NAIH (Hungary) - NAIH-6752-10/2023: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Hungary |DPA-BG-Color=background-color:#7f0037; |DPAlogo=LogoHU.jpg |DPA_Abbrevation=NAIH |DPA_With_Country=NAIH (Hungary) |Case_Number_Name=NAIH-6752-10/2023 |ECLI= |Original_Source_Name_1=Nemzeti Adatvédelmi és Információszabadság Hatósághoz |Original_Source_Link_1=https://gdprhub.eu/index.php?title=File:Naih-6752-10-2023_felszolitas-4.pdf |Original_Source_Language_1=Hungarian |Original_Source_Language__Code_1=HU |Original_Sour...")
 
mNo edit summary
Line 71: Line 71:
}}
}}


The Hungarian DPA found three joint controllers to have breached [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]], [[Article 9 GDPR#1|Article 9(1) GDPR]], as well as Article 12 and 13 GDPR for having unlawfully contacted a data subject after they had signed up to support a political movement.
The Hungarian DPA found three joint controllers to have breached [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]], [[Article 9 GDPR#1|Article 9(1) GDPR]], as well as [[Article 12 GDPR|Article 12]] and [[Article 13 GDPR|13 GDPR]] for having unlawfully contacted a data subject after they had signed up to support a political movement.


== English Summary ==
== English Summary ==
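Review bot: on the added summary line, the two new links are labelled "Article 12" and "13 GDPR", so the first label no longer names the regulation and the second no longer says "Article". Both also point at the whole article, while the other links on the same line use paragraph anchors (`#1a`, `#1`). Consider labels that each read as a full citation, and paragraph anchors if the intent is to match the neighbouring links.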
Line 89: Line 89:
Regarding the content of the privacy policy, the DPA noted that it did not deliver adequate information on all the actual processing purposes. It did not provide data subjects with clear and detailed information on what they were exactly consenting to. For example, when signing up, some details were mandatory to insert, and the privacy policy did not elucidate the reasons. The DPA further added that the privacy policy lacked information on the activities of each one of the joint controllers and legal persons involved in the data processing.
Regarding the content of the privacy policy, the DPA noted that it did not deliver adequate information on all the actual processing purposes. It did not provide data subjects with clear and detailed information on what they were exactly consenting to. For example, when signing up, some details were mandatory to insert, and the privacy policy did not elucidate the reasons. The DPA further added that the privacy policy lacked information on the activities of each one of the joint controllers and legal persons involved in the data processing.


Based on the above, the DPA concluded that the joint controllers did not provide the data subject with clear, adequate and fair information on all material circumstances of the processing of personal data, nor any information on the data management, in violation of the Article 13(1) and (2) GDPR. The joint controllers further failed to provide information on their processing of personal data, infringing [[Article 12 GDPR#1|Article 12(1) GDPR]].
Based on the above, the DPA concluded that the joint controllers did not provide the data subject with clear, adequate and fair information on all material circumstances of the processing of personal data, nor any information on the data management, in violation of the [[Article 13 GDPR|Article 13(1) and (2) GDPR]]. The joint controllers further failed to provide information on their processing of personal data, infringing [[Article 12 GDPR#1|Article 12(1) GDPR]].


Consequently, the DPA found that the consent of the data subject to the processing lacked the elements necessary to establish the legal basis since the consent was not informed. As a consequence, the joint controllers processed personal data without a valid legal basis, violating [[Article 6 GDPR|Article 6 GDPR]]. Since the data provided by the data subject were also sensitive data: the processing violated [[Article 9 GDPR#1|Article 9(1) GDPR]] as well. Lastly, considering that the Association did not respond to the several requests made by the DPA, it also breached the duty to cooperate under [[Article 31 GDPR|Article 31 GDPR]].
Consequently, the DPA found that the consent of the data subject to the processing lacked the elements necessary to establish the legal basis since the consent was not informed. As a consequence, the joint controllers processed personal data without a valid legal basis, violating [[Article 6 GDPR|Article 6 GDPR]]. Since the data provided by the data subject were also sensitive data: the processing violated [[Article 9 GDPR#1|Article 9(1) GDPR]] as well. Lastly, considering that the Association did not respond to the several requests made by the DPA, it also breached the duty to cooperate under [[Article 31 GDPR|Article 31 GDPR]].
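Review bot: in the changed "Based on the above" paragraph, the stray article before the new link is kept ("in violation of the [[Article 13 GDPR|Article 13(1) and (2) GDPR]]"); drop "the" while this sentence is being touched. The new link also carries no paragraph anchor, unlike the `Article 12 GDPR#1` link later in the same paragraph.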

Revision as of 14:11, 16 February 2024

NAIH - NAIH-6752-10/2023
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 5(1)(a) GDPR
Article 6(1)(a) GDPR
Article 9(1) GDPR
Article 12(1) GDPR
Article 13(1) GDPR
Article 13(2) GDPR
Article 26(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 20.12.2023
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: NAIH-6752-10/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Hungarian
Original Source: Nemzeti Adatvédelmi és Információszabadság Hatósághoz (in HU)
Initial Contributor: ar

The Hungarian DPA found three joint controllers to have breached Article 6(1)(a) GDPR, Article 9(1) GDPR, as well as Articles 12 and 13 GDPR, for having unlawfully contacted a data subject after they had signed up to support a political movement.

English Summary

Facts

A data subject complained to the Hungarian DPA that between 14 and 20 September 2021, they received unsolicited contact, via SMS and telephone calls, from two phone numbers of LINK Mobility Kft. The SMS message in particular contained a hyperlink to a website that allowed the data subject to support a political movement, specifically to support the election of Karácsony Gergely as prime minister.

The DPA then contacted LINK Mobility Kft to request information. According to the statement of LINK Mobility Kft., the SMS messages were sent to the data subject via VCC Live Hungary Kft, a company that provides software usage, product support and other alternative telecommunication services to companies operating a customer service. For further information regarding the SMS messages, VCC Live Hungary Kft re-directed the DPA to Datadat Ltd, which tasked its subcontractor Datadat GmbH to send the SMS messages. Datadat GmbH explained that it had sent the SMS messages to another customer, the association Ninety-Nine Movement (the Association), the sole controller.

Holding

In the context of the processing under investigation, the DPA found that the purpose was to send an additional registration link for the day of the pre-election vote. However, the DPA found that the means of data processing were determined by the Association, Datadat Kft. and Datadat GmbH together. Each acted on behalf of the other through a chain of interdependence, since they decided together to send the message to the data subjects in the form of an SMS. Therefore, as a result of its investigation, the DPA established that the Association, Datadat Kft. and Datadat GmbH were joint controllers under Article 26(1) GDPR for the data processing under examination.

Secondly, the DPA acknowledged that the legal basis used for processing personal data by the joint controllers was the data subject's consent pursuant to Article 6(1)(a) GDPR. Considering that the SMS messages sent out always contained a hyperlink to a website with the relevant privacy information and subscription option, any disclosure of data by citizens on the linked interface was voluntary. Furthermore, since the data processed concerned the data subject's political opinions, the DPA stated that they constituted a special category of personal data within the meaning of Article 9(1) GDPR. As a general rule, the processing of special categories of personal data is prohibited by the GDPR or is subject to strict conditions.

However, the DPA found that the joint controllers had infringed Article 5(1)(a) GDPR for not providing the data subjects with adequate information on the purposes of the processing. On the website, they had not clearly indicated that the data subject's information would be used for further contact, nor explained the specific purposes to which the data subjects consented.

Regarding the content of the privacy policy, the DPA noted that it did not deliver adequate information on all the actual processing purposes. It did not provide data subjects with clear and detailed information on what they were exactly consenting to. For example, when signing up, some details were mandatory to insert, and the privacy policy did not elucidate the reasons. The DPA further added that the privacy policy lacked information on the activities of each one of the joint controllers and legal persons involved in the data processing.

Based on the above, the DPA concluded that the joint controllers did not provide the data subject with clear, adequate and fair information on all material circumstances of the processing of personal data, nor any information on the data management, in violation of Article 13(1) and (2) GDPR. The joint controllers further failed to provide information on their processing of personal data, infringing Article 12(1) GDPR.

Consequently, the DPA found that the consent of the data subject to the processing lacked the elements necessary to establish the legal basis, since the consent was not informed. As a consequence, the joint controllers processed personal data without a valid legal basis, violating Article 6 GDPR. Since the data provided by the data subject were also sensitive data, the processing violated Article 9(1) GDPR as well. Lastly, considering that the Association did not respond to the several requests made by the DPA, it also breached the duty to cooperate under Article 31 GDPR.

Therefore, the DPA ordered the joint controllers to bring their processing operations into compliance.

Comment

Due to the automated translation of the decision, we apologise for any mistakes in the translation of entities or for misunderstandings. Should you note any discrepancy, please do not hesitate to modify this page directly or let us know.

English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
