NAIH (Hungary) - NAIH-3561-4/2022: Difference between revisions

From GDPRhub
Latest revision as of 09:39, 14 November 2022

NAIH - NAIH-3561-4/2022
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 4(7) GDPR
Article 28(3)(a) GDPR
Article 44 GDPR
Article 45 GDPR
Article 46 GDPR
Article 58(2)(j) GDPR
Article 77(1) GDPR
Article 83(5)(c) GDPR
Section 52 Infotv
Type: Complaint
Outcome: Partly Upheld
Started: 12.08.2020
Decided:
Published:
Fine: n/a
Parties: Időkép Kft.
National Case Number/Name: NAIH-3561-4/2022
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): English
Original Source: NAIH (in EN)
Initial Contributor: MW

The Hungarian DPA ordered the operator of a weather forecast website to stop transferring data to the US via Google ad services. The DPA held that the website operator used Google Analytics without implementing adequate safeguards for U.S. data transfers as required by Article 46 GDPR.

English Summary

Facts

On 12 August 2020, the data subject visited a weather forecast website operated by the controller that used Google Analytics cookies. The data subject, represented by noyb - European Center for Digital Rights, filed a complaint with the Hungarian DPA (Nemzeti Adatvédelmi és Információszabadság Hatóság - NAIH) alleging that the controller had transferred her personal data, including her IP address, to Google Ireland and ultimately Google LLC in the US. The data subject claimed that, following the Schrems-II judgment, the controller was obligated to stop transferring personal data to the US, as it could no longer base such a transfer on Articles 45 and 46 GDPR.

The data subject requested that the DPA investigate and establish:

  1. which personal data were transferred by the controller to Google LLC, the US, or another third country or international organisation,
  2. which transfer mechanism under Articles 44, 45, and 46 GDPR the controller based this transfer on, and
  3. whether the applicable Google terms of service complied with Article 28(3)(a) GDPR.

Additionally, the data subject requested that the DPA order the controller to suspend any data flows to Google LLC pursuant to Article 58(2)(j) GDPR. The data subject also asked the DPA to impose an effective, proportionate, and dissuasive fine on the controller and Google pursuant to Article 83(5)(c) GDPR. The data subject emphasized that she was one of potentially thousands of affected users and that the controller had not acted to bring its data processing in line with the GDPR more than a month after the Schrems-II judgment.

In its response to the DPA’s initial inquiry, the controller stated that it no longer used HTML codes or cookies from Google Analytics on its website, having removed them on 24 August 2020 after becoming aware of the possible consequences of the Schrems-II judgment.

The controller claimed it no longer transferred personal data outside the EEA. However, during a test conducted on 27 May 2022, the DPA found that the controller’s website still used three cookies linked to Google’s ad service package that transmitted data to the US.

Holding

The DPA stated that it was competent to assess the controller’s GDPR compliance because the controller was based solely in Hungary, offered services exclusively in Hungarian, and conducted no cross-border data processing. However, it was not competent to assess Google Ireland or Google LLC’s GDPR compliance because neither was based in Hungary.

Addressing the complaint, the DPA noted that, according to well-established EU interpretation, IP addresses are personal data. The DPA also confirmed that, because the controller independently decided on whether it would use services that required the installation of cookies, the controller’s status as “data controller” was correct under Article 4(7) GDPR.

Article 44 GDPR requires that the transfer of personal data to a third country or international organisation for processing may only take place subject to the provisions of Chapter V GDPR. Having found that the controller still transferred personal data to the US without a basis in one of these provisions, the DPA ordered the controller to discontinue the transfers.

With regard to the data subject’s request for an administrative fine, the DPA concluded that the right of a data subject to request a fine could not be inferred from their right to lodge a complaint under Article 77(1) GDPR. It was also not possible to impose a fine as a result of an investigation under Hungarian national law (§ 52 Infotv).

Comment

This is one of the 101 complaints filed in the summer of 2020 by noyb – European Center for Digital Rights, a privacy NGO.[1] It is similar to other decisions on the 101 complaints by the Austrian DSB[2], the French CNIL[3] and the Italian Garante[4][5]. The EDPB set up a task force to coordinate the response to the 101 complaints.

Official English Text of the Decision

Act CXII of 2011
on the Right of Informational Self-Determination and on Freedom of Information 1
In order to ensure the right of informational self-determination and the freedom of
information, and to facilitate the implementation of the Fundamental Law, pursuant to Article
VI of the Fundamental Law, the Parliament hereby adopts the following Act on the
fundamental rules applicable in connection with the protection of personal data and the
enforcement of the right to access and disseminate data of public interest and data public on
grounds of public interest, and on the authority empowered to monitor compliance with these
rules:
CHAPTER I
GENERAL PROVISIONS
1. Object of the Act
Section 1
The purpose of this Act is to lay down the fundamental rules for data processing activities
with a view to ensuring that the right to privacy of natural persons is respected by data
controllers, and to enforcing of rights to access and disseminate data of public interest and
data public on grounds of public interest.
2. Scope
Section 2
(1) This Act shall apply to all data control and data processing activities undertaken in
Hungary relating to the data of natural persons as well as data of public interest and data
public on grounds of public interest.
(2) The present Act shall apply to both data processing and data process, carried out wholly
or partly, by automated means as well as manually.
(3) Provisions set out in the present Act shall apply if the controller processing personal
data outside the territory of the European Union contracts a data processor with a seat, site,
branch or address or place of residence within the territory of Hungary to perform data
processing, except if this device serves data traffic exclusively within the territory of the
European Union. Such controllers are obliged to designate a representative in Hungary.
(4) Provisions set out in the present Act are not applicable to natural persons processing
data exclusively for their own personal purposes.
(5) Concerning further use of public sector information, provisions in derogation from this
Act may be established by another act concerning the procedures and conditions for the
disclosure of data, the consideration payable therefore, and as regards remedies.
3. Definitions
Section 3
1 Updated: 11-10-2013 by NAIH
For the purposes of this Act:
1. ‘data subject’ shall mean any natural person directly or indirectly identifiable by
reference to specific personal data;
2. ‘personal data’ shall mean data relating to the data subject, in particular by reference to
the name and identification number of the data subject or one or more factors specific to his
physical, physiological, mental, economic, cultural or social identity as well as conclusions
drawn from the data in regard to the data subject;
3. ‘special data’ shall mean:
a) personal data revealing racial origin or nationality, political opinions and any affiliation
with political parties, religious or philosophical beliefs or trade-union membership, and
personal data concerning sex life,
b) personal data concerning health, pathological addictions, or criminal record;
4. ‘criminal personal data’ shall mean personal data relating to the data subject or that
pertain to any prior criminal offense committed by the data subject and that is obtained by
organizations authorized to conduct criminal proceedings or investigations or by penal
institutions during or prior to criminal proceedings in connection with a crime or criminal
proceedings;
5. ‘data of public interest’ shall mean information or data other than personal data,
registered in any mode or form, controlled by the body or individual performing state or local
government responsibilities, as well as other public tasks defined by legislation, concerning
their activities or generated in the course of performing their public tasks, irrespective of the
method or format in which it is recorded, its single or collective nature; in particular data
concerning the scope of authority, competence, organisational structure, professional
activities and the evaluation of such activities covering various aspects thereof, the type of
data held and the regulations governing operations, as well as data concerning financial
management and concluded contracts;
6. ‘data public on grounds of public interest’ shall mean any data, other than public
information, that are prescribed by law to be published, made available or otherwise disclosed
for the benefit of the general public;
7. ‘the data subject’s consent’ shall mean any freely and expressly given specific and
informed indication of the will of the data subject by which he signifies his agreement to
personal data relating to him being processed fully or to the extent of specific operations;
8. ‘the data subject’s objection’ shall mean a declaration made by the data subject objecting
to the processing of their personal data and requesting the termination of data processing, as
well as the deletion of the data processed;
9. ‘controller’ shall mean natural or legal person, or organisation without legal personality
which alone or jointly with others determines the purposes and means of the processing of
data; makes and executes decisions concerning data processing (including the means used) or
have it executed by a data processor 2 ;
10. ‘data processing’ shall mean any operation or the totality of operations performed on
the data, irrespective of the procedure applied; in particular, collecting, recording, registering,
classifying, storing, modifying, using, querying, transferring, disclosing, synchronising or
connecting, blocking, deleting and destructing the data, as well as preventing their further use,
taking photos, making audio or visual recordings, as well as registering physical
characteristics suitable for personal identification (such as fingerprints or palm prints, DNA
samples, iris scans);
11. ‘data transfer’ shall mean ensuring access to the data for a third party;
12. ‘disclosure’ shall mean ensuring open access to the data;
2 In effect as of 1st July 2013