NAIH (Hungary) - NAIH-924-10/2021
|NAIH (Hungary) - NAIH-924-10/2021|
|Relevant Law:||Article 5(1)(d) GDPR|
Article 6(1) GDPR
Article 12 GDPR
Article 17(1)(d) GDPR
Article 25(2) GDPR
Article 58(2)(d) GDPR
|Parties:||Magyar Telekom Nyrt|
|National Case Number/Name:||NAIH-924-10/2021|
|European Case Law Identifier:||n/a|
|Original Source:||Decision Nr. NAIH-924-10/2021 (in HU)|
The Hungarian DPA fined a telecommunications company €28,000 (HUF 10,000,000) for sending unsolicited emails to a data subject, despite several requests that his email be deleted, and for making the process by which data subjects can unsubscribe to emails unnecessarily difficult.
English Summary[edit | edit source]
Facts[edit | edit source]
The complainant received unsolicited emails from the controller Magyar Telekom Plc., a hungarian telecommunications company. After the receipt of such emails, the complainant requested the controller to delete his email address several times.
The controller continued to send unsolicited messages and required the complainant to register on its webpage to unsubscribe from its newsletter. However, the complainant was unable to unsubscribe from the newsletter since the website asked for customer data, that the complainant (not a customer of the company) could not provide.
The controller argued that the availability of the contact data of the complainant was an individual mistake due to an unknown third party providing their email address. It was therefore not caused by any inadequate internal policies or processes.
Holding[edit | edit source]
The Hungarian DPA found that the controller had not confirmed the entitlement of the third party data provider to use the complainant's data. Moreover, it was the controllers decision to introduce unnecessary obstacles to unsubscribe from their newsletter. In this regard, the controller only deleted the email address after being informed about the DPA's investigation. The DPA hold, that the controller failed to implement measures to facilitate the exercise of data subject rights and fined them approximately €28,000 (10,000,000 HUF) for violating Articles 12(2), and 25(2) GDPR.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
Case number: NAIH-924-10 / 2021 Subject: Decision Former Case NAIH / 2020/8890 Clerk: DECISION Before the National Data Protection and Freedom of Information Authority (hereinafter: the Authority) ………………………… (address: ………………………; postal address: ……………………………………………) to the applicant (hereinafter: the Applicant) in 2020. On December 18, Magyar Telekom Plc. (registered office: 1097 Budapest, Könyves Kálmán körút 36.) unlawful processing of personal data against the applicant (hereinafter: the Requested) a data protection authority procedure was initiated on the basis of his request. The Authority is the Data Protection Authority take the following decisions in official proceedings: 1. The Authority shall request the Applicant to provide the Applicant with the Applicant's email address order it to be canceled because it has become impossible to rejects. 2. The Authority shall establish of its own motion that the Applicant has infringed the Applicant with regard to the processing of personal data by natural persons protection and the free movement of such data and repealing Directive 95/46 / EC Article 5 of Regulation (EU) 2016/679 (hereinafter referred to as the General Data Protection Regulation) Article 6 (1) (d), Article 6 (1), Article 12 (2), (3) and (4), Article 17 (1) and violates the general practice of the Applicant in relation to the above data processing Articles 12 (2) and 25 (2) of the General Data Protection Regulation. 3. The Authority shall issue ex officio pursuant to Article 58 (2) (d) of the General Data Protection Regulation instructs the Applicant to change its data management practices so as to remove customer status regardless of the rights of the data subject, no additional surplus should be required by default a condition which is not necessary to assess the admissibility of the application, unlawfully restricted the possibility for the data subject to exercise his or her rights, in particular contact email addresses. 4. The Authority shall examine the applicant of its own motion HUF 10,000,000, ie HUF ten million data protection fine obliges to pay. Fulfillment of the obligation provided for in Clause 3 from the date on which the Debtor becomes final of this decision must be submitted in writing within 30 days of the to the Authority. The fine referred to in point 4 shall be imposed within 30 days of the date on which this Decision becomes final Authority's centralized revenue collection target forint account (10032000-01040425- 00000000 Centralized direct debit account IBAN: HU83 1003 2000 0104 0425 0000 0000) must be paid. When transferring the amount, "NAIH-924/2021 JUDGMENT." should be referred to. 2 If the Debtor fails to meet its obligation to pay the fine within the time limit, a penalty for late payment obliged to pay. The amount of the late payment allowance is the statutory interest affected by the delay equal to the central bank base rate valid on the first day of the calendar half-year. Failure to pay the fine and the penalty payment or the obligation under point 3 above shall not the Authority shall order the enforcement of the decision. There is no administrative remedy against this decision, but it is from notification within 30 days of the application to the Metropolitan Court in an administrative lawsuit can be challenged. The application must be submitted to the Authority, electronically, which is the case forward it to the court together with its documents. A hearing may be requested in the application. The entire for those who do not receive personal tax exemption, the fee for the administrative lawsuit is HUF 30,000, a subject to the right to record material duty. Legal representation in proceedings before the Metropolitan Court obligatory. Act CXII of 2011 on the right to information self-determination and freedom of information. Act (a hereinafter: the Information Act) pursuant to Section 61 (2) (c) of the Information Act, the Authority It publishes the applicant's identification data anonymised on the Authority's website. EXPLANATORY STATEMENT I. Establishment of the facts and procedure I.1. Facts On 18 December 2020, the Applicant submitted an application to the Authority, in which it that he received an unsolicited e-mail from the Applicant on 13 November 2020 ……………………… email account because it is presumably a third party entered it incorrectly ………………………… address (which is considered identical by the gmail service to all characters before the @ sign version separated by point). For this reason, Applicant on November 13, 2020 is has sent a request for the email address ………………………… .. to the email address email@example.com to delete the email address owned by him, indicating that he is not the Customer of the Requested. Because he received unsolicited emails again on November 17, 2020 and November 24, 2020 from the Applicant, and the Applicant on 20 November 2020 in response to a template login The requesting newsletter sent an unsubscribe link to the Applicant, therefore the Applicant 's request was sent in 2020. reiterated on 24 November, asking for confirmation of the deletion, again indicating that you do not want to unsubscribe from the newsletter, but the Applicant requests the complete deletion of the email address on behalf of. Subsequently, on 8 December 2020, the Applicant again received an unsolicited e-mail from the An application that again asked you to delete your email address on December 11, 2020. For this, the former received a repeat reply from the newsletter about unsubscribing. THE ………………………………… In its reply to Information No. No. Applicant indicated that the unsubscribe reference redirects you to a login page where, as a customer, you cannot proceed. The Requested the customer service response of 12 December 2020 again recommended unsubscribing as a solution claiming that it is not necessary to log in to the link in the unsolicited email when using. Following the submission of the application, on 15 January 2021, the Applicant again received an unsolicited newsletter a From the applicant. The Authority will use the following email unsubscribe links sent by the Applicant 3 examined and they are not logged out but logged in (https://www.telekom.hu/telekomfiok/belepes?0&successUrl=/telekomfiok/telekom-profil) redirected. I.2. Procedure In its application submitted to the Authority on 18 December 2020, the Applicant is a data protection authority initiating the procedure and requesting that the Applicant be ordered to delete the above e-mail address. The Authority asked the following questions to clarify the facts: (i) For what reason did the Applicant fail to comply on 13 November 2020, 24 November 2020, and Stakeholder Lawsuit filed on December 11, 2020, for deletion of email address requests? (ii) Consideration of the above application submitted on 11 December 2020 to which organizational unit belongs to? Support your answer with regulations! (iii) On what basis is it proposed to unsubscribe instead of cancel, the cancellation and unsubscribe how do you differentiate it in practice? Support your answer with regulations! (iv) For what reason does the unsubscribe link in the emails sent to the Applicant not work, why are you redirecting you to a login page? (v) In which databases and which organizational and logical is the e-mail address of the Applicant to be deleted methods to ensure that in the event of a cancellation request, the email address will be deleted from each of them including gmail.com domains or similar addresses are they just a point in the position or absence of different variations? Support your answer with regulations! (vi) In the course of a data protection authority proceeding, the Authority will find an infringement may impose a data protection fine ex officio, therefore present all relevant facts and a circumstance which may be relevant in the possible imposition of a fine, inter alia the value of its total annual worldwide turnover according to its most recently published accounts supported! At the request of the Authority, the Applicant received the letter received on 19 February 2021 as follows made statements: (i) The address ……………………… .. was entered incorrectly by one of their clients in their own electronic as your contact address. For this reason, newsletters sent to this email address do not have such unsubscriptions provided a link that can be used by anyone, but an unsubscribe link to the account will be taken to the unsubscribe interface within the account after mandatory login, so only can be used by the subscriber to unsubscribe. (ii) Within customer service, a special matters group deals with general privacy applications under this Regulation. (iii) Their administrative colleague did not recognize that in the present case it was not one of their clients it is necessary to provide technical assistance as the email address is the same as a customer email therefore did not forward the Applicant's requests to the Special Cases Group. (iv) The Special Affairs Group is aware of the operation of the Gmail Service detailed above the peculiarity of which az. and that ……………………………. email addresses belong to the same account and respond to the requests of the data subject accordingly. (v) The erasure requested by the Applicant was carried out after the request of the Authority. 4 (vi) According to the applicant, neither the misrepresentation of the third party customer nor the The specifics of the Gmail mail system are not the responsibility of the Applicant, so they are not may be assessed at the expense of the Applicant. (vii) Applicant supplemented the Internal Administrator's Manual to be even larger emphasis on the proper handling of cancellation and other data protection requests; and examine the possibility of further steps. (viii) In the opinion of the Applicant, the inconvenience experienced by the Applicant is a rooted in third-party customer misrepresentation and the Gmail mail system which the Applicant has no influence over and is not aware of problem would affect another person and the Applicant would not have any financial or legal disadvantages for him. CL of the Authority on General Administrative Procedure 2016. Act (hereinafter: Act) 76. The Applicant requested access to the file, of which the Authority separately order. Furthermore, the Applicant stated that on 18 January 2021 and 2021. received further emails from the Applicant on 19 January, not thereafter. The Authority Pursuant to Section 76, on 25 March 2021, he invited the Applicant to submit comments and may make a statement in connection with the present proceedings and ex officio in the present proceedings to be taken into account NAIH / 2018/4939 / V, NAIH / 2019/192, NAIH / 2019/5205, NAIH / 2020/4999, Cases NAIH / 2020/6469. The Authority Ákr. Upon request pursuant to Section 76, the Applicant shall history detailed in point In those cases, it stated that they made a significant difference to the present case compared to the fact that the circle of stakeholders is different, the recording of incorrect contact details can be due to other reasons and various stakeholder rights have been enforced in the cases. According to his statement in isolated, individual cases, an error occurred that the complainants did not know about enforce their needs. The Applicant will also take the individual into account when modifying its internal book (Magic Book) experience, and the curriculum for customer service places a special emphasis on the stakeholder exercise their rights. In cases of similarity, individual clerical errors are to be followed was a deviation from the procedure for unauthorized data processing and the requests of the data subject did not led to the proper settlement. According to the requested opinion in case NAIH / 2020/4999 official statement that “Based on the available information, it is not appropriate the lack of technical, organizational measures allowed for prior procedures for consent unauthorized modification of the data. " by managing the contributions of non-customer (non-subscriber) stakeholders they can also be traced back to a non-systemic error. Regarding the requirement to unsubscribe from Telekom branch registration, the Applicant stated that that this is necessary because in some cases a contact may be linked to more than one person, thus, the identification of the appropriate subscription is not possible with the data alone, it needs to be determined also the identity of the subscriber. According to the Applicant's statement, to eliminate and correct individual errors it constantly takes steps that it recognizes the need for. II. Background cases which may be relevant to the subject - matter of the present case ('the case - law') cases) 5 II.1. NAIH / 2018/4939 / V In investigation case NAIH / 2018/4939 / V, the complainant complained that the a third party customer erroneously provided the complainant 's mobile phone number as contact information Entered into a contract with the Applicant, and the Applicant therefore sent it to the complainant several times text messages and unidentified calls made under a third party contract connection. Despite the complainant 's request, the Applicant did not delete this contact details and did not restrict its use. The Claimant relied on an individual clerical error as well as that stated that he had once again drawn the attention of his administrators to the proper handling of the requests concerned, improve its procedure. As the Applicant provided the contact details of the Authority's fact-finding letter canceled upon receipt, it was not necessary to initiate official data protection proceedings, so the Authority closed the investigation and found that the request for cancellation had not been made earlier the Applicant has infringed Article 12 (2) to (4) of the General Data Protection Regulation and Article 17 (1) (d). II.2. NAIH / 2019/192 In investigation case NAIH / 2019/192, the complainant erred in concluding his contract online recorded the complainant's statement concerning the marketing inquiries. The Requested clerk erroneously informed the complainant that a signed statement was required for marketing consent to change the terms of the email address for marketing purposes cessation of treatment, which was excessive for the complainant, and in its absence refused the complainant's request that his email address not be used for marketing purposes. The Authority does not investigate the sending of unsolicited messages, the National Media and Communications Authority authority, the Authority shall comply with the email address data management legislation and the general examined the enforcement of data subjects' rights under the Data Protection Regulation. As the Requested he stated (in retrospect not actually) that the marketing request for consent consent setting canceled by the Authority upon receipt of a letter clarifying the facts, data protection authority proceedings According to the information available, it was not necessary to initiate the procedure terminated the investigation and found that, by failing to comply with the previous request, the Applicant has infringed Article 5 (1) (d) of the General Data Protection Regulation appropriate information in accordance with Article 13 of the General Data Protection Regulation unjustified marketing for data purposes due to general data protection Article 6 of the General Data Protection Regulation and that Articles 12 (2) and 24 of the General Data Protection Regulation Pursuant to Article 1 (1), the controller is responsible for the adequacy of the data processing that the controller provides under Article 5 (2) of the General Data Protection Regulation. THE Applicant also informed the Authority that its systems were similar to the above made changes from May 2018 to eliminate administrative errors. II.3. NAIH / 2019/5205 (NAIH / 2020/2679) The investigation case NAIH / 2019/5205 was initiated because II.2. in the case detailed in point Despite the statement made by the Applicant, the Applicant again sent a marketing email to the II.2. complainant under point email address, and the complainant found in his settings that the marketing consent was in place marked, although the complainant did not change it. According to the Applicant's statement, the cause of the error is not could not be saved in the previous case, probably due to an individual clerk error indicated change in marketing settings. For this reason, the Applicant repeatedly took the a marketing email address management and this can be done from your system at the request of the Authority verified by screenshots. As the Applicant for the violation of the Authority, the facts are clarified upon receipt of the letter, the data protection authority did not initiate proceedings 6 necessary, the Authority terminated the investigation and found that it was Applicant repeatedly infringed Article 5 (1) (d) of the General Data Protection Regulation appropriate information in accordance with Article 13 of the General Data Protection Regulation unjustified marketing for data purposes due to general data protection Article 6 of the General Data Protection Regulation and that Articles 12 (2) and 24 of the General Data Protection Regulation Pursuant to Article 1 (1), the controller is responsible for the adequacy of the data processing that the controller provides under Article 5 (2) of the General Data Protection Regulation. II.4. NAIH / 2020/4999 II.2 above. and II.3. In cases NAIH / 2020/4999, the Authority initiated an official inspection of the Application for direct business acquisition contributions in general the adequacy of its practice, in particular Article 32 of the General Data Protection Regulation to verify compliance with the requirements of The case did not raise any related issues fact or circumstance that it is related to the direct acquisition of business at the Applicant there would be a lack of action on the management of contributions. Available based on the information, the lack of appropriate technical and organizational measures did not allow the unwanted changes to consent data in prior proceedings. II.5. NAIH / 2020/1773 In consultation case NAIH / 2020/1773, Article 57 of the General Data Protection Regulation is concerned Pursuant to paragraph 1 (e), it requested the Authority to inform it of its rights may be exercised if the Applicant treats his e-mail address as if they were a customer, unsolicited receives messages from the Applicant referring to contracts which he has not concluded, and you cannot unsubscribe from these emails. The Authority informed the data subject of the general data protection Article 17 of the General Data Protection Regulation and Article 12 (3) to (4) of the General Data Protection Regulation. obligations under paragraph 1. III. Applicable legal provisions Pursuant to Article 2 (1) of the General Data Protection Regulation, the General Data Protection Regulation shall apply to the processing of personal data in a partially or fully automated manner, and the non - automated processing of personal data which: are part of a registration system or are part of a registration system they want to do. The Infotv. Section 2 (2) according to the general data protection regulation in the provisions indicated therein shall apply with additions. Infotv. Pursuant to Section 60 (1), the enforcement of the right to the protection of personal data To that end, the Authority shall, at the request of the data subject, initiate a data protection authority procedure and may initiate ex officio data protection proceedings. Infotv. Pursuant to Section 71 (2), the Authority has lawfully obtained a document in the course of its proceedings, data or other means of proof in another procedure. 7 Unless otherwise provided in the General Data Protection Regulation, data protection was initiated upon request for official proceedings under Ákr. shall apply with the exceptions specified in the Infotv. The Acre. Pursuant to § 36, the application is a written or personal statement of the client requesting an official procedure or a decision of the authority on his right or legitimate interest in order to validate. Infotv. Pursuant to Section 60 (2), the application for the initiation of data protection official proceedings is Article 77 (1) for data processing covered by the General Data Protection Regulation may be submitted in a specific case. Pursuant to Article 77 (1) of the General Data Protection Regulation, all data subjects have the right to: lodge a complaint with a supervisory authority if it considers that it is relevant to it the processing of personal data violates the general data protection regulation. According to Article 5 (1) (d) of the General Data Protection Regulation they must be accurate and, where necessary, kept up to date; all reasonable measures must be taken to ensure that personal data are inaccurate for the purposes of data processing deleted or corrected immediately ("accuracy"). Pursuant to Article 6 (1) of the General Data Protection Regulation, the processing of personal data lawful only if and to the extent that at least one of the following is met: (a) the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes treatment; (b) processing is necessary for the performance of a contract to which one of the parties is a party, or to take action at the request of the data subject prior to the conclusion of the contract required; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) the processing is in the vital interests of the data subject or of another natural person necessary for its protection; (e) the processing is in the public interest or a public authority conferred on the controller necessary for the performance of the task carried out in the exercise of (f) processing for the legitimate interests of the controller or of a third party necessary, unless the interests of the data subject take precedence over those interests or fundamental rights and freedoms which require the protection of personal data, especially if the child is affected. Point (f) of the first subparagraph shall not apply to the performance of their tasks by public authorities data management. According to Article 12 (2) of the General Data Protection Regulation, the controller shall assist the data subject 15–22. exercise of their rights under this Article. According to Article 12 (3) of the General Data Protection Regulation, the controller is unjustified without delay, but in any case within one month of receipt of the request inform the data subject in accordance with Articles 15 to 22. on the action taken in response to a request under Article. Need In view of the complexity of the application and the number of applications, this time limit shall be extended by two further periods may be extended by one month. The extension of the deadline by the data controller shall be the reasons for the delay within one month of receipt of the request. If the data subject has submitted the application electronically, the information shall be provided, if possible, electronically unless otherwise requested by the data subject. 8 According to Article 12 (3) of the General Data Protection Regulation, if the controller does not do so measures at the request of the data subject, without delay, but at the latest at the time of the request inform the data subject of the non-action within one month of receipt and that the person concerned may lodge a complaint with a supervisory authority and may reside with the right to judicial redress. Pursuant to Article 17 (1) (d) of the General Data Protection Regulation, the data subject is entitled to that, at the request of the controller, delete the personal data relating to him without undue delay data, and the controller is obliged to provide personal data concerning the data subject delete without undue delay if personal data have been processed unlawfully. According to Article 25 (2) of the General Data Protection Regulation, the controller is the appropriate technical and implements organizational measures to ensure that, by default, only the processing of personal data for a specific data processing purpose necessary for the This obligation applies to personal information collected the extent of their handling, the duration of their storage and their availability. These are measures in particular need to ensure that personal data is provided by default they cannot be accessed indefinitely without the intervention of a natural person for number of persons. According to Article 57 (1) (a) of the General Data Protection Regulation, the general data protection without prejudice to the other tasks set out in this Regulation, the supervisory authority in its territory monitors and enforces the application of the General Data Protection Regulation. Pursuant to Article 58 (2) of the General Data Protection Regulation, the supervisory authority is corrective acting within its competence: (a) warn the controller or processor that certain data processing operations are planned its activities are likely to infringe the provisions of this Regulation; (b) condemn the controller or the processor if his or her data processing activities has infringed the provisions of this Regulation; (c) instruct the controller or the processor to comply with this Regulation exercise its rights under this Regulation; (d) instruct the controller or processor to carry out its data processing operations, where applicable in a specified manner and within a specified period, in accordance with this Regulation with its provisions; (e) instruct the controller to inform the data subject of the data protection incident; (f) temporarily or permanently restrict the processing, including the prohibition of the processing is; (g) order personal data in accordance with Articles 16, 17 and 18 respectively rectification or erasure of data or restrictions on data processing, and in accordance with Article 17 (2). order notification to the addressees in accordance with with whom or with whom the personal data have been communicated; (h) withdraw the certificate or instruct the certification body in accordance with Articles 42 and 43 revoke a duly issued certificate or instruct the certification body not to issue the certificate if the conditions for certification are not or are no longer met; (i) impose an administrative fine in accordance with Article 83, depending on the circumstances of the case in addition to or instead of the measures referred to in this paragraph; and 9 (j) order the flow of data to a recipient in a third country or to an international organization suspension. According to Article 83 (1) of the General Data Protection Regulation, all supervisory authorities ensure that it is referred to in Article 83 (4), (5) and (6) of the General Data Protection Regulation The administrative fines imposed for non-compliance shall be effective and proportionate in each case and be dissuasive. According to Article 83 (2) of the General Data Protection Regulation, administrative fines are granted Article 58 (2) (a) to (h) and (b) of the General Data Protection Regulation, depending on the circumstances of the case shall be imposed in addition to or instead of the measures referred to in point (j). When deciding that whether it is necessary to impose an administrative fine or the amount of the administrative fine In each case, due account shall be taken of the following: (a) the nature, gravity and duration of the breach, taking into account the processing in question the nature, scope or purpose of the infringement and the number of persons affected by the infringement; the extent of the damage they have suffered; (b) the intentional or negligent nature of the infringement; (c) the mitigation of damage suffered by the data subject by the controller or the processor any measures taken to (d) the extent of the responsibility of the controller or processor, taking into account the technical and organizational measures taken pursuant to Articles 25 and 32 of the General Data Protection Regulation measures; (e) relevant infringements previously committed by the controller or processor; (f) the supervisory authority to remedy the breach and the possible negative effects of the breach the extent of cooperation to alleviate (g) the categories of personal data affected by the breach; (h) the manner in which the supervisory authority became aware of the infringement, in particular whether the controller or processor has reported the breach and, if so, what in detail; (i) if previously against the controller or processor concerned, in the same referred to in Article 58 (2) of the General Data Protection Regulation compliance with one of those measures; (j) whether the controller or processor has complied with the general data protection rules approved codes of conduct pursuant to Article 40 of this Regulation or general data protection approved certification mechanisms in accordance with Article 42 of this Regulation; and (k) other aggravating or mitigating factors relevant to the circumstances of the case, such as: financial gain gained or avoided as a direct or indirect consequence of the infringement loss. Pursuant to Article 83 (5) of the General Data Protection Regulation, the following provisions an administrative fine of up to EUR 20 000 000 in accordance with paragraph 2 fines or, in the case of undertakings, the total annual worldwide turnover of the preceding financial year shall not be more than 4%, with the higher of the two amounts to impose: (a) the principles of data processing, including the conditions for consent, are set out in the General Data Protection Regulation In accordance with Articles 5, 6, 7 and 9; 10 (b) the rights of data subjects under Articles 12 to 22 of the General Data Protection Regulation. in accordance with Article (c) the transfer of personal data to a recipient in a third country or to an international organization Articles 44 to 49 of the General Data Protection Regulation. in accordance with Article (d) Article IX of the General Data Protection Regulation. in accordance with the law of the Member States adopted pursuant to this Chapter liabilities; (e) the supervisory authority in accordance with Article 58 (2) of the General Data Protection Regulation temporary or permanent restriction of data processing or the flow of data non-compliance with the request for suspension or general data protection failure to provide access in breach of Article 58 (1) of Regulation Infotv. Pursuant to Article 75 / A, the Authority is required to comply with Article 83 (2) to (6) of the General Data Protection Regulation. exercise the powers set out in paragraph 1 in accordance with the principle of proportionality, in particular: by the law on the processing of personal data or by the European Union in the event of a first breach of the rules laid down in a mandatory act of the in accordance with Article 58 of the General Data Protection Regulation it takes action by alerting the controller or processor. The Basic Law of Hungary VI. According to Article 3 (3), everyone has the right to personal data and the knowledge and dissemination of data of public interest. According to Article 8 (1) of the Charter of Fundamental Rights of the European Union, everyone has the right to benefit from it protection of personal data relating to ARC. Decision of the Authority IV.1. Assessment of an individual infringement The Applicant was canceled by the Applicant upon receipt of the Authority's fact-finding order email address data from its database, therefore fulfilling the request for a cancellation order it became impossible. The Applicant did not have a provision under Article 6 (1) of the General Data Protection Regulation none of the legal bases in connection with the Applicant’s email address and becoming aware of it - despite the Applicant's repeated express indication - did not comply with the general data protection obligation under Article 5 (1) (d) of the Regulation is undoubtedly incorrect expected the cancellation from the Applicant, who, moreover, for reasons falling within the for some reason he was not even able to. The email address holder is easily identifiable as it appears in the correspondence as the sender, so there was no circumstance which is the request of the person concerned would have justified not correcting the error. The Applicant did not respond to the request of the Applicant concerned, the non-client is concerned reference to an unsubscribe reference which cannot be used by the Commission - repeated several times without change Article 12 (3) and (4) of the General Data Protection Regulation or a duly substantiated rejection. Pursuant to Article 17 (1) (d) of the General Data Protection Regulation, the Applicant became obliged would have deleted the contact details immediately at the request of the Applicant, but this has been repeatedly requested nevertheless did not do so and only complied with the Applicant’s request for cancellation when the Authority became aware of the present proceedings, without which the cancellation would not have taken place. 11 In view of the above, the Authority decided on the individual application for cancellation in accordance with the operative part of its own motion Article 5 (1) (d), Article 6 (1), Article 12 (2), (3) and (4) of that Regulation, and a violation of Article 17 (1) (d) in respect of the Applicant. IV.2. The role of general practice in relation to an individual infringement (i) The Applicant's policy regarding the exercise of data subject's rights is contact information respect Article 57 (1) (a) and Article 58 (2) (b) of the General Data Protection Regulation and d), Article 83 (1), (2) and (5), and Infotv. 75 / A of the Authority examined of its own motion in the course of the proceedings the Applicant's general practice affecting the present case part. The Authority has issued the Infotv. Pursuant to Section 71 (2) in any other proceedings may use the resulting document in other proceedings. According to the revealed facts, the Applicant is recording the contact details (telephone number, email address) does not in any way control the right to control the given contact details, or if the contact data, which is considered personal data, is not provided by the person entitled to it, no asks for any proof that you are the owner of the contact details (phone number, email) contributed. The existence of a legal basis under Article 6 (1) of the General Data Protection Regulation is the responsibility of the controller at all stages of data management. For example, entering a one-time code request, which is sent by SMS or email to the given phone number or email address, is can prevent a case similar to all Applicants, and this is the case for a large communications provider in no way a disproportionate obligation. The Applicant is considered a data controller and is obliged to comply with the general data protection regulation this obligation may not be partially transferred by certain administrators and their individual faults or other third parties who have personal data sources. The controller may only process personal data whose source is lawful, if so he is not convinced in any reasonable way, he cannot be released from liability. The Applicant's procedure did not facilitate the exercise of the rights of the Applicant concerned, it is unnecessary for him - and, if applicable, impossible - condition, login to a third party Telekom account in the present case several times from the Applicant. General practice of the Applicant, that in messages sent to the email address assigned to the Telekom account, the unsubscribe link is a takes you to a login page, direct unsubscription is not possible. (ii) Similarities of the present case with prior cases Some parts of the present case and the background cases highlighted by the Applicant are different, however, the identity exists in the relevant details below which are relevant to the present case. The common practice of the Applicant in the present case and in individual antecedent cases is to have a newsletter you do not ask for any proof of the correctness of the given telephone number or e-mail address when signing up, thus, either due to the fault of the third party customer or the Applicant, there may be a wrong contact record data. Following the erroneous recording, there was no correction or deletion of the erroneous data in the individual antecedent cases possible by the data subject who is the owner of the telephone number or email address. In the present case, too, 12 data protection authority proceedings were initiated because the Applicant was unable to delete the email address himself because a condition - login to the Telekom branch - was required by the Applicant, which was impossible to comply with and, despite repeated requests, prior to the Authority 's proceedings, the Applicant did not remedy it. The combination of circumstances detailed above has led to the applicant - and the NAIH / 2018/4939 / V, NAIH / 2019/192, and NAIH / 2019/5205, NAIH / 2020/1773, your rights under the General Data Protection Regulation have been violated. (iii) Consideration of relevant statements made by the Applicant on the above issue Contrary to the statements made during the Requested Procedure, it is detailed in the above paragraphs circumstances do not constitute an unavoidable cause beyond the control of the Applicant, they are a Applicant could have effectively and effectively affected both the data collection and the erasure procedure. In the Authority's view, contrary to the Applicant's allegations, the Applicant's infringement the direct reason was not that a third party misrepresented the Applicant’s contact details to the Applicant, and not a feature of the Gmail system - of which knowledge of the applicant was expressly acknowledged by the Applicant in the present case by letter received on 19 February 2021. Nevertheless, the Applicant 's good practice could have ensured that the Applicant - and the the rights of those involved in background cases. Confirmation and, if not, automatic deletion of the contact details at the time of data collection internationally accepted practice and of a similar type and size to the Applicant telecommunications provider. Applicant's argument that deleting contact information without logging in is specific using contact information does not allow because some contact information for multiple accounts are also incorrect. On the one hand, if several subscribers have data (for example, email address, contact phone number) and is not entitled to dispose of that contact information subscriber requests cancellation, he shall, as a general rule, in the absence of a specifically named subscriber, it is necessary to delete from all accounts, especially if the reason is explicitly that the data is above the data subject did not consent to the use of the data. In addition, for example, if places a unsubscribe link in a newsletter and multiple accounts sent on behalf of an email address, you can place multiple unsubscribe links, which are only the email address will be deleted for each account (although if, as in the present case, it is unauthorized person provided the contact address, this is not relevant either). From the above, it is clear that there is technically no obstacle to resolving them incorrectly without logging in provided contact data cancellations at the request of the data subjects, and therefore at the sole discretion of the Applicant was a restriction based on that in both the present case and the individual antecedent cases led to unnecessary and unlawful processing of personal data. The official decision in case NAIH / 2020/4999 referred to by the Applicant III. point the last paragraph expressly stated that “This official inspection shall be limited to the Client’s its practice in managing direct acquisition contributions legal compliance, a bottleneck in data management and is not considered approval and audit of the Client's general data management practices beyond the above, or certification of conformity. ". The general enforcement of the rights of data subjects shall be carried out by the Authority a In case NAIH / 2020/4999, it was not examined, it was not established, it is the subject of the proceedings specifically the data management compliance of the database managing the contributions was in that whether an unauthorized person could have altered the consent without notice. Accordingly, the applicant 's 13 the data processing detailed in this decision, which is the subject of an ex officio part of the present proceedings in Case NAIH / 2020/4999 they do not affect the findings of the present case. The Authority also does not share the Applicant 's view that the Applicant - and similar cases the persons concerned - do not suffer any pecuniary or legal damage. The general The Data Protection Regulation protects the right to the protection of personal data, which is Basic Law VI. Article 8 (3) of the Charter of Fundamental Rights of the European Union constitutes a fundamental constitutional right. In the relevant legislation - such as General Data Protection Regulation III. for the protection of fundamental rights unnecessarily restricting the rights of those affected, making it impossible with administrative barriers causes damage to fundamental rights even without direct financial loss. Other than the data recording of the Requested and the practical feasibility of the exercise of the rights concerned statements as well as the Applicant’s internal tutorials not addressing the above issues several amendments have not substantially affected the practice examined by the Authority above, thus, the Authority could not take them into account in the interest of the Applicant. (iv) Illegality of the Applicant's investigated practice Pursuant to Article 12 (2) of the General Data Protection Regulation, the Applicant has the rights of the data subject on the other hand, both the recording of contact details and the the procedure for requesting a repair or cancellation by a person outside the customer in the Applicant's practice carries with it, in principle and in practice, the possibility of infringing the rights of the data subject, which has been proven in a number of antecedents. The Authority shall as detailed in section 1 has repeatedly established the general data protection Infringement of Article 12 of the Regulation by the Applicant in relation to contact details due to non-compliance with the exercise of rights. The problem with the Application has been raised several times, as explained above occurred at the Applicant and did not cease despite the Applicant's repeated previous statements as evidenced by antecedent cases and the present case. In addition, the Applicant is not the antecedent either nor in the present proceedings has it been justified to change its practice in accordance with Article IV: 2. would be an effective solution to the problems identified in For this reason, the general can be established also infringe Article 25 (2) of the Data Protection Regulation, as the Applicant is solely his own defined its organizational procedures as organizational solutions employed that they involve a real risk of infringement for the data subject, either by the Applicant or by the in the event of a loss of data by a third party, and in several cases there has been a real infringement. In view of the above, the Authority considers, in accordance with the operative part, that Article 58 (2) of the General Data Protection Regulation pursuant to paragraph (b) of this paragraph, found that by enforcing the rights of the Applicant concerned infringes Article 12 (2) of the General Data Protection Regulation and Article 25 (2) and Article 58 (2) (d) of the General Data Protection Regulation instructed to bring the infringing practice into line with the General Data Protection Regulation. IV.3. The data protection fine The Authority is the other measure under Article 83 (2) of the General Data Protection Regulation may impose a data protection fine instead or in addition. The Authority is governed by the case law accordingly, Article 83 (2) 14 of the General Data Protection Regulation applies to the imposition of fines in such a case The decision shall set out the merits of the aspects listed in paragraph justification. The Applicant handles a huge amount of personal data, millions of affected customers and - as in the present case and in Annex II. The cases detailed in point 1 also show an indeterminate number non-customer handles relevant personal data, aggregate annual revenue for 2020 accounts according to which it was HUF 524,131,000,000, ie five hundred and twenty-four billion to one hundred and thirty-one million forints In 2020. In addition, the Applicant's breach of the General Data Protection Regulation is not the first established by the Authority on several occasions, not once on a substantially related issue. THE Applicant has repeatedly indicated that he will take steps to avoid similar cases in the future, however, non-customer stakeholders are still not provided easily and unnecessarily without administration, under the minimum conditions necessary for data security right of cancellation. It has long been used, repeatedly causing problems and unreasonable solutions to it in some cases, only the customer knows the contact information provided incorrectly by the customers rectified if the data subject requests the deletion just through the contact details complained of, and the decision rests with clerks who misjudge such obvious cases. Neither the contact information immediately after the grant of the application does not provide an effective means for the Applicant to stakeholders to deal with the deletion (e.g. with a link that can be used by anyone, etc.). All this confirms that the protection of personal data, which is the responsibility of the Authority, cannot be achieved without imposing a data protection fine. Infotv. None of the mitigating circumstances under § 75 / A exists, whereas the Applicant is not an SME and is not the first to infringe the General Data Protection Regulation. THE the imposition of fines serves both special and general prevention, for which the decision will also be published on the website of the Authority, the identification data of the Applicant anonymization. In determining the amount of the data protection fine, the Authority took it as an attenuating circumstance taking into account that (a) the applicant has, at the request of the Authority, deleted the Applicant has unlawfully processed personal data, (b) the root of the problem was the misrepresentation of a third party (however, the acquisition of knowledge following an effective solution to the problem would have been the Applicant's obligation in general under Article 25 of the Data Protection Regulation, failure to do so requires a fine due to incorrect data alone), (c) the nature and gravity of the breach are moderately significant in the individual case (the General Data Protection Directive) infringements other than Article 25 of that Regulation), (d) the duration of the infringement was not significant in the individual case, (e) the personal data affected by the breach were contact details only, not sensitive data, (f) the internal rules were designed to commit an unintentional data breach. In setting the level of the data protection fine, the Authority took it as an aggravating circumstance taking into account that (a) the internal procedural problem giving rise to the infringement has persisted for a long time and the breach of the obligation under Article 25 of that Regulation, (b) the applicant's commitments in previous similar cases and the Authority's previous findings despite eliminating the actual solution to date, no solution has been developed attempts at the merits of the problem, the right of cancellation is easy and without unnecessary administration the issue of the exercise of the right has not been addressed, in particular in view of the legitimate need of those concerned to: to make account registration and other unnecessary administration without the actual data disposition be able to act by presenting the right, (c) based on the extent and market position of the Requested 's data processing, It is up to the applicant not to depend on the individual and unsupervised decision of each clerk the exercise of rights, especially if the technical subject is much simpler for the data subject a solution can also ensure the erasure of incorrectly entered data, (d) the online financial statements are also available according to the 2020 Requested Entity It had an annual income of HUF 524,131,000,000, ie five hundred and twenty-four billion to one hundred and thirty-one million forints, thus, a very small fine would have no punitive or deterrent effect. Based on the above, according to the operative part, the maximum amount that can be imposed by the Authority is approx. four ten thousand (0.04%) of the case considered the imposition of a data protection fine proportionate and dissuasive in relation to the Applicant. V. Other issues Infotv. Pursuant to Section 38 (2), the Authority is responsible for the protection of personal data, and the exercise of the right of access to data in the public interest and in the public interest free movement of personal data within the European Union promoting. Infotv. Pursuant to Section 38 (2a) of the General Data Protection Decree a the tasks and powers established for the supervisory authority under the jurisdiction of Hungary in the General Data Protection Regulation and in this Act exercised by the Authority as defined in The competence of the Authority is the whole of Hungary covers its territory. The Acre. Pursuant to Section 112 (1), Section 114 (1) and Section 116 (1) by decision there is a right of appeal against an administrative action. * * * The rules of administrative litigation are laid down in Act I of 2017 on the Procedure of Administrative Litigation (a hereinafter: Kp.). A Kp. Pursuant to Section 12 (1) by decision of the Authority The administrative lawsuit against the court falls within the jurisdiction of the court. Section 13 (3) a) The General Court has exclusive jurisdiction under subparagraph (aa) of A Kp. Pursuant to Section 27 (1), legal representation in administrative proceedings before the General Court obligatory. A Kp. Pursuant to Section 39 (6), the filing of an application is administrative has no suspensive effect on the entry into force of the act. A Kp. Section 29 (1) and with this regard Act CXXX of 2016 on the Code of Civil Procedure. law Applicable under Section 604, electronic administration and trust services are general CCXXII of 2015 on the rules of According to Section 9 (1) (b) of the Act, the customer is legal representative is required to communicate electronically. The time and place of the filing of the application is Section 39 (1). The trial Information on the possibility of requesting the maintenance of the It is based on Section 77 (1) - (2). The amount of the fee for an administrative lawsuit is set out in Act XCIII of 1990 on Fees. Act (hereinafter: Itv.) 45 / A. § (1). From the advance payment of the fee, the Itv. Section 59 (1) and Section 62 (1) (h) exempt the party initiating the proceedings. 16 If the obligor does not duly prove the fulfillment of the prescribed obligations, the Authority shall considers that it has not fulfilled its obligations within the time allowed. The Acre. According to § 132, if a The debtor has not fulfilled the obligation contained in the final decision of the Authority, it is enforceable. The decision of the Authority Pursuant to Section 82 (1), it becomes final upon notification. The Acre. 133. §, unless otherwise provided by law or government decree - a ordered by the decision-making authority. The Acre. Pursuant to Section 134 of the Act - if by law, government decree or, in the case of a municipal authority, a local government decree otherwise by the state tax authority. Infotv. Pursuant to Section 61 (7), the Authority to carry out a specific act, to behave enforcement of the decision in respect of the obligation to tolerate or cease implements. Budapest, June 18, 2021 Dr. Attila Péterfalvi President c. professor