicle to the Importer,

rejects.

II. The Authority shall establish ex officio that the importer is provided with appropriate individual information and
handled the Applicant's email address, address and telephone number in the absence of a valid legal basis,
as well as the technical identification data of your vehicle, thus the Importer is the personal identity of the Applicant
violated a
on the protection of individuals with regard to the processing of personal data and

on the free movement of such data and repealing Directive 95/46 / EC
Article 5 (1) of Regulation (EU) No 2016/679 (hereinafter referred to as the General Data Protection Regulation)
the principle of lawful and transparent data processing in accordance with Article 12 (1)
and Article 13 of the General Data Protection Regulation - concise, transparent, comprehensible and easy to use
the provision of information in an accessible form that is clear and comprehensible
pursuant to Article 5 (2) of the General Data Protection Regulation
accountability and the general data protection regulation as regards the legal basis

Article 6 (1).

III. The Authority will determine ex officio that the Importer is measuring customer satisfaction
for reasons explained in the explanatory memorandum
lawful and transparent data processing in accordance with Article 5 (1) (a) of the Data Protection Regulation
Article 5 (1) (c) of the General Data Protection Regulation
principle of data protection, Article 6 (1) of the General Data Protection Regulation and general

Article 13 of the Data Protection Regulation.

IV. Due to the above data breaches, the Authority will notify the Importer ex officio

                           HUF 5,000,000, ie HUF 5 million
                                 data protection fine


                               obliges to pay.







V. The Authority considers the general data protection regulation in view of the infringing data processing practices
Pursuant to Article 58 (2) (d), the importer shall be required ex officio to
within 30 days of the date of receipt of this Decision

with the provisions of the General Data Protection Regulation in the explanatory memorandum to this decision
as explained above. The fulfillment of this decision by the Importer shall become final
within 30 days of the divorce. in writing - the supporting evidence
to the Authority.

A IV. within 30 days of the final adoption of this Decision
Authority's centralized revenue collection special purpose forint account (10032000-

01040425-00000000 Centralized direct debit IBAN: HU83 1003 2000 0104 0425
0000 0000). When transferring the amount, "NAIH-2857/2021 JUDGMENT." for
should be referred to.

Failure by the Importer to meet its obligation to pay the fine within the time limit shall be delayed
The amount of the late payment allowance is the statutory interest, which is
equal to the central bank base rate valid on the first day of the calendar half-year concerned.


Failure to pay the fine and the penalty payment and the obligation under point V above
in the event of non-compliance, the Authority shall order enforcement of the decision.

There is no administrative appeal against the decision, but it is from the communication
within 30 days of the action brought before the Metropolitan Court in an administrative action
can be challenged. The application shall be submitted to the Authority, electronically, which shall be

forward it to the court together with the case file. The request for a hearing shall be made by:
must be indicated in the application. For those who do not benefit from full personal exemption
the fee of the administrative lawsuit is HUF 30,000, the lawsuit is subject to the right to record material fees. The Capital
Legal proceedings are mandatory in proceedings before the General Court.


                                      EXPLANATORY STATEMENT



I. Procedure and clarification of the facts

On February 23, 2021, the Applicant submitted an application received by AVDH with authentication a
To the authority in which he stated that after having been inspected / serviced by the Applicant
your car, gave the Applicant the email address (…………… .. …………….). On this

email address On February 12, 2021, he received an unsolicited email with a request to do so
fill in a satisfaction questionnaire and then send another email by February 19, 2021.
I, in which I was again asked to complete the questionnaire due to a lack of response. Emails a
The chassis number of the applicant's ……………… car was also included. The Applicant is
did not use the unsubscribe link in the emails, but the authority’s procedure
initiated because, in his opinion, emails from a source unknown to him
he should not have received it in the first place, and this illegality cannot be remedied afterwards

asked to find out.

In its application to the Authority, the Applicant requested a declaration that a
Applicant has illegally provided the email address provided by the Applicant during servicing to
surveyor. for.





At the request of the Authority, the Applicant received a reply on 5 May 2021, inter alia
He stated that although he also conducts occasional surveys to measure customer satisfaction and
for advertising purposes, however, with regard to specific data processing, it was the Importer

data controller making data management decisions. For this reason, the Importer has this privacy policy
involvement in the regulatory process as a client and further clarification of the facts
necessary for which the Authority, in its opinion of 2 June 2021, NAIH-2857-6 / 2021,
An order dated 31 May 2021 was sent to the Importer.


The Applicant also attached its own data management information to the above reply, which
according to his statement, it is also available in print at the reception or at the customer desk. THE
According to the Applicant, the Applicant and the Importer as well as the manufacturer of the cars
(……………………………., Established in ………………………………………… .., hereinafter referred to as
Manufacturers) engaged in joint economic activities in the field of general data protection
under this Regulation. Interest balance dated 21 December 2020 attached by the Applicant

according to the Applicant as a data controller for market research and customer satisfaction measurement purposes
forward data to the Importer and the Manufacturer. This is confirmed by the Requested “2020.
”.. of the data management information notice, which does not indicate the exact scope
provided that the Importer also transfers the data to …………… .. as a data processor.

In its reply to the Authority's request received on 21 June 2021, the Importer confirmed that

that, in its view, the Importer qualifies for the data processing under investigation
the purpose and means of the data processing shall be determined by the Importer. The Requested
importer brand service partner. In the context of this legal relationship, the Importer and the Applicant
there is close cooperation between them. By the Applicant and the brand partners on the standard
used worksheet refers to the data management information available on the Importer's website
contains a link. The Importer received from the Applicant on January 14, 2021 a

Applicant's contact email address and technical details of the vehicle repair. This data is
The importer has provided a customer satisfaction report to its data processor, …………………….
for transmission to a third party. Importer 's declaration and
According to the data management information available on the importer 's website, the
the legal basis for the processing of data for customer satisfaction surveys is the importer's legitimate interest in
as the sole importer of …………… .. motor vehicles in Hungary

the Hungarian dealership and service partners are of the expected quality
requirements. In this regard, the Importer also has a balancing test
attached to your answer. According to the prospectus, the range of data processed is the customer's wiring and
first name, email address, home address, telephone number, chassis number, registration number of your vehicle,
technical data, the name of the dealer or service center used, the name used

the date of service and the content of any feedback. According to the Importer 's declaration
it is industry practice to measure customer satisfaction.

As the Applicant is responsible for informing and securing the right to object
its reply was not complete and the Authority again requested further clarification of the facts
contacted the Importer and the Applicant.


The importer received the second request from the Authority on 30 July 2021
stated that the individual information of the data subjects would be provided as an annex to the worksheet
printed data management information, this is the expected procedure for brand partners
towards.


The Applicant's second request to the Authority was sent electronically on 28 July 2021 by post
In a submission received on July 30, 2021, he stated that at the reception and the

1https: // ………………………………………





made available at the customer desk by printing the data management information. In addition, the
The importer expects its general procedure to be informed orally about the data processing
the client is provided with the data management when requesting the data and as an attachment to the worksheet
printed version of the prospectus. Verbal information includes, but is not limited to, email
address is optional. In the individual case, according to the Applicant's statement about it

the Applicant was informed orally that the provision of the e - mail address is not mandatory, however
The Applicant did not receive any special information on its use for customer satisfaction measurement. THE
in the present individual case, the Applicant's employee has failed to complete the worksheet,
Applicant's signature and a printed version of the data management information
as an annex to the worksheet. The Applicant attached the unfilled worksheet
which contains a link to the Importer 's website, but is not
in relation to the measurement of customer satisfaction, but specifically the performance of the contract and

data processed in connection with the performance of the service on the basis of a legal obligation
provide a reference as a source of more detailed information on this
data processing. In addition to the survey prepared by the Importer, the Applicant shall also
sent a separate satisfaction survey to the Applicant, against which the Applicant did not
he protested, filling it out and sending it back.

On 12 July 2021, the Authority sent the Applicant a summary of the information disclosed so far

relevant facts.

Based on the replies of the Applicant and the Importer, the individual case could not be considered a
Without examining the general practice regarding the processing of data relating to an applicant,
therefore, on 11 August 2021, the Authority ex officio extended the proceedings to the Applicant and
general data management related to the customer satisfaction measurement performed by the Importer
practice.


The Authority’s general practice and the General Administrative Procedure Act 2016
year CL. (hereinafter: Ákr.) for final declarations pursuant to § 76
given in his reply received on September 2, 2021, the Applicant sent his own separately
questions used in connection with customer satisfaction measurement and the Applicant provided this
personal data to be transmitted to the Importer and stated that
maintains its statements of 4 May 2021 on the issue that

why some of the personal data transmitted is needed to measure customer satisfaction. E
in this respect, it reiterated the balance of interests which did not require each type of data
however, indicated that the exact answer regarding the data transfer was given
is within the competence of the Importer, the Applicant is bound only by the Importer
acted on the basis of his contract. It also claimed that under the contract with the Importer,
had to make a commitment in return for the rights granted to the Applicant in the contract
to meet and control the highest level of customer needs

to ensure data transmission. The minimum requirements, the related framework and
corner points shall be determined unilaterally by the Importer on an annual basis. The Importer shall sign the contract
may terminate unilaterally if the customer satisfaction
the result of the measurement does not meet the values specified by the Importer. For the Manufacturer a
Applicant does not transfer personal data. For the Importer for servicing
information is transmitted in a personal manner, as it considers that
necessary to measure customer satisfaction and improve customer relationships.

identification. In his opinion, improving customer relationships is also in the interest of customers. The Ákr.
Pursuant to § 76, the Applicant maintained his declaration that he had not committed
breach of data protection when the email address of the Applicant was forwarded by the
For importer. In its view, the relationship between the Applicant and the parties concerned is relevant and
there is a proper connection and the data transmitted are not unnecessarily affected or
disproportionately to the privacy of the data subject and the widespread use of the





you can expect this because of practice. The Requested in the present case and generally serious resources
mobilize in order to provide its employees with adequate awareness and knowledge
handle customers ’personal information. He highlights his responsibilities among that
has fulfilled its obligation to provide data under its contract with the Importer,
As per importer's expectations. He also asks to take into account that the Authority has not yet done so

established a data breach against the Applicant, did everything in its power to do so
and the current COVID-19 situation for the whole sector is extremely high
had a negative effect. The applicant also states that it qualifies as an SME.

The Authority's general practice and the Ákr. 76. for final declarations
In its reply received on 13 September 2021, the Importer sent
customer satisfaction survey, the questions of which were included in the Applicant

questions from a separate set of questions and other questions, including the gender of the person concerned and
about his age. The Importer also stated that the chassis number of the vehicle (and present
not in the case of service, only the registration number in case of sale of a new vehicle)
manage customer satisfaction measurement to identify which one
the opinion of the customer concerned in relation to the vehicle. According to the Importer 's declaration
the customer's name, email address, telephone number, and home address are all required to complete the questionnaire
contact and, if necessary, further contact based on the answers.

Vehicle breakdown details and service name, location and time of service
his data are necessary to understand what work he was satisfied with and
dissatisfied with the customer. Data handled in relation to customer satisfaction measurement
they are not required for any other purpose, they shall be handled by the Importer only for that purpose. Customers
and the identification of the vehicle is handled independently by the Importer for other purposes,
but not as a result of data transmission. If the customer does not consent to your data
will be forwarded anonymously to the Importer by the surveyor

data processor. Customer identification matters if it is negative
in the event of an opinion, the complaint must be investigated. The Importer is only aggregated towards the Manufacturer
transmits anonymous statistics, not specific personal data. Importer 's declaration
According to it, it receives service data from branded services connected to a natural person
the Importer because that is the only way to perform the customer satisfaction measurement. Attached to the answer
brand service contract copy IV. Confirmed by the Applicant on 2 September 2021
that the transfer is unilateral by the Importer

imposed an obligation on the Applicant and the terms thereof unilaterally by the Importer
is entitled to determine and change, while the Applicant is not entitled to do so. For the answer
copy of the attached brand service contract According to Article V (5), the brand service is obliged to
Establish and keep up-to-date a customer register in the form specified by the importer,
whose data must be communicated to the Importer on a regular and continuous basis
………………. traceability of motor vehicles, current and future
traceability of compliance with regulations, organization of possible recall campaigns

and tracking, organizing public opinion polls among end customers, customers
developing and recommending products and services that best meet your expectations
for the purpose. Regardless, the Importer and the Requested are independent economic operators, independent
act as data controllers. The Ákr. Pursuant to Article 76, the Importer has maintained his declaration that
that he had not committed a breach of data protection, acted in full law and emphasizes that
that you only receive the results of the customer satisfaction measurement from the data processor if
if the customer has consented to the disclosure of his name. The purpose of customer satisfaction measurement

primarily the examination of trends, trends, is not the focus of a given customer's responses
examination, only in case of a negative opinion or complaint. The Importer's data management operations
due diligence and compliance with applicable legislation, so far
no complaints were received about the data processing, and the Authority has not yet acted on this
Regarding importer data management. Nevertheless, a possible legal consequence





the importer requests that the current situation of COVID-19 be taken into account
had an extremely negative impact on the sector as a whole, as well as the following circumstances:
    - the nature, scope and purpose of the data processing are not such as to seriously affect the data subject
       would invade his private sphere,
    - the persons concerned do not suffer any damage and, moreover, as explained above,
       data management also serves the interests of data subjects,
    - the alleged infringement is negligent,
    - the Importer, as data controller, has not previously committed a data breach, such as
       Authority did not establish, Importer was not ordered to general
       one of the measures referred to in Article 58 (2) of the Data Protection Regulation,
       and compliance with the measures in question,
    - the importer cooperated in good faith with the Authority throughout the proceeding,
    - the categories of personal data concerned by the processing do not fall into any particular category
       personal data, nor personal data that is deeply concerned
       would invade his privacy.

The Ákr. Pursuant to Section 76, the Authority summoned the Applicant on 15 September 2021
to submit its final statements, which was invited by the Applicant on 17 September 2021
but did not submit a statement within that 15-day period

or application.

In the absence of any declaration by the Importer, the Authority
Beszamolo.im.gov.hu recorded on the basis of a public online database that the Importer
The annual net sales (turnover) of the company was HUF,, the profit after tax
and was HUF.



II. Applicable legal provisions

According to Article 2 (1) of the General Data Protection Regulation, the general data protection
Regulation should apply to personal data in a partially or fully automated manner
and the non-automated processing of data which
are part of a registration system or are part of a registration system

they want to be part of.

Under Article 4 (1) of the General Data Protection Regulation, "personal data" are identified or
any information relating to an identifiable natural person ("data subject"), including
also the online ID.

Under Article 4 (2) of the General Data Protection Regulation, "processing" is personal

performed on data or files in an automated or non-automated manner
an operation or set of operations, such as collecting, recording, organizing, segmenting, storing,
modification or alteration, querying, viewing, use, transmission of communication,
by distribution or otherwise making available, coordination or
linking, restricting, deleting or destroying.

Under Article 4 (7) of the General Data Protection Regulation, "controller" means a natural or

legal person, public authority, agency or any other body which is personal
determine the purposes and means of data processing, either individually or in association with others.

Under Article 4 (8) of the General Data Protection Regulation, a "processor" is a natural or
legal person, public authority, agency or any other body which processes personal data on
behalf of the controller.

Under Article 4 (10) of the General Data Protection Regulation, a "third party" is a natural
or legal person, public authority, agency or any other body other than the data subject, the
controller, the processor and the persons who, under the direct authority of the controller
or processor, are authorised to process personal data.

According to Article 5 (1) (a) of the General Data Protection Regulation, personal data must
be processed lawfully, fairly and in a manner that is transparent to the data subject
("lawfulness, fairness and transparency").

Pursuant to Article 5 (1) (c) of the General Data Protection Regulation, personal data must
be adequate, relevant and limited to what is necessary in relation to the purposes of the
data processing ("data minimisation").

Pursuant to Article 5 (2) of the General Data Protection Regulation, the controller is
responsible for compliance with paragraph 1 and must be able to demonstrate such compliance
("accountability").


According to Article 6 (1) (f) of the General Data Protection Regulation, the processing of
personal data is lawful if the processing is necessary for the purposes of the legitimate
interests of the controller or of a third party, unless those interests are overridden by
the interests or fundamental rights and freedoms of the data subject which require the
protection of personal data, especially if the data subject is a child.

According to the first three sentences of recital 47 of the General Data Protection
Regulation, the legitimate interests of a controller, including those of a controller to
which the personal data may be disclosed, or of a third party, may provide a legal basis for
the processing, provided that the interests or the fundamental rights and freedoms of the
data subject do not take precedence, taking into account the reasonable expectations of the
data subject based on his or her relationship with the controller. Such a legitimate
interest may exist, for example, where there is a relevant and appropriate relationship
between the data subject and the controller, for example in cases where the data subject is
a customer of the controller or is employed by it. To establish the existence of a
legitimate interest, it must in any case be carefully examined, inter alia, whether the data
subject can reasonably expect, at the time of and in connection with the collection of the
personal data, that the data may be processed for that purpose.

Pursuant to Article 12 (1) of the General Data Protection Regulation, the controller shall
take appropriate measures to provide the data subject with all the information referred to
in Article 13 and each communication under Articles 15 to 22 and Article 34 relating to the
processing of personal data in a concise, transparent, intelligible and easily accessible
form, using clear and plain language, in particular for any information addressed to
children.

Article 13 of the General Data Protection Regulation lists the minimum information that the
controller is obliged to provide to the data subject where personal data relating to the
data subject are collected from the data subject:

   (a) the identity and contact details of the controller and, if any, of the controller's
   representative;

   (b) the contact details of the Data Protection Officer, if any;

   (c) the purpose of the intended processing of the personal data and the legal basis for
   the processing;

   (d) in the case of data processing based on Article 6 (1) (f) of the General Data
   Protection Regulation, the legitimate interests of the controller or of a third party;

   (e) where applicable, the recipients or categories of recipients of the personal data, if
   any;

   (f) where applicable, the fact that the controller intends to transfer the personal data
   to a third country or to an international organization, and the existence or absence of
   an adequacy decision by the Commission or, in the case of a transfer referred to in
   Article 46, Article 47 or the second subparagraph of Article 49 (1) of the General Data
   Protection Regulation, a reference to the appropriate and suitable guarantees and to the
   means of obtaining a copy of them or to where they are available;

   (g) the period for which the personal data will be stored or, failing that, the criteria
   for determining that period;

   (h) the data subject's right to request from the controller access to, rectification,
   erasure or restriction of the processing of the personal data concerning him or her, and
   to object to the processing of such personal data, as well as the data subject's right to
   data portability;

   (i) in the case of data processing based on Article 6 (1) (a) or Article 9 (2) (a) of the
   General Data Protection Regulation, the right to withdraw the consent at any time, which
   shall not affect the lawfulness of data processing carried out on the basis of the
   consent prior to the withdrawal;

   (j) the right to lodge a complaint with the supervisory authority;

   (k) whether the provision of personal data is based on a legal or contractual obligation
   or is a precondition for concluding a contract, whether the data subject is obliged to
   provide the personal data, and what consequences a failure to provide the data may have;

   (l) the fact of automated decision-making, including profiling, referred to in Article 22
   (1) and (4) of the General Data Protection Regulation and, at least in these cases,
   understandable information on the logic used and on what significance such data
   processing has and what the expected consequences are for the data subject.

Pursuant to Section 2 (2) of Act CXII of 2011 on the right to informational
self-determination and freedom of information (hereinafter: Infotv.), the General Data
Protection Regulation shall apply to data processing covered by the General Data Protection
Regulation with the additions set out in the provisions specified therein.


Pursuant to Section 60 (1) of the Infotv., in order to enforce the right to the protection
of personal data, the Authority shall initiate a data protection authority procedure at the
request of the data subject and may initiate a data protection authority procedure ex
officio.

Pursuant to Section 61 (1) (a) of the Infotv., in its decision taken in a data protection
authority procedure, the Authority may apply the legal consequences defined in the General
Data Protection Regulation in the context of the data processing specified in Section 2 (2).

Pursuant to Section 71 (2) of the Infotv., the Authority may use in another procedure a
document, data or other means of proof that it lawfully acquired in the course of its
proceedings.

Pursuant to Section 75/A of the Infotv., the Authority shall exercise the powers set out in
Article 83 (2) to (6) of the General Data Protection Regulation in accordance with the
principle of proportionality, in particular by acting, in accordance with Article 58 of the
General Data Protection Regulation, primarily by warning the controller or processor where
the requirements on the processing of personal data set out in law or in a binding act of
the European Union are breached.

In accordance with Article 58 (2) (d) of the General Data Protection Regulation, the
Authority shall instruct the controller or processor to bring its data processing operations
into line with the provisions of this Regulation, where appropriate in a specified manner
and within a specified period.


Pursuant to Article 58 (2) (i) of the General Data Protection Regulation, the Authority
shall impose an administrative fine in accordance with Article 83, depending on the
circumstances of the case, in addition to or instead of the measures referred to in this
paragraph.

Pursuant to Article 83 (1) of the General Data Protection Regulation, each supervisory
authority shall ensure that the administrative fines imposed pursuant to this Article for
any breach of this Regulation referred to in paragraphs 4, 5 and 6 are effective,
proportionate and dissuasive in each case.

According to Article 83 (2) of the General Data Protection Regulation, administrative fines
shall be imposed, depending on the circumstances of the case, in addition to or instead of
the measures referred to in points (a) to (h) and (j) of Article 58 (2) of the General Data
Protection Regulation. In deciding whether it is necessary to impose an administrative fine,
and in determining the amount of the administrative fine, the following must be taken into
account in each case:

   (a) the nature, gravity and duration of the infringement, taking into account the nature,
   scope or purpose of the processing in question, the number of data subjects affected by
   the breach and the extent of the damage they have suffered;

   (b) the intentional or negligent nature of the infringement;

   (c) any measures taken by the controller or the processor to alleviate the damage suffered
   by the data subjects;

   (d) the extent of the responsibility of the controller or processor, taking into account
   the technical and organizational measures it has taken pursuant to Articles 25 and 32 of
   the General Data Protection Regulation;

   (e) relevant infringements previously committed by the controller or processor;

   (f) the degree of cooperation with the supervisory authority to remedy the breach and to
   mitigate its possible negative effects;

   (g) the categories of personal data concerned by the breach;

   (h) the manner in which the supervisory authority became aware of the infringement, in
   particular whether the breach has been reported by the controller or processor and, if
   so, in what detail;

   (i) if one of the measures referred to in Article 58 (2) of the General Data Protection
   Regulation was previously ordered against the controller or processor concerned in the
   same matter, compliance with that measure;

   (j) whether the controller or processor has complied with codes of conduct approved in
   accordance with Article 40 of the General Data Protection Regulation or with approved
   certification mechanisms under Article 42 of the General Data Protection Regulation; and

   (k) other aggravating or mitigating factors relevant to the circumstances of the case,
   for example the financial gain obtained or the loss avoided as a direct or indirect
   consequence of the infringement.

Pursuant to Article 83 (5) of the General Data Protection Regulation, breaches of the
following provisions shall, in accordance with paragraph 2, be subject to administrative
fines or, in the case of undertakings, to a fine of up to 4% of their total worldwide
turnover in the previous financial year, whichever amount is higher:

   (a) the principles of data processing, including the conditions for consent, in
   accordance with Articles 5, 6, 7 and 9 of the General Data Protection Regulation;

   (b) the rights of data subjects in accordance with Articles 12 to 22 of the General Data
   Protection Regulation;

   (c) the transfer of personal data to a recipient in a third country or to an
   international organization in accordance with Articles 44 to 49 of the General Data
   Protection Regulation;

   (d) obligations under the law of the Member States adopted pursuant to Chapter IX of the
   General Data Protection Regulation;

   (e) non-compliance with an order of the supervisory authority under Article 58 (2) of the
   General Data Protection Regulation, with a temporary or permanent restriction of data
   processing or with a request to suspend the flow of data, or failure to provide access in
   breach of Article 58 (1) of the General Data Protection Regulation.


Unless otherwise provided in the General Data Protection Regulation, the provisions of the
Ákr. shall apply to data protection authority proceedings initiated upon application, with
the deviations specified in the Infotv.

Pursuant to Section 10 (1) of the Ákr., a client is a natural or legal person or other
organization whose right or legitimate interest is directly affected by the matter, in
respect of whom an official register contains data, or who has been placed under official
control.


III. Decision

1. The subject of the proceedings and the identity of the controller


The subject of the proceedings initiated on the application is whether the Requested
processed the Applicant's personal data unlawfully.

The subject of the ex officio extended procedure is the examination, in the individual case,
of the lawfulness of the Importer's data processing in relation to the emails sent to the
Applicant via …………………… for the purpose of the customer satisfaction survey, in particular
whether the Importer lawfully obtained the personal data of the Applicant and the data of
the service from the Applicant.

The subject of the ex officio procedure is also the examination of the Importer's general
practice in relation to the customer satisfaction survey and the general classification of
its interests.


Based on the available information, no personal data were transferred to the Manufacturer in
relation to the data processing under investigation, so this procedure does not cover the
data processing of the Manufacturer, and extending it in that direction would otherwise be
possible only with the involvement of the competent French data protection authority.


In the absence of a request to that effect, the subject of the proceedings is not the
Requested's own data processing for the purpose of customer satisfaction surveys with its
own questionnaire: the Applicant made no complaint about it, the Applicant completed and
returned the questionnaire, and it is a separate data processing that is not performed by
the Importer. In the present proceedings, the Applicant expressly objected that a person
other than the Requested, to the best of his knowledge, also processed his personal data; in
this respect it is not legally relevant that the Requested also conducted its own survey,
which is not disputed by the Applicant.

According to the Applicant's statement of 5 May 2021, the Importer and the Manufacturer (not
investigated in this proceeding) are engaged in a joint economic activity. According to the
Importer's statement of 21 June 2021, there is a close co-operation between the Importer and
the Applicant. Despite the repeated requests of the Authority, neither the Applicant nor the
Importer made a statement or submitted a document which would support joint data processing,
and the circumstances disclosed in the proceedings do not suggest this either.

The data processing information of the Applicant designates the Applicant as the data
controller of the data transmission for the purpose of the survey (email address, car
identification data, service data). According to the declarations of the Importer and the
Applicant and the information available on the website of the Importer, the decisions
regarding the sending of the emails complained of were taken by the Importer alone, so the
Importer shall be deemed to be the controller of the data processing directly related to the
sending of the emails.

According to Parts IV and V of the branded service contract concluded between the Importer
and the Applicant, attached to the statements received from the Applicant on 2 September
2021 and from the Importer on 13 September 2021, the measurement of customer satisfaction,
the related data set and the obligation of the Requested to provide data all depend solely
on the unilateral decision of the Importer. Based on this, the Importer can at any time
unilaterally define and modify the purpose, means and manner of the data processing related
to customer satisfaction measurement. This is done through the branded service contract,
which constitutes a contract defining data processing within the meaning of Article 28 (3)
of the General Data Protection Regulation. In the light of all the circumstances of the
case, the Applicant is considered a data processor of the Importer in the above legal
relationship.


In the light of the specific circumstances of the case set out in the grounds of this
decision, in respect of the data processing which is the subject of the present proceedings
the Importer is the sole data controller, and the Applicant only acts as a data processor
under the brand service contract. The data processor does not perform independent data
processing; its activity is considered to be the activity of the data controller, and it
does not act for an independent purpose or on an independent legal basis. According to
Article 4 (10) of the General Data Protection Regulation, data processors in a contractual
relationship with the data controller are not considered third parties in relation to the
controller. Accordingly, it does not qualify as a data transfer to a third party when, in
the data processing specified by the Importer, the data processor transfers the personal
data of the data subjects to the Importer solely in the interest of the Importer (in the
case of a negative opinion, against the interest of the Applicant); this only constitutes a
movement of data within the Importer's sphere of interest.

2. Rejection of the application

As explained above, the application was aimed at establishing the unlawfulness of the data
transmission and data processing of the Requested, and the Requested could not have
committed the infringement, for which the data controller is responsible, because it is not
the data controller of the data processing under investigation; the Authority therefore
rejected the application in accordance with the operative part.

However, the Authority examined ex officio, as set out below, the lawfulness of the
Importer's data processing and its general data processing practice relating to the subject
matter of the present proceedings.

3. The processing of the Applicant's personal data by the Importer

measurement

3.1. Lack of adequate information

According to Article 12 (1) of the General Data Protection Regulation, the Importer as data
controller shall take appropriate measures to provide the data subject with all the
information on the processing of personal data referred to in Article 13 and each
communication under Articles 15 to 22 and Article 34 in a concise, transparent, intelligible
and easily accessible form, using clear and plain language.

The system of adequate information in the General Data Protection Regulation serves to make
the data subject aware of which personal data will be processed, by which data controller,
for which purpose and how. This is essential for the data subject to be in a position to
exercise the rights of the data subject. In the case of data processing based on Article 6
(1) (f) of the General Data Protection Regulation, there is an increased information
requirement under recital 47 of the General Data Protection Regulation. According to this,
in addition to the specific information referred to in Article 13 of the General Data
Protection Regulation, an additional condition is that the data processing in question must
fall within the data subject's reasonable expectations and there must be some direct
customer or other relationship between the data subject and the data controller. Given that
in the present case the Importer is the data controller, the direct legal relationship
between the Importer and the Applicant must be examined, not the relationship between the
motor vehicle sales dealership or the Requested and the Applicant. In the absence of good
information, the data subject is not in a position to exercise the rights of the data
subject properly. As explained above, the obligation to provide information is not a mere
"securitization" obligation in the General Data Protection Regulation. The articles of the
General Data Protection Regulation, when defining the obligations of the controller,
prescribe this and not merely proof of a specific minimal effort on the part of the
controller. The purpose of the information is to put the data subject in a position to make
appropriate decisions in connection with the exercise of his or her rights.

When examining individual data processing, the Authority establishes whether, in the
specific case, the relevant information was provided in respect of the Applicant, i.e. what
information the Applicant received about the data processing. The Authority assesses this
individually, in each case, taking into account the available evidence.


It is also clear from the facts that there is no direct legal relationship or client
relationship between the Applicant and the Importer. The fact that the Applicant is a
customer of the Requested and the Requested is a contractual partner of the Importer does
not yet make the Applicant a customer of the Importer and does not automatically create the
relationship required under recital 47 of the General Data Protection Regulation. Without
examining the general practice, in the present case there would be a substantial,
demonstrable relationship between the Applicant and the Importer if the Applicant were aware
of this activity of the Importer. The Applicant specifically indicated in his application
that he learned of the role of the Importer neither from the ………………. emails nor from any
advance notice. Finding this out from an external source is not the data subject's
obligation under the General Data Protection Regulation; rather, as explained above, it is
part of the data controller's obligations to put the Applicant in a position to know this
reasonably. A very small reference to data processing in an unfilled and unsigned worksheet
issued by the Requested, for a different purpose (not satisfaction measurement) and with a
completely different legal basis, in no way meets the requirement of appropriate, clear and
transparent information under the General Data Protection Regulation, and the Applicant
could not link it in any way to the measurement of customer satisfaction.


In the present case, it can be stated that, due to an occasional omission by one of the
employees of the data processor acting under the responsibility of the Importer, the
Applicant did not receive the worksheet and, as an annex to it, the data processing
information of the Requested and the Importer, nor was he informed orally that a person
other than the Requested would process the Applicant's email address and certain data. He
was only informed, not provably and only orally, that he was not required to provide his
email address, but that in itself is not sufficient information for an informed exercise of
the rights of the data subject and for learning exactly what the email address will be used
for and what other data are affected. The information not provided to the Applicant
otherwise incorrectly indicated the Requested as the data controller of the data
transmission.

The Requested also sent a separate satisfaction survey to the Applicant. Owing to the direct
customer relationship between the Applicant and the Requested and the provision of the email
address, this could reasonably be expected by the Applicant, and the Applicant did not
object to it. However, in the present case it also follows that, after a survey of the
Requested had already been completed, in the absence of adequate information the Applicant
could not reasonably expect that the Importer, with whom the Applicant had no previous
relationship, would contact him by email with another survey, moreover through a third
party, ……………… .., in an email that specifically identified neither the Importer nor the
Requested. There was no reference in the emails to the actual sender (the Importer) or to
the source of the personal data, and finding this out is not the Applicant's role as data
subject. On this basis, the Applicant could legitimately believe that …………………. had obtained
his personal data unlawfully, and that situation was caused by the improper procedure of the
Importer as data controller. Based on both the content of the application and the facts
revealed during the clarification of the facts, the Applicant did not expect and could not
have expected that his email address and other personal data would be forwarded to the
Importer and that he would be contacted by the Importer. Even if, as alleged, the relevant
information exists at the Receptionist's Office, that too was not reasonably foreseeable for
the Applicant in the absence of specific information to that effect, so it is not viable to
base the provision of information to the data subject on it, and it does not meet the
increased expectation and responsibility set out above. This is especially true for online
data processing, where providing the appropriate concise information in the email would not
have caused any real additional cost.

In addition to the above, Article 5 (2) of the General Data Protection Regulation explicitly
places on the controller the burden of proving that the Applicant has been adequately
informed. The General Data Protection Regulation does not preclude oral information;
however, in the event of a statement to the contrary by the data subject and in the absence
of proof, the Authority evaluates this, under the principle in Article 5 of the General Data
Protection Regulation, at the expense of the controller, in this case the Importer. Since,
according to the Applicant's statements, the oral information in the individual case did not
even cover exactly the purposes for which the personal data involved in the transfer would
be used, taking into account the above it does not fulfil the General Data Protection
Regulation's requirement of clear, unambiguous and verifiable information.


In view of the above, with respect to the Applicant the Importer violated the principle of
lawful and transparent data processing under Article 5 (1) (a) of the General Data
Protection Regulation, the obligation under Article 12 (1) and Article 13 of the General
Data Protection Regulation to provide the information set out in that Article in a
transparent, comprehensible and easily accessible form, in a clear and comprehensible
manner, and the principle of accountability under Article 5 (2) of that Regulation.


3.2. The validity of the legal basis of the data processing in respect of the personal data
of the Applicant

In its information notice and balancing of interests, the Requested indicated legitimate
interest as the legal basis for the data transfer, treated as a separate data processing
purpose performed by the Requested, namely that the Importer, as a third party and as the
sole importer of ………………. motor vehicles in Hungary, has a legitimate interest in the
Hungarian dealership and service partners meeting the expected quality requirements. This
was also confirmed by the statement of the Importer of 21 June 2021. This in itself is not
an unlawful interest, but for the existence of a legal basis under Article 6 (1) (f) of the
General Data Protection Regulation, identifying a not unlawful interest is only the first
step; the data processing must also comply with other aspects in order for the interest to
be a legitimate interest under the General Data Protection Regulation on which data
processing can be based.


It is also important to point out that data collection and transmission alone is usually not
a separate data processing, only the first operation of a data processing process, which
prepares the substantive data processing and, without the substantive data processing, has
no purpose or result of its own. Data processing operations aimed at achieving one objective
and result, in this case an assessment in the interest of the Importer, cannot be examined
individually; their legal basis and lawfulness depend on whether all data processing
operations for the single purpose are lawful and none of them constitutes an infringement.
Because, due to negligence in the specific case, the Importer did not inform the Applicant
about the data processing at all, the incompleteness of the content of the information
notice did not materially affect the informing of the Applicant; it is a matter of general
practice.

As regards the legal basis of legitimate interest, it is important to emphasize that it does
not serve to allow the controller, where nothing else is possible, to process personal data
under Article 6 (1) (f) at any time and for any reason in the absence of other legal
grounds. Although it seems to be the most flexible legal basis, by applying it the data
controller takes on significant responsibilities, not only for the processing of personal
data in the strict sense but also by undertaking to meet other related guarantee
obligations. Closely linked to legitimate interest is the principle of accountability
enshrined in Article 5 (2) of the General Data Protection Regulation, which is the
obligation to meet the administrative burden relating to the transparency, accuracy and
fairness of the processing of personal data. It is therefore not about "paperwork" but about
a substantive task, a statement which is particularly true in the case of data processing
where the controller and the data subject have no direct customer or other legal
relationship. In the absence of adequate guarantees, the risk of prejudice to the rights of
the data subject is such that the result of the balancing of interests can only be that the
legitimate interest of the third party is overridden by the rights of the data subject due
to the risks involved in the processing.


It is very important for data controllers to be aware that it is not the task and
responsibility of the data subject, nor of the Authority in an official procedure, to
identify and justify the purpose and legitimate interests of the processing instead of the
controller. The controller must specifically, broken down to the level of data and purposes,
clearly justify and weigh up for what purpose and for what legitimate interests it wishes to
process personal data, and must create guarantees for this. These guarantees must ensure,
inter alia, that the data subject is aware of the data processing and is still able to
object to it before the data processing takes place, because otherwise, especially in the
case of short or one-off data processing, the right to object is already exhausted, so this
right is not actually guaranteed for the data subject. When sending a one-time satisfaction
survey email, it is specifically true that an objection has no material effect after the
sending has taken place. It is considered a decision of the Importer as data controller, to
be borne by the Importer, that according to the information notice the data processing is
based on legitimate interest instead of the express consent of the data subject, which,
according to the worksheet, is for example the legal basis for marketing requests.

In the present case, on the basis of the above, it can be concluded that the conditions of
predictability and guarantee set out in recital 47 of the General Data Protection Regulation
were not met: the Applicant could not object in advance to the data processing, and on the
basis of all the circumstances of the individual case he could not reasonably have foreseen
it and its consequences, namely the data processing by the Importer and, in this context,
the receipt of an e-mail which did not reveal exactly who had sent it. In the absence of
appropriate information and, consequently, of the data subject's ability to exercise his
rights, the legal basis of legitimate interest cannot be valid in respect of the Applicant,
irrespective of the other conditions.


In view of the above, as far as the Applicant is concerned, the Importer, in addition to the
above, infringed Article 6 (1) of the General Data Protection Regulation.

4. Importer's data management practices related to customer satisfaction measurement

In this regard, the Authority examined ex officio whether the Importer's general practice of
measuring customer satisfaction raises any data protection problem which, if detected ex
officio, the Authority should call on the controller to remedy.

The Authority's explanatory memorandum III.3.1. and III.3.2. The general findings in
the content and importance of the information and the validity of the legal basis for its legitimate interest
the importance of an appropriate relationship between the controller and the data subject
They also apply to the importer's general data management practices.


Based on the facts revealed, the Importer has a contract with substantially similar content
applies provisions with regard to the data management in question with brand partners, such as
The relevant provisions of the brand service contract between the Importer and the Applicant shall be a
Assessed by the Authority as a general practice of the Importer.

It is a common procedure for the Importer to use a data processor, for example

by e-mail via ……………….
to complete a measurement. The data subject may not know from the content of the email that the Importer is in question
the specific person sending the emails, who got the email address and where, and with that
where to find more information. The email "your"
"your dealer" and "email was sent on behalf of"
not only nonsensical (there is no legal entity that ……………… [car brand]) and
unsuitable for identifying a data controller, but are clearly misleading as not many
is one of the (unspecified) dealerships, but an Importer as data controller
emails were sent on behalf of. This is confirmed by the fact that up to several years may have elapsed at the time of servicing
since the purchase of the vehicle and not necessarily at the dealership that makes the purchase
all servicing. The importer's obligation as a data controller is not only appropriate

organizational measures to provide prior information, but also to individual stakeholders
Transparency, identification and, to a minimum, are also important in the communication sent to them
the existence of the necessary information to enable the data subject to link that prior
whether you received the e-mail from the person indicated in the information. Because nowadays a lot
spam is common, which is also typically a link to malicious programs
electronic message sent at the request of a person other than the data subject is of paramount importance
clear identification of the consignor and the existence of appropriate information

from prior information.

The email does not contain any information as to the source of your personal information
what was and by whom on what legal basis the Applicant handles exactly which personal data. The
the indication of the chassis number in the email is also personal data stored in connection with a person
unnecessary treatment, which does not give the data subject substantially new information, as he knows if
has recently taken his car into service, but it is unrealistic to expect the chassis number to

identify your car by heart. Neither data management information nor
there was no reference in the emails to information on specific data management,
and the e-mails would not have caused any difficulties with the e-mails
ensure that at least the most basic information is provided at the end of the year (actual consignor as
data controller, legal basis, source, information on the website). Although the emails from the Importer
the data importer is responsible for its activities as if it were a data controller
it would have acted itself, as the General Data Protection Regulation makes the controller general

responsible for compliance.

For the above reasons, data subjects are not even able to exercise their rights and information
they can ask the Importer as only the data processor could be identified in the email,
to which the data subject had no connection. The data processor with data management
was not available in the email.


In considering a legitimate interest, it is also important to do so
supporting that the personal interest is most necessary to achieve the objective pursued by the legitimate interest
data is handled by the data controller. At the request of the Authority, the Importer shall make only a general statement
in relation to its measurement of customer satisfaction
all types of data handled were absolutely necessary, but did not provide any evidence
under.


With regard to the chassis number, the Authority has already explained above that it is unreasonable to expect one
the knowledge of the data subject from the data subject, based on which the given email was automatically narrowed down
for a motor vehicle. However, in addition to suitability, the need is also debatable as an Importer
there was no evidence as to why the person concerned would not remember being a couple
has been in service with your car within one day and, if you have more than one car,
with which. Thus, the transfer of this data to the data processor and its inclusion in the email
for the most part unnecessary and unsuitable to achieve the goal.


The Importer also did not substantiate why an email was required
the address and telephone number of the person concerned. As stated by the Importer
In its response, received on September 13, 2021, the main purpose of customer satisfaction measurement
it is statistical and trend-like, so it is not necessary to identify the data subject. Like that
the Importer has also stated that the identification of the data subject is only required if there is a specific negative
formulates an opinion, a complaint and consents to its transmission by name
To the importer. Thus, in relation to the above statistical purpose, the names, addresses and addresses of the respondents
obtaining your phone number from a brand partner is not necessary and appropriate
to achieve this goal.


The above can be said about the age and gender of the data subject requested in the questionnaire
nor, in these respects, did the Importer substantiate that the indicated satisfaction measurement and
how this data would relate to the purpose of complaint handling and why not without it
the objective identified as a legitimate interest is achieved.

In view of the above, the importer should have examined in the interest assessment whether
the collection and storage of certain service data in connection with a specific person is mandatory

whether both statistical and complaint handling purposes are necessary or otherwise available.
For example, if the brand partner only provides aggregate statistics to the Importer
how many service jobs you have done on which parts and whether you are the customer
does not object to this by using the appropriate service
If you send an email address to a separate list, you will receive an email with a link to the questionnaire
it can be posted in the same way - with proper information in the email about why you sent it
in fact - and the complainants have the date of purchase or service on the questionnaire,

based on the brand partner and email address - can be clearly marked for the brand partner,
for which more detailed individual information is required. That contact information is enough for that
request from the person you wish to communicate through the e-mail,
address and telephone number are obviously not required for this. The complaint is named
In the case of this procedure, in contrast to the wording of the questionnaire requesting consent, not only the
name is handled by the Importer, so it is important to indicate that the contact information and
the data subject-specific vehicle data will also be processed by the Importer

in the case of consent. The Authority notes that specifically for the purpose of handling complaints
otherwise, the use of a legal basis for consent is questionable, since in the event of its withdrawal a
the investigation of the complaint is interrupted, however, it is already new after the customer satisfaction survey
data management, which is not the subject of the present proceedings. In the absence of a specific complaint and disclosure
the examination of the specific service conditions that can be linked to the given data subject is the statement of the Importer
is not part of the purpose and therefore does not justify the identification of identifiable data by the Importer
treatment. If the Importer still wishes to process the above personal data, the

in the context of measuring customer satisfaction, it must be able to substantiate it
which he was unable to do in the present proceedings. That is why it is not acceptable either
result of a balance of interests.

Given that the questions asked by the Applicant in its own questionnaire are substantive
were the same as those asked by the Importer (with the exception that the Importer
questions) should be considered in the balance of interests

whether such parallelism is required and with different, overlapping surveys involved
whether bombardment can be avoided by processing less personal data, which also did not arise
consideration of the interests of the Importer.

In this context, the Authority emphasizes the existence of a legitimate interest and legal bases in general
should be considered in the context of the data processing purpose. The fact that the Importer is different for other purposes
The legal basis handles the same type of personal data of the data subjects, so you know them, not yet

automatically authorizes the use of such data for other purposes, up to a maximum of
the legal consequence may be a factor reducing the actual data protection risk
in determining. The same is true of the importer 's argument that earlier
no stakeholder complaint has been received, and many stakeholders have not, due to a lack of transparency
was in a position to know against whom he should exercise his rights as a data subject.

In view of the above privacy concerns, they are clearly predominant
risks to the rights of the data subject which have not been properly considered by the Importer.
In doing so, the interests identified by the Importer take precedence
interests or fundamental rights and freedoms that protect personal data
Article 6 (1) (f) of the General Data Protection Regulation

There is no other legal basis under this Regulation for the processing of the data in question
in the form of.

Based on the above, the Importer's practice of measuring customer satisfaction violates
lawful and transparent under Article 5 (1) (a) of the General Data Protection Regulation
accordance with Article 5 (1) (c) of the General Data Protection Regulation
principle of data protection, Article 6 (1) of the General Data Protection Regulation and general

Article 13 of the Data Protection Regulation.


IV. Legal consequences

As the examined customer satisfaction measurement data management has already
terminated with respect to the Applicant, an obligation to delete is not necessary in this regard
on the basis of the available information.

As it does not affect the rights of the data subject under the General Data Protection Regulation, the data subject is concerned
its customer capacity does not cover the issue of imposing a data protection fine. The Authority
examined of its own motion whether it was justified to impose a data protection fine on the Importer.

As to whether the imposition of a data protection fine is justified, the Authority

Acting in accordance with the discretion based on the law, Infotv. Section 61 (1)
paragraph a) of the Infotv. 75 / A. § 83 of the General Data Protection Regulation.
and Article 58 (2) of the General Data Protection Regulation.

The Authority shall rule on the illegality of the individual data processing carried out in respect of the Applicant
considers that no other measure is necessary in the individual application case.


In ex officio proceedings concerning the illegality of a general practice examined ex officio, the Authority shall:
considered the following in relation to the data protection fine.

The Authority did not take this into account as a mitigating circumstance regarding the necessity of the fine
the economic situation referred to by the Importer, as it - indirectly, in terms of annual revenue
only if the fine is necessary, it does not affect the amount of the fine
whether it is necessary to impose a fine is determined by the infringement and its circumstances

in accordance with Article 83 (2) of the General Data Protection Regulation. In this regard, the
In setting the amount of the fine, the Authority took into account that the Importer
profit after tax was ……………………… .. HUF, which is more than ……………………. and 2019.
while net sales revenue decreased by… ..% in 2020
compared to the 2019 level.

The Authority also did not take into account as an attenuating circumstance that the Importer a

It cooperated with the Authority in the proceedings as this Article 31 of the General Data Protection Regulation applies.
would be the obligation of all data controllers and processors under Article
may be considered as an aggravating circumstance.

The Authority also did not consider the importer as an attenuating circumstance
that data subjects do not suffer any harm and, moreover, Article
it also serves the interests of data subjects, as personal data is subject to general data protection
unnecessary data which do not take into account the will of the data subject
The use of personal data violates the right to the protection of personal data and in general

unnecessary data security risk, and
presumably in a small number of cases - it is in the interest of the data subject if he or she has a complaint
the data subject may submit it without question if the Importer so requests
forum, there is no need to contact the Importer separately.


The Authority took into account the market weight of the Importer as an aggravating circumstance, the potential 2
the number of stakeholders (which is the CSO 's new …… .. …… .. car sales statistics in Hungary
on the order of at least ten thousand) and that the general practice of importing it
exclusively in Hungary in terms of brand.

The Authority took into account the fact that it was not available as an aggravating circumstance

effective information and redress for those concerned. In this context, the
The small number of complaints received by the authority, as an essential element of the infringement, is that those involved
they have not been adequately informed about the data processing in question and are not necessarily expected to do so,
so they can't protest in large numbers. Importer's data management
Based on its size and market position, it would be expected that the Importer would not be limited to certain
the exercise of the rights of the data subject depends on the individual and unsupervised decision of the administrator.


The Authority took into account as an aggravating circumstance the fact that the infringement lasted for several years
the result of existing, ongoing practice and its design - and the general
redesign in line with the Data Protection Regulation - was in principle ill-considered.

The Authority took into account as a mitigating circumstance the scope of the personal data processed

did not contain personal data belonging to a special category or for other reasons,
and a significant part of the personal data relates to the vehicle owned by the data subject
technical data, and some of the data is handled by the Importer for other purposes anyway, such as
the damage to those affected was not significant despite the size of the group affected.

The Authority took into account as an attenuating circumstance that in the case of an individual complaint a

The applicant, as a data processor, had an error in an individual case
word and assessed the Applicant's statement that it had taken action in similar cases
and to require the Importer to make it mandatory
transmission of data management information to data subjects.


The Authority took into account as an attenuating circumstance the negligence of the infringement,
was not intended to harm the persons concerned or to gain an unlawful advantage, and the designated
interest may, where appropriate, cease to be a legitimate interest if the conditions for data processing are properly met
adapted to the provisions of the General Data Protection Regulation set out in the explanatory memorandum.

The Authority took into account as an attenuating circumstance the fact that the Importer did not previously

has committed a data breach, which has not been identified by the Authority.

As a result of the Authority 's deliberations in relation to the general practice examined, the
In the light of all the circumstances of the case, it is necessary to impose a fine on both the special and the
for general prevention in order to ensure the protection of personal data in the future
the right to protection of human rights.




2 https://www.ksh.hu/docs/eng/xstadat/xstadat_evkozi/e_ode001b.html

Based on the above, the Authority considers that the maximum amount that can be imposed is approx.
considered the imposition of a data protection fine of three tenths of a thousand (0.026%)
proportionate and dissuasive in all the circumstances of the case

with regard to.


V. Other issues

The powers of the Authority are defined in Section 38 (2) and (2a) of the Infotv.; its jurisdiction
covers the entire territory of Hungary.


The Ákr. Section 112 (1) and (2) and Section 116 (1) and Section 114 (1), respectively
the decision is subject to administrative review.


                                            * * *


The rules of administrative litigation are laid down in Act I of 2017 on the Procedure of Administrative Litigation (a
hereinafter: Kp.). A Kp. Pursuant to Section 12 (1) by decision of the Authority
The administrative lawsuit against the court falls within the jurisdiction of the court Section 13 (3)
Under subparagraph (a) (aa), the Metropolitan Court has exclusive jurisdiction.

A Kp. Pursuant to Section 27 (1) (b), the administrative court within the jurisdiction of the tribunal
legal representation is mandatory in litigation. A Kp. According to Section 39 (6) - unless otherwise provided by law

the bringing of the action for the administrative act to take effect
has no suspensive effect. A Kp. Section 29 (1) and with regard to civil procedure
on the 2016 CXXX. applicable pursuant to Section 604 of the Act (hereinafter: Pp.), the
of 2015 on the general rules of electronic administration and trust services
CCXXII. According to Section 9 (1) (b) of the Act, the customer's legal representative is
obliged to communicate electronically.


The time and place of the submission of the application is Section 39 (1). THE
Information on the possibility of requesting a hearing is provided in the CM. Section 77 (1) - (2)
based on.

The amount of the fee for an administrative lawsuit shall be determined in accordance with Act XCIII of 1990 on Fees. law
(hereinafter: Itv.) 45 / A. § (1). From the advance payment of the fee
the Itv. Section 59 (1) and Section 62 (1) (h) shall exempt the person initiating the proceedings

half.

If the obligor does not duly prove the fulfillment of the prescribed obligations, the Authority shall:
considers that it has not fulfilled its obligations within the time allowed. The Ákr. According to § 132, if
the Debtor has not complied with the obligation contained in the final decision of the Authority, the
executable. The decision of the Authority With the communication pursuant to Section 82 (1)
it becomes final. The Ákr. Section 133 enforcement - if you are a law

Government decree does not provide otherwise - it is ordered by the decision-making authority. The Ákr. 134.
§ pursuant to the implementation - if by law, government decree or municipal authority
In this case, the decree of the local government does not provide otherwise - the state tax authority
implements. Infotv. Pursuant to Section 61 (7) of the Authority,
to perform a specific act, to behave, to tolerate or to
the Authority shall enforce the decision in respect of the standstill obligation
implements.

Budapest, October 27, 2021







                                                            Dr. Attila Péterfalvi
                                                                  President

                                                             c. professor