NAIH (Hungary) - NAIH/2020/6484

From GDPRhub
NAIH - NAIH / 2020/6484
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 15(1)(a) GDPR
Article 15(1)(c) GDPR
Article 15(1)(d) GDPR
Type: Complaint
Outcome: Upheld
Decided: 16.12.2020
Fine: None
Parties: n/a
National Case Number/Name: NAIH / 2020/6484
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Hungarian
Original Source: NAIH (in HU)
Initial Contributor: n/a

The Hungarian DPA (NAIH) found a violation of Article 15 GDPR and obliged a controller to grant a complainant access to his personal data.

English Summary


A complainant requested a controller to provide him with accurate, personalized information about processing of personal data. The controller failed to do so and shared with him only a general data protection notice.


The DPA found out that a content of controller's reply did not provide the complainant with an accurate, personalized information about the handling of his personal data. The DPA concluded that the controller has breached the general rule of Article 15 (1) (a), c) and d) of the GDPR by not giving substantive, specific answers to the request under Article 15 and by sharing only a link to a general data protection notice.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

Case No: NAIH / 2020/6484 /… Subject: Decision
Administrator: […]

                                      H A T Á R O Z A T

Before the National Data Protection and Freedom of Information Authority (hereinafter: the Authority) […]
applicant (hereinafter referred to as “Applicant”) against […] applicant (hereinafter referred to as
Applicant) received on 31 August 2020
In the data protection official proceedings initiated following the request of the

                                 grant his request, and

   I. finds that the Applicant has not properly complied with the Applicant 's 2020.
        request for exercise of the right of access dated 23 June

        violated by the Applicant the processing of personal data of natural persons
        and the free movement of such data, and
        Regulation (EU) 2016/679 repealing Directive 95/46 / EC (a
        hereinafter referred to as the "General Data Protection Regulation") Article 15 (1) (a) and (c) to (d);

  II. obliges the Applicant to do so within 15 days of the decision becoming final
        provide the Applicant with Article 15 (1) (a) of the General Data Protection Regulation; c) -
        d) complete information with the content handled by the Applicant
        personal information. The required action shall be taken by the Applicant for the action
        must be made in writing within 8 days of its submission - the supporting evidence

        to the Authority, thus giving it to the Applicant
        information (in full) and proof of posting
        by sending a copy of the mail to the Authority.

 III. Due to the above violation, the Authority will inform the Applicant - by another data protection violation.

        in determining the legal consequences of establishing the present infringement as
        history will be taken into account with increased weight - it will be warned.

There is no administrative appeal against the decision, but no later than 30 days after notification
within one day of the application filed with the Metropolitan Court in an administrative lawsuit

can be challenged. The application must be submitted to the Authority, electronically, which is the case
forward it to the court together with its documents. Indicate the request for a hearing in the application
must. For those who do not receive a full personal exemption from judicial review
the fee of the procedure is HUF 30,000, the lawsuit is subject to the right to record material fees. Before the Metropolitan Court
legal representation is mandatory in proceedings.

                                       EXPLANATORY STATEMENT

I. Facts

On 31 August 2020, the Applicant submitted an application to the Authority stating that
by letter dated 23 June 2020, requested the processing of your personal data
information from the Applicant by indicating the item by the Applicant
electronically processed data. The Applicant requested the Applicant's reply letter by post
sending. According to the return receipt attached by the Applicant, the Applicant shall

received his application on 29 July 2020. The Applicant objected to the Applicant's legislation
did not reply to its request within the time limit set by the

In the light of the above, the Applicant requested the Authority to order
Applicant to fulfill your access request.

In order to clarify the facts, the Authority in its order of 9 September 2020 amended the Ákr.

Pursuant to Section 63, he summoned the Applicant to make a statement.

It was sent to the Authority by order of the Applicant in its reply received on 28 September 2020
information. The Applicant stated that although the Applicant’s letter is June 2020
It is dated 23 July, and it was not actually dispatched until 23 July 2020. The Applicant a

In support of its statement, it attached a document certifying the tracking of items by Magyar Posta. THE
Applicant added that it had been sent to Applicant on 25 August 2020
provided in the reply letter received by the Applicant on 26 August 2020.

Attached to the Applicant's application is a copy of the Applicant's contracts, the person being treated is personal

list of data, the Applicant’s group-level privacy policy and customer data management
Magyar Posta on the information of the Applicant and the Letter of the Applicant
data requested from the tracking service and a mailing book for informing the Applicant
a copy of the reply and the content of the reply to the Applicant.

Based on the attached documents, the Applicant provided the following information to the Applicant.
On the one hand, it referred to attaching a list of personal data processed in connection with the Applicant, and on the other hand
stated that it only handles the range of personal data provided by the Applicant. Data management
purpose, legal basis, duration, data processors used and other recipients a

Applicant provided the link to the data management information to the Applicant. In addition, the
Applicant emphasized that it is not transmitted by the Applicant for any data management purpose
personal data to third countries outside the European Union and does not use it
a service related to the processing of personal data that is the Applicant's customers
would involve the international transfer of personal data (in this context, cloud-based

services). Finally, the Applicant explained the possibility to contact the Authority at
at the same time as the relevant contact details.

II. Applicable legal provisions

Pursuant to Article 2 (1) of the General Data Protection Regulation, this is the case here
the general data protection regulation applies to data processing.

Infotv. Pursuant to Section 2 (2), the General Data Protection Decree is indicated therein

shall apply with the additions provided for in

Infotv. Pursuant to Section 38 (3) (b), within the scope of its responsibilities under Section 38 (2) and (2a)
as defined in this Act, in particular at the request of the data subject and ex officio data protection
conduct an official procedure.

Infotv. Pursuant to Section 60 (1), the enforcement of the right to the protection of personal data
To that end, the Authority shall, at the request of the data subject, initiate a data protection authority procedure.

Unless otherwise provided in the General Data Protection Regulation, data protection was initiated upon request

CL of the General Administrative Procedure Act 2016. Act (a
hereinafter: Ákr.) shall apply with the exceptions specified in the Information Act.

Under Article 12 (1) to (6) of the General Data Protection Regulation: ‘1. The controller shall
take measures to enable the data subject to process personal data

all the information referred to in Articles 13 and 14 and Articles 15 to 22. and 34

each piece of information in a concise, transparent, comprehensible and easily accessible form, in a clear manner
and provide it in plain language, in particular any information addressed to children
in the case of. The information shall be provided in writing or by other means, including, where appropriate, by electronic means

also - must be specified. Oral information may be provided at the request of the data subject, provided otherwise
the identity of the data subject has been verified.
2. The controller shall facilitate the processing of the data subject concerned in accordance with Articles 15 to 22. exercise of their rights under this Article. Article 11 (2)
In the cases referred to in paragraphs 15 to 22, the controller shall exercise their rights under Article
may not refuse to comply with his request unless he proves that the person concerned

unable to identify.
3. The controller shall, without undue delay, but in any case upon receipt of the request,
inform the data subject within one month of the following an application under Article
measures. If necessary, taking into account the complexity of the application and the requests

this period may be extended by a further two months. On the extension of the deadline
the controller shall indicate the reasons for the delay from the date of receipt of the request
inform the data subject within one month. If the application has been submitted by electronic means, the
information shall, as far as possible, be provided by electronic means, unless the data subject provides otherwise

If the controller does not act on the data subject 's request without delay, but
shall inform the data subject no later than one month after receipt of the request
the reasons for not taking action and the fact that the person concerned may lodge a complaint
supervisory authority and may exercise its right of judicial review
5. The information referred to in Articles 13 and 14 and Articles 15 to 22 and 34

the measure shall be provided free of charge. If the data subject's request is clearly unfounded
- in particular because of its repetitive nature - excessive, the controller, depending on the information requested or
administrative costs of providing information or taking the requested action:
(a) charge a reasonable fee, or
(b) refuse to act on the request.

The burden of proving that the request is manifestly unfounded or excessive is on the controller.
6. Without prejudice to Article 11, if the controller has reasonable doubts as to the application of Articles 15 to 21. article
the identity of the natural person submitting the application under
request the information necessary to confirm his identity. "

Under Article 15 of the General Data Protection Regulation: '1. The data subject shall have the right to:
receive feedback from the data controller on the processing of your personal data
is in progress, and if such data processing is in progress, you are entitled to personal
access to data and the following information:
(a) the purposes of the processing;

(b) the categories of personal data concerned;
(c) the recipients or categories of recipients with whom the personal data are held
communicated or will be communicated, including in particular to third country consignees, and
international organizations;
(d) where applicable, the intended period for which the personal data will be stored or, if that is not possible,

criteria for determining this period;
(e) the data subject's right to request personal data concerning him or her from the controller
rectification, erasure or restriction of the processing and may object to such personal data
(f) the right to lodge a complaint with a supervisory authority;

(g) if the data were not collected from the data subject, all available information on their source;
(h) the fact of automated decision-making referred to in Article 22 (1) and (4), including:
profiling and, at least in these cases, the logic used
comprehensible information on the significance of such data processing and on the data subject
what are the expected consequences.

(2) If personal data are transferred to a third country or to an international organization
the data subject is entitled to be informed of the transfer
appropriate guarantees in accordance with Article 46.
(3) The data controller shall provide the data subject with a copy of the personal data which are the subject of the data processing

make it available. For additional copies requested by the data subject, the controller shall

charge a reasonable fee based on costs. If the person concerned provided it electronically
application, the information shall be in a widely used electronic format
unless the person concerned requests otherwise.

4. The right to request a copy referred to in paragraph 3 shall not be adversely affected
the rights and freedoms of others. "

Infotv. Pursuant to Section 61 (1) (a), it was taken in a data protection authority proceeding
In its decision, the Authority Data management specified in Section 2 (2)

defined in the General Data Protection Regulation in relation to
may apply legal consequences.

According to Article 58 (2) of the General Data Protection Regulation: “The supervisory authority shall be corrective

acting within its competence:
(a) warn the controller or processor that certain data processing operations are planned
its activities are likely to infringe the provisions of this Regulation;
(b) condemn the controller or the processor if his or her data processing activities
has infringed the provisions of this Regulation;

(c) instruct the controller or the processor to comply with this Regulation
exercise its rights under this Regulation;
(d) instruct the controller or processor to carry out its data processing operations, where applicable
in a specified manner and within a specified period, in accordance with this Regulation
with its provisions;

(e) instruct the controller to inform the data subject of the data protection incident;
(f) temporarily or permanently restrict the processing, including the prohibition of the processing;
(g) order personal data in accordance with Articles 16, 17 and 18 respectively
rectification or erasure of data or restrictions on data processing, and in accordance with Article 17 (2).
order to notify the addressees with whom it is addressed in accordance with paragraph 1 and Article 19

or with whom personal data have been communicated;
(h) withdraw the certificate or instruct the certification body in accordance with Articles 42 and 43
revoke a duly issued certificate or instruct the certification body not to grant it
issue the certificate if the conditions for certification are not or are no longer met;
(i) impose an administrative fine in accordance with Article 83, depending on the circumstances of the case

in addition to or instead of the measures referred to in this paragraph; and
(j) order the flow of data to a recipient in a third country or to an international organization
suspension. "

Under Article 83 (2), (5) and (7) of the General Data Protection Regulation:

administrative fines in accordance with Article 58 (2) (a) to (b), depending on the circumstances of the case.
It shall be imposed in addition to or instead of the measures referred to in points (h) and (j). When deciding
whether it is necessary to impose an administrative fine or the amount of the administrative fine
In each case, due account shall be taken of the following:
(a) the nature, gravity and duration of the breach, taking into account the processing in question

the nature, scope or purpose of the infringement and the number of persons affected by the infringement;
the extent of the damage they have suffered;
(b) the intentional or negligent nature of the infringement;
(c) the mitigation of damage suffered by the data subject by the controller or the processor
any measures taken to

(d) the extent of the responsibility of the controller or processor, taking into account the
and technical and organizational measures taken pursuant to Article 32;
(e) relevant infringements previously committed by the controller or the processor;
(f) the supervisory authority to remedy the breach and the possible negative effects of the breach
the extent of cooperation to alleviate

(g) the categories of personal data affected by the breach;
(h) the manner in which the supervisory authority became aware of the infringement, in particular that:
whether the breach has been reported by the controller or processor and, if so, what
in detail; 5

(i) if previously against the controller or processor concerned, on the same subject matter
- ordered one of the measures referred to in Article 58 (2), the measure in question
compliance with measures;

(j) whether the controller or processor has considered itself approved in accordance with Article 40
codes of conduct or approved certification mechanisms in accordance with Article 42;
(k) other aggravating or mitigating factors relevant to the circumstances of the case, such as:
financial gain obtained or avoided as a direct or indirect consequence of the infringement

5. Infringements of the following provisions in accordance with paragraph 2 shall not exceed 20 000 000
With an administrative fine of EUR 1 million or, in the case of undertakings, the previous financial year in full

amounting to a maximum of 4% of its annual worldwide turnover, provided that the two
the higher of which shall be charged:
(a) the principles of data processing, including the conditions for consent, in accordance with Articles 5, 6, 7 and 9;
(b) the rights of data subjects under Articles 12 to 22. in accordance with Article
(c) the transfer of personal data to a recipient in a third country or to an international organization

transmission in accordance with Articles 44 to 49. in accordance with Article
d) IX. obligations under the law of a Member State adopted pursuant to this Chapter;
(e) instructions from the supervisory authority pursuant to Article 58 (2) and data processing
temporary or permanent restriction or suspension of data flows
or in breach of Article 58 (1)

failure to provide.
(7) Without prejudice to the supervisory powers of the supervisory authorities under Article 58 (2),
each Member State may lay down rules on the
may be imposed on a public authority or other body with a public function

administrative fine and, if so, the amount. "

Infotv. 75 / A. Pursuant to Article 83 (2) - (6) of the General Data Protection Regulation, the Authority
exercise the powers set out in paragraph 1 in accordance with the principle of proportionality,
in particular by the legislation on the processing of personal data or by the European

- breach for the first time of the requirements laid down in a binding act of the Union
in accordance with Article 58 of the General Data Protection Regulation
- act primarily by alerting the controller or processor.

Infotv. According to Section 61 (4) (b): “The amount of the fine is from one hundred thousand to twenty million forints

may be extended if the fine imposed in a decision taken in a data protection authority proceeding
budgetary body under Article 83 of the General Data Protection Regulation
in the case of a fine imposed. "

III. Decision

The date of the Applicant's request for access is June 23, 2020, which he has attached
as evidenced by a return receipt, it was mailed to the Applicant on 23 July 2020. THE
According to the return receipt, the applicant received the consignment on July 29, 2020.

According to the copy of the postal book attached by the Applicant, his reply letter was sent by August 2020.
25, so required by Article 12 (3) of the General Data Protection Regulation
fulfilled its obligation to act within the time allowed.

The Applicant shall provide the Applicant with all Article 15 (1) of the General Data Protection Regulation

provided information on the legal basis, purpose,
duration and the scope of the recipients only the data management information in force
reference to the relevant points. In addition, the personal information actually described on the site
compiled from an electronic database based on the path shown at the bottom. 6

The content of the reply letter did not provide the Applicant with an accurate, personalized
information about the handling of your personal data for the following reasons.

Not to fulfill access requests in a manner that complies with data protection requirements
a formal answer without relevant information is sufficient, as it is general
The essential element of Article 15 of the Data Protection Regulation is that it provides targeted and clear information
data subjects in relation to the personal data actually processed in connection with them. THE
information appearing on the controllers' page as a result of the exercise of the right of access

obligation is not an administrative obligation that can be fulfilled in a template. THE
when executing access requests, the controllers shall provide the information to the specific data subject
tailored, individualized and the substance of the questions asked by the data subject
make available to them. Failing this, the person concerned will not receive a clear picture of the person

management of your data, it will not become transparent to them. Therefore, if the general concerned
Article 15 of the Data Protection Regulation
information leaflets prepared under Article 13 of the General Data Protection Regulation
- as stated in the Applicant’s reply, the purpose and legal basis of the data processing, the
recipients and, in the case of data processors, the prospectuses published on the website and

reference to business rules - as it is not personalized, not explicitly the person concerned
management of your data. In addition, the Authority notes that they themselves referred to
documents also contained only general information.

Pursuant to Article 15 (1) of the General Data Protection Regulation, the data subject is entitled to:

receive feedback from the data controller on the processing of your personal data
is in progress and, if such data processing is in progress, you are entitled to it
in addition to the information you provide, access to your personal information. The general
Recital 63 of the Data Protection Regulation also distinguishes between personal data and
therefore the data subject should have access to both.

In view of the above, the Authority finds that the Applicant has breached the general rule
Article 15 (1) (a) of the Data Protection Regulation; c) -d) when not given substantive, specific
answers to the itemized criteria under Article 15, only
described a link to general data management information.

ARC. Legal consequences

In addition to the finding of an infringement, the Authority is Article 58 (2) of the General Data Protection Regulation
(c) instructs the Applicant to comply with the Applicant’s exercise of the right of access
Article 15 (1) (a) of the General Data Protection Regulation (c) to (d), and
the fact that the information was provided shall be certified to the Authority by the addressee addressed to the Applicant

by sending a copy of the information and a copy of the postmark certifying its posting.

The Authority also examined whether a data protection fine against the Applicant was justified
imposition. In this context, the Authority shall comply with Article 83 (2) of the General Data Protection Regulation and

Infotv. 75 / A. § considered all the circumstances of the case and found that the present
in the case of infringements detected during the procedure, the warning shall be a proportionate, dissuasive sanction,
therefore, it is not necessary to impose a fine. In that regard, it took particular account of the infringement
severity is low and no harm has been incurred in the proceedings, and the Authority
The applicant has not been convicted of the present breach of the general data protection regulation

until the date of the decision.

 Based on the above, the Authority has decided in accordance with the operative part.

V. Other issues 7

The powers of the Authority are limited by the Infotv. Section 38 (2) and (2a), its jurisdiction is
covers the whole country.

The present decision of the Authority is based on Art. 80-81. § and Infotv. It is based on Section 61 (1). The decision

the Acre. Pursuant to Section 82 (1), it becomes final with its communication. The Acre. Section 112 and Section 116 (1)
and (4) (d) and § 114 (1) against the decision
there is a right of appeal through an administrative lawsuit.

                                                * * *
The rules of administrative litigation are laid down in Act I of 2017 on the Procedure of Administrative Litigation (a
hereinafter: Kp.). A Kp. Pursuant to Section 12 (1) by a decision of the Authority
The administrative lawsuit against the court falls within the jurisdiction of the court. Section 13 (3) a)
The General Court has exclusive jurisdiction under point (aa) of A Kp. Section 27 (1)

In a dispute in which the tribunal has exclusive jurisdiction, the
representation is mandatory. A Kp. Pursuant to Section 39 (6), the filing of the application a
has no suspensive effect on the entry into force of an administrative act.

A Kp. Section 29 (1) and with this regard Act CXXX of 2016 on the Code of Civil Procedure.

applicable pursuant to Section 604 of the Act, electronic administration and trust services
CCXXII of 2015 on the general rules of pursuant to Section 9 (1) (b) of the Act
legal representative is required to communicate electronically.

The time and place of the filing of the application is Section 39 (1). The trial

Information on the possibility of requesting the maintenance of the It is based on Section 77 (1) - (2). THE
the amount of the fee for an administrative lawsuit in accordance with Act XCIII of 1990 on Fees. Act (hereinafter:
Itv.) 45 / A. § (1). From the advance payment of the fee, the Itv. Section 59 (1)
and Section 62 (1) (h) exempt the party initiating the proceedings.

Budapest, December 16, 2020

                                                                       Dr. Attila Péterfalvi
                                                                       c. professor