NAIH (Hungary) - NAIH-7058-5/2022
Relevant Law: Article 6(1) GDPR; Article 7(2) GDPR; Article 7(4) GDPR; Article 12(1) GDPR
National Case Number/Name: NAIH-7058-5/2022
European Case Law Identifier: n/a
Original Source: NAIH (in HU)
Initial Contributor: Abel Kaszian
The Hungarian DPA fined a news service 2,000,000 HUF (approx. €5,080) for processing personal data without valid consent. Data subjects who signed up for the controller's newsletter were automatically signed up to electronic marketing and a prize draw without being sufficiently informed and without being able to give granular consent.
English Summary
Facts
The controller is a news service provider. Data subjects subscribed to its service to receive daily news and updates through a newsletter. It was not clarified whether this was a paid service. The controller relied on Article 6(1)(b) GDPR to process the data for the newsletter.
The controller also processed personal data for electronic direct marketing (eDM) and a prize draw. The eDM emails were sent to everyone who subscribed to the service. The prize draw was advertised by the controller between 24 February 2022 and 24 March 2022. The controller wanted to offer the prize draw's prize to all service subscribers. Therefore, all service users were entered into the prize draw, and there was no way for them to opt out of it.
On 24 June 2022, the DPA opened an ex officio investigation into the controller's services. According to the facts uncovered by the DPA, between 1 January 2021 and 17 May 2022, all subscribers who registered online for the news service were automatically subscribed to eDM. At the time of subscription, a single checkbox on the website was used both to accept the Terms of Service (TOS), a condition of the subscription, and to subscribe to eDM. In other words, it was not possible to subscribe to the service through the website without also subscribing to eDM. In its defense, the controller argued that the data processing could be legitimized on the basis of legitimate interests.
Holding
The DPA decided that the controller's conduct was in breach of the GDPR.
First, the DPA rejected the controller's argument that, in the absence of other suitable legal grounds, the processing may have been carried out on the legal basis of legitimate interest. The DPA emphasized that controllers are obliged to decide in advance on the legal basis for processing, to weigh the legitimate interest against the rights of the data subject pursuant to Article 6(1)(f) GDPR, to document this, and to inform the data subjects accordingly, including about the right to object. In the absence of this, an ex-post change of the legal basis would generally, as well as in the present case, constitute unfair processing for the data subjects, and the balancing of interests would not lead to a positive result for the controller. As a matter of principle, the DPA stated that it is not up to the data subject or the DPA to identify the appropriate legal basis before the processing starts. Rather, by virtue of the principle of privacy by design and by default, this is the sole responsibility of the controller.
Second, the DPA held that the controller did not sufficiently inform data subjects about their rights. It emphasized that, under Article 12(1) GDPR, a controller must provide the data subject with the necessary assistance to enable him or her to exercise all data subject rights in an informed manner. The information obligation is not a mere "paperwork" obligation, but is intended to enable the data subject to make an informed choice about the processing and to exercise his or her data subject rights. In order to be able to fully exercise their rights (such as the right to withdraw consent), data subjects need to know exactly when and under what conditions data processing based on their consent for the purpose of eDM will cease. Such information was not provided. The duration for which personal data would be processed for eDM was not sufficiently clear and unambiguous. Therefore, the DPA found the controller in breach of Article 12(1) GDPR.
Third, the DPA decided that the data processing was not validly based on consent, as the controller did not fulfil the conditions of Article 7 GDPR. Consent was not sufficiently informed, nor was it granular. Referring to the European Data Protection Board's Guidelines 5/2020, the DPA explained that any information that may be relevant to a typical data subject's decision must be provided. According to the DPA, this includes the duration of processing in the case of eDM. Data subjects typically subscribe to a large number of newsletters over the course of their lives, which are difficult for them to keep track of. Therefore, the DPA was of the opinion that the time at which e-mailing ceases in the case of eDM is important information for data subjects. Moreover, according to Article 7(2) and 7(4) GDPR, consent must be granular. To use consent as a legal basis, the controller must not bundle different, incompatible processing purposes. This was violated in the present case: consent would have had to be given separately for the subscription service, the eDM, and the prize draw. The investigation of the DPA showed that the controller had not complied with these criteria.
Consequently, the DPA found the data processing to be unlawful. The processing violated Article 7(2) GDPR, Article 7(4) GDPR and Article 6(1)(a) GDPR. The controller was fined 2,000,000 HUF (approx. €5,080). In determining the amount of the fine, the DPA took into account several mitigating circumstances, namely that the controller cooperated with the DPA during the proceedings, acknowledged the infringement and remedied it for the future in the course of the proceedings, conducted internal training, and that the infringement only concerned the data subjects' email address data and not any other data or sensitive data. An aggravating circumstance was that the data processing continued for an extended period of time.
Comment
On a weekly basis, the controller had sent eDM unlawfully to thousands of data subjects who had subscribed to its services. The fact that the data subjects were able to subsequently object to the eDM or to subsequently withdraw their consent in the online account linked to the service does not alter the invalidity of the consent.
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.