NAIH (Hungary) - NAIH-4177-………./2021: Difference between revisions

From GDPRhub
(Great summary overall, I appreciate how clear it is and how it links the legal issues to the law really well. I mainly made some small grammar/formatting changes, such as fixing the paragraphs (a problem caused by the form used to submit decisions) and changing some present tense verbs to the past tense.)
No edit summary
Line 56: Line 56:
}}
}}


The Hungarian DPA held that the use of a motion-detecting camera to record large areas of a public space in an apartment complex was in breach of the GDPR, because neither the household exemption nor the resident who installed the camera's legitimate interest could be invoked.  
The Hungarian DPA held that the use of a motion-detecting camera to record large areas of a public space in an apartment complex was in breach of the GDPR, because neither the household exemption nor the legitimate interest of the resident who installed the camera could be invoked.  


== English Summary ==
== English Summary ==

Revision as of 14:23, 27 October 2021

NAIH (Hungary) - NAIH-4177-………./2021
LogoHU.jpg
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 2(2)(c) GDPR
Article 6(1) GDPR
Article 13(1) GDPR
Article 13(2) GDPR
Article 58(2) GDPR
Type: Complaint
Outcome: Partly Upheld
Started:
Decided: 13.09.2021
Published: 22.10.2021
Fine: None
Parties: n/a
National Case Number/Name: NAIH-4177-………./2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Hungarian
Original Source: NAIH (in HU)
Initial Contributor: Tapir

The Hungarian DPA held that the use of a motion-detecting camera to record large areas of a public space in an apartment complex was in breach of the GDPR, because neither the household exemption nor the legitimate interest of the resident who installed the camera could be invoked.

English Summary

Facts

A tenant of a flat in an apartment complex argued that the motion-detecting camera installed in the complex by another tenant was unlawfully processing their personal data, since it partially recorded public spaces of the building. Moreover, the complainant also questioned whether the single sticker the defendants placed on the wall satisfied the information provision obligations under Article 13 GDPR.

The defendants argued that the camera was used to protect their belongings, such as their door and gas/electricity meters, and therefore fell under the 'legitimate interest' legal ground under Article 6(1)(f). Finally, they noted that after reviewing the recordings captured by the camera, they made sure to delete them on a daily basis.

Holding

The Hungarian DPA noted that the legitimate interest legal basis under Article 6(1)(f) could indeed be invoked for the protection of private property, including for the monitoring of public spaces under limited circumstances, as noted in point 27 of the EDPB in Guidelines 3/2019 on processing of personal data through video devices. However, the DPA held that this legal ground was not applicable in this case, since the camera's angle also captured areas that were not relevant for the purpose of protecting private property, and the defendant's activity therefore did not fulfil the requirements for necessity and proportionality.

Moreover, the DPA recalled that in the CJEU - C‑212/13 - František Ryneš, the CJEU ruled that the exception for 'purely personal or household activity' under Article 2(2)(c) must be interpreted narrowly, and therefore does not apply to the recording of public spaces.

Subsequently, the DPA ordered the defendant to either restrict the viewing angle of the camera, use blurring or masking technologies achieving the same effect, change the location of the camera, or cease its use altogether. The DPA also noted that one sticker warning that the camera is in use does not fulfil the provisions regarding information to be provided under Article 13 GDPR. However, the DPA did not deem it necessary to impose any fine, given that it was a first offence that caused only limited harm.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

Case number: NAIH-4177- ………. / 2021. Subject: Decision initiated
                                                        in official proceedings




                                       DECISION

Before the National Authority for Data Protection and Freedom of Information (hereinafter referred to as the Authority) […]
applicant ([…] hereinafter referred to as “Applicant”) […] (hereinafter referred to as “Applicant1”) and […]
hereinafter referred to as "Applicant2") ([…], hereinafter together referred to as "Applicants")

In the data protection authority proceedings initiated following the request received on the 16th day, the Authority has the following
makes decisions:

In its decision, the Authority partially upheld the applicant 's request and found that:
Applicants violated the processing of personal data of natural persons
the free movement of such data and Directive 95/46 / EC

Article 6 of Regulation (EU) 2016/679 (hereinafter: GDPR) repealing Directive
And Article 13 (1) to (2) of the GDPR.

II. The Authority instructs the Applicants to comply with Article 30 of this Decision from the date on which it becomes final
within 11 days, terminate the illegal camera surveillance and take their data processing operations
comply with legal provisions by:

    (a) the angle of view of the affected camera is adjusted and, if necessary, to the camera
       an appropriate masking, distortion function is used, or

    (b) reassemble the camera to a position from which Applicants are only legally
       they can observe observable areas, or

    c) disassemble the camera.


III. The Authority 's decision to impose a data protection fine on the applicant' s request, and
rejects the part concerning the deletion of personal data.

There is no administrative appeal against this decision, but it is from the communication
within 30 days of the application to the Metropolitan Court in an administrative lawsuit
can be challenged. The application must be submitted to the Authority, electronically, which is the case

forward it to the court together with its documents. Indicate the request for a hearing in the application
must. For those who do not receive a full personal exemption from judicial review
the fee of the procedure is HUF 30,000, the lawsuit is subject to the right to record material fees. Before the Metropolitan Court
legal representation is mandatory in proceedings.



                                       EXPLANATORY STATEMENT

I. Facts

On 16 April 2021, the Applicant submitted an application to the Authority stating that the
Applicants have installed a camera on […] real estate (hereinafter: Real Estate) with which
they make unauthorized images or sound recordings forming part of the common area of the Property

from the staircase. On the one hand, the Applicant complained about the lack of information provided, as only
identified a “camera-monitored area” sticker. The Applicant in connection with data management
emphasized that the data subjects did not consent to the data processing and that the data processing was carried out by the
Applicants are likely to do so without a legal basis. To the best of the Applicant's knowledge, it is
Property camera is a Xiaomi Mi 360 type wireless security camera. THE 2



Applicant further submitted that the fact that the camera was operated was acknowledged by a clerk

in the minutes of the proceedings for the protection of property, and the event also proves that
during which the Applicant1 questioned the
Applicant in connection with the previous day's recording of the camera.

The Applicant has made it probable that in addition to the Applicant1, the Applicant2 is also liable
can be established in connection with unlawful data processing, as it is the co-owner of the Applicant1.


In view of the above, the Applicant addressed the following requests to the Authority:
- prohibit the Applicants from operating the camera system;
- call for the dismantling of the illegally operated camera system;
- order the Applicants to delete the data;
- impose a fine on the Applicants.

In order to clarify the facts, the Authority in its orders dated 28 April 2021 63.

§ called on the Applicants to make a statement.

It was sent to the Authority by order of the Applicant1 in a reply letter received on 4 May 2021
information. Applicant1 submitted that on the basis of a joint decision with Applicant2
we installed a Mi Home Security Camera 360 ° camera facing the stairs of the condominium. THE
Based on the link indicated by applicant1, the camera has the following features: 1080P FHD
resolution, 360 ° viewing angle, infrared night mode, motion detection and conversation

function (two-way audio). The Applicant1 stated that the camera camera shots were wifin
sent to the Applicants' telephone, masking is not applied by the Applicants. THE
camera was justified by the Applicant1 on the grounds that it was in the stairwell directly in front of the door
shoes and were concerned that the person who had used the garage door regularly in the past
spat, changed the position of the plants periodically, or partially eliminated them, next time
it damages the electric gas meter or the door. Data processor based on the declaration of the Applicant1
does not work, no data transfer will take place, and only Applicants will be allowed to record

have access to. Applicant1 indicated that the camera was recording a few seconds of video,
if it detects movement. These recordings are deleted several times a day with Applicant2
together so no storage takes place. Applicant1 added that it was about the Applicant
recording was also canceled that day. In addition, Applicant1 recorded that the camera was fitted
notified the Joint Representative who supported and approved it, or at the front door of the building a
a sticker was affixed at the same time as the camera was put into operation. Finally, the Applicant1
emphasized that, to the best of their knowledge, the Applicant is neither a homeowner nor a landlord.


As a statement filed by the Applicant2 on 5 May 2021, it was forwarded by the Applicant1
and requested the Authority to take it into account
decision or requested the rejection of the application in view of the Applicant's ownership.

Subsequently, the Authority repeatedly invited the Applicants to make a statement in accordance with Ákr. Section 63
and sent a rectification to the Applicant as the Authority found that the application was not

contained the facts and arguments in support of the allegations of alleged infringement
evidence that it did not include the exact location of the Applicant’s property
information.

In its supplementary submission, the Applicant stated as follows. He stated that the […]
lives in real estate, the apartment is owned by his wife’s family. In his opinion, his apartment
ownership is not relevant, only the quality of the data subject matters in the data protection

when judging issues. He added that there are three apartments in each other in the stairwell
above, and the Applicant’s apartment is located directly below the Applicants residing on the roof level. THE
Applicant stated that he approached his apartment with the disputed camera
does not use stairs, however, the roof exit can also be reached via the stairs monitored by the camera 3



(immediately adjacent to the camera and its technical condition must be checked periodically), and

a window in common ownership at the stairs opposite the camera for views
use for access. In addition, the Applicant stated that it was more cloudy in the evening
the stagnant camera from the reflection of the window on the mezzanine floor at the stairwell lamp extinguished for days
standing in the line of its own front door, it is clearly visible, from which, in the Applicant 's view, the
it follows that in such cases the impugned camera will also see the Applicant's front door. The Applicant
in his view, the condominium co-representative is not entitled to by any resident of the condominium
approve the installation of a camera that you want to operate illegally, you cannot decide to do so yourself

authorization. The Applicant further stated that in his opinion the impugned camera was
through a window on the mezzanine floor, you can also see the busy Turkish road, and since the camera
Based on what was presented by the applicants, it is high resolution, so about the people traveling there
may record without authorization. The Applicant submitted that there was no guarantee that the
Applicants will actually delete the unauthorized data after the recordings have been made.

In their joint statement, the Applicants presented the following. The Applicants consider

stated that an application saves the notifications to the memory card, hence to a separate folder
the data will not be saved. A screenshot was attached to support their statement. THE
According to the applicants' statement, the legal basis for data processing is the General Data Protection Regulation
Article 6 (1) (f) for the purpose of promoting their property and personal protection, as
on 5 August 2020, the Applicant threatened him with a knife (no action was taken).
He attached a copy of the decisions in support of their statement. It is also attached to the Property
side view drawing and the content of the correspondence exchanged with the common representative. Finally, the Candidates consider

stated that the cabinet under the installed camera only belongs to the Applicants' apartment
electricity and gas meter.

Following the Applicants' reply, the Applicant lodged a request for access to the file, which was
by sending the documents by post.

The Applicant submitted the following statement in connection with the submitted documents. The Applicant

The Conseil d 'État submitted that, because of the wording, correspondence with the Joint Representative did not prove that the
consent to camera recordings and cannot be considered lawful either, as it is common
representative is not entitled to authorize on its own without the decision of the residents. The Applicant
He added that the property protection proceedings relied on by the Applicants were not in the present case
relevant because, on the one hand, it has already been properly assessed by the acting body by rejecting the
submission. On the other hand, the facts presented by the Applicants cannot be justified by any resident
operation of a camera intended to be operated illegally in the common condominium area.


Subsequently, in order to clarify the facts, the Authority again invited the
Applicants are listed in the Ákr. 63.


In their joint submission, the Applicants stated as follows. Candidates attached
the balancing test with the addition that since the ongoing proceedings it has been

experienced the following:
    non-greeting was replaced by an arrogant wide grin;
    - when the Applicants pass in front of the Applicant's apartment, from within the Applicant
       knocks loudly on the door;
    - if they accidentally meet on the street and cross the road in front of the Applicant's car
       the engine is started by the Applicant.


The Authority highlights the following part of the content of the interest balance test attached by the Applicants:
"The area in front of the door can otherwise be closed with a separate grille, which allows access to the roof
stairwell, but this is not the only way to approach the roof. The first
in front of the attic apartment of the staircase there is the same roof access that anyone can only then 4



to get up that one of the residents let him in. […] And […] decided to keep the grid open because

for in an emergency I do not want to delay the ascent, and they trust the unwritten
as a rule, whoever wants to get to the roof speaks to them. The part under the roof ramp (which is directly
at our entrance) are also treated as private because of the above ”.

Given that the Applicants have not been subjected to atrocities since the camera was installed, it is
that dismantling the camera would perpetuate past inconveniences and increase
a sense of threat. Applicants described the location of the two properties and the camera

the area observed by. In this regard, the Applicants highlighted that if
someone who wants to look out of the affected window does not necessarily get into the camera 's field of view, and
observation does not extend beyond the designated area, not pedestrians passing by on Turkish Road
detected, and the resolution of the transmitted image is not sufficient to capture pedestrians. THE
Applicants submitted that they had never seen one belonging to their apartment in the last five years
to look at the Applicant at a stairway, and the Applicant’s window is larger and essentially
it is associated with the same sight. The Applicants attached the deed of incorporation of the condominium with which

In this connection, it was stated that the deed did not designate the exact location of the joint ownership, thus
In the absence of such a rule, the unwritten rule applies that the part directly in front of the apartment, the garden,
stairs are treated as private property. Where the ground floor apartments are located in front of the garden
would like to take advantage of other residents on a regular basis or want to admire the view from the first, closed staircase,
it would do so in consultation with the owners living there. The Applicants added to the roof driveway
can be approached through the observed area, directly from the area in front of the Applicants,
as they leave the grille in front of their direct entrance open. The Applicants stated that a

the technical condition of the roof was not checked in the five years preceding the submission, or two
times professionals worked on the roof after prior consultation and once came to assess the
roof for bidding, so condominium residents don’t use the roof. If necessary
would check that the Joint Representative would notify the Applicants who are temporarily
I would dismantle the camera during the inspection.

The memorandum of association attached by the Applicants states: “IN THE JOINT PROPERTY

RESIDUAL PARTS: I / A residential plots II / Basic and rising walls, pillars, staircase walls, chimneys,
ventilation horns […] III. Intermediate and closing slab (without cover) […] VII / Stair structures
with cover and railing ’.

In their last submission, the Applicants supplemented their statement to the extent that:
are concerned that the Applicant has become acquainted with personal information obtained during previous official proceedings
used data in the present proceedings, despite the fact that the data were provided by

The applicant was not invited by the Authority. In addition, the Applicants were presented with the camera
twice since the application, the camera has sensed that the Applicant has been in his field of view, both
times, the recordings were deleted along with the telephone recording that the Applicant had
mentioned as the recordings do not prove the Applicant’s confused manifestations. The Applicants
According to the statement of the Applicant, the window in the partially monitored area in question
did not use it to view the view until the date of their submission. Finally, the Applicants recorded that
that the roof gangway is not suitable for an escape route, it can only be through a gangway with a separate ladder

to get to the roof, however, the ladder upstairs is not specially placed for this purpose and is official
not marked as an escape route either.

II. Applicable legal provisions

Article 2 (1) of the GDPR applies to all or part of personal data
automated processing of personal data and the processing of personal data

automated part of a registration system,
or which are intended to be part of a registration system. Covered by the GDPR
Infotv. Pursuant to Section 2 (2) of the General Data Protection Decree there
shall apply with the additions indicated. 5





Infotv. Pursuant to Section 60 (1), the enforcement of the right to the protection of personal data
To that end, the Authority shall, at the request of the data subject, initiate a data protection authority procedure and
may initiate ex officio data protection proceedings.

Unless otherwise provided in the GDPR, the data protection authority procedure is general
CL of 2016 on administrative order. (hereinafter: Ákr.)
apply with the exceptions specified in the Infotv.


Pursuant to Article 2 (2) of the GDPR, the Regulation does not apply to personal data
treatment if it:
  (a) carried out in the course of activities outside the scope of Union law;
  (b) by Member States in the course of activities covered by Chapter 2 of Title V of the TEU;
  (c) by natural persons exclusively in the course of their personal or domestic activities;
  (d) the prevention, investigation, detection and prosecution of criminal offenses by the competent authorities

or to enforce criminal sanctions, including public security
protection against and prevention of such threats.

According to recital 18 of the GDPR, the Regulation does not apply to personal data
data by a natural person exclusively in the context of a personal or domestic activity
which cannot be brought about by any professional or business activity
context. For example, correspondence,

directory and community activities in the context of those personal and domestic activities
networking and online activities. This Regulation shall apply
however, to data controllers and processors whose personal data are so personal
or the means to manage it in the context of a home activity.

According to Article 4 (1) of the GDPR, personal data are identified or identifiable as natural
any information about the person ("data subject"); identifiable natural person who

directly or indirectly, in particular by means of an identifier such as a name, number,
location data, online identification or physical, physiological, genetic,
one or more factors relating to his intellectual, economic, cultural or social identity
identifiable on the basis of.

According to point 2 of this article, the processing of personal data or data files
any operation or set of operations carried out in an automated or non-automated manner,

such as collecting, recording, organizing, sorting, storing, transforming or altering, querying,
made available for inspection, use, communication, transmission, distribution or otherwise
harmonization or interconnection, restriction, deletion or destruction.

Pursuant to Article 4 (7) of the GDPR, a controller is a natural or legal person
public authority, agency or any other body involved in the processing of personal data
defines its goals and means independently or together with others; if the purposes of the data processing and

determined by Union or Member State law, the controller or the controller
Union or Member State law may also lay down specific criteria for the designation of

Pursuant to Article 5 (2) of the GDPR, the controller is responsible for compliance with paragraph 1,
and must be able to demonstrate this compliance ("accountability").

Pursuant to Article 6 of the GDPR, the processing of personal data is limited to that and to that extent

lawful if at least one of the following is met:
  (a) the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes
treatment;
  (b) processing is necessary for the performance of a contract to which one of the parties is a party;



or to take action at the request of the data subject prior to the conclusion of the contract

required;
  (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
  (d) the processing is in the vital interests of the data subject or of another natural person
necessary for its protection;
  (e) the processing is in the public interest or a public authority conferred on the controller
necessary for the performance of the task carried out in the exercise of
  (f) processing for the legitimate interests of the controller or of a third party

necessary, unless those interests take precedence over those interests
or fundamental rights and freedoms which require the protection of personal data,
especially if the child is affected.

Under Article 13 (1) to (2) of the GDPR:

1. Where personal data concerning a data subject are collected from the data subject, the controller
provide the data subject with the following information at the time the information is obtained.
each of the following information:

(a) the identity and contact details of the controller and, if any, of the controller 's representative;

(b) the contact details of the Data Protection Officer, if any;
(c) the purpose of the intended processing of the personal data and the legal basis for the processing;

(d) in the case of processing based on Article 6 (1) (f), the controller or a third party
  legitimate interests of a party;

(e) where applicable, the recipients or categories of recipients of the personal data, if any;
(f) where applicable, the fact that the controller is in a third country or an international organization

 personal data to the Commission and the Commission’s decision on compliance.
 in Article 46, Article 47 or Article 49 (1).
 appropriate and suitable guarantees in the case of the transfer referred to in the second subparagraph of
 and the means by which copies may be obtained or
 reference to the possibility of

2. In addition to the information referred to in paragraph 1, the controller shall
in order to ensure fair and transparent data management,
inform the data subject of the following additional information:

(a) the period for which the personal data will be stored or, if that is not possible, that period
  aspects of its definition;

(b) the data subject's right to request from the controller the processing of personal data concerning him or her.
  rectification, erasure or restriction of their use and may object
  against the processing of such personal data and the right to the data portability concerned.
  about;

(c) data based on Article 6 (1) (a) or Article 9 (2) (a);
  in the case of treatment, the right to withdraw the consent at any time, which is not
  affects the lawfulness of data processing carried out on the basis of consent before withdrawal;

(d) the right to lodge a complaint to the supervisory authority;
(e) that the provision of personal data is required by law or by a contractual obligation
  based on or a precondition for concluding a contract and whether the person concerned has a personal obligation

  data and the possible consequences for the
  lack of support;

Act CXXXIII of 2003 on condominiums Section 25 (hereinafter: Condominium Act)
(1), the monitoring of parts of the building, premises and areas in common ownership



electronic monitoring system with a closed system technical solution for

hereinafter referred to as "camera system"), the General Assembly of all property
co-owners with a majority of at least two-thirds of the shares
may decide by a vote. […]

Infotv. 60 / A. § (1), the administrative procedure in the data protection authority is the administrative
deadline one hundred and fifty days.


Infotv. Pursuant to Section 61 (1) (a), it was taken in a data protection authority proceeding
In its decision, the Authority Data management specified in Section 2 (2)
defined in the General Data Protection Regulation
may apply legal consequences.

Pursuant to Article 58 (2) (b) GDPR, the supervisory authority shall condemn the controller
or the processor if his data processing activities have infringed the provisions of this Regulation,

or under the corrective power of the supervisory authority under point (d) of the same paragraph
acting by instructing the controller to carry out its data processing operations, where appropriate in a specified manner
and within a specified period, in accordance with the provisions of this Regulation.


III. Decision


III.1. The identity of the controller

Pursuant to Article 4 (7) of the GDPR, a controller is a natural or legal person […] who a
determine the purposes and means of the processing of personal data, either individually or in association with others
[…].

According to Article 26 (1) of the GDPR, if the purposes and means of data processing are two or more

jointly defined by the controller, they shall be considered as joint controllers.

The Applicants in their declaration to the Authority - as the operator of the camera system
Have clearly identified themselves as data controllers and, according to the Applicants' statement,
camera was installed themselves, therefore, as determining the purpose and means of data management
Article 4 (7) of the GDPR and Article 26 (1) of the GDPR
considered by the Authority to be a joint controller.


All this does not change the fact that in consultation with the common representative of the Condominium in advance
became the fact that in the current situation real estate camera surveillance may be warranted, as Condominium
TV. Pursuant to Section 25 (1), only at least two-thirds of all ownership shares
the camera shall be deemed to have been approved with the affirmative vote of the majority of the co-owners
operation.


III.2. Legality of camera data management

Under the GDPR, the image of the data subject is considered personal data. Affected by the identified or
identifiable natural person. According to all this, if based on a recording
natural person can be identified, then the image is taken as personal data, the image is taken
considered as data management.


The Authority notes that in the course of the proceedings it is not relevant that the Applicant
owns or otherwise owns the apartment. All you need to consider is that
whether it can be related to data processing, i.e. whether it is included in the camera’s field of view.
In the present case, the Authority finds that the Applicant is considered to be concerned, as in two cases




camera captured (even if for a short time) the Applicant, as well as by operating the camera on it
the possibility still exists.


The use of cameras, depending on their position and angle of view, may be suitable for
to observe another private area, or a public area, associated with another property
make recordings that may violate the personal identity of persons observed by the camera
rights, privacy.


The angle of view of cameras should not normally be directed at a public area because it is for surveillance purposes only
it is possible in a narrow circle, as this activity may infringe on the privacy of the observed person
by handling your personal information even against your will.

Under Article 2 (2) (c) of the GDPR, they do not fall within the scope of the Regulation and therefore do not

the GDPR rules apply to the processing of personal data if it is carried out by natural persons
carried out exclusively in the course of their personal or domestic activities (so-called "household data management").
Examples of personal or domestic activities are given in recital 18 of the GDPR,
thus, it qualifies as such in the context of correspondence, directory storage, personal and home activities
social networking and other online activities. Important
                                                                                                     1
however, to emphasize that, as the Court of Justice of the European Union in the so-called Rynes judgment
the exception for private data processing should be interpreted narrowly.
For the purposes of this Decision, camera surveillance, in so far as the data processing
also extends to persons outside the private property of the shooter
exception.


This practice has been maintained by the European Data Protection Board for the use of video
in its Guideline 3/2019 on in-depth data management. The guidelines, in addition to
flattens that it is generally a camera designed to monitor its own area
monitoring system may extend to the border of the area, recognizes that, in exceptional cases,

a situation may arise where the scope of the camera surveillance cannot be reduced to one’s own
within this area, as this would not provide sufficiently effective protection. Appropriate
technical or organizational measures (such as those not relevant to the purpose of the monitoring).
obscuring the area or filtering the observed part by IT means).
the individual is entitled to extend the camera surveillance to his own territory.

let your immediate surroundings.

However, in the event that the individual does not employ the camera in the field of view of another
private area - who obscures solutions, or who specifically monitors another private area
already operates a camera system, it becomes a data controller, and its activity does not qualify

private data management, so it should apply to GDPR data controllers
all the requirements set out in

Thus, by applying masking, the area monitored by the camera can be narrowed to the area that
is in the possession of the controller. However, if the angle of view of the cameras is

outside the privacy of the person performing the data management with the system - for example, in a public area, a condominium
jointly owned territory or territory owned by another third party,
it cannot be considered as a “personal or home” activity covered by the above exception.

In the present case, the memorandum of association actually states that the walls of the staircase, the

walls, ventilation chimneys, and intermediate and closing slabs are common areas. A Ha-
as the forecourt is not separately owned and the intermediate and
closing slabs can be considered as a common area and therefore cannot be considered as private area. The Authority


1C 212/13. Case No - http://curia.europa.eu/juris/document/document.jsf?docid=160561&doclang=EN
2https: //edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_201903_video_devices_en_0.pdf Chapter 3.1.2, point 27 9



further notes that part of the public space is also observed through the window, as it is

a section of road falls within the scope of the camera.

The Authority notes that it is presumably not regular to be exclusively for the Applicant
third parties appear on the stairs leading to the roof, as well as the use of the exit leading to the roof
unlikely without prior notice, so Applicants have the opportunity to turn off the camera.
in case of signal.


However, this does not change the fact that the Applicants have jointly owned and operated
and the management of public data falls within the scope of the GDPR, which
In this case, the condition of lawfulness of the data processing is one of those laid down in Article 6 of the GDPR
existence of a legal basis.

The Authority invited the Applicants to indicate the legal basis for their data processing.
on the basis of which the Applicants invoked Article 6 (1) (f) of the GDPR

at the same time as attaching a balancing test.

According to the Authority, the consent of the stakeholders and the Condominium TV. Section 25 (1)
in the absence of a decision under Article 6 (1) (f) of the GDPR
legal basis, but its application requires an indication of an appropriate legitimate interest. Of this
However, in order to apply it, the controller must examine the circumstances, the necessity and the
proportionality as well.


The Authority also points out that in order to make a complaint to attach evidence
may be a legitimate aim, but in the Authority’s view it is not
the common area of the condominium is continuously, to a greater extent (the entire forecourt of the property, stairs).
observation.

The Authority finds that the harassment and trespass identified by the Applicants

prevention of crime, intimidation of the perpetrator and evidence of harassment and trespassing as data
could be enforced in such a way that the camera were
relve that instead of the entire forecourt of the apartment only the door of the property and its immediate surroundings
would record. In this way, it would be possible to prevent anyone from potentially infringing
and that there are no adequate means available to the
for you. Accordingly, the Authority may, in accordance with Article 6 (1) (f) of the GDPR,
pot in its present form is not considered lawful.


It should also be emphasized that the Applicants, due to the angle of view of the camera, not only
area, but also the public area visible through the window, for which the
Applicants did not submit a separate balancing test and use a different legal basis
nor was it marked.

The legislation referred to - primarily the GDPR - does not allow an individual

systematically, with the assistance of himself or others, systematically, for several months
monitor the public space, the individuals who are active there,
therefore, the observation is contrary to the principle of lawful data management due to the above.

Given, therefore, that no proper legal basis has been established either in advance or during the proceedings
and, due to the scale of the observation, the Authority considers that the data processing

exceeded what was necessary and proportionate, as no fact came to light in the course of the
on the basis of which the need to monitor the public space or the common space is
therefore the Authority found that the
Article 6 (1) of the GDPR. 10



In view of the above, the Authority has condemned the infringement under Article 58 (2) (b) of the GDPR.

Applicants because their data processing activities violated the provisions of the GDPR. THE
The Authority also ordered, pursuant to Article 58 (2) (d) of the GDPR, that a
Applicants will bring their data management operations in line with the provisions of the GDPR.

III.3. Informing stakeholders about camera surveillance

Stakeholders in accordance with Article 13 (1) and (2) of the GDPR

information on the circumstances of the data processing must be provided. In the case of camera surveillance, the preliminary
information already needs to be provided as a first step when entering the observed area - that’s the thing
due to its nature - at that time it was located outside the observed area (front door, gate)
brief information by means of a pictogram is necessary and sufficient, but at the same time
as a second step, you must necessarily complete at least one available on site
complete (longer and detailed) prospectus. The latter information on the availability of the outsourced
Information should be given on a “pictogram” (one of its functions is actually this: the area

warnings on unavoidable data management upon entry and the necessary full information
availability of this information) and make this information available to the data subject upon request
should be released.

Applicants affixed a pictogram to the camera, however, in addition
no further data management information in accordance with Article 13 (1) and (2) of the GDPR
provided.


The Authority found that the circumstances of the data processing covered by the GDPR were:
Applicants therefore failed to provide adequate information, in breach of Article 13 of the GDPR
Paragraphs 1 and 2.


III.4. Legal consequences, other issues


The Authority examined of its own motion whether data protection against the Applicants was justified
imposition of a fine. In this context, the Authority will comply with Article 83 (2) of the GDPR and Infotv. 75 / A. §-the
considered all the circumstances of the case of its own motion and found that the present proceedings
The imposition of a fine for an infringement detected in the course of
that the Applicants are individuals, not previously found to have violated the GDPR
and the infringement in the individual case concerned only the Applicant and its surroundings. Of which a

Authority was also able to draw a thorough conclusion that even without imposing a data protection fine
the request formulated by the Applicant that the Applicants as data controllers a
in the future, in accordance with the rules of the GDPR. The Authority points out that
the application of a data protection fine to the Applicant's right or legitimate interest
does not directly affect, such a decision of the Authority shall not confer any right or obligation on it
consequently, this legal consequence, which falls within the scope of the public interest,
the Applicant shall not be considered a customer with regard to the imposition of fines

CL of 2016 on General Administrative Procedure. Section 10 (1) of the Act (hereinafter: the Act)
or, as the Ákr. Does not comply with Section 35 (1) in this regard
there is no place to file an application, this part of the petition cannot be interpreted as an application.

In addition, due to the fact that the Applicants have already deleted the recordings of the Applicant, the Authority
does not order the deletion of personal data.


ARC. Other issues

The competence of the Authority is limited by the Infotv. Section 38 (2) and (2a), its jurisdiction is
covers the whole country. 11





The decision is based on Ákr. 80.-81. § and Infotv. It is based on Section 61 (1). The decision is based on Ákr. 82.
§ (1), it becomes final with its communication. The Acre. § 112 and § 116 (1),
or pursuant to Section 114 (1), it has a place in an administrative lawsuit against the decision
redress.
                                               * * *

The rules of administrative litigation are laid down in Act I of 2017 on the Procedure of Administrative Litigation (a

hereinafter: Kp.). A Kp. Pursuant to Section 12 (1) by a decision of the Authority
The administrative lawsuit against the court falls within the jurisdiction of the court. Section 13 (3) a)
The General Court has exclusive jurisdiction under subparagraph (aa) of

A Kp. Pursuant to Section 27 (1) (b), it is an administrative matter within the jurisdiction of the tribunal
legal representation is mandatory in litigation. A Kp. According to Section 39 (6) - unless otherwise provided by law
the application of the application is deferred until the administrative act takes effect

does not apply. A Kp. Section 29 (1) of the Civil Procedure Code of 2016
CXXX. Act (hereinafter: Pp.) applicable pursuant to § 604, electronic administration and
CCXXII of 2015 on the general rules of trust services. Section 9 (1) b) of the Act
the legal representative of the client is obliged to keep in touch electronically.

The time and place of filing the application is set out in the Act. Section 39 (1). THE
Information on the possibility to request a hearing in connection with the decision

It is based on Section 77 (1) - (2). In connection with the order, the court in a simplified lawsuit
out-of-court procedure in accordance with Kp. § 124 (2) c) and Kp. Section 124 (5)
based on paragraph

The amount of the fee for an administrative lawsuit is set out in Act XCIII of 1990 on Fees. law
(hereinafter: Itv.) 45 / A. § (1). From the advance payment of the fee is
Itv. Section 59 (1) and Section 62 (1) (h) shall release the party initiating the proceedings.


If the Applicant does not duly demonstrate the fulfillment of the required obligations, the Authority shall:
considers that it has not fulfilled its obligations within the prescribed period. The Acre. According to § 132, if a
Applicant has not complied with its obligation under the Authority 's final decision,
executable. The decision of the Authority Pursuant to Section 82 (1), the notification becomes final
becomes. The Acre. Section 133 of the Enforcement - unless otherwise provided by law or government decree
ordered by the decision-making authority. The Acre. Pursuant to Section 134, the enforcement of the

carried out by a state tax authority. Infotv. Pursuant to Section 61 (7) in the decision of the Authority
to perform a specific act, conduct, tolerance or
the Authority shall enforce the decision in respect of the standstill obligation
implements.

Budapest, September 13, 2021


                                                                  Dr. Attila Péterfalvi
                                                                         President
                                                                   c. professor