NAIH (Hungary) - NAIH/2020/193/8

From GDPRhub
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 5(1)(d) GDPR
Article 6(1) GDPR
Article 12(1) GDPR
Article 12(2) GDPR
Article 12(3) GDPR
Article 12(4) GDPR
Article 13 GDPR
Article 16 GDPR
Article 17(1)(a) GDPR
Section 6(4) Act I of 2012 on the Labor Code
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: None
Parties: n/a
National Case Number/Name: NAIH/2020/193/8
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Hungarian
Original Source: Nemzeti Adatvédelmi és Információszabadság Hatóság (in HU)
Initial Contributor: n/a

The Hungarian DPA (Nemzeti Adatvédelmi és Információszabadság Hatóság) issued a fine of 600,000 HUF (1,728 EUR) to the complainant's employer for failing to delete the complainant’s out-of-date address upon his request and for processing the complainant's personal data without his consent.

English Summary

Facts

The complainant filed a complaint with the Hungarian DPA against his former employer for registering a property as his temporary residential address despite that fact having ceased to be true in June 1999. The complainant claims to have asked his former employer by email to delete this data several times since 1999. The complainant further objected to the processing of his personal data without his consent.

The employer stated that according to Section 6(4) Act I of 2012 on the Labor Code the complainant had a duty to inform the employer of any changes in personal information, including change in address. The employer claimed that the complainant had failed to do so until he filed the complaint before the Hungarian DPA. Any requests by email to delete the information mentioned by the complainant are inaccessible as they are deleted after 90 days.

The employer also stated that the complainant forwarded, on the employer’s Internet interface, his name, tax identification number, mother's name, place and date of birth and permanent residence in 2018 because of a change in the taxation rules. Therefore, the employer argued that this data transfer was on the legal basis of consent. However, the statement of consent was never signed by the complainant as the employment relationship terminated soon after.

Dispute

Did the complainant’s former employer breach various articles of the GDPR by failing to delete the complainant’s out-of-date address upon request and by processing personal data without the complainant’s consent?

Holding

With regards to the registered address, the Hungarian DPA stated that it only had the power to examine the complainant’s alleged series of emails sent after May 2018 as the GDPR was not in force prior to that date. Only the email sent by the applicant in September 2018 was addressed by the Hungarian DPA. In relation to that email, the Hungarian DPA held that the out-of-date address should have been deleted by the employer upon request pursuant to Article 16, Article 17 and Article 5(1)(d) GDPR (inaccuracy of personal data). Therefore, the employer was in breach of those articles by failing to do so.

Additionally, the Hungarian DPA held that the employer did not take action within the deadline when the complainant requested that his personal data be deleted. Therefore, the employer was also in breach of Article 12(1) to Article 12(4) GDPR.

With regard to the personal data transferred in relation to the taxation rule change, the Hungarian DPA held that this data could not be processed on the basis of legitimate interest (Article 6(1)(f) GDPR) as claimed by the employer. This was in part because the legitimate interest of facilitating administration work for the employee (the complainant in this context) could not be considered the legitimate interest of the data controller (the employer in this context).

In addition, the Hungarian DPA established that as a general rule, voluntary consent cannot be considered valid in the context of an employment relationship. This is the case unless the processing of personal data on the basis of consent would benefit the employee with no possible detriment. Therefore, the personal data transferred in the context of the taxation rule change could be based on consent as a legal basis, as the processing could not be to the detriment of the complainant. However, the Hungarian DPA held that the employer transferred the complainant’s personal data without a legal basis as the personal data was processed without the consent of the complainant. Therefore, the employer was in breach of Article 6(1) GDPR.

Finally, the Hungarian DPA held that the employer did not provide adequate information to the complainant in relation to the processing of his personal data in relation to the taxation rule change. Therefore, the employer was in breach of its obligation to provide information to the data subject pursuant to Article 13 GDPR.

Therefore, the Hungarian DPA issued the employer a fine of 600,000 HUF (1,728 EUR) to be paid within 30 days.


English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

Case No: NAIH/2020/193/8. 

Subject: Decision granting a partial application (NAIH/2019/8019) 

In its application received by the National Data Protection and Freedom of Information Authority (hereinafter: the Authority) on 18 November 2019, [...] [...] He objected to the processing of the requested data. At the request of the Applicant, the Authority shall take the following decisions in the data protection authority proceedings initiated on 19 November 2019 regarding the unlawful processing of personal data: 


I. IN THE AUTHORITY'S DECISION, 

the Applicant is granted a part of its application and
1) finds that the Applicant has not deleted or not corrected the Applicant's temporary residential address on the basis of the Applicant's application dated 25 September 2018. In doing so, the Applicant infringed Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (hereinafter referred to as the General Data Protection Regulation) Article 16, Article 17(1) (a) and Article 5 (1) (d) of the General Data Protection Regulation.

2) states that the Applicant did not provide information on the action taken on the Applicant's request to cancel his temporary residence dated 25 September 2018. In so doing, the Applicant infringed Article 12 (1) to (4) of the General Data Protection Regulation.

3) finds that the Applicant transferred his personal data to [...] without proper information and consent from the Applicant. In so doing, it infringed Articles 6 (1) and 13 of the General Data Protection Regulation.

II. In the decision of the Authority, the Applicant is obliged to pay ex officio 

600 000 Ft, ie a data protection fine of six hundred thousand forints

III. The Authority

IN ITS PERFORMANCE

1) terminates the data protection authority procedure in the part of the application according to which the Authority instructs the Applicant to keep a register of the Applicant's personal data in accordance with reality; 

2) orders the payment of HUF 10,000, ie ten thousand forints to the Applicant due to the exceeding of the administrative deadline - at his / her choice - by bank transfer or postal voucher

* * * 

The data protection fine shall be paid within 30 days from the final adoption of this Decision to the Authority's centralized collection account for centralized revenues (10032000-01040425-00000000 Centralized collection account IBAN: HU83 1003 2000 0104 0425 0000 0000). When transferring the amount, the NAIH / 2020 / 193. JUDGE. should be referred to.

If the Applicant fails to meet its obligation to pay the fine within the time limit, it shall pay a late payment surcharge to the above account number. The rate of the late payment allowance is the statutory interest rate, which is equal to the central bank base rate valid on the first day of the calendar semester affected by the delay.

In the event of non-payment of the data protection fine and the late payment allowance, the Authority shall order the enforcement of the decision.

The present decision I., II. and Annex III to this Decision. There is no administrative remedy against the order pursuant to point 1 of this Article, but they may be challenged separately in a separate administrative lawsuit addressed to the Metropolitan Court within 30 days of the notification. The application must be submitted to the Authority, electronically, which will forward it to the court together with the case file. The request for a hearing must be indicated in the application. An action brought against an order is adjudicated by the court in a simplified trial out of court. For those who do not receive a full personal tax exemption, the fee for the court review procedure is HUF 30,000, and the lawsuit is subject to the right to record material taxes. Legal proceedings are mandatory in proceedings before the Metropolitan Court

EXPLANATORY STATEMENT

I. Procedure and clarification of the facts

I. 1. By letter received on 18 November 2019, the Applicant applied to the Authority, alleging, on the one hand, that his former employer, the Applicant, was registering the property [...] as a temporary residential address despite the fact that it ceased in June 1999.

According to its statement, the Applicant indicated to the Applicant on several occasions that his temporary residential address had expired, therefore, in his opinion, the Applicant would have had the opportunity to delete this data several times. According to the Applicant's Statement, he first indicated the change in the summer of 1999, when his temporary residential address actually ceased to exist. Subsequently, at the Applicant's June 2007. In connection with this, there was a change in the legal relationship of the Applicant, so in the opinion of the Applicant, the Applicant should have canceled the terminated temporary residential address even then. Furthermore, according to the Applicant's statement, from March 2014, during the agreement on the use of the car authorized for him and its annual renewals, the Applicant was aware of the termination of the Applicant's temporary home address, so he should have deleted this data. and on the 28th, by e-mail concerning the inspection of gas meters, he also informed the Applicant's staff member [...] that his previous temporary home address had expired.

In an e-mail sent to the CEO of the Applicant on 25 September 2018, the Applicant also indicated, in addition to his other non-data protection complaints, that
According to this letter, he referred to his e-mail of 27 and 28 September 2016 to the Applicant regarding the inspection of gas meters, according to which he said that he had moved out of the property under number [...] in June 1999, which fact was also reported to the Applicant's Personnel Department.

In the Applicant's application, he objected, inter alia, to the transfer of his personal data to the [...] without his consent.

The Applicant asked the Authority to establish that the Applicant had committed an infringement in connection with the registration of his / her personal data and to instruct the Applicant to keep a record of the Applicant's personal data. The Applicant further requested that the Authority establish that the Applicant had committed an infringement in connection with the transfer of his personal data to [...] without his consent.

I. 2. In its order, the Authority notified the Applicant of the initiation of the data protection authority procedure and invited it to make a statement and provide information in order to clarify the facts.

According to the Applicant's statement, Section 6 (4) of Act I of 2012 on the Labor Code (hereinafter: Mt.) stipulates as a general rule of conduct that the parties in the employment relationship are obliged to inform each other of any facts, data, circumstances or changes thereto which are essential for the establishment of the employment relationship and for the exercise of the rights and fulfillment of the obligations specified in the Mt. According to the Applicant, it is therefore the Applicant's responsibility to notify the Applicant of any data changes. However, according to the Applicant's employment records, the Applicant did not announce the termination of his temporary home address to the Applicant as an employer, therefore no evacuation was transferred, his temporary home address was not deleted. However, in the light of the Applicant's submissions, after the Authority's request, the Applicant took action to delete the Applicant's temporary residential address from the labor registers on January 17, 2020.

In connection with the Applicant's e-mails sent on September 27, 2016 and September 25, 2018, the Applicant stated that the log file of his mail system will be automatically deleted after 90 days, therefore he cannot retrieve the e-mails referenced by the Applicant. The e-mails in question could be contacted by the Applicant if the Applicants specify the recipients, however, if these recipients have already left the Applicant, their mailbox will be deleted. No document is available to the Applicant in this regard.

According to the Applicant's statement, the Applicant forwarded his name, tax identification number, mother's name, place and date of birth and permanent residence to [...] via its Internet interface on 12 October 2018.

According to the statement of the Applicant, the reason for the data transfer was that in 2018 the tax rules on fringe benefits changed, as a result of which the taxation of all cafeterias other than the Széchenyi Pihenő Card (hereinafter: SZÉP Card) increased. As a result, it was expected that employees who did not have a SZÉP Card before would benefit from this benefit in the future. The rules for applying for the SZÉP Card also changed in the current semester. The previous 55/2011 on the rules of issuing and using the Széchenyi Pihenő Card. (IV. 12.) of the Government, it was the employer's task to order the SZÉP Cards, however, the new 76/2018 on the rules of issuing and using the Széchenyi Resting Card. (IV. 20.) of the Government, the employee already had to contract directly with the fund provider. However, at the time of the data transfer, there were a number of uncertainties surrounding this process, the previous systems were still in place, but the final procedures on the cashier's side had not yet been established. Until January 4, they will be able to register new employees on the Portal in the usual way and order the card for them. We can only send a contract offer to those employees who have been registered and given an e-mail address by 28 December 2018. ”From the referenced and similar previous information, it follows from the Applicant that in order to ensure a smooth transition, SZÉP You need help with the card application process.

According to the Applicant's statement, the purpose of the data management was for the Applicant to initiate the application process for employees who did not have a SZÉP Card before. In practice, this meant that the personal data requested by the fund service provider was uploaded by the fund service provider via its own account and generated an application form, which was handed over to the employees. following an application process for this purpose.

According to the Applicant's statement, during the relevant period, the Applicant's expectation was that its employees without a SZÉP Card would opt for this benefit in the future. The legislation on applying for the SZÉP Card changed at that time, and there was a lot of uncertainty on the part of the fund service provider about the transition to the new rules and technical administration. If the Applicant had not provided any assistance to the employees, the employees would not have been able to apply for the SZÉP Card on time or at the cost of disproportionate efforts. It arose from the Applicant's legitimate interest to provide this fringe benefit smoothly to its employees as of January 1, 2019, and from the employees to facilitate the administration on their side. In view of this, the Applicant has decided to proceed as described above.

According to the Applicant's statement, the process was carried out by the Applicant's Human Customer Service, which has direct and daily contact with employees. There was also a central communication to the employees about the changes related to the SZÉP Card and the fringe benefits. In addition, employees were entitled to ask questions, make complaints or protest against their involvement in the process at any time, as usual with the Applicant, about the process and the process.

According to the Applicant's statement, the data subject's rights to employees are contained in the Applicant's general employee information, which also applies to this data management.

Despite claiming a legitimate interest in the smooth provision of fringe benefits, the Applicant stated that after the application form was generated, the claimants received and signed the claim form and the data management consent statement, which also provided them with direct information about claiming the SZÉP Card. On this basis, the Requested Party also based the data transfer on the legal basis of the consent.

According to the Applicant's statement, the transfer of the Applicant's personal data took place on 12 October 2018. The Applicant requested the signature of the Applicant on the [...] SZÉP Card main card application form and the data management consent statement printed from the [...] interface available on the Internet, however, the declaration was not signed, given that the Applicant's employment relationship with the Applicant was terminated on 19 December 2018.

According to the Applicant's statement, the procedure objected to by the Applicant was a one-off measure during the implementation period due to legal changes, after which all employees must now apply for the SZÉP Card independently through the channels established and operating since then.

In addition, in the Applicant's opinion, the data processing did not have a significant impact on the data subjects, including the Applicant, as it was a one-off step (generation of the application form) and only took place on the Applicant's treated further. The data processing was also carried out in the interest of the data subjects, the contracting process had to be completed by the data subjects, the data transfer to a financial institution with a reputation in the market and, apart from the present case, no complaint was received in relation to the Applicant.

According to the Applicant's statement, according to its records, which do not contain data prior to 2012, the Applicant received a cafeteria benefit from 1 January 2012 to 18 December 2018.

According to the Applicant's statement, the Applicant's permanent address, which the Applicant registers for all employees, was also indicated during the preparation of the SZÉP Card application form and in the agreement on the reimbursement of travel expenses by the Applicant.

II. Applicable legal provisions

Pursuant to Article 2 (1) of the General Data Protection Regulation, the General Data Protection Regulation applies to the processing of data under this case.

Pursuant to Section 2 (2) of Act CXII of 2011 on the right to information self-determination and freedom of information (hereinafter: Infotv.), the General Data Protection Regulation shall be applied with the additions contained in the provisions indicated therein.

Pursuant to Section 60 (1) of the Infotv., in order to enforce the right to the protection of personal data, the Authority shall, upon request, initiate data protection authority proceedings and may initiate data protection authority proceedings ex officio. The data protection authority procedure is governed by Act CL of 2016 on General Administrative Procedure (hereinafter: Ákr.), which shall apply with the additions specified in the Infotv. and with the derogations according to the General Data Protection Regulation.

Pursuant to Section 60 (2) of the Infotv.: "An application for the initiation of data protection authority proceedings may be submitted in the case specified in Article 77 (1) and Section 22 (b) of the General Data Protection Regulation."

Under Article 77 (1) of the General Data Protection Regulation: - if the data subject considers that the processing of personal data concerning him or her infringes this Regulation. "

According to Article 4 (10) of the General Data Protection Regulation: "" third party "means any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or any person who: they have been authorized to process personal data under the direct control of the controller or processor. "

According to Article 4 (11) of the General Data Protection Regulation: "'consent of the data subject' means a voluntary, specific, duly informed and unambiguous indication of the data subject's will by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data concerning him or her."

For the purposes of Article 5 (1) (d) of the General Data Protection Regulation: 'Personal data shall: (d) be accurate and, where necessary, kept up to date; all reasonable steps shall be taken to ensure that personal data which are inaccurate for the purposes of the processing are erased or rectified without delay ("accuracy"). "

According to Article 12 (1) to (4) of the General Data Protection Regulation:
1. The controller shall take appropriate measures to provide the data subject with all information referred to in Articles 13 and 14 and each communication under Articles 15 to 22 and Article 34 relating to the processing of personal data in a concise, transparent, comprehensible and easily accessible form, in a clear and comprehensible manner, in particular in relation to any information addressed to children. The information shall be provided in writing or by other means, including, where appropriate, by electronic means. Oral information may be provided at the request of the data subject, provided that the identity of the data subject has been otherwise established.
2. The controller shall facilitate the exercise of the data subject's rights under Articles 15 to 22. In the cases referred to in Article 11 (2), the controller may not refuse to comply with a request for the exercise of the data subject's rights under Articles 15 to 22 unless it proves that the data subject cannot be identified.
3. The controller shall, without undue delay, but in any case within one month of receipt of the request, inform the data subject in accordance with Articles 15 to 22. on the action taken on a request pursuant to Article. If necessary, taking into account the complexity of the application and the number of applications, this time limit may be extended by a further two months. The controller shall inform the data subject of the extension of the time limit, indicating the reasons for the delay, within one month of receiving the request. If the data subject has submitted the request by electronic means, the information shall, as far as possible, be provided by electronic means, unless the data subject requests otherwise.
4. If the controller does not take action on the data subject's request, it shall inform the data subject without delay, but no later than one month after receipt of the request, of the reasons for the non-action and of the possibility of lodging a complaint with a supervisory authority and of seeking a judicial remedy. "

Under Article 6 (1) (a) and (f) of the General Data Protection Regulation: "The processing of personal data shall be lawful only if and to the extent that at least one of the following conditions is met: [...]
(f) processing is necessary for the protection of the legitimate interests of the controller or of a third party, unless those interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child. "

Under Article 13 (1) to (2) of the General Data Protection Regulation: '1. Where personal data concerning a data subject are collected from the data subject, the controller shall provide the data subject with all of the following information at the time the personal data are obtained:
(a) the identity and contact details of the controller and, if any, of the controller's representative;
(b) the contact details of the data protection officer, if any;
(c) the purpose of the intended processing of the personal data and the legal basis for the processing;
(d) in the case of processing based on Article 6 (1) (f), the legitimate interests of the controller or of a third party;
(e) where applicable, the recipients of the personal data or the categories of recipients, if any;
(f) where applicable, the fact that the controller intends to transfer the personal data to a third country or international organization and the existence or absence of a Commission decision on adequacy, or, in the case of the transfers referred to in Article 46, Article 47 or the second subparagraph of Article 49 (1), an indication of the appropriate and suitable guarantees and the means of obtaining a copy of them or where they have been made available.
2. In addition to the information referred to in paragraph 1, the controller shall inform the data subject of the following additional information at the time of receipt of the personal data, in order to ensure fair and transparent data processing:
(a) the period for which the personal data will be stored or, if that is not possible, the criteria for determining that period;
(b) the data subject's right to request from the controller access to, rectification, erasure or restriction of the processing of personal data concerning him or her and to object to the processing of such personal data and the data subject's right to data portability;
(c) in the case of processing based on Article 6 (1) (a) or Article 9 (2) (a), the right to withdraw the consent at any time, without prejudice to the lawfulness of the processing carried out prior to the withdrawal;
(d) the right to lodge a complaint to the supervisory authority;
(e) whether the provision of personal data is based on law or a contractual obligation or a precondition for the conclusion of a contract, whether the data subject is obliged to provide personal data and the possible consequences of non-disclosure;
(f) the fact of the automated decision-making process referred to in Article 22 (1) and (4), including profiling, and, at least in those cases, information on the logic used and the significance of such processing and its expected consequences for the data subject. "

According to Article 16 of the General Data Protection Regulation: “The data subject shall have the right, at his or her request, to have inaccurate personal data concerning him or her rectified without undue delay. Taking into account the purpose of the processing, the data subject shall have the right to request that the incomplete personal data be supplemented, inter alia, by means of a supplementary declaration. "

Under Article 17 (1) of the General Data Protection Regulation: if one of the following reasons exists:
(a) personal data are no longer required for the purpose for which they were collected or otherwise processed;
(b) the data subject withdraws his or her consent under Article 6 (1) (a) or Article 9 (2) (a) and there is no other legal basis for the processing;
(c) the data subject objects to the processing pursuant to Article 21 (1) and there is no overriding legitimate reason to process the data, or the data subject objects to the processing pursuant to Article 21 (2);
(d) personal data have been processed unlawfully;
e) personal data must be deleted in order to fulfill a legal obligation under Union or Member State law applicable to the controller;
(f) personal data have been collected in connection with the provision of information society services referred to in Article 8 (1).

Under Article 17 (3) of the General Data Protection Regulation: 'Paragraphs 1 and 2 shall not apply where the processing is necessary:
(a) for the purpose of exercising the right to freedom of expression and information;
(b) for the purpose of fulfilling an obligation under Union or Member State law governing the processing of personal data or performing a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c) on grounds of public interest in the field of public health, in accordance with Article 9 (2) (h) and (i) and Article 9 (3);
(d) for archiving in the public interest, for scientific and historical research purposes or for statistical purposes in accordance with Article 89 (1), where the right referred to in paragraph 1 is likely to make such processing impossible or seriously jeopardize it; or
(e) to bring, assert or defend legal claims. "

Article 23 (1) of the General Data Protection Regulation states: “Union or Member State law applicable to a controller or processor may, by means of legislative measures, restrict the scope of the rights and obligations set out in Articles 12 to 22 and Article 34, and in Article 5 in so far as its provisions correspond to the rights and obligations set out in Articles 12 to 22, provided that the restriction respects the essential content of fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to protect:
(a) national security;
b) national defense;
(c) public safety;
(d) the prevention, investigation, detection or prosecution of criminal offenses and the execution of criminal sanctions, including protection against and prevention of threats to public security;
(e) other important general interest objectives of general interest of the Union or a Member State, in particular important economic or financial interests of the Union or a Member State, including monetary, budgetary and fiscal matters, public health and social security;
(f) the independence of the judiciary and the protection of judicial proceedings;
(g) the prevention, investigation, detection and prosecution of ethical misconduct in the case of regulated professions;
(h) in the cases referred to in points (a) to (e) and (g), on an occasional basis, control, inspection or regulatory activity connected with the exercise of official authority;
(i) the protection of the data subject or of the rights and freedoms of others;
(j) the enforcement of civil claims. "

Under Article 58 (2) of the General Data Protection Regulation:
(a) warn the controller or processor that certain of its intended processing operations are likely to infringe the provisions of this Regulation;
(b) convict the controller or the processor if his or her data processing activities have infringed the provisions of this Regulation;
(c) instruct the controller or the processor to comply with the data subject's request to exercise his or her rights under this Regulation;
(d) instruct the controller or processor to bring its processing operations into line with the provisions of this Regulation, where appropriate and within a specified period of time;
(e) instruct the controller to inform the data subject of the data protection incident;
(f) temporarily or permanently restrict the processing, including the prohibition of the processing;
(g) order the rectification or erasure of personal data or the restriction of data processing in accordance with Articles 16, 17 and 18 respectively, and order the recipients to be informed in accordance with Article 17 (2) and Article 19; with whom the personal data have been communicated;
(h) withdraw the certificate or instruct the certification body to withdraw the certificate issued in accordance with Articles 42 and 43, or instruct the certification body not to issue the certificate if the conditions for certification are not or are no longer met;
(i) impose an administrative fine in accordance with Article 83, in addition to or instead of the measures referred to in this paragraph, as the case may be; and
(j) order the suspension of data flows to a recipient in a third country or to an international organization.

Under Article 83 (2) and (5) of the General Data Protection Regulation: '...
2. Administrative fines shall be imposed in addition to or instead of the measures referred to in points (a) to (h) and (j) of Article 58 (2), as the case may be. In deciding whether to impose an administrative fine or in setting the amount of an administrative fine, due regard shall be had in each case to the following:
(a) the nature, gravity and duration of the breach, taking into account the nature, extent or purpose of the processing in question, the number of data subjects affected by the breach and the extent of the damage they have suffered;
(b) the intentional or negligent nature of the infringement;
(c) any measures taken by the controller or the processor to mitigate the damage suffered by the data subject;
(d) the extent of the responsibility of the controller or processor, taking into account the technical and organizational measures taken by him under Articles 25 and 32;
(e) relevant infringements previously committed by the controller or processor;
(f) the extent of cooperation with the supervisory authority in order to remedy the breach and mitigate any adverse effects of the breach;
(g) the categories of personal data affected by the breach;
(h) the manner in which the supervisory authority became aware of the breach, in particular whether the breach was reported by the controller or the processor and, if so, in what detail;
(i) if one of the measures referred to in Article 58 (2) has previously been imposed on the controller or processor concerned, on the same subject matter, compliance with those measures;
(j) whether the controller or processor has complied with the approved codes of conduct under Article 40 or the approved certification mechanisms under Article 42; and
(k) other aggravating or mitigating factors relevant to the circumstances of the case, such as the financial gain or loss avoided as a direct or indirect consequence of the infringement ...
5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to an administrative fine of up to EUR 20 000 000 or, in the case of undertakings, up to 4% of the total annual worldwide turnover in the preceding business year, whichever of the two amounts is higher:
(a) the principles of data processing, including the conditions for consent, in accordance with Articles 5, 6, 7 and 9;
(b) the rights of data subjects in accordance with Articles 12 to 22;
(c) the transfer of personal data to a recipient or international organization in a third country in accordance with Articles 44 to 49;
(d) obligations under the law of a Member State adopted pursuant to Chapter IX;
(e) failure to comply with an instruction of the supervisory authority pursuant to Article 58 (2) or a request for a temporary or permanent restriction of data processing or suspension of data flow or failure to provide access in breach of Article 58 (1)."

Infotv. Section 75/A: “The Authority shall exercise the powers provided for in Article 83 (2) to (6) of the General Data Protection Regulation, taking into account the principle of proportionality, in particular by providing for the first in accordance with Article 58 of the General Data Protection Regulation, in particular by warning the controller or processor.”

Decree 55/2011 (IV. 12.) of the Government of the Republic of Hungary on the rules for issuing and using the Széchenyi Rest Card: “On the basis of the employer's order, the institution opens a personal electronic voucher register for each employee, in which it keeps up-to-date the balance of employer's allowances paid under the titles.”

Decree 76/2018 (IV. 20.) of the Government of the Republic of Hungary on the rules of issuing and using the Széchenyi Rest Card: “Act CXVII of 1995 on personal income tax. (hereinafter: Szja Act) shall be paid by the payment service provider on a limited-purpose payment account opened and maintained on the basis of a framework contract for the provision of payment services concluded with the payment service provider, the funds of which may be used only for the purposes set out in this Regulation. A limited payment account can only be owned by one natural person.”

III. Decision

III. 1. Register of the Applicant's temporary residential address

It follows from the principle of accuracy of data under Article 5 (1) (d) of the General Data Protection Regulation that personal data must be accurate and, where necessary, kept up to date. The controller shall take all reasonable steps to delete or rectify personal data which are inaccurate for the purposes of the processing without delay.

The General Data Protection Regulation regulates the right of rectification as well as the right of erasure within the framework of the rights of the data subject. Accordingly, under Article 16 of the General Data Protection Regulation, the data subject has the right to have inaccurate personal data concerning him or her rectified without undue delay upon request, while Article 17 (1) of the General Data Protection Regulation specifies in which cases the data controller is obliged to delete the personal data of the data subject, including when the personal data are no longer needed for the purpose for which they were collected or otherwise processed.

The obligations of the controller in relation to the rectification and erasure of personal data are set out in Article 12 of the General Data Protection Regulation.

Article 23 (1) of the General Data Protection Regulation also defines the cases in which the right to rectification or erasure of personal data may be restricted, and Article 17 (3) of the General Data Protection Regulation specifies the cases in which the rules on erasure of personal data do not apply.

In the present case, the Applicant indicated in his application several dates, including before 25 May 2018, when he informed the Applicant that his temporary residential address had ceased. These parts of the request concern data subjects' requests which were made before 25 May 2018, before the date of application of the General Data Protection Regulation, and therefore the rules of the General Data Protection Regulation do not apply to these requests. These parts of the application do not comply with Section 60 (2) of the Infotv., as the General Data Protection Regulation was not yet applicable during the period of the aggrieved data subject's legal proceedings, so no application for the Authority's data protection authority procedure can be submitted in respect of them; the Authority does not have the power to examine compliance under this data protection authority procedure.

With regard to the Applicant's letter submitted after 25 May 2018, the date of application of the General Data Protection Regulation, the Authority's position is as follows:

In an e-mail sent to the Applicant's CEO on 25 September 2018, the Applicant indicated, inter alia, that his previous temporary home address had expired, referring back to his letter of 27 September 2016, in which he also indicated this. The Applicant also sent this letter to the Authority. In contrast, the Applicant stated that, based on his employment records, the Applicant had not announced the termination of his temporary home address to the Applicant as an employer, therefore the change had not been transferred or the temporary home address had not been canceled.

On the basis of all the above, and based on the content of the e-mail available to the Authority, following the Applicant's e-mail sent to the Applicant's CEO on 25 September 2018, although it also covered other, non-data-protection issues, this personal data of the Applicant should have been deleted or rectified, given that there were no circumstances under which the right of the Applicant to delete or rectify the personal data could have been restricted or the rules applicable to them could not have been applied. Consequently, the Authority finds that the Applicant did not delete the Applicant's temporary home address or correct this personal data registered about him, contrary to the rules of the General Data Protection Regulation, in violation of Article 16, Article 17 and Article 5 (1) (d) of the General Data Protection Regulation on the processing of inaccurate personal data.

III. 2. Measures taken on the basis of the Applicant's request to cancel the temporary residence address

Article 12 (1) to (4) of the General Data Protection Regulation sets out the obligations of data controllers and the measures that data controllers must take in connection with the receipt and execution of requests from data subjects.

The Authority examined the measures taken by the Applicant in relation to Article 12 (1) to (4) of the General Data Protection Regulation in the context of his request for the cancellation of his temporary home address in an e-mail sent to the Applicant's CEO on 25 September 2018. In this letter, the Applicant indicated, inter alia, to the Applicant that his previous temporary residential address had expired. However, the Applicant did not provide any information in this letter.

In view of the above, the Authority notes that, since the Applicant did not provide any information within the deadline on the action taken on his request for erasure of his personal data sent on 25 September 2018, the Applicant was in breach of Article 12 (1) to (4) of the General Data Protection Regulation.

The Authority draws the Applicant's attention to the fact that it must establish appropriate internal processes to ensure the exercise of the data subject's rights, and the Applicant's head as data controller must know not as an individual data controller.

III. 3. Recording of the Applicant's real personal data

In his request, the Applicant requested the Authority to instruct the Applicant to keep true personal data of the Applicant.

According to the Applicant's statement, after becoming aware of the Authority's data protection authority procedure, it took measures to delete the Applicant's temporary home address from the labor records on 17 January 2020, which was confirmed by sending the Requested Minutes.

Consequently, no action is required in this respect of the Applicant's application; therefore, pursuant to Section 47 (1) (c) of the Ákr., the Authority terminated the proceedings, as they had become devoid of purpose in that regard.

III. 4. Transmission of the Applicant's personal data

1. According to the Applicant's declaration, the Applicant forwarded his name, tax identification number, mother's name, place and date of birth and permanent residence to [...] via its Internet interface on 12 October 2018 in order to facilitate and start the application for the SZÉP Card for the employees and the Applicant, in view of the changes in the legislation concerning the application for the SZÉP Card.

Under Decree 76/2018 (IV. 20.) on the rules of issuing and using the Széchenyi Rest Card, from 1 January 2019, in order to order SZÉP Cards, the employee must enter into a contract directly with the cash register service provider, as opposed to the period before that, when the employer was responsible for ordering SZÉP Cards.

2. The Applicant indicated legitimate interest as the legal basis of the data transfer, in the context of which he claimed that he had a legitimate interest in providing this fringe benefit to his employees smoothly from 1 January 2019 and in making the administration easier on the employees' side.

However, in the Authority's view, data processing can be based on a legal basis of a legitimate interest if the data processing is necessary to safeguard the interests of the controller or a third party and not of the data subject. It follows from the concept of a third party within the meaning of Article 4 (10) of the General Data Protection Regulation that the data subject does not constitute a third party and that this plea cannot therefore be relied on.

Consequently, this legal basis is not applicable in the case of the Applicant - and thus the other employees of the Applicant - as concerned. In addition, the circumstance classified by the Applicant as a legitimate interest to facilitate administration on the part of employees cannot be considered as a legitimate interest of data controllers in the opinion of the Authority, it also appears as the interest of employees as data subjects.

In the opinion of the Authority, the legal basis for the data management or data transfer related to the application for the Applicant's SZÉP Card could be the consent of the data subject or, in the case of the Applicant, the consent of the Applicant.

The Applicant, although referring to its legitimate interest in ensuring the fringe benefit smoothly, also stated that after the application form was generated, the claimant employees received and signed the claim form and the data management consent statement, which also provided them with direct information about claiming the SZÉP Card. On this basis, the Requested Party also based the data transfer on the legal basis of the consent, but not properly.

Consent, as defined in the General Data Protection Regulation, must be based on appropriate information, be voluntary and be a specific, clear statement of intent indicating, by means of a statement or unambiguous statement of consent, that he or she consents to the processing of personal data concerning him or her. All of this must apply to the data subject or the Applicant in the present case and can only consent to the processing of the personal data of the data subject - the Applicant - instead of the Applicant, as in this case it is no longer possible to speak of data subject consent.

With regard to the voluntary nature of the consent, it can be stated that according to the established data protection practice, in the employment relationship, the consent cannot be interpreted due to the subordinate relationship between the volunteer and the employee, as in many cases the employee refuses his / her consent. The data subject's consent as a legal basis can therefore only be invoked exceptionally in the case of data processing at work, essentially when it is clear that the employee derives unconditional "benefits" from the data processing and cannot be disadvantaged in any way. Consequently, the legal basis for present data management or data transfer could have been the consent of the Applicant, as the Applicant as such could have decided whether or not to receive the benefit. If the Applicant had consented to the processing of his personal data for such purposes, he would not have received the benefit for his transfer, but he would not have been disadvantaged in connection with his legal relationship.

Consequently, in the Authority's view, the Applicant could have transferred his personal data to [...] before 1 January 2019, with the consent of the Applicant, regardless of whether the claimant was ultimately to be processed by the Applicant as an employer. After 1 January 2019, when [...] already concludes the relevant contract directly with the employee concerned, the Applicant no longer has such a role, as the data processing legal relationship is established between the data subject and [...].

On this basis, the Authority finds that the Applicant transmitted the Applicant's personal data to [...] on 12 October 2018 on an incorrect legal basis, in breach of Article 6 (1) of the General Data Protection Regulation.

3. In connection with the information on the transfer of the Applicant's personal data, it can be stated that the data management information sent by the Applicant - as stated by the Applicant - is a general employee information, but it does not appear separately as an However, in the case of several data management purposes, the data subjects must be informed separately about each data management purpose and each data management.

The Applicant also referred to internal correspondence, on the basis of which he informed the employees and the Applicant about the application for the SZÉP Card and its changes.

These prospectuses did indeed provide information on the changed procedure for claiming the benefit, but cannot be considered as data management information under Article 13 of the General Data Protection Regulation, as they do not provide any of the information specified therein.

On this basis, the Authority finds that the Applicant did not provide adequate information on the data processing to the Applicant, in breach of Article 13 of the General Data Protection Regulation.

III. 5. Sanctioning
1. The Authority accepts the Applicant's request in part and condemns the Applicant pursuant to Article 58 (2) (b) of the General Data Protection Regulation because, as set out in Part III of this Decision, it infringed Article 16 of the General Data Protection Regulation, and Article 5 (1) (a) and Article 5 (1) (d) of the General Data Protection Regulation, by not deleting the Applicant's temporary residence address or correcting this personal data registered about him.

However, in view of the fact that, as set out in point III. 3 of this Decision, the Applicant took measures to delete the Applicant's temporary home address from the employment registers after becoming aware of the Authority's data protection authority procedure, no action is required in this respect of the Applicant's application; therefore the Authority did not instruct the Applicant to comply with the Applicant's right, but terminated the proceedings pursuant to Section 47 (1) (c) of the Ákr.

The Authority further condemns the Applicant pursuant to Article 58 (2) (b) of the General Data Protection Regulation because, as detailed in point III. 2 of this Decision, it infringed Article 12 (1) to (4) of the General Data Protection Regulation by failing to provide information on the action taken on the Applicant's request to cancel his temporary residence address.

The Authority also grants the Applicant's request in part and condemns the Applicant pursuant to Article 58 (2) (b) of the General Data Protection Regulation because, as set out in point III. 4 of this Decision, it infringed Articles 6 (1) and 13 of the General Data Protection Regulation by transferring his personal data to [...] without the proper information and consent of the Applicant, without a proper legal basis.

2. The Authority examined of its own motion whether it was justified to impose a data protection fine on the Applicant. In this context, pursuant to Article 83 (2) of the General Data Protection Regulation and Section 75/A of the Infotv., the Authority considered all the circumstances of the case and found that in the case of the infringements discovered in the present proceedings, the warning was neither a proportionate nor a dissuasive sanction; it is therefore necessary to impose a fine.

3. In setting the amount of the fine, the Authority first of all took into account that the Applicant had, in essence, made two separate applications to the Authority. One of the applications is related to the registration, correction or deletion of the personal data of the temporary home address of the Applicant, and the other is related to the transfer of his/her personal data to [...].

In relation to both requests, the Authority took into account that the infringements committed by the Applicant constitute an infringement falling within the higher category of fines under Article 83 (5) (b) of the General Data Protection Regulation.

In both applications, the Authority considered as an attenuating circumstance that the Applicant had not suffered harm as a result of the infringement committed by the Applicant (Article 83 (2) (a) of the General Data Protection Regulation).

In both applications, the Authority took into account as an attenuating circumstance that the Applicant had not yet been convicted of a breach of the General Data Protection Regulation (Article 83 (2) (e) of the General Data Protection Regulation).

4. With regard to the request of the Applicant regarding the correction or deletion of the temporary home address, the Authority took into account as a countervailing circumstance that the Applicant indicated to the Applicant three times, once during the period of application of the General Data Protection Regulation, that his temporary home address had been terminated [Article 83 (2) (k) of the General Data Protection Regulation].

The Authority took into account as an attenuating circumstance with regard to the Applicant's request to correct or delete the temporary residence address that the Applicant deleted the Applicant's temporary residence address from its records after becoming aware of the initiation of the data protection authority procedure [Article 83 (2) (f) of the General Data Protection Regulation].

With regard to the request related to the correction or deletion of the Applicant's temporary residential address, the Authority took into account as an additional mitigating circumstance that the data processing concerned the Applicant's only personal data [Article 83 (2) (k) of the General Data Protection Regulation].

With regard to the Applicant's request to correct or delete the temporary home address, the Authority did not consider the circumstances referred to in Article 83 (2) (b), (c), (d), (g), (h), (i) and (j) of the General Data Protection Regulation to be relevant in determining the imposition of a fine, as they cannot be interpreted in the context of the specific case.

5. With regard to the request concerning the transfer of the Applicant's personal data to [...], the Authority took into account as an attenuating circumstance that the transfer was in the interest of the Applicant and the employees in an uncertain legal environment, so that they were not financially disadvantaged; the Applicant intended to promote the interests of employees (Article 83 (2) (a) and (k) of the General Data Protection Regulation).

With regard to the request concerning the transfer of the Applicant's personal data to [...], the Authority did not consider the circumstances referred to in Article 83 (2) (b), (c), (d), (f), (g), (h), (i) and (j) of the General Data Protection Regulation to be relevant for the determination of the fine, as they cannot be interpreted in the context of the specific case.

6. The sales revenue of the Applicant in 2019 was in the order of HUF 20,000 million, so the imposed data protection fine is far from the maximum fine that can be imposed.

IV. Other issues:

The powers of the Authority are defined in Section 38 (2) and (2a) of the Infotv.; its jurisdiction extends to the entire territory of the country.

The present decision of the Authority is based on Sections 80-81 of the Ákr. and Section 61 (1) of the Infotv. Pursuant to Section 82 (1) of the Ákr., the decision becomes final upon its communication. Pursuant to Section 112, Section 116 (1) and (4) (d) and Section 114 (1) of the Ákr., the decision is subject to administrative appeal.

* * *

Pursuant to Section 135 of the Ákr., the debtor is obliged to pay a late payment allowance corresponding to the statutory interest if he fails to meet his obligation to pay money on time.

Pursuant to Section 6:48 (1) of the Ptk., in the event of a monetary debt, the obligor shall pay default interest at the same rate as the central bank base rate valid on the first day of the calendar half-year affected by the delay.

The rules of an administrative lawsuit are defined by Act I of 2017 on the Procedure of Administrative Lawsuits (hereinafter: Kp.). Pursuant to Section 12 (1) of the Kp., administrative lawsuits against the decision of the Authority fall within the jurisdiction of the courts, and pursuant to Section 13 (3) (a) (aa) of the Kp., the Metropolitan Court has exclusive jurisdiction over the lawsuit. Pursuant to Section 27 (1) (b) of the Kp., in a dispute in which the tribunal has exclusive jurisdiction, legal representation is mandatory. Pursuant to Section 39 (6) of the Kp., the filing of an application does not have a suspensive effect on the entry into force of the administrative act.

Pursuant to Section 29 (1) of the Kp. and, as applicable pursuant to Section 604 of Act CXXX of 2016 on Civil Procedure, Section 9 (1) (b) of Act CCXXII of 2015 on the general rules of electronic administration and trust services, the legal representative of the client is obliged to communicate electronically.

The time and place of filing the application is set out in Section 39 (1) of the Kp. Information on the possibility of requesting a hearing is based on Section 77 (1)-(2) of the Kp. The amount of the fee for an administrative lawsuit is set out in Section 45/A (1) of Act XCIII of 1990 on Fees (hereinafter: Itv.). Section 59 (1) and Section 62 (1) (h) of the Itv. release the party initiating the proceedings from the advance payment of the fee.

If the Applicant does not duly prove the fulfillment of the required obligation, the Authority shall consider that the obligation has not been fulfilled within the time limit. Pursuant to Section 132 of the Ákr., if the Applicant has not complied with the obligation contained in the final decision of the authority, it may be enforced. Pursuant to Section 82 (1) of the Ákr., the decision of the Authority becomes final upon notification. Pursuant to Section 133 of the Ákr., enforcement is ordered by the decision-making authority, unless otherwise provided by law or government decree. Pursuant to Section 134 of the Ákr., enforcement is carried out by the state tax authority, unless otherwise provided by law, a government decree or a decree of a local government in a municipal authority matter. Pursuant to Section 61 (7) of the Infotv., the Authority shall enforce the decision in relation to the obligation contained in the decision of the Authority to perform a specific act, to behave in a certain manner, to tolerate or to stop.

Budapest, July 23, 2020

Dr. Attila Péterfalvi
President
c. professor