NAIH (Hungary) - NAIH-373-31/2023
From GDPRhub
| NAIH - NAIH-373-31/2023. | |
|---|---|
 | |
| Authority: | NAIH (Hungary) |
| Jurisdiction: | Hungary |
| Relevant Law: | Article 5(1)(b) GDPR Article 5(1)(a) GDPR Article 5(2) GDPR Article 12(1) GDPR Article 13(1) GDPR Article 13(2) GDPR Article 14(2) GDPR Article 17(1)(b) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 05.09.2022 |
| Decided: | 24.11.2023 |
| Published: | 16.01.2024 |
| Fine: | 500000 HUF |
| Parties: | Pitagorasz Oktatási Stúdió Kft |
| National Case Number/Name: | NAIH-373-31/2023. |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Hungarian |
| Original Source: | NAIH homepage (in HU) |
| Initial Contributor: | lszabo |
The DPA fined a controller for several infringements in handling the data of minors and parents: no proper and documented legal basis, information was confusing, partly untrue and not properly given, data were retained after consent was withdrawn.
English Summary
Facts
Following several compaints, the DPA launched an "ex officio" investigation. The controller (Client 1, Pitagorasz Oktatási Stúdió Kft) organises preparation courses for entry exams to secondary schools. It sent letters to students of different age (who are probably interested in applying for an entry exam), addressed to the students but mentioning that they are destined (also) to their caretakers. The addresses were received from the official government register, quoting as purpose market research. There is a law enabling this, but since 2019, this is not possible for direct marketing in respect of private individuals. The letters were sent after the registration to the courses was closed. Parents were informed about the source of the data at the bottom of the letters, and that the use of the data was terminated when the letter was forwarded. The information on the letter and in the legal basis could give the impression that this was an official communication and based on a legal obligation. The letter itself did not contain a market research questionnaire and could not be returned by mail. It hinted to an on line questionnaire which could be filled in. The privacy statement was not provided, it was only mentioned that it is available on the homepage of the controller (not a specific link to the statement itself). The information on the privacy statement mixed the processing of addresses used for sending the letters, the processing of registrations and of responses to the on line questionnaire. Different pieces of information (registration form, privacy statement etc.) contained differing information as to the legal basis of processing. The information given for consent was incomplete. The DPA acquired information from the provider of a mailing software and database used. It was established that this provider did not have access to the personal data, was neither controller, nor processor. The DPA investigated the database and found data of different groups of data subjects in it, including those who filled in the on line questionnaire, registrants and even lecturers. Not all data were collected on line, some were entered into the database manually. The fact of consent was not indicated at all data subjects whose data were processed based on consent. An assessment of interest was not conducted for the processing based on legitimate interest. Data of data subjects who meanwhile withdrew consent (were inactive) were not removed in time and were found in the database. Controller also enabled registrations to a newsletter and to send information about course organisation but did not separate the consent to these two different purposes.
Holding
The controller infringed the principles of - accountability as it did not prove the existence of legitimate interest in processing the data of the addressees of the mailing - lawfulness as the legal basis of the mailings was not proven - purpose limitation in respect of some mailings as the purpose was different from what was stated - fairness as it stated a wrong reason for requesting the data from the official register - lawfulness in respect of sending the newsletters - transparency as it did not provide appropriate information to the registrants - the rights of the data subjects by not deleting their data when consent was withdrawn. The DPA ordered the controller to permanently delete the data stored in its database of the data subjects who unsubscribed from the newsletter, or whose contact information was unsuccessful, in a documented manner, levied a fine and ordered to publish the decision. Alleviating circumstances were mainly that during the investigation, the practice was already discontinued and that the reason of the infringement was negligent and not intentional. The large volume of data processed and that data of minors were processed, were aggravating circumstances as well as that the processing was oriented to generating profitable business.
Comment
This decision is instructive in how coherent and careful a controller has to be when deciding on processing, its legal basis and the information given, in particular when handling consent. Indicating on the mailing address the name of the minor but also that the mail is addressed to the caretaker was not reprimanded but the fact that data of minors were processed was considered as an aggravating circumstance. The controller would not h hade the right to acquire the data from the register, had it indicated that it wants to send direct marketing and not market research questionnaires.
Further Resources
Law CXIX of 1995 on the management of name and address data for the purpose of research and direct business acquisition, § 3, subsection (1) point d)
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
DECISION
The National Data Protection and Freedom of Information Authority (hereinafter: the Authority) initiated ex officio data protection official proceedings against Pitagorasz Oktatási Stúdió Kft. (Cg. 01-09-309194; hereinafter: Client1) to investigate the legality of its data management practices for market research and direct marketing purposes - in the procedure in which the Authority involved [...] Zrt. (hereinafter: Client2) as a client - makes the following decisions:
1. The Authority states that Customer 1 did not prove the existence of his legitimate interest in the handling of the name and address data of the minors requested from the personal data and address register, therefore Customer 1 handled the requested personal data without a legal basis, thus violating the right of natural persons to handle their personal data the basic principle of accountability according to Article 5 (2) of Regulation (EU) 2016/679 on the protection and free flow of such data and the repeal of Directive 95/46/EC (hereinafter: general data protection regulation or GDPR), and Article 6 (1) of the GDPR.
2. The Authority finds that Customer 1 violated the principle of purpose limitation according to Article 5 (1) point b) of the General Data Protection Regulation during its data management in connection with its postal inquiries in 2020 and 2021.
3. With regard to the management of the name and address data requested by Customer 1 in 2020 and 2021, the Authority determines that the basic principle of fair data management contained in Article 5 (1) point a) of the General Data Protection Regulation has been violated with regard to the purpose of the data management.
4. In connection with the data management related to the postal inquiries of Customer 1, the Authority determines that Customer 1 has violated Article 12 (1) and Article 14 (1) points a) and c) of the General Data Protection Regulation, as well as Article 14 ( the provisions of points b), c) and e) of paragraph 2.
5. The Authority finds that Customer 1 has violated Article 6 (1) of the GDPR in connection with the data management related to sending the newsletter.
6. In relation to Customer 1's data management related to sending newsletters, the Authority determined that Customer 1 violated Article 12 (1) and Article 13 (1) c) and (e) and (2) d) of the GDPR.
7. The Authority determined that Customer 1, by not deleting the personal data of the data subjects who revoked their subscription despite the withdrawal of their consent, is in violation of Article 17(1)(b) of the GDPR.
8. On the basis of Article 58, Paragraph 2, Point d) of the GDPR, the Authority instructs Customer 1 to permanently delete the data stored in its database of the data subjects who unsubscribed from the newsletter, or whose contact information was unsuccessful, in a documented manner.
9. Due to the above data protection violations, the Authority obliges Customer 1 to pay a data protection fine of HUF 500,000, i.e. HUF five hundred thousand.
10. The Authority NAIH-8386-1/2022. and NAIH-8386-2/2022. terminates the seizure of databases ordered in orders no.
11. The Authority terminates the official data protection procedure initiated ex officio against Customer 2.
Within 30 days of the expiration of the legal remedy deadline against this decision, Customer 1 must certify the fulfillment of the obligation stipulated in point 8 above in writing to the Authority, together with the submission of supporting evidence. CXII of 2011 on the right to information self-determination and freedom of information. Act (hereinafter: Infotv.) Section 61 (6), the data affected by the disputed data processing may not be deleted or destroyed until the expiry of the legal deadline for challenging the decision, or until the final decision of the court in the case of an administrative lawsuit.
The fine according to point 9 above must be paid within 30 days from the date this decision becomes final to the HUF account for the collection of centralized revenues of the Authority (10032000-01040425- 00000000 Centralized collection account IBAN: HU83 1003 2000 0104 0425 0000 0000). When transferring the amount, "NAIH-373/2023 BÍRS." number must be referred to. If Customer 1 does not fulfill his obligation to pay the fine within the deadline, he is obliged to pay a late fee. The amount of the late fee is the legal interest, which is the same as the central bank base rate valid on the first day of the calendar semester affected by the delay.
In the event of non-payment of the fine and late fee, or non-fulfillment of the obligation according to point 8 above, the Authority will order the execution of the decision.
No procedural costs were incurred in the procedure.
There is no place for administrative appeals against the decision, but it can be challenged in an administrative lawsuit within 30 days from the date of notification. The statement of claim must be submitted electronically1 to the Authority, which forwards it to the court together with the case documents. The request to hold a hearing must be indicated in the statement of claim. For those who do not benefit from the full personal tax exemption, the fee for the administrative lawsuit is HUF 30,000, the lawsuit is subject to the right to file a tax record. Legal representation is mandatory in proceedings before the Metropolitan Court.
The Authority will publish this decision on the Authority's website, indicating the identification data of Customer 1.
JUSTIFICATION
I. Procedure and clarification of the facts
1. Cases of precedent
(1) The Authority received several reports in which the processing of data for the purpose of market research and direct marketing inquiries sent by post to Client 1's minor children - or their legal representative (name of addressee on the shipment: X.Y.'s legal representative) - was objected to. The whistleblowers complained that Client 1 sent an advertising inquiry by post to minor children or their legal representatives, contrary to the purpose of market research. They also submitted that the inquiries did not contain a market research questionnaire at all, or that it could only be completed online. Received at the Authority on September 5, 2022, NAIH-7276-1/2022. according to the report filed at number 1, the letter mailed to the notifier contained a market research questionnaire, however, according to the notifier's point of view, the request is misleading, as it is aimed at direct marketing purposes, and "Information from the Office of Education on admissions..." is written on the envelope, which also gives the impression that as if the person concerned had received an official notification.
(2) Based on the reports, several investigations were launched against Customer 1, in connection with which, during the investigation of the facts, it was established that the legality of Customer 1's data management practices (legal basis, information, storage of personal data, ensuring the exercise of the rights of the affected parties, purpose of data management, etc.) were not sufficiently clarified.
(3) For this reason, the Authority ex officio initiated an official data protection procedure to investigate the legality of Customer 1's data management practices for market research and direct marketing purposes.
(4) Infotv. Based on Section 71(2), the Authority has used the facts and other evidence contained in the following documents, which were created in previous investigation procedures related to Customer 1, in this procedure:
(i) NAIH/2020/6537/1 by the Authority. registered stakeholder complaint.
(ii) NAIH-172-1/2021 by the Authority. the reply letter and its attachments containing the statements of Customer 1 filed under
(iii) NAIH-5200-1/2021. registered stakeholder complaint.
(iv) NAIH-6956-1/2021. registered stakeholder complaint.
(v) NAIH-7276-1/2022. registered stakeholder complaint.
(5) Customer 1 NAIH-172-1/2021. no., dated January 4, 2021, made the following statements relevant to the decision and attached documents:
(i) Customer 1, on the basis of his statement and the attached documents, requested name and address data in the context of the request for data provision from the personal data and address register to the Personal Data and Licensing Department of the Personal Registration and Administration Department of the Ministry of the Interior (hereinafter: BM). According to the data request dated February 17, 2020 attached by Customer 1, the data request was made on 06.01.2006. and 31.08.2011. it covered the name and address data of citizens born between
According to the contents of the request, the purpose of data use is market research related to admission preparation courses organized by Customer 1.
BMSZAE/773-2/2020 dated February 24, 2020. in its decision No. 1, it granted the request for data provision by Customer 1 and allowed it to use group data provision from the register of citizens' personal data and residential addresses. According to the decision, "The scope of data affected by the permit covers the name and address data of minors selected on the basis of the identity criteria according to the application (age - born between 01.06.2006 and 31.08.2011 - and the name of the settlement).", and "The applicant is the postal on the envelope, after the surname and first name of the minor, the text "legal representative" must also be indicated."
(ii) The data was provided by BM on an electronic data carrier. Based on the handover report made at the time of data transfer - a copy of which Customer 1 attached to his reply letter - the number of transferred records: 33,185.
(iii) Duration of data management: based on the decision of the BM, the provided data can be used for 6 months from the last consultation. According to Customer 1's statement, the consultation with BM took place on March 11, 2020, when the data was transferred, and then when the letters were mailed, on August 17, 2020, the transferred data were destroyed, because the purpose of the data request was fulfilled by mailing the letters.
(iv) Parents were informed about the source of the data at the bottom of the letters, and that the use of the data was terminated when the letter was forwarded.
(v) In response to the Authority's question as to the purpose and legal basis for which the data is processed, Customer 1 stated that the data was requested for the purpose of starting market research activities prior to and related to the admission preparation course, and since the BM released the data, therefore, the release of the data was not restricted by the legal representative of the data subject.
(vi) The transferred data was personally received by the representative of Customer 1 on a flash drive, and a
until mailing letters, or he kept it in his personal safe until the data was destroyed.
Since Customer 1 has no other employees, none other than the executive had one
possibility to access the data.
(vii) No data transfer took place.
(viii) In response to the Authority's question as to when and how information is provided to the persons concerned and to the legal representatives who returned the registration form, Customer 1 stated that no one had returned the form in the letter because, as the letter shows, the it could be used during registration, personal appearance and on-site tuition payment. Furthermore, the postal address where they should send it was not given, so they could only pay the tuition in person, because they did not provide a bank account number.
2. This official data protection procedure
(6) The Authority NAIH-8386-1/2022. in its order no. notified Customer 1 of the procedure of the data protection authority and invited him to make a statement in order to clarify the facts, and in the order simultaneously seized the databases containing personal data managed by Customer 1, as well as the log files related to the operation of these databases.
(7) The Authority NAIH-8386-2/2023. s. in his order, in addition to notifying him of the official data protection procedure, he included Customer 2 as a client in the procedure as his rights and legitimate interests are directly affected by the case and invited him to make a statement in order to clarify the facts.
5
2.1 In relation to the issues contained in the Authority's inquiries in this data protection official procedure, Customer 1 made the following statements relevant to the decision:
(8) The decision of the BM authorizing group data provision is a kind of framework license, which was later referred to in reference to the individual data requests for specific, designated settlements.
(9) In response to the Authority's question as to why the BM divided its data provision into age groups, and why it separated the ages from each other as indicated in the acceptance protocol, Customer 1 stated that the previously referenced BMSZAE/773-2/2020. authorization decision no. 01.06.2006 and 31.08.2011. it applied to those born between, but since for Customer 1 only the probably eighth, sixth and fourth grade students were relevant - as the possibility of admission could have affected them - therefore when submitting the settlement list, Customer 1 narrowed down the birth time intervals.
01.06.2006 - 30.04.2007 between the dates of birth of the then presumably eighth graders, 06.01.2008-04.30.2009. between the then presumably sixth graders, 06.01.2010-04.30.2011. date of birth, there are probably fourth-graders at the time. BM split the database into parts - at the request of Customer 1 - because the different age groups did not receive exactly the same letter.
(10) In response to the Authority's question as to the meaning of the phrase "randomly selected" in the letter sent to the children's legal representatives in August 2020, Customer 1 stated that there is no information from which they could know what grade the person concerned is in, i.e. . the supposed eighth grader can be a seventh or ninth grader.
(11) The data issued on the basis of the licensing decision of the BM included the name and address suitable for mailing. The data was destroyed after the letters were sent to the post office, was not handed over to anyone and was not used several times, about which the data subjects were also informed in a letter sent to the data subjects, in addition to the fact that the data management information can be found on the website www.pitagorasz.hu.
(12) The purpose of this market research is to assess Customer 1's admission preparation course opportunities,
assessment of parental needs.
(13) In response to the Authority's invitation to present its market research activities to prove the existence of the market research objective, Customer 1 made the following declarations: Customer 1 is a family business, as a result, company-related decisions are made "in the family circle". According to his statement, it would not be practical for them to prepare a research plan, notes, and report on these decisions. Since they have no legal obligation to do so, they did not prepare a research plan, nor a market research study. The results were discussed among themselves and the work continued based on it. However, a market research data management plan was prepared, about which the affected parties were informed in the mail sent as follows:
"Dear Parent!
This information was prepared for you by Pitagorasz Oktatási Stúdió Kft.
Our registered office: 1028 Budapest Szilágyi Erzsébet utca 30. We would like to inform you that the source of your data is the Personal Registration Data Provision and Licensing Department of the Personal Registration and Administration Department of the Ministry of the Interior.
We would like to inform you that we do not store the data used, we do not forward them, and after sending the letter to the post office - by the time you receive it - we have already deleted it.
The purpose of this market research is to assess the possibilities of Pitagorasz Oktatási Stúdió Kft.'s admission preparatory courses and to learn about parents' needs.
Legal basis for data management: CXIX of 1995 on the management of name and address data for the purpose of research and direct business acquisition. § 3, subsection (1) point d) of the Act.
You can view the data management statement of Pitagorasz Oktatási Stúdió Kft. at www.pitagorasz.hu.
(14) According to Customer 1, the legal basis for data management is Article CXIX of 1995 on the management of name and address data for the purpose of research and direct business acquisition. § 3, subsection (1) point d) of the Act.
In relation to this previous statement, Customer 1 later stated that
the legal basis for the temporary processing of the data received from BM is Article 6 (1) point f) of the General Data Protection Regulation. Customer 1 has a legitimate interest in market research, because market research provides the information on the basis of which admission preparation courses can be organized in accordance with parental expectations, such as which form of education is most popular and what content expectations parents have regarding the preparation courses. As a result of the market research, Customer 1 can create an effective content structure and curriculum.
According to the statement of Customer 1, the legal basis for data management was incorrectly stated in the information contained in the letter sent to the affected parties, with the content described in point (13), because it is actually the legitimate interest. According to his statement, the error was caused by the legal basis for data use specified in the BM's decision authorizing the data request.
(15) According to the statement of Customer 1, they did not prepare an interest assessment study, but based on their consideration, they came to the conclusion "that it is more correct to examine this extensively than to risk work, energy, organization and funds that will not be favorably received by the parents. Based on a new concept, the development of the new course material and its video and IT background required a minimum of 900-1000 hours of teaching and IT work, which we had to do on our own, in addition to our usual daily operational tasks."
According to the statement of Customer 1, it is their legitimate interest to be thoroughly informed before carrying out this work.
(16) After March 11, 2020, Customer 1 submitted a request for data to the BM in 2021 and 2022, for which data requests the BM issued BMSZAE/537-1/2021. and BMSZAE/617-1 /2022. approved in its decisions no. (17) BM BMSZAE/617-1/2022. 29,003 records were received by Customer 1 on an electronic data carrier with a receipt protocol based on the licensing decision no. These persons were contacted with the market research letter.
(18) The name and address data requested from BM were destroyed in all cases after posting, so personal data is not processed in this connection after posting.
(19) The legal representatives of the different age groups are approached with different market research mailings. One side of the letter contains the 4 questions with which the stakeholders were contacted. Those concerned could fill out the questionnaire online, practically anonymously, but they could also choose to return the questionnaire by post, which only a few people used.
The letters received were destroyed by Customer 1, the answers to the questions were processed and considered. The returned questionnaires did not contain any data, only the checked answers, so Customer 1 did not have access to any data of the senders, according to his statement.
(20) The digital questionnaire is continuously available at the top of the www.nyolcadikosok.hu, www.hatodikosok.hu and www.negyedikesek.hu pages marked on the questionnaires sent out by mail for each age group. To fill out the questionnaire, you only need to enter an e-mail address, which is a requirement of the mail system, but it can also be a fictitious address, because the answers given on the questionnaire are important, the respondent's data, which was also included on the online questionnaire, is not. 430 people filled out the questionnaire.
(21) The letters are mailed by making etiquette labels from the data received from the BM, and then after sticking them on the envelopes, the letters are sent as certified mail. A postal letter was sent to each of the address data received from BM.
(22) In the fall of 2020, as a result of the Covid epidemic, a change of direction was necessary, which is why Customer 1 decided to carry out extensive market research in order to find out parents' ideas about the acceptable method of admission preparation for them. The results of the market research formed the basis of the following decisions:
Based on the answers to question 2 of the sent out questionnaire (Would you like to choose an online admissions preparation instead of or in addition to the classroom preparation), those interested were given the opportunity to follow the classroom work online. It was implemented so that in addition to the traditional preparatory visit, the students could review the preparatory material in the classroom on video at home at any time.
Based on the answers received to question 3 of the sent out questionnaire (Do you think it would help your preparation if you could familiarize yourself with the previous years' admission tasks and see their solutions and explanations on video?), an online interface was created, which presents the previous years' admission tasks on video to those interested. .
Based on the answers received to question 4 of the sent out questionnaire (Do you consider it necessary to repeat the mathematics and Hungarian language material of the previous academic year in the framework of the preparatory sessions?), the idea that the mathematics and Hungarian language material of the previous academic year should be repeated in the framework of the preparatory sessions was rejected. , because the parents did not have a significant need for this.
(23) According to Customer 1's statement, in the 2020-2021 school year approx. He sent out 29,500 letters, the market research questionnaire to approx. 400 people filled it out. No enrollment took place in the given academic year because the advertised courses had to be canceled due to the covid epidemic. Despite this, the market research questionnaires were sent out because they were independent of the preparatory courses of the current academic year.
(24) In the 2021-2022 school year, approx. 25,000 letters - attached as a sample at the Authority's invitation - were sent out, the market research questionnaire was sent to approx. 500 people completed it by post and online. In the academic year, for the preparation for admission approx. 650 people registered. It takes approx. 540 people applied, after sending out the market research letters - presumably not in connection with it - in the last week approx. on 110.
(25) In the 2022-2023 school year, approx. 29,000 letters - also attached as a sample at the Authority's invitation - were sent out, the market research questionnaire was sent to approx. 300 people completed it by post and online. In the academic year, for the preparation for admission approx. 570 people registered. It takes approx. 490 people applied, after sending out the market research letters - presumably not in connection with it - in the last week approx. 80 of us.
(26) Customer 1 also noted that the mailing of the market research forms fell almost at the same time as the start date of the advertised courses, barely ahead of it, which proves that it served real market research purposes and not the direct marketing purposes assumed by the informants. The preparatory courses started in the first half of September, so their announcement began months earlier with advertisements on the Internet and social media, because in this way it is possible to gather enough interested people to be able to start the courses. According to customer 1, it would be too late to start a direct marketing mail advertisement 8-10 days before the start of the courses to recruit students, and in addition, the mail sent out only contains questions about parental needs, purchase offers, incentives, enrollment options, etc. is not.
(27) Customer 1 attached its data management information as an attachment to its response letter dated January 18, 2023, which was also available on Customer 1's website. According to the provisions of this document, the scope of this "Data Management Statement" covers only the data provided to Customer 1, which is necessary for the use of the website, and is intended to protect the personal data and other data provided on the www.pitagorasz.hu website and made available to the website operators (Customer 1) defines the principles and rules for its management.
According to the data management statement, the legal basis for data management is the "Voluntary consent of the user that the personal data provided while using the website will be used, and Infotv. Paragraph (1) of § 5 and CVIII of 2001. Act 13/A. § (3)". The purpose of data management is solely to facilitate contact with users and customers, where appropriate, to provide personalized services and to send newsletters. (28) Customer 1 amended its data management information sent as described in the previous point and which is also available on Customer 1's website during the official procedure, about which it notified the Authority in its statement sent on March 21, 2023, and at the same time sent a copy of it to the Authority and informed that now the information sent is also available on the website.
(29) Customer 1 also submitted that it did not entrust the market research to an external market research company due to its higher costs, instead they carried out the market research themselves, so their financial resources allowed for a wider survey. The necessary developments have been made in the past, and this method of market research will not be used in the future.
(30) On the website www.pitagorasz.hu it is possible to subscribe to the newsletter. In this case, the newsletter is sent until the person concerned unsubscribes from it. Every newsletter has an unsubscribe link. Due to the change of subscribers to the newsletter and occasional unsubscribes, the actual number of people on the newsletter list is approximately 1,000 in an academic year. At the request of the Authority, Customer 1 attached one text sample of his newsletter sent out in each academic year, i.e. a total of three samples of his newsletter.
(31) The legal basis for data management in connection with the sending of newsletters is that the data subject has given his consent to the data management and subscribed to the newsletter in accordance with the data management regulations. The purpose of data management is to keep in touch via the newsletter, in order to occasionally remind parents of important education-related information (e.g. the order of the school year, the deadline for applying for admission and the method of application, order of the admission procedure, etc.).
(32) Interested parties may only subscribe to the newsletter if they have read the data management policy and declared that they have read and accepted it.
(33) Customer 1 joined the Webpigeon mail system on February 1, 2013. The connection took place on an online interface, in connection with which no contract was concluded, Customer 1 attached a copy of the e-mail he received from Webgalamb upon signing up. According to the statement of Customer 1, he cannot fulfill the seizure ordered by the Authority in the prescribed manner, because the Web Pigeon mail system runs on the server of Customer 2, who is also its maintainer, where the voluntarily provided data of the subscribers is received and the periodic newsletters are started from there. According to his statement, Customer 1 does not have access to these logs by purchasing the Web Pigeon email software, he only sees the user interface.
(34) Customer 1 has attached a copy of the excel databases that contain the list of those registered on the website www.pitagorasz.hu in 2019/2020 and 2020/2021. and 2021/2022. for the academic year. The attached tables saved and store the following data about the subscribers:
- e-mail address, IP address, subscription time, status (active/bounced), ID (6-digit identifier for all subscribers), subscription URL, 2019/2020/2021. from September, what grade is the student in, which part of Hungary does he live in?
In the last column of the tables, the 2019/2020. for the academic year, there is a column "I accept the data management statement", but it is empty for all subscribers.
The 2020/2021. in the academic year and 2021/2022. for those registered during the academic year
"I have read and accept the data management policy. To the Pythagoras
Oktatási Stúdió Kft. send a newsletter for marketing purposes and direct business
contact me: I agree." text is included.
(35) According to the statement of Customer 1, when a data subject who previously subscribed to the newsletter unsubscribes - which the data subject can do using the unsubscribe link found in the newsletter - Customer 1 has nothing to do, the Webpigeon mail system automatically deletes it immediately by clicking on the unsubscribe link, and the subscriber is thus permanently removed from the database. in such a way that Customer 1 is not even aware of the identity of the concerned person who unsubscribes.
If sending a letter to a subscriber is unsuccessful, in this case the Webpigeon system will indicate this, and this data will be permanently deleted and thus removed from the database.
(36) According to Customer 1's statement, contrary to what is stated in the data protection information, Customer 2 is not a data processor, Customer 1's Web Pigeon software and its data are only stored on their server.
(37) The Authority CL. of 2016 on the general administrative order. based on § 76 of the Act (hereinafter: Ákr.), invited the clients to make a statement. After exercising his right to inspect the documents, Customer 1 stated that he immediately reviewed his data protection policy after the initiation of the procedure and had a new policy drawn up as a result. According to his statement, the practice of sending inquiries by mail based on data requests from the BM as a method of market research has been discontinued since the Authority's procedure and will not be used in the future.
2.2 The Authority invited Customer 2 to make a statement in order to clarify the facts. Customer 2 stated the following in relation to the questions contained in the Authority's inquiries:
(38) Contract concluded with Customer 1 on February 1, 2013. [...] Kft. is not the legal predecessor of Customer 2, but to their knowledge, the previous contract was concluded online with Customer 1.
(39) Customer 2 has a relationship with Customer 1 with regard to the Webgalamb 8.1.0 software, the contract is concluded with an online order for all software versions and a contract concluded between absent parties. Most recently, a contract for the Webgalamb WG8+ software was concluded with Customer 1 on December 6, 2020, based on the order number 593763 placed at 12:59 p.m., a copy of which he attached to his statement.
The related license agreement is available on Customer2's website and was accepted by Customer1 in advance before use. Customer 2 also sent the reference to the documents/contracts that he concluded with Customer 1 through an absentee contract, such as the data management information sheet and the document entitled General User Terms and Legal Statement.
(40) Customer 1 provides hosting services for the Webgalamb 8.1.0 online newsletter program available at […], which is practically the same as hosting a website. The activity carried out there is carried out by Customer 1 himself, Customer 2 does not provide any data recording, data management, editing or other support, Customer 2 does not have access to the system, and the source of the data stored there is unknown. The basic functionality of the Webpigeon software – similar to other newsletter editing programs – is that after installation on any web server with the appropriate version number, a subscription form can be created using the functions found in the program with parameters freely compiled by the user of the program (e.g. name, e-mail address, etc.) and subscription fields, as well as freely defined declaration requests (data management declaration, acceptance of GTC, etc.). After that, the subscription form created in this way can be integrated into the website, through which subscribers can be collected among the readers of the given subscription group. In the program, letters, circulars, information letters, and newsletters can be edited and sent out on a schedule and in groups. Several panels can be integrated into the newsletter, including data change link, unsubscribe link, etc. The subscriber database, i.e. the range of readers, can be exported to and imported from other programs in CSV and XLS format. The software has password-protected single-user operation, known only to the owner of the program, and the creators do not have remote or other access to it. The subscription forms are imported, exported, and the newsletters are edited, managed and sent by the owner of the program with exclusive access and authority.
(41) Customer 1 or Customer 1's subscriber to the referenced system records and edits the data of the individuals/companies concerned, including personal data, without the assistance of Customer 2, so Customer 2 does not have accurate information about this.
(42) Ügyfél2 hands over the purchased software with a completely empty database, i.e. without personal data, to all market participants. The installation is typically carried out by the customer himself or by an expert appointed by him. After successful installation, only the administrator (Customer1) has access to the single-user product. Entering it, he creates the type of data handled, the wording of his letters, collects, manages and stores the data and related statistics. Therefore, Customer 2 does not manage or know the personal data, as they are entered into the system independently of Customer 2 and are managed by the administrator, i.e. Customer 1, independently of Customer 2. Therefore, all activities are performed by the administrator and he also manages the data. During the use of the Webgalamb product (software/license) and newsletter service, Customer 2 is only a data transmitter/intermediary - so it is not considered a data controller or data processor - and it does not handle any personal data on behalf of its customers - such as Customer 1 - that is related to Customer 1's customers applies to your newsletter subscribers. With regard to these persons, Customer 1 is considered a data controller.
(43) On the website https://pitagorasz.hu/ operated by Customer 1, it is also possible to sign up for a newsletter, for which the following information and data are required: e-mail address, indication of what grade the student will be in from September 2023 , which part of Hungary you live in (indicate the county), and it is also mandatory to mark the checkbox before the "I agree" statement, on the basis of which consent the subscriber consents to Customer 1 sending a newsletter for marketing purposes and contacting him for direct business purposes.
(44) According to Customer 2's statement, in accordance with the provisions of the Authority's order, the entire database of the web hosting stored by Customer 1 stored in their system at pitagorasz.chr.hu was prepared so that it fully contains the data stored in the system, no changes were made to it. The database file is the complete data backup (dumb) of the live database also used by Customer 1, which includes both the database structure, switch tables, possible log files, and all its tables, columns and rows. Customer 2 made the saved database available to the Authority in password-protected ZIP format with an online download option via a channel protected by an https SSL 3.1 certificate.
3. During the analysis of the saved database, the Authority noticed the following facts:
(45) The database is called relational type, which means that through the connections (relationships) between the individual tables, it is possible to determine how the individual data are related to each other, whether there is a logical connection between them, whether they are related, or whether some data depends on some other data. The logical frame of the database, the so-called is described by its scheme.
The schema of the resulting database - although the table names, column names, and between them
clear logical connections would justify it - it does not contain such logical connections.
For this reason, the actual internal relationships of the database and the way it is used cannot be fully mapped, they can only be inferred if the relationships between the individual tables allow it.
(46) The number of data tables of the saved database was greater than that named by Customer 2
at the number of "most important boards".
(47) The [...] data plate was not included in the list of Customer 2. At the same time, the table contains 583 lines, which, based on the name and data content of the table, contain the unsuccessfully addressed e-mail addresses and the information related to the unsuccessful sending. More important data in the table:
- mail: e-mail address of the addressed user
- date: according to the logic of the table and the entire database, the unsuccessful sending
date
- error: code of the error that caused the unsuccessful mail sending
- id: unique identifier of the sent message or the addressed user
- send_date: time of sending the message
- info_sub: is related to the error column and provides a short description or some additional information about the cause of the error phenomenon, e.g. where the error value is "5", there is "queue too long" in the info_sub field.
(48) According to the description of Customer 2, the […] board is the board containing the registration field data, that is, the board containing the questions asked on the interface providing the registration for persons wishing to sign up.
It contains a total of 196 unique values, which include, for example, the following questions:
- e-mail address
- phone number
- parent's phone number
- surname and first name
- how many first-graders now and how many first-graders will be from September
- Place of birth
- language
- town name, zip code, street, house number, door, floor
- school name, zip code
- director's name
- PIR
- tax number
- where does he teach?
- Registration number E.V.
In addition to the questions asked on the newsletter subscription interface on Customer 1's website, and the data that can be entered there, the table also contains additional questions/data, such as customer satisfaction questions (e.g. "How were they able to use this online option", "What did you not like" "What did you like ", "What else would help them in an online system", "Did you miss repeating the previous academic year's material item by item", "How many points did you get in math", "How many points did you get in Hungarian", "How was this year's admissions", "Did you attend e on Pitagorasz Online admission preparation", "Did they use the video monitoring of the sessions on the site pitagoraszonline.hu", "Observation, comment about the preparation", "To what extent did the preparation of Pitagorasz Studio meet your expectations"), as well as persons approached as tutors also targeted questions (e.g. "Where does he teach", "Registration number E.V.", "Tax number").
(49) According to the description of Customer 2, the [...] board is "letters edited by the administrator (name, subject, wording, number of sendings, number of readings, which group it belongs to, date of creation)".
The table contains several columns recording date values, of which the "date" column contains 2,074 rows since January 1, 2020, while the "datetime" column contains 4,058 rows. (50) The [...] table is also named in Customer 2's response, according to its description, it is the "database of subscribed readers, contains the e-mail address, the e-mail address of the subscriber at the time of subscription, their date, a unique session, which at the time of subscription in an encrypted hash format used to identify the reader, the subscriber's group to which he requested to subscribe, his ID, and whether his status is active or deleted."
The date of the earliest subscription was 01.25.2013 12:50:37. The total number of subscribers is 229,307.
(i) Active column role and values: The "active" column in the table has 3 different ones
can have the following values: 0, 1, and 2. Their distribution:
- Number of subscribers with value "0": 2,723
- Number of subscribers with value "1": 217,242
- Number of subscribers with a value of "2": 9,342
"0" and "1" can be interpreted as logical FALSE and TRUE values, respectively, which is the standard notation for whether a property or state exists or not. Thus, e.g. can indicate whether a user is active or not. At the same time, the value "2" cannot be interpreted in this form.
The data of subscribers marked with "0", i.e. inactive, is available in the database with the same content as the active ones, so inactivity in this sense does not involve actual data deletion, so the e-mail and IP addresses of these subscribers can still be found in this table .
(ii) Values of "status_log", "mod_log", "datum", "mdatum" and "ipdatum" columns: these columns contain various timestamps that indicate various events affecting users and their data.
The values of the "status_log" column contain more detailed information:
- date: date values, specified as YYYY-MM-DD HH:DD:MM
- method: listed with two types of values, "subscribe" and "admin"
- status: the value of which is 1 in all filled cells
The "subscribe" value of the "method" parameter indicates that these lines store user subscriptions. Among the "date" parameters, there are several with values of 2023-05-25, for which the value of the "method" parameter is "subscribe", so probably a subscription to the database was made on this date.
(51) The Authority called on Customer 1 to make a statement regarding the following questions: What is the role of the "Active" column in the [...] data table of its database, and what exactly does it represent, as well as under what conditions and how will "0", " 1” and “2” values for each record in the database.
According to Customer 1's statement, the value "0" means "inactive", so e.g. when one of your colleagues temporarily does not work with them, they are deactivated, so you will not receive any more letters. The value "1" means that the subscriber is "active". you can subscribe and receive newsletters based on your own decision. The value "2" means that your mail bounced due to some error (e.g. lost e-mail address, technical error, etc.). This data will be permanently deleted.
(52) In response to the Authority's inquiry, Customer 1 stated in relation to the data content of the [...] data table that the requested data did not come from subscribing to a newsletter. In the Web Pigeon software, it is also possible to store data that does not come from subscribing to a newsletter.
The telephone number, parent's telephone number, surname and first name, address data were collected from parents whose children attend mathematics education, and this is necessary for the billing data, and contact by telephone is justified in the case of their child.
The tax number, where you teach, registration number E.V., place of birth, residential address also do not come from subscribing to the newsletter, but apply to those teaching colleagues who run classes as self-employed within the framework of Pitagorasz Stúdió and are paid for their work on the basis of their invoices. Their data is also stored in the Webpigeon system.
These data therefore do not come from subscribing to the newsletter, their legal basis was the consent of the data subject and the specific purpose agreed with them in each case. The name and zip code of the school and the name of the principal come from the publicly accessible database of the Office of Education and are also stored in the Webgalamb system.
Certain schools are occasionally notified about their programs in a newsletter.
4. Facts established in connection with the newsletter subscription on the Customer 1 website https://pitagorasz.hu
(53) On December 12, 2022, the Authority subscribed to a test newsletter under the subscription window available on the above page of Customer1.
i. To subscribe to the newsletter, the following data and information were required:
e-mail address; From September 2022, what grade will the student be in; which part of Hungary do they live in; E-mail address again.
ii. In addition to the above, "I have read and accept the data management policy. In order for Pitagorasz Oktatási Stúdió Kft. to send a newsletter for marketing purposes and to contact you for direct business purposes:*" appears as a mandatory part of the text, and although the "I agree" check box is not pre-ticked, you can finalize the subscription by marking it, i.e. giving your consent .
iii. As soon as the person concerned clicks on the sign-up button, a confirmation message will appear in the browser, and a message will also be sent to the e-mail address provided during registration that the sign-up was successful.
II. Legal provisions applicable in the case
(54) Pursuant to Article 2 (1) of the General Data Protection Regulation, the General Data Protection Regulation must be applied to the processing of personal data in a partially or fully automated manner, as well as to the non-automated processing of personal data that are part of a registration system , or which they wish to make part of a registration system.
(55) According to recital (32) of the General Data Protection Regulation, data processing may only take place if the data subject gives his voluntary, specific, informed and clear consent by means of a clear affirmative action, for example a written - including electronic - or verbal statement to the for the management of personal data concerning natural persons. Such consent is also considered if the data subject ticks a relevant box when viewing an internet website, makes relevant technical settings when using services related to the information society, as well as any other statement or action that, in the given context, constitutes the consent of the data subject clearly indicates the planned handling of your personal data. Silence, a pre-ticked box or inaction therefore does not constitute consent. Consent covers all data processing activities carried out for the same purpose or purposes. If the data management serves several purposes at the same time, then consent must be given for all data management purposes. If the data subject gives his consent after an electronic request, the request must be clear and concise, and it must not unnecessarily prevent the use of the service for which the consent is requested.
(56) According to recital (39) of the General Data Protection Regulation, the processing of personal data must be legal and fair. It must be transparent for natural persons how their personal data is collected, used, accessed or otherwise handled, as well as in connection with the extent to which personal data is or will be handled. The principle of transparency requires that information and communication related to the management of personal data be easily accessible and comprehensible, and that it is formulated in clear and simple language. This principle applies in particular to informing the data subjects about the identity of the data controller and the purpose of the data management, as well as to further information aimed at ensuring fair and transparent handling of the personal data of the data subject, as well as to the information that the data subjects have the right to receive confirmation and information about the data processed about them. The natural person must be informed about the risks, rules, guarantees and rights related to the management of personal data, as well as how he can exercise the rights he is entitled to in connection with data management. The specific purposes of personal data management must first of all be explicitly formulated and legal, and also defined at the time of collection of personal data. Personal data must be suitable and relevant for the purpose of their management, and the range of data must be limited to the minimum necessary for the purpose. And for this, it must be ensured that the storage of personal data is limited to the shortest possible period. Personal data can only be processed if the purpose of data processing cannot be reasonably achieved by other means. In order to ensure that the storage of personal data is limited to the necessary period, the data controller establishes deletion or regular review deadlines. All reasonable steps must be taken to correct or delete inaccurate personal data. Personal data must be managed in a way that ensures an appropriate level of security and confidentiality, including in order to prevent unauthorized access to personal data and the tools used to manage personal data, as well as their unauthorized use.
(57) According to recital (47) of the General Data Protection Regulation, the data controller - including the data controller with whom the personal data may be disclosed - or the legitimate interest of a third party may create a legal basis for data processing, provided that the interests, fundamental rights and freedoms of the data subject are not priority, taking into account the reasonable expectations of the data subject based on his relationship with the data controller. Such a legitimate interest can be discussed, for example, when there is a relevant and appropriate relationship between the data subject and the data controller, for example in cases where the data subject is a client of the data controller or is employed by it. In order to establish the existence of a legitimate interest, it is necessary to carefully examine, among other things, whether the data subject can reasonably expect, at the time and in connection with the collection of personal data, that data processing may take place for the given purpose. The interests and fundamental rights of the data subject may take precedence over the interests of the data controller if the personal data are processed under circumstances in which the data subjects do not expect further data processing. Since it is the task of the legislator to determine by law the legal basis on which public authorities may process personal data, the legal basis supporting the legitimate interest of the data controller cannot be applied to data management carried out by public authorities in the performance of their duties. The absolutely necessary processing of personal data for the purpose of preventing fraud is also considered a legitimate interest of the data controller concerned. The processing of personal data for direct business purposes is also considered to be based on a legitimate interest.
(58) According to Article 4, Point 1 of the General Data Protection Regulation, "personal data: any information relating to an identified or identifiable natural person ("data subject"); a natural person can be identified directly or indirectly, in particular on the basis of an identifier such as a name, number, location data, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person identifiable."
(59) According to Article 4, Point 2 of the General Data Protection Regulation, "data management": any operation or set of operations performed on personal data or data files in an automated or non-automated manner, such as collection, recording, organization, segmentation, storage, transformation or change , query, insight, use, communication through transmission, distribution or otherwise making available, coordination or connection, restriction, deletion or destruction;
(60) According to Article 4, Clause 11 of the General Data Protection Regulation, "the consent of the data subject": the voluntary, specific and clear declaration of the will of the data subject based on adequate information, by which the data subject indicates by means of a statement or an act clearly expressing the confirmation that he gives his consent to manage personal data concerning him;
(61) According to Article 5 (1) of the General Data Protection Regulation, personal data: a) must be handled legally and fairly and transparently for the data subject ("legality, fair procedure and transparency"); b) it is collected only for specific, clear and legitimate purposes, and they are not handled in a way that is incompatible with these purposes; in accordance with Article 89 (1), further data processing for the purpose of archiving in the public interest, for scientific and historical research purposes or for statistical purposes is not considered incompatible with the original purpose ("purpose limitation"); d) they must be accurate and, if necessary, up-to-date; all reasonable measures must be taken to promptly delete or correct personal data that is inaccurate for the purposes of data processing ("accuracy");
According to paragraph (2), the data controller is responsible for compliance with paragraph (1) and must also be able to prove this compliance ("accountability").
(62) Pursuant to Article 6 of the General Data Protection Regulation, the processing of personal data is only legal if and to the extent that at least one of the following is fulfilled:
a) the data subject has given his consent to the processing of his personal data for one or more specific purposes;
b) data management is necessary for the performance of a contract in which the data subject is one of the parties, or it is necessary for taking steps at the request of the data subject prior to the conclusion of the contract;
c) data management is necessary to fulfill the legal obligation of the data controller;
d) data processing is necessary to protect the vital interests of the data subject or another natural person;
e) data processing is in the public interest or is necessary for the execution of a task performed in the context of the exercise of public authority delegated to the data controller;
f) data management to enforce the legitimate interests of the data controller or a third party
necessary, unless the interests of the person concerned take precedence over these interests
interests or fundamental rights and freedoms that make personal data protection
necessary, especially if a child is involved.
Point f) of the first subparagraph cannot be applied to data management carried out by public authorities in the performance of their duties.
(63) According to Article 7 (1) of the General Data Protection Regulation, if the data processing is based on consent, the data controller must be able to prove that the data subject has consented to the processing of his personal data.
(64) Pursuant to Article 12 (1) of the General Data Protection Regulation, the data controller shall take appropriate measures in order to provide the data subject with all the information referred to in Articles 13 and 14 regarding the processing of personal data and Articles 15-22. and Article 34 provide each and every piece of information in a concise, transparent, understandable and easily accessible form, clearly and comprehensibly worded, especially in the case of any information addressed to children. The information must be provided in writing or in another way, including, where applicable, the electronic way. Verbal information can also be provided at the request of the data subject, provided that the identity of the data subject has been verified in another way.
(65) Paragraphs (1)-(2) of Article 13 of the General Data Protection Regulation:
(1) If the personal data concerning the data subject is collected from the data subject, the data controller shall provide the data subject with all of the following information at the time of obtaining the personal data:
a) the identity and contact details of the data controller and - if any - the representative of the data controller;
b) contact details of the data protection officer, if any;
c) the purpose of the planned processing of personal data and the legal basis of data processing;
d) in the case of data management based on point f) of Article 6, paragraph (1), the legitimate interests of the data controller or a third party;
e) where applicable, recipients of personal data, or categories of recipients, if any;
f) where applicable, the fact that the data controller wishes to transfer the personal data to a third country or international organization, and the existence or absence of the Commission's compliance decision, or in Article 46, Article 47 or Article 49 (1) in the case of data transfer referred to in the second subparagraph of paragraph 1, indicating the appropriate and suitable guarantees, as well as referring to the methods for obtaining a copy of them or their availability.
(2) In addition to the information mentioned in paragraph (1), the data controller informs the data subject of the following additional information at the time of obtaining the personal data, in order to ensure fair and transparent data management:
a) on the period of storage of personal data, or if this is not possible, on the criteria for determining this period;
b) the data subject's right to request from the data controller access to personal data relating to him, their correction, deletion or restriction of processing, and to object to the processing of such personal data, as well as the data subject's right to data portability;
c) in the case of data processing based on point a) of Article 6 (1) or point a) of Article 9 (2), the right to withdraw consent at any time, which does not affect the legality of data processing carried out on the basis of consent before the withdrawal;
d) on the right to submit a complaint to the supervisory authority;
e) whether the provision of personal data is based on legislation or a contractual obligation or is a prerequisite for the conclusion of a contract, as well as whether the data subject is obliged to provide the personal data, and the possible consequences of failure to provide data;
f) the fact of automated decision-making referred to in paragraphs (1) and (4) of Article 22, including profiling, as well as, at least in these cases, comprehensible information on the logic used and the significance of such data management and the benefits for the data subject has expected consequences.
(66) Paragraphs (1)-(2) of Article 14 of the General Data Protection Regulation:
(1) If the personal data were not obtained from the data subject, the data controller shall provide the data subject with the following information:
a) the identity and contact details of the data controller and - if any - the representative of the data controller;
b) contact details of the data protection officer, if any;
c) the purpose of the planned processing of personal data and the legal basis of data processing;
d) categories of personal data concerned;
e) recipients of personal data, or categories of recipients, if any;
f) where applicable, the fact that the data controller wishes to forward the personal data to a recipient in a third country or to an international organization, and the existence or absence of the Commission's compliance decision, or in Article 46, Article 47 or Article 49 In the case of data transfer referred to in the second subparagraph of paragraph (1), the indication of suitable and suitable guarantees, as well as a reference to the methods for obtaining a copy of them or their availability.
(2) In addition to the information mentioned in paragraph (1), the data controller provides the data subject with the following additional information necessary to ensure fair and transparent data management for the data subject:
a) the period of storage of personal data, or if this is not possible, the criteria for determining this period;
b) if the data management is based on point f) of paragraph 1 of Article 6, on the legitimate interests of the data controller or a third party;
c) the data subject's right to request from the data controller access to personal data relating to him, their correction, deletion or limitation of processing, and to object to the processing of personal data, as well as the data subject's right to data portability;
d) in the case of data management based on point a) of Article 6 (1) or point a) of Article 9 (2), the right to withdraw consent at any time, which does not affect the legality of data management carried out on the basis of consent before the withdrawal;
e) the right to submit a complaint addressed to a supervisory authority;
f) the source of the personal data and, where appropriate, whether the data comes from publicly available sources; and
g) the fact of automated decision-making referred to in paragraphs (1) and (4) of Article 22, including profiling, as well as, at least in these cases, comprehensible information regarding the logic used and the significance of such data management and the benefits for the data subject has expected consequences.
(67) Based on Article 14 (3) of the General Data Protection Regulation, the data controller shall: (1) and
Provide the information in accordance with paragraph (2) as follows:
a) taking into account the specific circumstances of the handling of personal data, within a reasonable period of time from the acquisition of the personal data, but within one month at the latest;
b) if the personal data is used for the purpose of contacting the data subject, at least during the first contact with the data subject; obsession
c) if it is expected that the data will be communicated to another recipient, at the latest when the personal data is communicated for the first time.
(68) Nytv. Section 17, subsection (1) and subsection (2), point a):
(1) The bodies of the registry shall provide data under the conditions and limits defined in this law - at the request of the citizen, legal person or organization without legal personality, in case of proof of the purpose and legal basis of the use.
(2) Data from the register can be provided according to the following grouping:
a) name and address data (information about the address);
(69) Nytv. According to § 19:
(1) Any citizen, legal person or organization without legal personality is entitled to request the provision of data in accordance with Section 17, Subsection (2), point a) upon proof of the purpose and legal basis of use:
a) in order to enforce his right or legitimate interest,
b) for the purpose of scientific research,
c) sample required to start public opinion polls and market research, and
d)
(2) Persons entitled to request data based on points b) and c) of paragraph (1) may request data according to the following selection criteria:
a) for the purpose of scientific research, according to the data specified in points a)-e), g)-h) and k) of § 11, paragraph (1) of the Act,
b) for the purpose of public opinion research and market research, according to points c)-d), h) and k) of Section 11 (1),
c)
(3) In the case of a data request based on points b) and c) of paragraph (1), the applicant must properly prove his/her right to perform the activity specified therein and to request the data.
(4) The application must be refused if
a) the release of the data has been blocked by the citizen, unless he has given permission for the release of the data on a case-by-case basis;
b) the applicant did not or did not adequately prove the purpose of using the data, as well as its legal basis;
c) the stated purpose does not affect the applicant's right or legitimate interest, or violates the privacy rights of the citizen affected by the data;
d) ninety days have not yet passed after the registration of the newborn's data.
(5)
(6)
(70) CXIX of 1995 on the management of name and address data for the purpose of research and direct business acquisition. Act (hereinafter: Kktv.) according to Article 2, paragraph (1), point 3, market research: examination of the consumer habits of the affected party.
The Kktv. According to Section 2, Paragraph 1, Point 4 of its text version valid until April 25, 2019, Direct business acquisition (direct marketing): the set of informational activities and additional services carried out by the method of direct inquiry, the purpose of which is to sell products or services, provide or XLVIII of 2008 on the basic conditions and certain limitations of economic advertising, which is directly related to sales promotion. transmission of advertising to consumers or trading partners (hereinafter referred to as: customers) according to point d) of § 3 of the Act (hereinafter: Grt.).
(71) For data management under the scope of the General Data Protection Regulation, Infotv. According to Section 2 (2), the general data protection regulation must be applied with the additions contained in the provisions indicated there.
(72) Infotv. Pursuant to Section 60 (1), in order to assert the right to the protection of personal data, the Authority shall initiate a data protection official procedure at the request of the data subject and may initiate a data protection official procedure ex officio.
(73) Infotv. According to § 61, paragraph (1), point a), in the decision made in the official data protection procedure, the Authority shall refer to Infotv. You may apply the legal consequences defined in the general data protection regulation in connection with the data management operations defined in § 2, paragraph (2).
(74) Infotv. According to Section 61 (2), the Authority may order the publication of its decision - by publishing the identification data of the data controller or data processor - if the decision affects a wide range of persons, it was made in connection with the activities of a body performing a public task, or the gravity of the infringement is made public justifies bringing.
(75) Infotv. Pursuant to § 71, paragraph (2), the Authority may use documents, data or other means of proof legally obtained during its proceedings in other proceedings.
(76) Infotv. 75/A. §, the Authority exercises its powers contained in paragraphs (2)–(6) of Article 83 of the General Data Protection Regulation, taking into account the principle of proportionality, in particular that the regulations regarding the processing of personal data – defined in legislation or in a binding legal act of the European Union – in the event of a first violation, in accordance with Article 58 of the General Data Protection Regulation, measures are taken to remedy the violation, primarily by warning the data controller or data processor.
(77) GDPR Article 58 (2) points b), d) and i): Acting within the supervisory authority's corrective powers:
b) condemn the data manager or the data processor if their data management activities violated the provisions of this regulation;
d) instructs the data manager or the data processor to bring its data management operations into line with the provisions of this regulation - in a specified manner and within a specified period of time;
i) imposes an administrative fine in accordance with Article 83, depending on the circumstances of the given case, in addition to or instead of the measures mentioned in this paragraph
III. Decision
1. The subject of this official data protection procedure
(78) The Authority received a number of reports, in which the informants objected to the data processing in connection with the market research and direct marketing inquiries of Customer 1 addressed to minor children and addressed to their legal representative, sent by mail.
(79) The Authority initiated ex officio proceedings to investigate whether Customer 1 complies with the provisions of the General Data Protection Regulation during this data management practice.
(80) According to the company register, Customer 1 was founded on January 16, 2018. His main activity is m.n.s. other education, its activities also include market and public opinion research.
(81) The Authority NAIH-8386-1/2022. according to the provisions of order no.
(82) The data management period of Customer 1 examined in this procedure is the period from January 1, 2020 to November 8, 2022.
(83) Customer1 operates the website https://pitagorasz.hu/, where it is possible to subscribe to the newsletter, and Customer1 also operates several sub-sites (www.felvizsga.hu, www.oldjukmeg.net, www.nyolcadikosok.hu, www .matekozz.hu, www.tandijbefizetes.hu, www.pitagoraszonline.hu, www.pitagorasz.shp.hu), most of which navigate the user of the site to the main website www.pitagorasz.hu, or the entry interface of the online preparation, directly to the opens the preparatory course application interface.
2. Brief summary of the examined data management activity
(84) Customer 1 manages the name and address data of the persons concerned - minor children - in connection with inquiries sent by post. Customer 1 requested the name and address data from BM in order to find the minors concerned.
(85) Customer 1 requested name and address data from BM every year. According to the attached application copies, Customer 1 applied to the BM three times within the examined data management period with a request for data provision. According to what was indicated in the data request requests, and also according to the statement made by Customer 1 at the request of the Authority, Customer 1 requested the name and address data in order to start the market research activity related to the admission preparation courses organized by him. In relation to his requests, Customer 1 received the name and address data of 33,185 data subjects as a result of his February 2020 data request, 61,770 data subjects as a result of his April 2021 request, and 29,003 data subjects as a result of his May 2022 request from the BM.
(86) The postal inquiries sent by Customer 1 in August 2020 contained information about Customer 1's admission preparations and an enrollment data sheet. The letters sent out contained the following information: "Dear Madam, Sir! We would like to inform you that your child's name and address were randomly selected from the records of the Personal Documents Department of the Ministry of the Interior for the purpose of mailing educational information. The use of the data has been terminated by forwarding this letter. We inform you that the provision of data is voluntary, so you have the right to request the termination of the use of your data for the specified purpose."
(87) One, received by the Authority on September 1, 2021, NAIH-6956-1/2021. complaint filed, and based on the sample letter attached by Customer 1, one page of the two-page letter sent by Customer 1 in August 2021 indicated the purpose of the request - according to the sample letter attached by Customer 1 - that "the purpose of our current letter is to learn the parents' opinion that the Which preparation of Pitagorasz Stúdió will be well received by interested parents. Please go to www.hatodikosok.hu, where you will find all the information about this, as well as about the six-grade high schools and the admission procedure!" The second page of the letter contained information related to data management with the content described in point (13).
(88) On one side of the postal letters sent by Customer 1 in September 2022, there were 4 questions, in which Customer 1 was interested in the needs of the contacted parents regarding the enrollment preparation, and on the other side of the letter there was information related to data management with the content described in point (13) about the admission preparation of Customer 1 after information.
(89) According to the statement of Customer 1, the legal basis for processing the data received from BM is the legitimate interest according to Article 6 (1) point f) of the General Data Protection Regulation. The purpose of the market research is to assess the possibilities of the preparatory course for admission and to assess the needs of parents.
(90) On the website https://pitagorasz.hu/ operated by Customer 1, it is also possible to subscribe to a newsletter.
3. Customer 1's data management practices related to postal inquiries
3.1. Legal basis for data management
(91) Based on his statement and the attached documents, Customer 1 requested the name and address data used for sending postal inquiries from the citizens' personal data and address register.
(92) During the examined data management period, Customer 1 applied to BM three times with a request for data.
(93) According to the attached copies of the data request request, Customer 1, in his request dated February 17, 2020, his request dated April 7, 2021 and his request dated May 9, 2022, also "related to the admission preparation courses organized by us to start market research" indicated the purpose of data use.
(94) In its decisions, the BM granted Customer 1's requests for data provision and allowed Customer 1 to use group data provision from the register of citizens' personal data and residential addresses. Based on the attached document copies, Customer 1 submitted a data request request to the BM once a year, in which he requested the name and address data of minors who were likely to be in the fourth grade, sixth grade, and eighth grade in the given academic year, specifying birth date intervals.
(95) At the request of the Authority, Customer 1 stated with regard to the purpose of its data management that it requested the data for the purpose of starting market research activities prior to and related to the admission preparation course, and since the BM released the data, the release of the data to the data subject is legal was not restricted by his representative.
(96) Based on the definition of the GDPR, the name and address are personal data of the data subject, while any operation performed on the data, such as the collection, storage and use of the data, is considered data processing.
(97) For the legality of data management, the data controller must have a legal basis in accordance with Article 6 (1) of the GDPR.
(98) According to the statement of Customer 1, the legal basis for processing the data received from BM is the legitimate interest according to Article 6 (1) point f) of the GDPR. (99) In the case of data management based on point f) of Article 6, paragraph (1) of the GDPR, the data controller must carry out an interest assessment. This is also supported by recital (47) of the GDPR, according to which the existence of the legal basis of legitimate interest must be verified by weighing interests. In this context, the data controller must examine the necessity of data management. The processing of personal data must be directly related to the goal to be achieved: the goal must be examined with a precise, complex and fact-based analysis, particularly whether there is a less restrictive means for the goal to be achieved, whether there are other alternatives that protect the privacy of the affected parties less restrictive means. The legitimate interest of the data controller and the third party must be determined as accurately as possible based on a fact-based, specific investigation of the given data controller. The interest must be real and current. The basic element of the consideration of interests is the assessment of the interests and expectations of the data subjects, attention must be paid to the status, legal and actual situation of the data subjects, as well as their reasonable expectations regarding data management. The interest assessment is a detailed analysis of why the data controller's legitimate interests proportionately limit the rights of the data subjects, and why the data controller's interests take precedence over the data subjects' rights. In the absence of such a consideration of interests – in view of the violation of the principle of accountability – there can be no question of legal and transparent data management. In the assessment of interests, the person of the data controller must be clearly defined, and it is the responsibility and task of the data controller to accurately document and justify the above.
(100) According to the constant and consistent practice of the Authority, the data controller is responsible for the legality of the data processing carried out by it. Due to the nature of the legal basis according to Article 6 (1) point f) of the General Data Protection Regulation, in the case of this legal basis, the data controller must be able to indicate precisely which legitimate interest of the data controller is the basis for the processing of specific personal data, and why, in view of this interest, the data management, at the same time you must be able to confirm and prove that it takes precedence over the legitimate interest of the data subject and his right to the protection of personal data.
(101) The Authority points out that the obligation of the data controller to prove that the conditions for the legality of data processing - the data processing from the beginning - they exist continuously. The fact that the data subject's personal data is handled and this is not harmful to him does not mean adequate consideration, i.e. that the data controller has fully taken into account the aspects, interests, fundamental rights and freedoms of the data subject. The application of the consideration of interests is always accompanied by the requirement that the data controllers must ensure that specific guarantees are incorporated. Finally, it must be determined why the data controller's or a third party's legitimate interests proportionately limit the data subject's rights. The consideration of interests must be carried out not afterwards, but before data management. The data controller can only reasonably trust that it complies with the legal requirements of data management in all respects, if it can fulfill its verification obligation and can demonstrate the existence of these conditions in a manner that provides sufficient certainty for the Authority, the court in charge, and the data subject. .
(102) It follows from this that if the data controller cannot prove that the data processing objected to by the data subject in the examined period would have met the data protection requirements, it does not fulfill the basic requirement of accountability, thus violating Article 5 (2) of the General Data Protection Regulation . Data managers must implement all data management operations in such a way that they can prove at any moment how they complied with data protection regulations.
The principle of accountability can therefore not only be interpreted at the process level in general, it also applies to all specific data management activities and the management of the personal data of a specific data subject.
(103) Pursuant to Article 5 (2) of the General Data Protection Regulation, on the basis of accountability, the data controller is obliged to document and record the data processing in such a way that its legality can be proven afterwards. It is an important requirement arising from the principle of accountability that the documentation be prepared with reference to the data controller and its data management, because the mere literal acceptance of the legal texts does not reveal why the given data management is necessary.
(104) According to the Authority's point of view, it is not acceptable that, according to its statement, Customer 1 based its data management on the legal basis of legitimate interest, but according to its statement, it did not carry out an interest assessment at all, and as a result it could not present it to the Authority, nor did it prove the existence of its legitimate interest.
(105) On the basis of the above, the Authority established that Customer 1, by not proving the existence of its legitimate interest in handling the name and address data of the minors requested from the personal data and address register, therefore handled the requested personal data without a legal basis, violated Article 5 of the GDPR. the basic principle of accountability according to Article (2) and, in view of this, Article 6 (1), since it unlawfully handled the personal data of minors without a valid legal basis.
3.2. Purpose of data management in connection with postal inquiries
(106) During the examined data management period, Customer 1 sent a letter by mail three times, once a year, using the name and address data requested from BM, to the legal representatives of minors concerned.
(107) The data processing carried out in connection with these inquiries of Customer 1, i.e. the postal inquiries sent in 2020, 2021 and 2022, shall be considered as separate data processing.
(108) Nytv. According to Section 19 (1) point c), any legal person is entitled to request the provision of name and address data, with proof of the purpose and legal basis of use, in order to compile a sample necessary for starting public opinion polls and market research.
In all data request requests sent to the BM, including those submitted in 2020, 2021 and 2022, Customer 1 indicated the purpose of data use was market research related to the admission preparation courses organized by him.
(109) According to the principle of purpose-bound data management according to Article 5 (1) point b) of the General Data Protection Regulation, personal data may only be collected for a specific, clear and legitimate purpose, and they may not be processed in a manner incompatible with these purposes. Furthermore, according to the provisions of recital (39), the specific purposes of personal data management must be explicitly stated and legal, and must be defined at the time of collection of personal data.
(110) According to his statement, Customer 1 requested the personal data in order to start his related market research activities prior to the admission preparation course, so Customer 1 indicated market research as the purpose of data use, and Customer 1 also indicated this in his request to BM as the purpose, for which you want to use the requested data.
(111) According to Customer 1's statement, the market research provides the information on the basis of which they can organize admission preparatory courses in accordance with parental expectations, such as: which form of education is the most popular, what content expectations parents have regarding the preparatory courses.
(112) Contrary to this, in the informative part of the inquiry letter sent to the stakeholders in August 2020, Customer 1 indicated the purpose of using the requested data was the mailing of educational information.
(113) In the information sheet on the second page of the postal letter sent in August 2021, Customer 1 stated that "The purpose of this market research is to assess the admission preparation course options of Pitagorasz Oktatási Stúdió Kft., to learn about parents' needs.", while Customer 1 also states the same on the first page of the letter , that "The aim of our current letter is to get to know the parents' opinion, which preparation of the Pitagorasz Education Studio will be received by interested parents.". However, based on the sample letter attached by Customer 1, the inquiry letter sent to the parents did not contain a series of questions related to this, but based on the sample letter, only the following: "Please go to the website www.hatodikosok.hu, where everything about this, as well as the six-grade high schools and the admission process you will find information!” However, a reference to what exactly "getting to know the parents' opinion" entails, how this goal can be achieved, or any invitation to ask parents to go to the indicated page and fill out the questionnaire online who, was not.
(114) It can therefore be concluded that Customer 1 handled the data requested in 2020 and 2021 for the purpose of mailing educational information, as stated in the information provided in the letter, contrary to the purpose of use of the requested data indicated in the request for data sent to the BM. respectively, based on its content, the letter sent to the affected parties was the promotion of the activities of Customer 1, i.e. it contained information about the admission preparation courses held by him, their location and time, enrollment information directly on the letter or by means of page marking in the letter.
(115) The purpose must be explained in a clear, obvious, understandable language in such a way that the affected parties are aware of all the essential circumstances of the data management, the specific purpose and the range of data aligned with it, as well as the process of managing their personal data. This expectation of the data controller follows from the principle of transparency and fair data management according to Article 5 (1) point a) of the General Data Protection Regulation, and the conditions for the enforcement of the data subject's rights can be derived from this.
(116) Since April 26, 2019, Act CXIX of 1995 on the management of name and address data for the purpose of research and direct business acquisition. the scope of the law does not extend to natural and legal persons who require or handle name and address data for the purpose of contacting them directly for business acquisition. The Kktv. according to its previous definition, direct business acquisition (direct marketing) is the set of informational activities and additional services carried out by the method of direct inquiry, the purpose of which is directly related to the sale, service or sales promotion of products or services, Grt. Forwarding of advertising to consumers or commercial partners according to point d) of § 3.
(117) Although it was possible to fill out the questionnaire online during the examined period through some of Customer 1's websites (www.negyedikesek.hu, www.hatodikosok.hu, www.nyolcadikosok.hu), the marked postal inquiries did not at all emphasize that the The purpose of Customer 1's postal inquiries would be to have as many people as possible fill out the indicated questionnaire - in fact, the letter sent in August 2020 does not even mention the questionnaire - and on the basis of which Customer 1 could have assessed the parental needs related to admissions. By opening the websites indicated in the letters mailed in 2021, the interested party can read about the need for the admission preparation course held by Customer 1 and its practical process, and at the top of the pages, above the main information, there is the link "QUESTIONNAIRE about the preparers", through which the questionnaire can be opened online and can be filled out.
(118) Based on the available information, the Authority established that Customer 1 did not use the data requested from the personal data and address register in 2020 for the purpose of data use indicated in the request for data, and in terms of the content of the sent letter, it corresponds to a request for direct business acquisition (direct marketing) , because it advertised the recruitment preparations of Customer 1, in terms of its content, no information referring to market research could be found. Furthermore, the purpose indicated in the information placed in the letter itself - mailing of educational information - did not indicate the real purpose of the data management, but as if Customer 1 had requested the name and address data from BM for the purpose stated in the information in the first place, although the Nytv. data usage does not allow data requests for this purpose.
(119) According to the Authority's finding, it is also not possible to identify whether the purpose of market research existed in relation to the postal inquiries sent in August 2021, based on the details in point (113), the purpose of these postal inquiries, according to the Authority's point of view, was direct business acquisition (direct marketing), despite that the information about data management on the sent letter called the inquiry market research.
(120) The Authority concludes that based on the above, Customer 1 violated the principle of purpose limitation according to Article 5 (1) point b) of the General Data Protection Regulation during its data management in connection with its postal inquiries in 2020 and 2021.
3.3 Fairness of data management
(121) The purpose must be explained in a clear, obvious, understandable language in such a way that the affected parties are aware of all the essential circumstances of the data management, the specific goals and the range of data corresponding to them, as well as the process of managing their personal data. This expectation of the data controller follows from the principle of transparency and fair data management according to Article 5 (1) point a) of the General Data Protection Regulation.
Compliance with the principle of purposefulness consists of two main parts: on the one hand, it includes the choice of a clear and at the same time legal purpose, and on the other hand, the processing of personal data in a way that is compatible with the purpose.
The expectations arising from these are the following:
- A concretely defined goal declared before the start of data management. In the present case, this was completely absent when the interested parties were contacted by post, and the information provided by Customer 1 in the letters of inquiry was misleading and incorrect.
- Legitimate purpose in accordance with the legal basis and in connection with data management. In the present case, Customer 1 did not base its data processing related to postal inquiries on a valid legal basis in Article 3/3.1. as explained in point 2, furthermore, the definition of the purpose of data management (data use) cannot be considered real during most of the examined data management period (during inquiries sent in 2020 and 2021).
- Comprehensible communication to the target group, in a way that is not ambiguous or misleading. In the present case, no adequate information was given to the affected parties - especially about the purpose of the data management and its legal basis - based on the available information, it can be established that Customer 1 did not use the requested data for the purpose of data use indicated in the data request, the purpose of the market research in 2020 and Your mail solicitations in 2021 were actually direct marketing.
- In the case of additional goals, the appropriate interpretation of the compatibility test, which usually assumes a high degree of similarity between the earlier and later goals. In the present case, compatibility of goals did not arise, so compliance with this condition is irrelevant.
(122) As a result of what has been explained in points (106)-(117), the Authority further determines that Customer 1 did not indicate a real purpose as the purpose of using the requested data during his data request from the personal data and address register in 2020 and 2021 , thereby misleading the parties involved and the Ministry of the Interior regarding the real purpose of the data management, violated the principle of fair procedure according to Article 5 (1) point a) of the General Data Protection Regulation.
3.4. Information provided during the postal inquiry
(123) According to Article 12 (1) of the General Data Protection Regulation, the Customer1 as a data controller is obliged to take appropriate measures in order to provide the data subjects with all the information mentioned in Articles 13 and 14 regarding the processing of personal data and 15 -22. and provide each piece of information according to Article 34 in a concise, transparent, comprehensible and easily accessible form, clearly and comprehensibly worded.
(124) The system of appropriate information in the General Data Protection Regulation serves to ensure that the data subject is aware of which personal data will be handled by which data controller and for which purpose, and how. This is essential in order to be in a position to meaningfully exercise your data subject rights.
(125) During the investigated data management, Customer 1 contacted the legal representatives of the minors concerned by mail in such a way that - in the letters sent in 2020 and 2021 - he sent information about the service he provided, i.e. the preparation for admission. In the case of the postal inquiry sent in August 2020, the letter itself contained the most important information about the preparers, as well as a data sheet for enrolling in the preparer, while in the case of the postal inquiry sent in August 2021, the letter generally described the activities of Customer 1 in relation to the preparer and referred to the website for the age group addressed in the letter through a link more specific information is available there. The inquiries mailed in 2022 included, in addition to information about the admission preparation course held by Customer 1, a series of 4 questions about the needs of the parents concerned regarding admission preparation courses.
(126) The principle of transparent data management contained in Article 5 (1) point a) of the General Data Protection Regulation requires that the data subject be informed of the fact and purpose of data management. Therefore, one of the essential conditions for the legality of data management is that the data controller properly informs the data subject about all the important circumstances of data management.
(127) Articles 13-14 of the General Data Protection Regulation. articles determine the content of the information that must be provided during the processing of personal data. Different rules apply to this (content and deadline) depending on whether the data was obtained from the data subject or not, while Article 12 of the General Data Protection Regulation provides guidelines for the formal requirements of the information.
(128) Since Customer 1 contacted the minor data subjects or their legal representatives by means of postal inquiries using the data provided by the BM – i.e. after collecting the personal data not from the data subject but from another source – Customer 1 is subject to Article 14 of the General Data Protection Regulation. by taking into account the provisions of Article
(129) Based on the complaints received by the Authority, as well as the sample letters attached by Customer 1, the inquiries sent in each year during the examined data management period had different contents, and the information on the letters also had different contents in 2020, 2021 and 2022 on sent letter types.
(130) In addition to the content described in point (113) posted by Customer 1 in August 2020
the letter contained the following information:
"Dear Madam, Sir! We would like to inform you that your child's name and address were randomly selected from the records of the Personal Documents Department of the Ministry of the Interior for the purpose of mailing educational information. The use of the data has been terminated by forwarding this letter. We inform you that the provision of data is voluntary, so you have the right to request the termination of the use of your data for the specified purpose."
(131) The Authority established that the information provided by Customer 1 in the information letter sent by post to the minors (their legal representative) in August 2020 did not contain the most important information contained in Article 14 of the General Data Protection Regulation:
(i) The information sheet did not specifically name who could be considered a data controller, and from the content of the entire letter, it was not possible to determine who/what organization the admissions preparer described in the letter was actually connected to. The letter itself, which was sent by post, and the text on the letter only referred to websites, which the person concerned could open to access the websites managed by Customer 1. In addition, the letter and the information did not contain the contact details of the data controller, at most it was possible to infer from the sender of the letter which data controller the letter received by post or the admission preparation advertised in it could be contacted [GDPR Article 14 (1)a)].
(ii) The prospectus did not provide information on the legal basis of the data management, nor on its purpose. The text of the information only referred to the purpose of the BM data request, in relation to which the Authority finds that it did not correspond to reality, because in the requests submitted to the BM, Customer 1 indicated as the purpose of the data use the market research related to admission preparation courses [GDPR Article 14 ( 1) c)].
In addition to the above, the information sheet did not contain the most important information necessary to ensure transparent data management:
(iii) In its response to the Authority, Customer 1 stated that its data management is based on Article 6 (1) point f) of the General Data Protection Regulation, however, the information provided in the letter does not provide any information in this regard, nor does it mention the legal basis of legitimate interest, nor otherwise, it does not provide information on the legal basis of data management [GDPR Article 14 (2) b)].
(iv) The information sheet did not provide information about the data subject's rights either, it only contained that "the provision of data is voluntary, so you have the right to request the termination of the use of your data for the specified purpose.", however, this cannot actually be answered by a single, general data protection regulation nor to a specific data subject right [GDPR Article 14 (2) c)]. This sentence of the information also contradicts the sentences preceding it. On the one hand, it suggests that the data subject provides his personal data ("the provision of data is voluntary..."), even though the personal data was requested from BM by Customer 1, and on the other hand, in the previous sentence, the data controller informs that the use of the data has been terminated by forwarding the letters - According to Customer 1's statement to the authorities, the data requested from BM were deleted after the postal inquiries were sent - then based on the content of the following sentence, the data subject may request the deletion of personal data.
(v) The prospectus did not provide information on the right of data subjects to submit a complaint to the supervisory authority [GDPR Article 14 (2) e)]. (132) The Authority established that, based on the details detailed above, the information placed in the request sent by post in August 2020 addressed to the minor data subjects and their legal representatives by Customer 1, on the one hand, did not provide the data subjects with information on all the essential circumstances of the data management, and on the other hand, it did not provide clear information on the to those concerned, thereby violating Article 12 (1) and Article 14 (1) points a) and c) and Article 14 (2) points b), c) and e) of the GDPR.
(133) The letter sent by Customer 1 in August 2021 and September 2022 contained the following information:
"Dear Parent!
This information was prepared for you by Pitagorasz Oktatási Stúdió Kft.
Our headquarters: 1028 Budapest Szilágyi Erzsébet utca 30.
We would like to inform you that the source of your data is the Personal Registration Data Provision and Licensing Department of the Personal Registration and Administration Department of the Ministry of the Interior.
We would like to inform you that we do not store the data used, we do not forward them, and after sending the letter to the post office - by the time you receive it - we have already deleted it.
The purpose of this market research is to assess the possibilities of Pitagorasz Oktatási Stúdió Kft.'s admission preparatory courses and to learn about parents' needs.
Legal basis for data management: CXIX of 1995 on the management of name and address data for the purpose of research and direct business acquisition. § 3, subsection (1) point d) of the Act.
You can view the data management statement of Pitagorasz Oktatási Stúdió Kft. at www.pitagorasz.hu.
(134) The Authority established that the information included in the information letter sent by Customer 1 to the minors (their legal representatives) in September 2022 by post did not contain the most important information contained in Article 14 of the General Data Protection Regulation:
(i) The prospectus did not specifically name who can be considered a data controller. Although the information sheet mentioned the name of Customer 1 as the creator of the information sheet and his contact information (headquarters), the only conclusion that can be drawn from it is that Customer 1 is the data controller in connection with the data processing under investigation [GDPR Article 14 (1) a)].
(ii) The prospectus did not inform the data subjects about the legal basis for the processing of personal data. The information also contains a legal reference, which gives the impression, in a deceptive way, that the handling of the personal data of the recipient of the letter as a data subject is necessary to fulfill the legal obligation contained in the referenced law, i.e. its legal basis is GDPR Article 6 (1) c) would be the fulfillment of a legal obligation according to point [GDPR Article 14 (1) c)].
In addition to the above, the information sheet did not contain the important additional information necessary to ensure transparent data management:
(iii) In its response to the Authority, Customer 1 stated that its data management is based on Article 6 (1) point f) of the General Data Protection Regulation, however, the information provided in the letter does not provide any information in this regard [GDPR Article 14 (2) b) ].
(iv) The prospectus did not provide any information regarding data subject rights [GDPR Article 14 (2) c)].
In the notification, the data controller provided only enough information on which website the data subject can access the data management statement, which is also misleading for the data subjects, as the data subjects do not necessarily think that the data controller is referring to its data management information from the term "data management statement" under this term.
(v) The prospectus did not provide information on the right of data subjects to submit a complaint to the supervisory authority [GDPR Article 14 (2) e)].
(135) The Authority reviewed the document entitled "Data Management Statement" published on the website of Customer 1 during the examined data management period, to which Customer 1 refers as a data protection information sheet in its statement to the Authority. Regarding the document, the Authority found that it did not contain any information regarding the data management of Customer 1 in connection with the postal inquiry.
(136) The Authority established that, based on the details detailed above, the information provided by Customer 1 to the minor data subjects or their legal representatives in the request sent by post in August 2021 and September 2022, on the one hand, did not provide the data subjects with information on all the essential circumstances of data management, and on the other hand, did not provided clear information to the data subjects, thereby violating Article 12 (1) and Article 14 (1) points a) and c), as well as Article 14 (2) b), c) and e) of the GDPR points.
3.5. Customer 1's data management practices in connection with sending newsletters
3.5.1. Legality of data management, actors of data management
(137) Customer 1 in I.4. as described in point 1, the website operated by it https://pitagorasz.hu provided the opportunity to sign up for the newsletter - or at the time the Decision was made - to subscribe to the newsletter.
(138) According to Customer 1's declaration and the information provided in its data management information, the newsletter is sent with the assistance of the data processor, Customer 2, because the newsletter sender service is operated through the Webpigeon mail system provided by Customer 2.
(139) Customer 2 provides hosting services for the Webgalamb 8.1.0 online newsletter program available at […] for Customer 1. Customer 2 - according to its declaration and described in point (40) - does not provide data recording, data management, editing or other support to Customer 1, Customer 2 is only a data transmitter/broker when using the Webgalamb product (software/license) and newsletter service, and its customers - thus does not manage any personal data on behalf of Customer 1 that refers to Customer 1's customers/customers/newsletter subscribers.
(140) Mandatory data to subscribe to the newsletter: e-mail address, what grade the student will be in from the given academic year, which part of Hungary he/she lives in (specific county is required) and re-entering the e-mail address. In addition, in order to successfully sign up, it is necessary to check the box before "consent", according to which the person concerned consents to Customer 1 sending him a newsletter for marketing purposes and contacting him for direct business purposes.
(141) However, based on the excel databases attached by Customer 1 containing the list of subscribers to the website www.pitagorasz.hu, Customer 1 actually stores the following personal data about subscribers:
e-mail address, IP address, subscription time, status (active/bounced), ID (6-digit identifier for all subscribers), subscription URL, 2019/2020/2021. from September, what grade is the student in, which part of Hungary does he live in?
In addition, the 2020/2021. in the academic year and 2021/2022. for those who signed up during the academic year, he also recorded the fact of consent to data management in the excel database.
(142) Based on the definitions of Article 4, points 1 and 2 of the GDPR, the e-mail address, IP address, ID, subscription URL and other information collected in relation to the data subject are, among other things, the personal data of the data subject, while any processing carried out on the data operation, such as the collection, recording, storage, organization and use of data, is considered data management.
For the legality of data management, the data controller must have a legal basis in accordance with Article 6 (1) of the GDPR.
(143) In its statement to the Authority, Customer 1 indicated consent as the legal basis for data processing in connection with subscribing to the newsletter. (144) During the examined data management period, in the document called "Data management statement" (hereinafter: information), which can be downloaded via the link embedded in the newsletter subscription window on the website of Customer 1, according to the information given under the subheading "Data management information related to the sending of newsletters and personalized advertising", "The data management the legal basis is the user's voluntary consent to use the personal data provided while using the website, and Infotv. Paragraph (1) of § 5 and CVIII of 2001. Act 13/A. § (3)." The purpose of data management related to the sending of the newsletter is: "exclusively to facilitate contact with users, to provide personalized services where appropriate, and to transmit new and current information". According to the information sheet, in connection with the sending of the newsletter, the name, e-mail address and residential address (county, city level) of the subscribers are managed by Customer 1 until the consent of the data subjects is revoked, or until the data deletion request is made by the data subject.
(145) In order to subscribe to the newsletter provided on the website of Customer 1 - verified by the test subscription carried out by the Authority, described in point (53) - the data subjects have given or will give their consent, i.e. for the subscription to be successful, it is necessary that after the mandatory provision of personal data, the subscriber by ticking the box before "I consent", you declare that you consent "to Pitagorasz Oktatási Stúdió Kft. sending a newsletter for marketing purposes and contacting you for direct business purposes".
(146) According to the statement of Customer 1, the purpose of data management is to maintain contact through the newsletter, i.e. to remind parents of important education-related information.
(147) According to the statement placed on the sign-up interface, the purpose of data management is to send newsletters for marketing purposes and to send inquiries for the purpose of direct business acquisition, and it is indicated as information in the sign-up window - as if indicating what kind of newsletters to expect - that "If you request, then regularly and we will notify you free of charge of any information that is important to you. /academic schedule, further education information, admission information, deadlines, learning opportunities, etc.../".
(148) Based on Article 6 (1) point a) of the GDPR, the data subject may give informed consent to the processing of his personal data for specific purposes. However, for this to be valid, the consent must comply with other general rules of the GDPR, such as the data management principles according to Article 5 (1) and (2) of the GDPR and the conditions specified in the definition according to Article 4, point 11, as well as the Restrictions according to Article 7 GDPR.
(149) According to Article 5 (1) point b) of the GDPR, personal data may only be collected for specific, clear and legitimate purposes, and they may not be processed in a way that is incompatible with these purposes. For this reason, the planning of data management and the identification of a sufficiently specific purpose during the informing of the affected parties are also prerequisites for legal data management. Recital (32) of the GDPR further emphasizes that if the data management serves several purposes at the same time, the consent must be given separately for all data management purposes. If the data controller does not attempt to ask for consent separately for each purpose, there is a lack of freedom of decision.
(150) Customer 1 collected the personal data collected in connection with the subscription to the newsletter based on the above for several different purposes (marketing/direct business acquisition and general information related to education, but only requested the consent of the data subjects for data processing for marketing and direct business acquisition purposes) . In this regard, the Authority also emphasizes that direct business acquisition is an umbrella concept, the specific implementation of which must be indicated as a goal, for example, sending advertisements about own or third-party products/services on a given channel.
(151) According to the Authority's point of view, the legality of the processing of the data subjects' personal data can be established if the data subject was able to separately consent to the processing of his personal data for all data processing purposes
(152) Article 4, point 11 of the GDPR defines the concept of "consent of the data subject" as one of the legal grounds for processing personal data. In this regard, Recital (32) of the GDPR provides further guidance, according to which data processing can only take place if the data subject gives his voluntary, specific, informed and clear consent with a clear affirmative act, for example a written - including electronic - or oral statement for the management of personal data concerning natural persons. The consent covers all data management activities carried out for the same purpose or purposes. If the data management serves several purposes at the same time, then consent must be given for all data management purposes.
(153) In the present case, the information of the data subjects about the purposes of the data management is not sufficiently transparent, clear and realistic, not least because one of the data management purposes is highlighted in the consent statement in the subscription window, while the data subjects are informed about a different data management purpose in the information sheet, on the basis of which no it can be determined what the actual intention of the data controller is regarding the purpose of data management.
(154) This is confirmed by Regulation (EU) 2016/679 on consent according to Regulation No. 5/2020. guideline No. 259, which was issued as its predecessor, according to which the data controller who requests consent for various different purposes must provide a separate consent option for each purpose, so that the data subjects can give specific consent for specific purposes. (155) The legality of processing the personal data of the data subjects can therefore be established if the data subject has received adequate information regarding the purpose or purposes for which the personal data is actually collected, and the data subject has given separate, i.e. clear and specific, consent to the processing for all purposes. for data management. It is not possible to dispute the possibility of the affected parties to subscribe to a newsletter for the purpose of contact, i.e. general information and information related to education, but in addition they can freely decide whether they wish to also receive newsletters for marketing/direct business acquisition purposes from the data controller.
(156) Given that giving consent in the manner explained above is not a clear and concrete statement of the will of the data subjects, it cannot be considered a valid legal basis for data management, based on this, Customer 1 has violated Article 6, Paragraph 1.
3.5.2. Information about data management in connection with sending newsletters
(157) Pursuant to Article 12(1) of the GDPR, the Customer1, as a data controller, is obliged to take appropriate measures in order to provide the data subjects with all the information referred to in Articles 13 and 14 regarding the processing of personal data and 15-22 ., and provide each and every piece of information in accordance with Article 34 in a concise, transparent, understandable and easily accessible form, clearly and comprehensibly worded.
(158) The system of appropriate information in the GDPR serves to ensure that the data subject is aware of which of his personal data will be handled by which data controller and for which purpose and how. This is essential in order to be in a position to meaningfully exercise your data subject rights.
(159) In the absence of adequate information, by definition, the data subject is not in a position to properly exercise his data subject rights and to give actual consent to something that he is not fully aware of.
(160) In the case of data management based on Article 6, Paragraph 1, point a) of the GDPR, based on Article 4, Point 11 of the GDPR, the data controller is obliged to provide information on the basis of which informed consent can be given, not only before the start of data management, but also before consent is obtained.
(161) The data subject's consent to data processing can only be valid if it is requested for a specific purpose(s) - which can be given separately for each purpose - and appropriate information is provided before that, which puts the data subject in a position to make an appropriate decision about granting consent, and meets all other validity requirements set out in the GDPR. Article 12 (1) of the GDPR specifically imposes a performance obligation on the data controller, i.e. it must provide assistance to the data subject in such a way that he or she can exercise all of the data subject's rights in an informed manner.
(162) As explained above, the obligation to provide information is not a mere "paperwork" obligation in the GDPR. The purpose of the information is to put the data subject in such a position that he is in a suitable decision-making position regarding the exercise of his rights as a data subject. If it does not objectively achieve this for the average data subjects, then it will not comply with the GDPR.
(163) Since Customer 1 obtained the personal data it manages in connection with the subscription to the newsletter - the personal data provided on the interface provided during the subscriptions - from the data subjects, taking into account the provisions of Article 13 of the GDPR, Article 13 (1) related to the management of their personal data for the data subjects and (2) must be made available to the data subjects at the time of obtaining the personal data. (164) According to the Authority's findings, the information provided by Customer 1 on data management is not clear to the parties concerned, the information available on the newsletter subscription interface is not completely identical to the information contained in the data management information referred to on the interface, available during the examined data management period:
(i) The purpose of data management indicated in the pre-formulated consent statement available on the registration interface (marketing and direct business acquisition purpose) is not the same as the purpose of data management specifically indicated in the information regarding newsletter sending in the data management information, since the purpose of sending the newsletter is primarily indicated as "facilitating contact" , in addition, the personalized provision of certain services and the transmission of new and current information are also indicated as goals.
(ii) The mandatory data to be provided on the registration interface is not the same as the range of managed data indicated in the information about newsletter sending in the data management information sheet, and based on the content of the database provided to the Authority during the investigation of the situation, Customer 1 stores a much wider range of data types than this.
(iii) In the data management information sheet, Customer 1 is also Infotv. referred to its provisions when specifying the legal basis for data management, and the information also referred to legislation that is no longer in force, as legislation taken into account when handling users' data. that it hasn't been updated in years. In numerous decisions and resolutions, the Authority explained that compliance with the GDPR is not necessary at one time, one day, but rather a regularly recurring, continuous compliance obligation. The Authority also notes that the data protection information sheet, which was otherwise not examined in the present data protection official procedure, and modified by Customer 1 during the procedure, still indicates the seat of the Authority from years ago.
(iv) The prospectus described the data processor used by Customer 1 during its data management, but since December 2020, Customer 1 has not used the services of the company indicated in the prospectus for sending newsletters and data storage, but the services of Customer 2.
(165) The data management information published by Customer 1 during the examined data management period is also not transparent, according to the Authority's findings. At the beginning of the information, the data controller highlighted the legal basis of the data management, its purpose, what kind of data it manages, and then, after the definitions taken from the law, which are otherwise unnecessary in terms of the adequacy of the information, it again informed about the legal basis of the data management - misleading the affected parties by listing several legal bases - however, it was not possible to determine which data management activity this information related to, as the information sheet then listed the individual data management activities performed by it without a clear systematization - in relation to them, highlighting the legal basis and purpose of the data management, the scope of the data managed in connection with it, and the duration of the data management. Those concerned could therefore only find more specific information regarding data management for specific purposes when reviewing the complete, multi-page information sheet. (166) Given that the legal basis chosen by Customer 1 was the consent of the data subject, it must be based on, among other things, adequate prior information in order to be valid.
(167) Based on Article 12 (1) of the GDPR, Customer 1 was obliged to take appropriate measures in order to provide the data subject with all the information referred to in Articles 13 and 14 regarding the processing of personal data and Articles 15-22 . and Article 34 in a concise, transparent, comprehensible and easily accessible form, clearly and comprehensibly worded in your information, which the interested parties intending to subscribe to the newsletter can access before signing up.
(168) In view of the above, the Authority established in the operative part that Customer 1 violated Article 12 (1) and Article 13 (1) c) and (e) and (2) d) of the GDPR since it did not provide transparent and clear, factual information to the data subjects regarding newsletter subscription and newsletter sending during the examined data management period.
3.5.3. Customer 1's data deletion practices in connection with sending the newsletter (169) According to Customer 1's statement, it is possible to subscribe to the newsletter based on the details detailed above. According to the statement of Customer 1, the newsletter is sent until the person concerned unsubscribes from it. Every newsletter has an unsubscribe link, to prove this, Customer 1 has attached a text sample of the newsletter sent out in each academic year, i.e. three sample newsletters.
(170) The Authority - I.4. when analyzing the database saved by Customer 2 and made accessible to the Authority, presented in detail in point 2, found that its table named [...] - in accordance with the statement of Customer 2 - contains the data of the subscribed readers, thus including the e-mail address, when subscribing, the subscriber e -mail address, their date, a unique session that was used to identify the reader at the time of subscription in an encrypted hash format, the subscriber's group to which he requested to subscribe, his ID, and whether he is active or deleted.
The "Active" column of the data table shows the status of subscribers, which column can have 3 different values: "0", "1" and "2".
Based on the Authority's findings, the data of subscribers marked with "0" in the column, i.e. inactive, can be accessed in the database with the same content as the active ones, i.e. the e-mail addresses and IP addresses of these subscribers can be found in the table in the same way.
(171) In response to the Authority's related question about how to proceed when a data subject who previously subscribed to the newsletter unsubscribes, or in the case of multiple unsuccessful mailings to a subscriber, Customer 1 confirmed in his statement that when a data subject who previously subscribed to the newsletter unsubscribes, the Web Pigeon mailing system immediately clicks the unsubscribe button. automatically deletes the unsubscriber in such a way that they will not even know about the identity of the unsubscriber. In case of unsuccessful mail sending, the Webpigeon system indicates this fact and these data are also permanently deleted and removed from the database.
Based on Customer 1's statement, in the "Active" column of the referenced data table, a value of "0" indicates inactive subscribers, while a value of "2" indicates those subscribers whose mail bounced due to some error. This data will be permanently deleted according to your statement.
(172) Based on Article 17(1)(b) of the GDPR, the data subject has the right to have the data controller delete the personal data concerning him without undue delay, and the data controller is obliged to delete the personal data concerning the data subject without undue delay delete it if the data subject withdraws the consent that forms the basis of the data management in accordance with Article 6 (1) point a), i.e. in this case unsubscribes from sending the newsletter.
(173) Based on the principle of accuracy contained in Article 5(1)(d) of the GDPR, the data controller must take all reasonable measures in order to immediately delete or correct inaccurate personal data for the purposes of data management.
(174) According to the Authority's point of view, if, during the sending of the newsletter, Customer 1 notices that the sending of the newsletter to an e-mail address was unsuccessful due to its unavailability, it must ensure that both the e-mail address of the previously subscribed affected person and the personal data managed in connection with it by Customer 1 on the immediate deletion of data. (175) Based on the analysis of the database and the statement of Customer 1, the Authority concludes that, contrary to Customer 1's statement, the data with the field values "0_ás" and "2" in the "active" field in the referenced data table are still available in the data table [...] of the database, which means , that the data of the affected persons with a value of "0" marked as "inactive" by Customer 1, and with a value of "2" related to bounced emails are all included in the database, the e-mail address of all of them is stored in the database table, while the With the exception of 2 people, the IP address is also stored in the data table. (176) Based on the above, Customer 1 continues to process the personal data of the data subjects who revoked their subscription despite the withdrawal of their consent, thereby violating Article 17, Paragraph 1, Point b) of the GDPR.
ARC. Legal consequences
(177) The Authority, bearing in mind that Customer 1 continues to manage the personal data of the data subjects who revoked their subscription in its database despite the withdrawal of their consent - i.e. after their unsubscription - and also continues to process the personal data of the data subjects to whom the newsletter was unsuccessfully sent in its database, the Authority ordered Customer 1 on the basis of point d) of Article 58 (2) of the GDPR to permanently delete the personal data stored in its database of the data subjects who unsubscribed from the newsletter sending, or whose contact details the newsletter sending was unsuccessful. (178) Infotv. 75/A. §, the Authority exercises its powers contained in paragraphs (2)-(6) of Article 83 of the GDPR, taking into account the principle of proportionality, especially with the first-time application of the regulations for the processing of personal data - defined in legislation or in a binding legal act of the European Union in the event of a violation, in accordance with Article 58 of the GDPR, measures are taken to remedy the violation, primarily by warning the data controller or data processor.
(179) In this context, the Authority is required by Article 83 (2) of the General Data Protection Regulation and Infotv. 75/A. considered all the circumstances of the case based on §. Considering the circumstances of the case and the nature of the data management, the Authority found that in the case of the violation revealed during this procedure, the warning is not a proportionate sanction, therefore the Authority decided to impose a fine on Infotv. Subject to § 61 (1) point a) on the basis of Article 58 (2) point i) of the General Data Protection Regulation.
(180) With regard to the necessity and amount of the fine, the Authority took into account that the last published net world market turnover (net sales revenue) of the Obligor was HUF 55,839,000 in the year 2022 (for the year 2021: HUF 44,647,000; for 2020: HUF 13,874,000). The maximum possible fine is EUR 20 million based on Article 83 (5) points a) and b) of the General Data Protection Regulation.
(181) When determining the amount of the fine, the Authority took into account the provisions of the European Data Protection Board's Guideline No. 4/2022 (hereinafter: Guideline) 3, which contains the calculation aspects of the imposition of administrative fines according to the General Data Protection Regulation. In view of this, the amount of the fine was determined based on the following criteria:
(i) The income of Customer 1, calculated in forints, is in the income range below 2 million euros.
(ii) Based on the Guidelines, in the case of violations falling under the category of fines according to Article 83 (5) of the General Data Protection Regulation - in the case of a violation that is the subject of the fine and judged to be relatively minor overall - the maximum static fine is between 0 and 8,000 EUR (approx. 3,000,000 HUF) is between
(iii) The fine amount of HUF 500,000 established for Customer 1 is the annual world market turnover (sales) of approx. 0.895 %.
(182) When determining the amount of the data protection fine, the Authority considered the following as mitigating circumstances:
(i) With regard to the established violation, Customer 1 acted negligently (GDPR Article 83 (2) point b).
(ii) The Authority has not previously established a relevant data protection violation against Customer 1 (GDPR Article 83 (2) point e)
(iii) When determining the amount of the fine, the Authority evaluated as a mitigating circumstance the statement of Customer 1 to the effect that this method of market research – i.e. sending a postal inquiry based on a data request from BM – has been discontinued and will not be used in the future. (GDPR Article 83 (2) point f)
(iv) The Authority exceeded Infotv. 60/A. administrative deadline according to § (1), the reason for this was the difficulty of clarifying the facts.
(183) When determining the amount of the data protection fine, the Authority took into account the following aggravating circumstances:
(i) As a result of the data provision requests submitted in 2020, 2021 and 2022, Customer 1 received the personal data (name and address data) of a significant number of affected persons, a total of nearly 124,000 minors, from BM (GDPR Article 83 (2) point a));
(ii) Customer 1's data processing was directed at relationship-type personal data, and within this it covered the name and address data of minor children, as well as e-mail address, IP address, ID, subscription URL and other related information collected about the data subject in connection with sending the newsletter, as the processing of personal data (GDPR Article 83 (2) point (g)).
(iii) Due to the illegality of the data management, Customer 1 could have made a greater profit, since the activity of Customer 1 is to advertise the central admission preparation courses aimed at the parents of minor children who are about to continue their education. The lack of adequate information put the data subjects in such a situation that they could not properly learn about and exercise their rights, so the risk of being unable to exercise their rights as a data subject is even greater (GDPR Article 83 (2) point k)).
(184) When deciding on the legal consequences, the Authority did not consider the points of Article 83 (2) of the General Data Protection Regulation not detailed above to be relevant in the present case.
(185) The amount of the data protection fine was determined by the Authority acting within its statutory discretion.
(186) This IV. based on the aspects specified in point 1 and all the circumstances of the case, the Authority considered the amount of the fine to be proportionate from the point of view of special and general prevention. This consideration does not bind the Authority in other cases, the legal consequence - as highlighted in paragraphs 145-146 of the Guidelines - is determined in each case based on the individual circumstances.
(187) Due to the large number of people involved, the Authority publishes the decision with the identification data of Customer 1 and the names of the websites it operates.
A. Other questions:
(188) This decision is based on Art. 80-81 § and Infotv. It is based on paragraph (1) of § 61. The decision is in Art. Based on § 82, paragraph (1), it becomes final upon its publication. The Akr. Based on § 112 and § 116, paragraph (1), and § 114, paragraph (1), there is room for legal redress against the decision through a public administrative lawsuit.
(189) The rules of administrative litigation are determined by Act I of 2017 on the Administrative Procedures (hereinafter: Act). The Kp. On the basis of § 12, paragraph (1), the administrative lawsuit against the Authority's decision falls under the jurisdiction of the court, the lawsuit is referred to in the Kp. On the basis of § 13. (3) point a) point aa) paragraph, the Metropolitan Court is exclusively competent. The Kp. On the basis of § 27, paragraph (1) point b), legal representation is mandatory in a lawsuit within the jurisdiction of the court. Cp. According to paragraph (6) of § 39 - unless the law provides otherwise - the submission of a claim does not have the effect of postponing the entry into force of the administrative act.
(190) The Kp. Paragraph (1) of § 29 and, in view of this, Pp. CCXXII of 2015 on the general rules of electronic administration and trust services, applicable according to § 604. Act (hereinafter: E-Administration Act) § 9, paragraph (1), point b), the client's legal representative is obliged to maintain electronic contact.
(191) The time and place of filing the statement of claim is specified in Kp. It is defined by § 39, paragraph (1). Information about the possibility of a request to hold a hearing can be found in Kp. It is based on paragraphs (1)-(2) of § 77. The amount of the fee for the administrative lawsuit is determined by Act XCIII of 1990 on fees. Act (hereinafter: Itv.) 45/A. Section (1) defines. Regarding the advance payment of the fee, the Itv. Paragraph (1) of § 59 and point h) of § 62 (1) exempt the party initiating the procedure.
(192) Infotv. According to § 38, paragraph (2), the Authority's task is to monitor and facilitate the enforcement of the right to the protection of personal data and the right to access data of public interest and public interest, as well as to facilitate the free flow of personal data within the European Union. Pursuant to paragraph (2a) of the same §, the tasks and powers established for the supervisory authority in the general data protection decree shall be exercised by the Authority in accordance with the provisions of the general data protection decree and this law with respect to legal entities under the jurisdiction of Hungary. The Authority's jurisdiction covers the entire territory of Hungary.
Dated in Budapest, according to the electronic signature
Dr. Habil. In the absence of President Attila Péterfalvi:
dr. Tamás Bendik
general vice president
1 The NAIH_K01 form is used to initiate the administrative lawsuit: NAIH_K01 form (September 16, 2019) The form can be filled out using the general form filling program (ÁNYK program). https://www.naih.hu/kozig-hatarozat-birosagi-felulvizsgalata
2 https://e-beszamolo.im.gov.hu
3 Guidelines 04/2022 on the calculation of administrative fines under the GDPR (Version 2.0.). Online:
https://edpb.europa.eu/system/files/2023-06/edpb_guidelines_042022_calculationofadministrativefines_en.pdf
