NAIH (Hungary) - NAIH-7058-5/2022

From GDPRhub
NAIH - NAIH-7058-5/2022
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 6(1) GDPR
Article 7(2) GDPR
Article 7(4) GDPR
Article 12(1) GDPR
Type: Investigation
Outcome: Violation Found
Started: 24.06.2022
Decided: 15.11.2022
Published: 16.11.2022
Fine: 2000000 HUF
Parties: n/a
National Case Number/Name: NAIH-7058-5/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Hungarian
Original Source: NAIH (in HU)
Initial Contributor: Abel Kaszian

The Hungarian DPA fined a news service 2,000,000 HUF (approx. €5,080) for processing personal data without valid consent. Data subjects who signed up for the controller's newsletter were automatically signed up to electronic marketing and a prize draw without being sufficiently informed nor being able to give granular consent.

English Summary[edit | edit source]

Facts[edit | edit source]

The controller is a news service provider. Data subjects subscribed to its service to receive daily news and updates through a newsletter. It was not clarified whether this was a paid service. The controller relied on Article 6(1)(b) GDPR to process the data for the newsletter.

The controller also processed personal data for electronic direct marketing (eDM) and a prize draw. The eDM emails were sent to everyone who subscribed to the service. The prize draw was advertised by the controller in the period between 24 February 2022 to 24 March 2022. The controller wanted to offer the prize draw's prize to all service subscribers. Therefore, all the service users were subscribed to the prize draw and there was no way for them to opt out of the prize draw.

On 24 June 2022, the DPA opened an ex officio investigation into a controller's services. According to the facts uncovered by the DPA, between January 1, 2021 and May 17, 2022, all subscribers who registered online for the news service were automatically subscribed to eDM. A single checkbox on the website was used to accept the Terms of Service (TOS) - a condition of the subscription - and to subscribe to eDM. At the time of subscription. In other words, it was not possible to subscribe to the service through the website alone without subscribing to eDM. In its defense, the controller argued that the data processing could be legitimized through legitimate interests.

Holding[edit | edit source]

The DPA decided that the controller's conduct was in breach of the GDPR.

First, the DPA rejected the controller's argument that, in the absence of other suitable legal grounds, the processing may have been done on the legal basis of legitimate interest. The DPA emphasized that controllers are obliged to decide in advance on the legal basis for processing, to weigh the legitimate interest against the rights of the data subject pursuant to Article 6(1)(f) GDPR, to document this, and to inform the data subjects accordingly, including about the right to object. In the absence of this, an ex-post change of the legal basis would generally, as well as in the present case, constitute an unfair processing for the data subjects, and the balancing of interests would not lead to a positive result for the controller. As a matter of principle, the DPA stated that it is not up to the data subject or the DPA to identify the appropriate legal basis before the processing starts. Rather, by virtue of the principle of privacy by design and by default, it is the sole responsibility of the controller.

Second, the DPA held that the controller did not sufficiently inform data subjects about their rights. It emphasized that, under Article 12(1) GDPR, a controller must provide the data subject with the necessary assistance to enable him or her to exercise all data subject rights in an informed manner. The information obligation is not a mere "paperwork" obligation, but is intended to enable the data subject to make an informed choice about the processing and to exercise his or her data subject rights. In order to be capable to fully exercise their rights (such as their right to withdraw consent), it is necessary to know exactly when and under what conditions data processing based on the data subject's consent for the purpose of eDM will cease. Such information was not provided. The duration for which personal data would be processed for eDM was not sufficiently clear and unambiguous. Therefore the DPA found the controller in breach of Article 12(1) GDPR.

Third, the DPA decided that the data processing was not based on consent, as the controller did not fulfil the conditions of Article 7 GDPR. Consent was neither sufficiently informed. Referring to the European Data Protection Board's Guideline 5/2020, the DPA explained that any information that may be relevant to a typical data subject's decision must be provided. According to the DPA this includes the duration of processing in the case of eDM. Data subjects typically subscribe to a large number of newsletters over the course of their lives, which are difficult for them to keep track of. Therefore, the DPA was of the opinion that the time of the cessation of e-mailing in the case of eDM is important information for data subjects. Moreover, according to Article 7(2) and 7(4) GDPR, consent must be granular. To use consent as a legal basis, controller must not bundle different incompatible processing purposes. This was violated in the present case. Consent would have to be given separately for the subscription service, the eDM, and the prize draw. The investigation of the DPA showed that the controller had not complied with these criteria.

Consequently, the DPA found the data processing to be unlawful. The processing violated Article 7(2) GDPR, Article 7(4) GDPR and Article 6(1)(a) GDPR. The controller was fined 2,000,000 HUF (approx. €5,080). In determining the height of the fine, the DPA took into account some mitigating circumstances, namely, that the controller cooperated with the DPA during the proceedings, acknowledged the infringement and remedied it for the future in the present proceedings, conducted internal training, and that the infringement only concerned the data subjects' email address data and not any other data or sensitive data. An aggravating circumstance was that the data processing continued for an extended period of time.

Comment[edit | edit source]

On a weekly basis, the controller had sent eDM unlawfully to thousands of data subjects who had subscribed to its services. The fact that the data subjects were able to subsequently object to the eDM or to subsequently withdrawn their consent in the online account linked to the service does not alter the invalidity of the consent.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

File number: NAIH-7058-5/2022 Subject: decision


The National Data Protection and Freedom of Information Authority (hereinafter: Authority)
On August 31, 2022, official data protection proceedings were initiated ex officio by....……………….

(head office: ………………………………..; hereinafter: Customer) January 1, 2021 and 2022
in the period between June 24, the "………………" service (hereinafter: Service)
related to the provision and continuation of electronic direct marketing (hereinafter: EDM).
in connection with its data management, to check that the above data management complies with
e on the protection of natural persons with regard to the management of personal data
and on the free flow of such data, as well as outside the scope of Directive 95/46/EC
Regulation 2016/679/EU on the placement of data (hereinafter: general data protection regulation)

its provisions. The Authority made the following decisions in the above official data protection procedure

I. The Authority determines that the Client did not provide adequate information to the persons concerned
in relation to the duration of the EDM, as well as in view of the lack of separate specific consent
the legal basis for EDM data processing specified by the Customer was invalid during the period under review,
with this, the Customer violated Article 6 (1), Article 7 of the General Data Protection Regulation

(2) and (4) and Article 12 (1).

II. The Authority based on Article 58 (2) point d) of the General Data Protection Regulation
ex officio instructs the Customer to provide appropriate information to those concerned, who are
automatically subscribed to EDM specifically about the fact that it is
contrary to the information received at the time of subscription, it was not valid separately for EDM
their possibility to contribute and how exactly they can unsubscribe from EDM.

CXII of 2011 on the right to information self-determination and freedom of information.
Act (hereinafter: Infotv.) to challenge the decision based on Section 61 (6).
until the expiration of the open deadline for filing an action, or in the case of an administrative lawsuit, the court
until a final decision, the data affected by the disputed data management cannot be deleted or not
can be destroyed.

III. The Authority ex officio the Customer due to the above data protection violations

                             HUF 2,000,000, i.e. two million forints
                                    data protection fine

                                  obliged to pay.

The II. the fulfillment of the obligation prescribed by the Customer towards this decision
must be in writing within 30 days of the expiration of the legal remedy deadline - the supporting document
together with the presentation of evidence - to prove it to the Authority. EDM data management
based solely on the express and appropriate information given separately to the EDM
it can be continued with respect to those who gave their consent.

The III. fine according to point 30 days from the date of this decision becoming final

within the Authority's centralized revenue collection forint settlement account 2

(10032000-01040425-00000000 Centralized direct debit account IBAN: HU83 1003 2000
0104 0425 0000 0000) must be paid. When transferring the amount, "NAIH-7058/2022
FINE.” number must be referred to.

If the Customer does not fulfill his obligation to pay the fine within the deadline, he is in default
is obliged to pay a penalty. The rate of penalty is the legal interest, which is
is the same as the central bank base rate valid on the first day of the relevant calendar semester.

Non-payment of the fine and late fee, or the above II. obligation according to point
in case of non-compliance, the Authority orders the implementation of the decision.

There is no place for administrative appeal against the decision, but only from the announcement
within 30 days from the date of issue, with a letter of claim addressed to the Capital Tribunal
can be challenged in a lawsuit. The claim must be submitted to the Authority electronically, which

forwards it to the court together with the case documents. The request for the holding of the trial is submitted by the
must be indicated in the application. For those who do not receive full personal tax exemption
the fee for the judicial review procedure is HUF 30,000, the lawsuit is subject to the right to record the fee. THE
Legal representation is mandatory in proceedings before the Metropolitan Court.


I. Procedure and clarification of the facts

I.1. History matters

1.1. On June 24, 2022, the Authority ex officio issued history number NAIH-6003/2022
initiated an audit (hereinafter: Authority Audit) of the provision of the Customer Service
and general data management related to the continuation of EDM in 2021 and 2022
in connection with his practice.

1.2. The Authority sent the documents created during the Authority Inspection to Infotv. Paragraph (2) of § 71

can be used in this procedure based on

1.3. During the Authority Inspection, the Client requested and received what he requested from the Authority
after a deadline extension, within the extended deadline - July 22, 2022
in his reply letter sent to NAIH-6003-4/2022, the following, the decision

made relevant statements in terms of:

   (i) According to the status in force at the time of initiation of the Authority Inspection, the subscriber
   made a statement in which he stated the general terms and conditions (a
   hereinafter: General Terms and Conditions) and of which statement it was a part
   Also a contribution to EDM. According to the Customer's statement, he noticed that it was not

   provided the possibility of subscribing without participating in the prize draw, and for this
   he changed his practice in view. The Customer is …………. on a web interface (a
   hereinafter: Website) placed a separate checkbox on June 28, 2022. With this
   simultaneously amended the provisions of the General Terms and Conditions, in which it is clearly separated
   contract according to Article 6 (1) (b) of the General Data Protection Regulation
   for its fulfillment, or according to Article 6 (1) (a) of the General Data Protection Regulation

1 The NAIH_K01 form is used to initiate an administrative lawsuit: NAIH_K01 form (16.09.2019) The form is
can be filled out using a general form filling program (ÁNYK program). 3

Data management related to EDM emails. In support of this, the Customer
attached by ……………. modified version of the GTC for the product.

(ii) The prize draw available on the Website is February 24, 2022 and March 24, 2022.
took place between The Customer wanted all of its customers to win the prize
opportunity, thus linking the prize draw with the subscription. With this
at the same time, the Customer provided the option to unsubscribe in all EDM e-mails,
and also provides the opportunity for this in the personal customer account. The Customer noticed that it was not
provided the possibility of subscribing without participating in the prize draw, and for this

he changed his practice in view. In the future, the Customer will participate in prize games
clearly separates participation from the subscription as data management and manages it separately, and
in all cases, it clearly ensures the data subject's independent data subject rights

(iii) Subscribers of the winners listed in the regulations of the prize draw available on the Website
his image and audio recording were not published, but the image and audio recording were
Not made by customer.

(iv) The Data Controller performs news service (news agency) activities (Main activity:
………………………………………..…………..). Those involved specifically for that
register for the service to receive daily news and current affairs on a daily basis
they get it. The daily "newsletters" are therefore essentially not in the traditional sense,
inquiries for marketing purposes, but news summaries, i.e. the essence of the service. The
the legal basis for data management in this regard is Article 6 (1)(b) of the General Data Protection Regulation

fulfillment of the contract according to paragraph
(v) EDM e-mails, on the other hand, promote the Data Controller's products and services,
thus they are completely different from the daily news summaries. Legal basis for data management
in this case, in Article 6 (1) (a) of the General Data Protection Regulation

registered contribution. In addition, the data controller provided in all newsletters a
the option to unsubscribe, and the option to send newsletters is also available in the customer account
to unsubscribe.

(vi) EDM e-mail is sent to those who are the data controller
registered for its service or purchased a product from it. In the latter case as well
registration is required. In connection with the registration, the data controller is general
data management information and the GTC for the product in this regard
information. The Customer has, and is currently already, clarifying its data management information
provided by Article 7 of the GDPR, European Data Protection Board 5/2020. guidelines and the
a separate consent is required in light of official practice. It's about the modifications

The customer also provides separate information on his website, in the customer account, and embedded in the EDM e-mail
(vii) During the period of the Authority Inspection, the Customer shall register with a

to use your service or to buy your product (or for these
related registration). The Customer then sent it until the unsubscribe date
information about its products and services for those concerned. With this
simultaneous unsubscribe option in all EDM e-mails and on the customer account
provided through As described above, the Customer is the automatic subscriber
terminated its system, and this is also stated in the General Terms and Conditions and the data management information
led him through

(viii) To the question of what is the reason for the discrepancy that it is available on the Website
data management information section number 10 regarding data management ("EDM sending"
titled) says that the duration of EDM data management is until the user unsubscribes
it lasts for 3 working days after its deletion, while according to the General Terms and Conditions, the user has to register on the 4th

   consents to the information and offers of the Customer's own services directly
   as long as the user unsubscribes from the message, that is
   The customer replied that in the case of news summaries, the data management is the subscription
   expires upon expiry. In the case of newsletters, data management ceases upon unsubscribing.
   In case of unsubscribing, the newsletter will no longer be sent to the person concerned.

   Given that this provision of the General Terms and Conditions was not precisely defined by it
   data management, so the Customer clarified this and the related data management information.

   (ix) To the question of what is the reason for the discrepancy that V.2 of the General Terms and Conditions according to point it is
   subscription is renewed if the user makes a declaration to this effect during registration,
   while at the bottom of the registration interface, according to the small print information, for the Service a
   access is provided by a renewable subscription, and there is no separate checkbox for this,

   the Customer replied that in view of the fact that GTC V.2. point inaccurately
   states, the renewal regulations have been modified by the Customer and with this on all surfaces
   brought it into line. He informed about the amendment as indicated in subsection I.1.3.(vi) above

   (x) During the examined period, .... thousand people subscribed to the Service and they typically paid weekly
   received an EDM email.

   (xi) In support of the above, the Customer attached the modified ………… General Terms and Conditions,
   as well as the modified data management information.

   (xii) In the first half of August 2022 of the Customer in connection with the marketing area
   also organizes internal data protection training, and starting in August, the built-in
   takes into account the principle of data protection, it reviews all its data management repeatedly.

1.4. Since the amendment was important in terms of clarifying the facts in the examined period
exploration of the prior state and the exact timing of the amendments, the Authority further
asked the Customer clarifying questions about the facts. During the Authority Inspection, the Authority
The Customer's inquiry was received on August 16, 2022 at number NAIH-6003-6/2022
in his reply letter, the following is relevant for the decision and not previously
made detailed statements and indicated clarifications:

   (i) between January 1, 2021 and May 16, 2022 for the Service
   during subscription, acceptance of the Terms and Conditions for the service is given to EDM
   it was also classified as consent, i.e. it could only be declared at the same time.

   (ii) The Customer changed its practices on May 17, 2022. The purpose of the change is EDM
   was to create an independent data management consent for data management, but a
   during development, the text of the consent to the General Terms and Conditions and the EDM and the checkbox
   they slipped together, i.e. it was not properly implemented. So it is from then on
   data controller until June 27, 2022 (ordering the Authority Inspection on June 24, 2022
   until the order is received by the Customer) still requested acceptance of the General Terms and Conditions with a checkbox

   and consent to EDM. The Customer will implement this merger on June 28, 2022
   discontinued, and the modified online system has been available since then. This Customer is the following
   supported by documents:

     • GTC 14.10.2020-23.06.2021
     • GTC 2021.06.24.-2022.05.17
     • GTC 18.05.2022 - 27.06.2022
     • Order process ………….
     • Information on data management 5

     • Checkbox screen saver (17.05.2022 - 28.06.2022)

   (iii) It was not possible for the subscriber not to accept the rules of the prize draw
   away or stay out of it. In connection with participation in the prize draw
   you couldn't protest, you couldn't avoid it. This is done by the Customer with the following documents
   supported in addition to those attached to the previous point:

     • Sweepstakes regulations
     • "Become a ………… subscriber" EDM

   (iv) In the examined period, the General Terms and Conditions did not include the EDM e-
   provisions regarding emails. The General Terms and Conditions are only the contract
   regulated "newsletters" with content closely related to its performance, which
   however, they are content recommendations in all cases. By the Authority, I.1.3 above. in point (viii).
   the referenced GTC provision was included in the GTC together with the change to the GTC,
   when the Customer separates the EDM contribution as indicated previously

   wanted to regulate, but due to a development error, this was done incorrectly
   for implementation.
   (v) If the affected user deletes his entire profile, in that case the Customer

   deletes all data. Since this includes the email address, no further EDM message
   will be sent.
   (vi) The renewal is indicated in the same font size, in a way that is easily identifiable,
   as well as resignation. After the initiation of the official inspection, the Customer shall provide the text


1.5. The Customer is subject to I.1.3 above. on the basis of your answers detailed in point during the Authority Inspection

admitted that his practices were not adequate in terms of data protection law, so he changed them. THE
Authority's ex officio official data protection procedure of the violation and its legal consequences
in order to determine the obligation of the Authority. The purpose of this official data protection procedure
the period between January 1, 2021 and the start of the Authority Inspection (June 24, 2022)
classification of data management, however, in determining the legal consequences, the Authority
takes into account the data management implemented by the Customer during the procedure

1.6. In view of the above, the Authority's 2016 CL.
Act (hereinafter: Act) was closed by the Authority based on point a) of § 101, paragraph (1)
Inspection and ex officio initiated the current data protection official procedure indicated in the header

I.2. This data protection official procedure

2.1. In this data protection official procedure, the Customer, upon request of the Authority, 2022.
In his reply letter received on September 12, sent under number NAIH-7058-2/2022, the following
made statements relevant to the decision:

   (i) The Customer maintains the statements made during the Authority Inspection.

   (ii) The Customer requests to take into account that after the initiation of the Authority's inspection, the
   reviewed and transformed its data management practices and compliance deficiencies
   eliminated and did everything to mitigate their consequences, and
   continuously monitors data protection compliance. In this context, he modified and
   attached the General Terms and Conditions, the data management information, and the screen saver in the new 6

   about separate checkboxes on the Website. According to the Customer's point of view, it is general
   legitimate interest according to Article 6 (1) point f) of the data protection decree is also a legal basis
   the general data protection regulation (47) could have applied to EDM data management
   based on its preamble. Furthermore, according to the Customer's point of view, the shortcomings
   were the results of careless and unintentional conduct and the Authority had not previously

   established a violation of the law against the Customer, and during the procedure the Customer was enhanced
   has cooperated to the extent of discovering and remedying the violation, which is the violation
   significantly reduced its impact on those involved. In addition, the Customer requested it
   to take into account that the processing of special category or criminal data is not
   happened. The Customer also attached the change of information to those concerned
   general notification text.

   (iii) In 2021, the Customer achieved sales revenue of HUF …… billion.

2.2. According to the information sent by the Customer on ePaper on September 30, 2022, at the Customer
On September 28, 2022, from 10:30 a.m. to 12:30 p.m., internal training took place at
in the following topics:

   (i) Background of the training: NAIH examination and its exact background

   (ii) Data management tasks and responsibilities within the data controller's organization

   (iii) The role of normative regulation, sources of law, case law

   (iv) The role of data protection principles and legal bases

   (v) Preferred legal grounds: consent and legitimate interest, terms of use with examples

   (vi) Data protection aspects of sending newsletters and sweepstakes

   (vii) Legal cases and examples and practical cases related to the operation of the data controller

   (viii) Stakeholder rights and their promotion

2.3. The Akr. Based on § 76, no such evidence or statement arose from the Authority
During the inspection and the present case, which would not come from the Customer, so the Authority is the Customer
concluded the evidence without inviting him to make a repeated statement.

II. Legal provisions applicable in the case

According to Article 2 (1) of the General Data Protection Regulation, the general data protection
regulation must be applied to personal data in part or in whole in an automated manner
processing, as well as the non-automated processing of data that
are part of a registration system or which are a registration system
want to be part of.

You are identified as "personal data" on the basis of Article 4, point 1 of the General Data Protection Regulation
any information relating to an identifiable natural person ("data subject"), including
also the online ID.

According to Article 4, point 2 of the General Data Protection Regulation, "data management" is personal
any 7 performed on data or data files in an automated or non-automated manner

operation or a set of operations, such as collection, recording, organization, segmentation, storage,
transformation or change, query, insight, use, transmission of communication,
by means of distribution or other means of making available, coordination or
connection, restriction, deletion or destruction.

Based on Article 4, point 4 of the General Data Protection Regulation, "profiling" is personal data
any form of automated processing during which personal data
to evaluate certain personal characteristics related to a natural person,
especially for work performance, economic situation, health status,
for personal preferences, interest, reliability, behavior, residence
used to analyze or predict characteristics related to location or movement.

Pursuant to Article 4, point 7 of the General Data Protection Regulation, "data controller" is the natural or
legal entity, public authority, agency or any other body that is personal
determines the purposes and means of data management independently or together with others. If that
the purposes and means of data management are determined by EU or member state law, the data manager
or special considerations for the appointment of the data controller by the EU or the Member States
can also be determined by law

Pursuant to Article 4, point 11 of the General Data Protection Regulation, it is "the consent of the data subject".
of the will of the person concerned, based on voluntary, specific and adequate information and clear
declaration by which the relevant statement or confirmation is unambiguously expressed
indicates by action that he gives his consent to the processing of his personal data.

According to Article 6 (1) point a) of the General Data Protection Regulation, it may be legal to
processing of personal data, if the data subject has given his consent to a or

for its management for several specific purposes.

According to Article 6 (1) point f) of the General Data Protection Regulation, it may be legal to
processing of personal data, if the data processing is authorized by the data controller or a third party
necessary to assert its interests, unless priority is given to these interests
interests or fundamental rights and freedoms of the data subject that are personal
data protection is necessary, especially if the person concerned is a child.

According to recital (47) of the General Data Protection Regulation, the data controller –
including the data controller with whom the personal data may be disclosed - or one
the legitimate interest of a third party can create a legal basis for data processing, provided that the data subject is involved
his interests, fundamental rights and freedoms do not take priority, taking into account that
the reasonable expectations of the data subject based on his relationship with the data controller. About such a legitimate interest
it can be the case, for example, when there is a relevant and appropriate relationship between the data subject and the

between data controllers, for example in cases where the data subject is a customer of the data controller
is in its application. In any case, to establish the existence of a legitimate interest
it must be carefully examined, among other things, that the data subject is personal data
at the time of its collection and in connection with it, can you reasonably expect that
data may be processed for the given purpose. The interests and fundamental rights of the data subject take precedence
may enjoy against the interest of the data controller if the personal data are in such circumstances
between which the data subjects do not expect further data processing. Since

it is the task of the legislator to define in legislation what the public authorities are like
can process personal data on a legal basis, supporting the legitimate interest of the data controller
no legal basis can be applied, carried out by public authorities in the performance of their duties
for data management. Personal data is absolutely necessary to prevent fraud
its handling is also considered a legitimate interest of the data controller concerned. Personal data direct
its processing for the purpose of acquiring business can also be considered based on legitimate interest. 8

Based on Article 7 (2) of the General Data Protection Regulation, if the consent of the data subject
given in the context of a written statement that also applies to other matters, a
request for consent in a way that is clearly distinguishable from these other cases
must be presented in an understandable and easily accessible form, with clear and simple language. The

any part of such statement containing the consent of the affected person which violates e
decree does not have binding force.

Based on Article 7 (4) of the General Data Protection Regulation, during its determination,
whether the consent is voluntary should be taken into account as much as possible
the fact, among other things, that the fulfillment of the contract - including the provision of services
also - whether consent to the processing of personal data which

they are not necessary for the performance of the contract.

Based on Article 12 (1) of the General Data Protection Regulation, the data controller is compliant
takes measures in order to allow the data subject to process personal data
all relevant information mentioned in Articles 13 and 14 and Articles 15-22 and Article 34
according to each information is concise, transparent, comprehensible and easily accessible
provide it in a clear and comprehensible form, especially to children

for any information received.

Based on Article 13 (1) and (2) of the General Data Protection Regulation, if the personal
data were obtained from the data subject, the data controller makes the data available to the data subject
following information:

   a) the identity of the data controller and, if any, the representative of the data controller and
   your contact details;

   b) contact details of the data protection officer, if any;

   c) the purpose of the planned processing of personal data and the legal basis of data processing;

   d) based on point f) of Article 6 (1) of the General Data Protection Regulation
   in the case of data management, the legitimate interests of the data controller or a third party;

   e) where appropriate, recipients of personal data, or categories of recipients, if any;

   f) where appropriate, the fact that the data controller is in a third country or international
   organization wishes to forward the personal data to, and the Commission
   the existence or absence of a compliance decision, or general data protection
   regulation in Article 46, Article 47 or Article 49 (1) second
   in the case of data transfer referred to in subsection, the appropriate and suitable guarantees
   designation, as well as methods for obtaining a copy of i.e. or those
   reference to your contact information;

   g) on the duration of storage of personal data, or if this is not possible, on this
   aspects of determining the duration;

   h) on the data subject's right to request from the data controller the personal data relating to him
   access to data, their correction, deletion or restriction of processing, and

   may object to the processing of such personal data, as well as the data subject
   about your right to data portability;

   i) point a) of Article 6 (1) of the General Data Protection Regulation or Article 9 (2)
   in the case of data management based on point a) of paragraph 9. consent at any time

   the right to withdraw, which does not affect consent before the withdrawal
   the legality of data processing carried out on the basis of;

   j) on the right to submit a complaint to the supervisory authority;

   k) that the provision of personal data is legal or contractual
   whether it is based on an obligation or a prerequisite for the conclusion of a contract, as well as whether the person concerned
   whether you are required to provide personal data, and how it is possible
   failure to provide data may have consequences;

   l) automated referred to in Article 22 (1) and (4) of the General Data Protection Regulation
   the fact of decision-making, including profiling, and at least in these cases
   understandable information on the applied logic and that such data management
   what significance it has and what expected consequences it has for the person concerned.

Based on Article 13(4) of the General Data Protection Regulation, Article 13(1)-(3)
it does not have to be applied if and to what extent the data subject already has the information.

Based on Article 26 (3) of the General Data Protection Regulation, the data subject is (1)
regardless of the terms of the agreement referred to in paragraph
in relation to and against each data manager according to this regulation


For data management under the scope of the General Data Protection Regulation, Infotv. Section 2 (2)
according to paragraph of the general data protection regulation in the provisions indicated there
must be used with included additions.

Infotv. Validation of the right to the protection of personal data based on § 60, paragraph (1).

in order to do so, the Authority initiates an official data protection procedure at the request of the data subject and
may initiate official data protection proceedings ex officio.

Infotv. According to § 61, paragraph (1), point a), it was made in the official data protection procedure
in its decision, the Authority issued Infotv. Data management defined in paragraph (2) of § 2
in connection with operations defined in the general data protection regulation
may apply legal consequences.

Infotv. Pursuant to § 71, paragraph (2), the Authority lawfully acquired during its procedures
can use documents, data or other means of proof in other proceedings.

Infotv. 75/A. Based on § 83 of the General Data Protection Regulation, Article 83 (2)–(6)
exercises its powers in accordance with the principle of proportionality,
especially with the fact that you are in the legislation regarding the handling of personal data

The regulations defined in the mandatory legal act of the European Union are being implemented for the first time
in case of violation, to remedy the violation - with Article 58 of the General Data Protection Regulation
in accordance with - takes action primarily with the warning of the data manager or data processor.

It is ordered by the Authority based on Article 58 (2) point d) of the General Data Protection Regulation
the data manager or the data processor to perform its data management operations - where applicable
in a specified manner and within a specified period of time - is brought into line with this regulation

with its provisions.

On the basis of Article 58 (2) point i) of the General Data Protection Regulation, the Authority has the 83.
imposes an administrative fine in accordance with Article, depending on the circumstances of the given case
in addition to or instead of the measures mentioned in this paragraph. 10

Based on Article 83 (1) of the General Data Protection Regulation, all supervisory
authority ensures that due to the violation mentioned in paragraphs (4), (5), (6) of this regulation
the administrative fines imposed on the basis of this article are effective in each case,
be proportionate and dissuasive.

According to Article 83 (2) of the General Data Protection Regulation, administrative fines
depending on the circumstances of the given case, Article 58 (2) of the General Data Protection Regulation
must be imposed in addition to or instead of the measures mentioned in points a)-h) and j) of paragraph
When deciding whether it is necessary to impose an administrative fine or a
sufficiently in each case when determining the amount of the administrative fine
the following should be taken into account:

   a) the nature, severity and duration of the infringement, taking into account the one in question
   the nature, scope or purpose of data processing, as well as the number of data subjects affected by the breach
   affected, as well as the extent of the damage they suffered;

   b) the intentional or negligent nature of the infringement;

   c) damage suffered by data subjects on the part of the data controller or data processor
   any measures taken to mitigate;

   d) the extent of the responsibility of the data controller or data processor, taking into account the
   technical and
   organizational measures;

   e) relevant violations previously committed by the data controller or data processor;
   f) the remedy of the violation with the supervisory authority and the possible negative nature of the violation
   extent of cooperation to mitigate its effects;

   g) categories of personal data affected by the infringement;

   h) the manner in which the supervisory authority became aware of the violation, in particular
   whether the data controller or the data processor has reported the breach, and if so,
   in what detail;

   i) if against the relevant data manager or data processor previously - in the same a
   subject matter - ordered referred to in Article 58 (2) of the General Data Protection Regulation
   one of the measures, compliance with the measures in question;

   j) whether the data manager or the data processor has observed general data protection
   for approved codes of conduct under Article 40 of the Decree or the general
   for approved certification mechanisms under Article 42 of the Data Protection Regulation; as well as

   k) other aggravating or mitigating factors relevant to the circumstances of the case,
   for example, financial gain as a direct or indirect consequence of the infringement
   or avoided loss.

In the absence of a different provision of the general data protection regulation, the data protection authority
for procedure in the Acr. provisions shall be applied with the deviations specified in Infotv.

III. Decision

III.1. Data management between January 1, 2021 and May 17, 2022 11

1.1. In case of online registration for the Service on the Website, the revealed facts and
based on the Customer's express declarations, all subscribers are automatically also on the EDM
signed up. A checkbox was used on the Website to accept the General Terms and Conditions of the Service
(which is a condition of the subscription) and to subscribe to EDM. Not at the time of registration
it was only possible to register for the Service via the Website for EDM

without signing up.

1.2. The General Terms and Conditions did not contain a provision on EDM.

1.3. Data management for the examination period attached to document No. NAIH-6003-6/2022
based on the table on page 15 of the information, the legal basis for data processing is the data subject
had his consent, and the Customer also stated this during the procedure, as written in point I.1.3.(v) above

according to The Authority's declaration of the Client that a legitimate interest may have existed
would have, for the following reasons, he did not consider it relevant when clarifying the facts. Data management
the data controllers are obliged to decide its legal basis in advance, Article 6 of the General Data Protection Regulation
To weigh up between the legitimate interest and the rights of the data subject according to point f) of paragraph (1).
and to document, and about this and, among other things, the right to protest, the affected parties accordingly
to inform. In the absence of all of these, the legal basis can be modified afterwards in general and in this case
would also be unfair data management to the affected parties, and the consideration of interests is the above

considering the circumstances, it would not lead to a positive result, so legitimate interest is the legal basis
cannot exist. It is not the responsibility of the person concerned, nor of the Authority, to identify the appropriate legal basis
before the start of data management, this is the built-in and default data management
due to its principle, it is the sole responsibility of the data controller. For this reason, the Authority investigated only that
also in the present case, that the legal basis for consent indicated by the Client to the affected parties
was it valid.

1.4. Regarding the examination period, attached to document No. NAIH-6003-6/2022
based on the table on page 18 of the data management information, the duration of data management a
lasts until withdrawal of consent. Compared to this, according to the Customer's statement, the Service
cancellation automatically terminates the EDM data management separately from the EDM consent
without withdrawal. The EDM consent could be revoked at any time through the Service
related online account settings.

1.5. The data management information did not indicate that there was a possibility that a
In addition to registering for the service, the person concerned does not subscribe to the EDM.

1.6. Subscribers to the Service on February 24, 2022 and March 24, 2022 will automatically
they also took part in a prize draw, however, the additional data processing described there (image and
audio recording) did not take place and the prize draw has already closed.

III.2. Data management between May 18, 2022 and June 24, 2022

2.1. Based on the Customer's declaration according to point I.1.4.(ii), the Customer after May 17, 2022
period, he wanted to change the giving of consent to the EDM, however, this
was not implemented in practice.

2.2. The Authority has actually implemented and indicated in the information sheet for those concerned
examines data management, not data management that has not actually taken place. So the above
despite the fact that the EDM contribution on the Website remains unchanged in practice
could only be given with the acceptance of the General Terms and Conditions, in this regard, May 18, 2022 and May 18, 2022.
between June 24 and the period before that, the substantive difference influencing the decision
It was not. 12

2.3. The General Terms and Conditions contained a provision regarding EDM from May 18, 2022, however
this information was not clear based on what was described in points I.1.3.(viii) and I.1.4.(iv) and
was not fully consistent with the data management information, thus the duration of data management
clear and adequate information still did not meet the requirements

requirement. For legal compliance, EDM's data management practices
the need for its basic modification, the Customer shall refer to I.1.3 above. his answers detailed in point
based on the Authority's invitation, it was recognized, and its practice can also be seen on its website
modified after June 24, 2022, however, this is a violation of previous years
does not affect the fact. From this point of view, it is not relevant that the above applies to the Customer's website
According to his statement in point I.1.4.(ii), what he wrote in his General Terms and Conditions was not included for technical reasons, since
in the absence of actual implementation, it was not perceptible in reality and was only examined

affected a small part of the period (about one month of the year and a half). Since the General Terms and Conditions 18 May 2022
the amendment applied since did not improve the transparency of the information from the previous period either
and accuracy, regarding the information between May 18, 2022 and June 24, 2022 and
between January 1, 2021 and May 17, 2022, the decision
there was no significant substantive difference, so the provisions of III.1 above apply accordingly.
was written in point

2.4. Due to the above, the Authority treated January 1, 2021 and 2022 uniformly in its decision.
between May 17 and the period between May 18 and June 24, 2022, since the
there was no significant difference influencing the decision. In the justification, if necessary, a
Authority marks those findings that do not apply to the entire period.

III.3. The information is provided in the entire examined period

3.1. According to Article 12 (1) of the General Data Protection Regulation, the Customer - as a
data controller responsible for data management under investigation - obligation to take appropriate measures
in order to ensure that, for the data subjects, the 13.
and all the information mentioned in Articles 14 and 15-22. and each according to Article 34
information in a concise, transparent, understandable and easily accessible form, clearly and
provide it in a comprehensible way.

3.2. The system of appropriate information in the general data protection regulation serves to
so that the data subject can be aware of which personal data, which data controller and
for which purpose and for how long will it be treated. This is essential to be in a position to
to be able to meaningfully exercise its stakeholder rights.

3.3. Data management based on point a) of Article 6 (1) of the General Data Protection Regulation

based on Article 4, point 11 of the General Data Protection Regulation, not only the data management
beginning, but before obtaining consent, the data controller is obliged to
to provide information based on which informed consent can be given, which is not possible a
3.2 above. in the absence of any of the basic information written in point.

3.4. In relation to the legal basis of data subject consent according to the General Data Protection Regulation
it is important to emphasize that it does not mean that the data controller is subject to other legal obligations

apply it as a general authorization regardless of conditions. For data management
stakeholder consent can only be valid if it is provided by the general data protection
according to the wording of Article 6 (1) point a) of the decree for specific purpose(s) - per purpose
can be specified separately - is obtained and appropriate information is provided beforehand, which is such
puts the person concerned in a position to make an appropriate decision about the consent
and complies with all other provisions of the General Data Protection Regulation 13

validity requirement. Article 12 (1) of the General Data Protection Regulation
According to
can exercise his/her rights as a data subject in an informed manner.

3.5. As explained above, the obligation to provide information is not a mere "paperwork2"
is an obligation in the General Data Protection Regulation. All in the preamble
contained, all the articles of the general data protection regulation require the achievement of results
when determining the obligations of a data controller, not just a specified minimum

proof of effort on the part of the data controller. The aim of the information is to put you in such a situation
brings the data subject to be in the right decision-making position with the data management and the data subject
in connection with the exercise of your rights. Part of this is exactly when and under what conditions
data processing based on the consent of stakeholders related to EDM will cease.

3.6. In all cases, the EDM consent could easily be revoked, but not this one
aggravates the illegality of the Customer, but does not make the consent valid in itself
despite the non-fulfillment of the other conditions.

3.7. Due to the above, it can be concluded that in the examined period, the Customer used the EDM
provided on the duration of personal data processing in connection with
information violated Article 12 (1) of the General Data Protection Regulation,
as it was not sufficiently clear and unambiguous regarding the duration of data management,

Between May 18, 2022 and June 24, 2022, the General Terms and Conditions were also contradictory

III.4. The legality of EDM-related data management in the examined period

4.1. The above III.1.3. on the basis of what was explained in point 1, the Authority is responsible for data management related to EDM
only the consent indicated by the Customer in the information is the legal basis

investigated. In the absence of adequate information, as a general rule, it was based on consent
data management in itself is illegal. This is supported by the European Data Protection Board
Also paragraph 62 of the 5/2020 Guidelines (hereinafter: 5/2020 Guidelines). Accordingly
if the data controller does not provide accessible information, the user has control over the data

its provision becomes apparent and consent becomes an invalid basis for data management.
The basic requirement of easy accessibility is confirmed by Guideline 66 of 5/2020.
and also paragraph 67. 5/2020 regarding information regarding consent
Paragraph 63 of the guidelines also emphasizes that consent based on information

the consequence of not complying with relevant requirements is that a
consent will be invalid and the data controller may violate the general data protection regulation
Article 6.

4.2. Based on paragraph 64 of Directive 5/2020, in order for the consent to be informed

be based on, the data subject must be informed about certain key elements. That's why it is
The European Data Protection Board believes that valid consent requires at least a
the following information is required:

2 For example, the beginning of recital (39) of the General Data Protection Regulation: "The processing of personal data shall be lawful and
it should be fair. For natural persons, it must be transparent that the information concerning them is personal
how their data is collected and used, how it is viewed or in what other way it is handled, as well as
in connection with the extent to which personal data is or will be managed. [...]"
3 Guideline No. 5/2020 of the European Data Protection Board on consent pursuant to Regulation (EU) 2016/679: 14

 (i) the identity of the data controller - this was fulfilled in this case;

 (ii) the purpose of each data processing operation for which consent is sought – this
       fulfilled, but for the purpose of EDM, only the General Terms and Conditions, which are a condition for the provision of the Service
       it was possible to consent with its acceptance;

 (iii) what type of data will be collected and used - this is fulfilled, that is
       according to the data management information, only the email address was processed;

 (iv) the existence of the right to withdraw consent - this has been fulfilled;

 (v) where applicable, to use the data for automated decision-making

       relevant information in accordance with point c) of Article 22 (2) - this is present
       not relevant in this case;

 (vi) the compliance decision for data transmissions and described in Article 46
       possible risks arising from the lack of adequate guarantees - this is not the case in this case

4.3. At the end of the above list, the European Data Protection Board specifically indicates that it is
based on Article 13 of the General Data Protection Regulation, it is only a minimum requirement, but in addition
it is necessary to provide all information that may be important to a typical stakeholder
decision, such as the duration of data management in the case of EDM. Those involved typically
they subscribe to a number of newsletters in their lifetime that are difficult for them to keep track of by heart.
The termination of sending emails based on the EDM is the termination of the Service (a
Deleting an account related to a service) can be important information for those concerned.

4.4. It is important to choose the right legal basis and fulfill its conditions. The present
in the case related to the duration of EDM data management, III.1.4 above. and III.2.3. in points
detailed information is not a problem in itself in the absence of other factual elements
would result in the invalidity of the legal basis in the specific case, however, the Authority is all
examined the circumstances together and took this into account in his decision.

4.5. All according to Article 6 (1) point a) of the General Data Protection Regulation
legal text ("for one or more specific purposes"), as well as 7 of the General Data Protection Regulation.
into law based on the provision of discrimination from other cases according to paragraph (2) of Article
conflicting if consent cannot be given separately for using the Service
required for GTC and EDM. During the examined period, the Customer did not fulfill this condition
completed, so in the case of subscriber … thousand affected persons, it was given to the EDM in the examined period
consent was invalid, based on this the management of the email address for sending EDM

was illegal on a weekly basis. It does not change the consent detailed above
its validity condition is that the affected parties could have objected to the EDM afterwards,
or the consent could later be withdrawn in the online account connected to the Service.

4.6. According to paragraph 26 of Directive 5/2020, "Article 7 of the General Data Protection Regulation
paragraph (4) of Article 4 states, among other things, that they are expressly undesirable
shall be considered the situation in which the consent to the acceptance of the contract conditions is given

"connected" or "set as a condition" for the performance of a contract or service
consent to the processing of personal data that is not necessary a
to fulfill the contract or the service. If consent is given in such a situation, no
considered voluntary ((recital 43)). Paragraph 4 of Article 7 thereof
strives to ensure that the purpose of processing personal data is not hidden
provision of a service contract and not be linked to a service 15

for the provisions of the contract, for which service these personal data are not
are necessary. The General Data Protection Regulation thereby ensures that personal data
management, for which consent is requested, should not directly or indirectly become a contract
compensation. The two legal bases for the lawful processing of personal data, i.e. a
consent and the contract cannot be combined and cannot obscure one another.".

4.7. In the present case, the subscription to EDM during the period under review is inseparable
connection to the subscription to the Customer's online service is contrary to the 5/2020
With the prohibition explained in paragraph 26 of the guidelines, and Article 7 of the general data protection regulation
(4) is completely disregarded.

4.8. Due to the above, it can be concluded that during the examined period, the Customer is with EDM

violated Article 6 (1) of the General Data Protection Regulation
and paragraphs (2) and (4) of Article 7.

ARC. Legal consequences

1. The Authority complies with Article 58 (2) point i) and Article 83 (2) of the General Data Protection Regulation

may impose a data protection fine instead of or in addition to the other measures.
In case of violation of the General Data Protection Regulation, Article 58 of the General Data Protection Regulation.
on the basis of point d) of paragraph (2) of Article, it is necessary to oblige the data controller to
brings data management into line with the general data protection regulation. In view of this, the above
III.1. on the basis of what was explained in point
the Customer, so that the data subjects can decide on their data subject rights based on adequate information
about its practice. Furthermore, the above III.1.3. for reasons detailed in point, according to the relevant part

the Authority instructed the Client to - the above I.2.1.(ii) previously sent by the Client
in addition to the general information according to point - provide more specific information to those concerned
who subscribed automatically to EDM on the fact that it
contrary to the information received at the time of subscription, it was not valid separately for EDM
their possibility to contribute and how exactly they can unsubscribe from EDM.

2. On the question of whether the imposition of a data protection fine is justified, the Authority

made a decision based on statutory discretion, taking into account Infotv. Section 61 (1)
to paragraph a), Infotv. 75/A. 83 of the General Data Protection Regulation.
(2) and Article 58 (2) of the General Data Protection Regulation, which
based on this, the conviction in itself would not be a proportionate and dissuasive sanction, therefore
a fine must be imposed.

3. Regarding the necessity and amount of the fine, the Authority took into account that

Customer's net sales in 2021 .... was a billion forints. Based on this, a fine is possible
the maximum was …………… Ft.

4. When determining the amount of the data protection fine, the Authority as a mitigating circumstance
took into account the following:

   (i) The infringement …. was realized with regard to a thousand stakeholders, and also with the information
   related infringement was in itself minor. (general data protection regulation
   Article 83(2)(a)

   (ii) The breach was negligent. (Article 83 (2) of the General Data Protection Regulation
   point b) 16

   (iii) The Customer cooperated with the Authority during the procedure, acknowledged the violation and a
   during the present procedure, he rectified it for the future and held internal trainings. (general data protection
   Regulation Article 83 (2) point c)

   (iv) The Authority has not previously established any relevant data protection provisions against the Client

   infringement and did not order any measures. (General Data Protection Regulation Article 83 (2)
   paragraph e)

   (v) The violation only affected the email address data of the data subjects, other data or sensitive data
   data was not affected. (General Data Protection Regulation Article 83 (2) point g)

5. When determining the amount of the data protection fine, the Authority as an aggravating circumstance

took into account that the data management continued for a longer period of time. (general
Article 83 (2) point b) of the Data Protection Regulation

6. The imposition of fines serves both special and general prevention, since they are the opposite
in this case, the data controllers of the extremely widespread direct marketing type of data management could draw it
as a conclusion that such activity can be carried out even in the absence of a valid legal basis
without a significant disadvantage, with a profit. In accordance with the general prevention goal, the Authority a
publishes an anonymized version of this decision on the website of the Authority.

A. Other questions

1. Infotv. According to § 38, paragraph (2), the Authority is responsible for the protection of personal data,
and the right to access data of public interest and public interest
control and promotion of the validity of personal data in the European Union
facilitating its free flow within. Infotv. According to Section 38 (2a), the general

tasks and powers established for the supervisory authority in the data protection decree
general data protection for legal entities under the jurisdiction of Hungary
is exercised by the Authority as defined in the decree and this law. The Authority
its jurisdiction covers the entire territory of Hungary.

2. The Art. Based on § 112, subsections (1) and (2), § 114, subsection (1) and § 116, subsection (1)
the decision can be appealed through an administrative lawsuit.

                                              * * *

3. The rules of the administrative procedure are laid down in Act I of 2017 on the Administrative Procedure
hereinafter: Kp.) is defined. The Kp. Based on § 12, paragraph (1), by decision of the Authority
the administrative lawsuit against falls within the jurisdiction of the court, the lawsuit is referred to in the Kp. Section 13, paragraph (3).
Based on point a) subpoint aa), the Metropolitan Court is exclusively competent. The Kp. Section 27 (1)

according to paragraph 1, legal representation is mandatory in administrative proceedings before the tribunal. The Kp.
According to paragraph (6) of § 39, the submission of a claim is an administrative act
does not have the effect of postponing its entry into force.

4. The Kp. Paragraph (1) of Section 29 and, in view of this, CXXX of 2016 on the Code of Civil Procedure.
applicable according to § 604 of the Act, electronic administration and trust services
CCXXII of 2015 on its general rules. according to § 9 (1) point b) of the Act, the

the client's legal representative is obliged to maintain electronic contact. The submission of the statement of claim
time and place of Kp. It is defined by § 39, paragraph (1). Request to hold the hearing
information about the possibility of the Kp. It is based on paragraphs (1)-(2) of § 77. 17

5. The amount of the fee for the administrative lawsuit is determined by the XCIII of 1990 on fees. law
(hereinafter: Itv.) 45/A. Section (1) defines. From the advance payment of the fee
the Itv. Paragraph (1) of § 59 and point h) of § 62 (1) exempt the person initiating the procedure

6. If the Customer does not adequately certify the fulfillment of the prescribed obligations, the Authority
considers that the obligations have not been fulfilled within the deadline. The Akr. According to § 132, if
the Customer did not comply with the obligation contained in the Authority's final decision, that is
can be executed. The Authority's decision in Art. according to § 82, paragraph (1) with the communication
becomes permanent. The Akr. Pursuant to § 133, enforcement - if you are a law
government decree does not provide otherwise - it is ordered by the decision-making Authority. The Akr. 134.
pursuant to § the execution - if it is a law, government decree or municipal authority

the local government decree does not provide otherwise - the state tax authority
undertakes. Infotv. Based on § 61, paragraph (7), contained in the Authority's decision,
to carry out a specific act, to perform a specific behavior, to tolerate or
regarding the obligation to stop, the Authority will implement the decision

dated: Budapest, according to the electronic signature

                                                             Dr. Attila Péterfalvi
                                                              c. professor