NAIH (Hungary) - NAIH/4410-1/2023

From GDPRhub
NAIH - NAIH/4410-1/2023
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 6(1)(f) GDPR
Article 13(1) GDPR
Article 13(2) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 28.04.2023
Fine: 50000 HUF
Parties: n/a
National Case Number/Name: NAIH/4410-1/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Hungarian
Original Source: NAIH (Hungary) (in HU)
Initial Contributor: n/a

The Hungarian DPA found that a solarium studio could not rely on legitimate interests under Article 6(1)(f) GDPR without carrying out a balancing of interests test. The DPA also held that the studio violated Articles 13(1)(2) GDPR by only providing the information, on paper and upon request.

English Summary


A solarium studio in Hungary, the controller, had installed a CCTV system within its premises. Although the decision is not clear in this regard, an individual, the data subject, whose image had been recorded by such system, objected to the processing under Article 21 GDPR. Following a notification, the DPA initiated an ex officio investigation with regard to the solarium studio’s video surveillance system.

The controller argued that it had a legal basis under Article 6(1)(f) GDPR for carrying out the camera surveillance on the premises in order to, inter alia, protect the property. However, despite the DPA’s multiple requests, the controller did not provide any balancing of interests test, nor did it make any statement to the authority of having such document.

Furthermore, in light of Article 13(1)(2) GDPR, the controller claimed that there were printed privacy notices available at the front desk of studio. With regard to its employees, the controller claimed that it had provided information on the processing operations orally and within the job descriptions. However, the controller did not provide evidence to support its statements.


The DPA emphasised that a controller is required to make a prior balancing test under Article 6(1)(f) GDPR. However, the controller did not provide such assessment and the DPA concluded that the controller could not rely on a legitimate interest as a legal basis required under Article 6(1) GDPR. Furthermore, the DPA noted that even if a balancing of interests had been carried out, the processing at stake could have not have been justified by legitimate interests.

In particular, the controller did not demonstrate the suitability of the cameras in question to the announced processing purpose (presumably, the protection of property), nor their proportionality. The DPA viewed that, in order to protect the property, other available solutions (e.g. lock, padlock, window bars, safe, alarm, motion detector, security guard, etc.) may in some cases provide more security than a camera-based data processing.

Since, according to the controller, the information on processing operations were only made available to the data subjects using the service on paper, on the spot, upon explicit request, the DPA found that no adequate information on the processing was available to the data subjects. Furthermore, the DPA noted that the controller had not demonstrated that the same information was provided to its employees.

As a result of the investigation, the DPA found that the controller infringed Article 6(1) GDPR and Article 13(1)(2) GDPR. The controller was imposed with a fine of HUF 50,000 (approx. €130).


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

File number: NAIH/4410-1/2023 Subject: decision and procedural fine

Background: request for the release of NAIH/2866/2022
Administrator: (...) rejection order

The National Data Protection and Freedom of Information Authority (hereinafter: Authority) is (…)

(head office: (…), hereinafter: “Client” or “Company”) by (…) operating under (…)
related to the cameras operated in the solarium studio (hereinafter: premises).
of data management for natural persons regarding the management of personal data
on the protection of data and the free flow of such data, as well as Directive 95/46/EC
2016/679 (EU) repealing Regulation (hereinafter: "GDPR" or
"General Data Protection Regulation") launched ex officio to investigate its compliance

makes the following decisions in its official data protection procedure.

1. In its decision, the Authority states that the examined data processing violated it

    1.1. Article 6 (1) of the GDPR;
    1.2. Paragraphs (1)-(2) of Article 13 of the GDPR.

and condemns the Company for the violations established above.
There is no place for administrative appeal against the decision, but from the announcement

within 30 days from the date of issue, with a letter of claim addressed to the Capital Tribunal
can be challenged in a lawsuit. The claim must be submitted to the Authority electronically, which
forwards it to the court together with the case documents. A hearing can be held in the statement of claim
to ask. For those who do not receive the full personal tax exemption, the administrative lawsuit
the fee is HUF 30,000, the lawsuit is subject to the right to record fees. Before the Metropolitan Court
legal representation is mandatory in the procedure.

2. In the order of the Authority, to waive or reduce the Company's procedural fine
rejects the relevant request and at the same time calls on the Company that NAIH/2866-3/2022
Procedural fine in the amount of HUF 50,000 (i.e. fifty thousand forints) imposed in order with file number

payment immediately, but at the latest from the date of receipt of this order
Please do so within 15 working days.

There is no place for an administrative appeal against the order, but it is subject to notification
Within 30 days with a letter of claim addressed to the Capital Court in a public administrative case
can be attacked. The claim must be submitted electronically to the Authority, which is

forwards it to the court together with the case documents. A hearing can be requested in the statement of claim.
For those who do not benefit from the full personal tax exemption, the administrative court fee
HUF 30,000, the lawsuit is subject to the right to record the levy. In the proceedings before the Metropolitan Court
legal representation is mandatory.


In connection with point 2 above (procedural fine), the Authority provides the following information:

The fine is the forint account of the Authority's centralized revenue collection target account

(10032000-01040425-00000000 Centralized direct debit account IBAN: HU83 1003 2000
0104 0425 0000 0000) must be paid by bank transfer. When transferring the amount, the NAIH
4410/2023 FEES. number must be referred to.

1055 Budapest Tel.: +36 1 391-1400
Falk Miksa utca 9-11 Fax: +36 1 391-1410. (XII. 14.) MNB decree
§ 28 in point a) subpoint aa) (transfer), point b) subpoint bb) (cash payment)

to a payment account), point c) (payment method without a payment account, in particular a
cash transfer) can be in the form of listed payment methods. In fulfilling the obligation
VI of the same regulation is applicable. chapter, with the proviso that it is not in the Authority's building
possibility to pay the fine amount.

If the Company does not fulfill its obligation to pay the fine within the deadline,
must pay a late fee. The amount of the late fee is the legal interest, which is a

it is the same as the central bank base rate valid on the first day of the calendar semester affected by the delay.
The late fee is settled by the Authority for the purpose of collecting centralized revenues
forint account (10032000-01040425-00000000 Centralized direct debit account)
to pay.

If the Company does not pay the procedural fine within the above deadline
enough, the Authority orders the recovery of the fine and late fee and its execution

to the tax authority.


I. Facts

(1) To the Authority on 10.01.2019. on the day of, a notification was received, in which the notifier is the Company

      objected to data management with the cameras installed at the above location.
      Given that the investigation procedure initiated based on this did not include the facts
      can be revealed, the Authority 11.10.2021. started official proceedings ex officio on
      (NAIH/7643-1/2022). The order with file number NAIH/7643-1/2022 is issued by the Company
      18.10.2021 received on the day There is a 15-day deadline for responding
      02.11.2021 expired on 11.04.2021, but the Company did not respond until 04.11.2021. gave it on the day
      to the post office, the shipment to the Authority on 08.11.2021. arrived on

(2) According to the Company's statement with file number NAIH/7643-2/2021, the Company complies with the GDPR
      Pursuant to point f) of Article 6 paragraph (1), a camera operator with a legitimate interest as a legal basis
      surveillance at the site to protect life, physical integrity, and personal freedom
      for the sake of, as well as for the purpose of property protection. Showing the angle of view of the 4 cameras
      the Company attached snapshots to its response. Based on these, one of the cameras is a
      It was directed to one of the company's workstations, one to and from the external entrance

      in connection with this, he partly monitored the public area, and two more were the solarium customer traffic
      it was directed to its open interior spaces. Camera images attached by the Company
      based on, covering an area that is not relevant to the purpose of the observation or a
      filtering of the observed part with IT tools (hereinafter: masking)
      was not set. The viewing angles of the camera system are also shown on the Company's site plan
      presented. From camera images and site plan submitted by the Company
      it could be established that some tanning machines and the

      doors leading to standing solariums were also included.
      According to the Company's claim, the solarium's customers receive a paper-based data management information sheet
      they could ask the person working at the reception desk; the Company informs employees
      was realized verbally and in job descriptions, however these statements
      the Company did not prove it with evidence.
      Stickers warning about the fact of camera data management were submitted by the Company
      based on photographs, however, the Company outside the front door and in the area of the site
      also placed inside.

                                              2(3) In view of the Company's response, further clarification of the facts became necessary,
      therefore, the Authority NAIH/2866-1/2022. by post again with the order with file number

      he contacted the Company with his questions. The Authority is responsible for the response
      set a deadline of 15 days from the date of receipt. Delivery by Magyar Posta Zrt
      according to the certificate of the Authority NAIH/2866-1/2022. the Company's order with case file no
      21.02.2022. received it, so the response deadline is 08.03.2022. fell on his day. THE
      Company's response to the Authority 28.03.2022. arrived by post on

(4) NAIH/2866-2/2022. In its material response with file number, the Company informed the

      Authority that it no longer operates a solarium or anything else at the indicated address
      does not carry out any activities there. In addition, he stated in his answer that the Company has a website
      does not have The Company's response did not contain any additional information. For the answer
      the Company did not attach an attachment. To the questions asked in the Authority's referenced order
      the Company did not provide an answer, as part of this despite the Authority's request
      the Company did not present a balance of interests test, nor did it present a statement to that effect
      act to have such a document. The Company's answer is not about that either

      did not contain a statement or evidence that the cameraman
      data management would have ceased or the camera system would have been decommissioned.

(5) On the day of receiving the reply, the Authority queried the Company's certificate of incorporation,
      in which (...) was still listed as the Company's location, so that a
      at the time of his answer, the Company's activities were included in the founding deed
      it was a place with permanent, independent business (operating) establishment.

(6) In view of the above, the Authority, in its procedural order with file number NAIH/2866-3/2022
      in addition to imposing a penalty, he repeatedly called the Company to clarify the facts. THE
      order based on the relevant delivery certificate, the Company issued the order on 26.04.2022. on the day of
      took over, but only on 02.06.2022. answered on the day

(7) NAIH/2866-4/2022. In its material response with file number, the Company submitted that a

      does not operate any business or any other activity at the site referred to
      doesn't use it either. According to his statement, with several locations listed in his company certificate
      the same situation, only one location is actually used by those indicated there
      of. According to his claim, he has already dismantled the cameras previously operating at the site in question
      and removed it from the property.
      According to his statement, it is a personal tragedy, health problems and financial
      due to difficulties, the administrative burden, including the necessary company procedure,

      he can't do it permanently. In view of this, he requested a reduction of the procedural fine or
      release. The material declaration did not contain attached evidence or annexes, a
      Despite the authority's request, the Company did not present the balance of interests test
      nor did he make a relevant declaration that he had such a document.

II. Applicable legal provisions

(8) Infotv. According to paragraph (2) of § 2
      General Data Protection Regulation as defined in the provisions indicated there
      must be applied with supplements.

(9) Infotv. The right to the protection of personal data based on § 60, paragraph (1).
      in order to enforce it, the Authority may initiate official data protection proceedings ex officio.

(10) In the absence of a different provision of the general data protection regulation, the request was initiated

      for official data protection procedure of 2016 on the general public administrative procedure

                                              3 CL. Act (hereinafter: Act) shall be applied in Infotv
      with certain deviations.

(11) In the ex officio proceedings, Art. its provisions on procedures initiated upon request
      shall be applied with the exceptions contained in §§ 103-104 of this law.

(12) Pursuant to Article 4, point 1 of the GDPR, "personal data": identified or identifiable
      any information relating to a natural person ("data subject"); it is possible to identify the a
      a natural person who, directly or indirectly, in particular

      identifier such as name, number, location data, online identifier or a
      physical, physiological, genetic, intellectual, economic, cultural or natural person
      can be identified based on one or more factors related to his social identity.

(13) Based on Article 4, point 2 of the GDPR, "data management": you are on personal data
      any operation performed on data files in an automated or non-automated manner
      or a set of operations, such as collection, recording, organization, segmentation, storage,

      transformation or change, query, insight, use, transmission of information,
      by means of distribution or other means of making available, coordination or
      connection, restriction, deletion or destruction.

(14) According to Article 6 (1) of the GDPR:
      The processing of personal data is only legal if and to the extent that
      at least one of the following is met:

   a) the data subject has given his consent to the processing of his personal data for one or more specific purposes
      for its treatment;
   b) data management is necessary for the performance of a contract to which the data subject is a party
      party, or the steps taken at the request of the data subject prior to the conclusion of the contract
      necessary to do;
   c) data management is necessary to fulfill the legal obligation of the data controller;
   d) data management is vital for the data subject or another natural person

      necessary to protect your interests;
   e) data processing is in the public interest or the data controller is authorized by a public authority
      necessary for the execution of a task performed in the context of its exercise;
   f) data management to enforce the legitimate interests of the data controller or a third party
      necessary, unless the interests of the person concerned take precedence over these interests
      interests or fundamental rights and freedoms that make personal data protection
      necessary, especially if a child is involved.

      Point f) of the first subparagraph cannot be applied by public authorities in their tasks
      for data management during its provision.

(15) Based on paragraphs (1)-(2) of Article 13 of the GDPR:
   (1) If personal data concerning the data subject is collected from the data subject, the data controller a
      at the time of obtaining personal data, provides the data subject with a
      all of the following information:

   a) the identity of the data controller and - if any - the data controller's representative and
      your contact information;
   b) contact details of the data protection officer, if any;
   c) the purpose of the planned processing of personal data and the legal basis of data processing;
   d) in the case of data management based on point f) of paragraph (1) of Article 6, the data controller or
      legitimate interests of third parties;
   e) where applicable, recipients of personal data, or categories of recipients, if any;
   f) where appropriate, the fact that the data controller is in a third country or international

      organization wishes to forward the personal data to, and the Commission

                                              4 the existence or absence of a conformity decision, or in Article 46, Article 47
      or the transfer of data referred to in the second subparagraph of Article 49 (1).
      indication of the appropriate and suitable guarantees, as well as their copies
      a reference to the means of obtaining it or their availability.

   (2) In addition to the information mentioned in paragraph (1), the data controller is the personal data
      at the time of acquisition, in order to be fair and transparent
      provides data management, informs the data subject of the following additional information:
   a) on the duration of storage of personal data, or if this is not possible, on this
      aspects of determining the duration;

   b) the data subject's right to request from the data controller the personal data relating to him
      access to data, their correction, deletion or restriction of processing,
      and may object to the processing of such personal data, as well as the data subject
      about your right to data portability;
   c) based on point a) of Article 6 (1) or point a) of Article 9 (2)

      in the case of data processing, it is for withdrawing consent at any time
      a right that does not affect data processing carried out on the basis of consent before withdrawal
   d) on the right to submit a complaint to the supervisory authority;
   e) that the provision of personal data is legal or contractual

      whether it is based on an obligation or a prerequisite for concluding a contract, and whether it is
      whether the data subject is obliged to provide personal data, and how it is possible
      failure to provide data may have consequences;
   f) the fact of automated decision-making referred to in paragraphs (1) and (4) of Article 22, including
      also profiling, and at least in these cases to the applied logic and that

      comprehensible information regarding the significance of such data management and
      what are the expected consequences for the person concerned.

(16) Pursuant to Article 58 (2) point b) of the GDPR, the supervisory authority
      acting within its competence, condemns the data manager or the data processor if

      its data management activities violated the provisions of this regulation.

III. Decision

(17) III.1. In the case of camera data management, the legitimate interest of the data controller is typically 1

      legal basis applied. The conceptual element of the legitimate interest is the discretion of the data controller
      obligation. The data controller is obliged to carry out a preliminary, written interest assessment test
      preparation in order to be able to refer to this legal basis. Legitimate interest is a legal basis
      it can be applied by the data controller if its application is based on the balancing of interests test
      is supported by its result (so the existence of the interest assessment test in itself does not

      sufficient). A test of interest balancing to identify different interests and those
      is built to balance. Within this framework, among other things, the
      the issue of necessity-proportionality and the reasonable expectations of those involved. These
      when considering it, it should be kept in mind that the interests of the stakeholders take precedence
      may enjoy against the interests of the data controller, and it should also be considered that it is

      at the start of data processing, can the data subjects reasonably expect that
      data controller manages their data for the given purpose.

 GDPR Article 6 (1) point f): The processing of personal data is only lawful if and to the extent that at least
f) data processing is necessary to assert the legitimate interests of the data controller or a third party, unless these interests are involved
on the other hand, the interests or fundamental rights and freedoms of the data subject, which are personal data, take precedence
their protection is necessary, especially if the child concerned is a child. Point f) of the first subparagraph does not apply to public authorities
for data management carried out by bodies in the performance of their duties.

                                              5(18) Despite repeated calls from the Authority, the Company does not carry out such an interest assessment test
      presented, so the legal basis of legitimate interest cannot legally be invoked.

(19) At the same time, the data management is carried out in the established way, the submission of a balance of interests test
      no legitimate interest could have been substantiated with a legal basis. Attached by the Company
      based on photos and floor plan, in the camera monitoring the entrance door from the outside section
      also observed public space. The worker and his workstation were under constant surveillance
      so that the angle of view of this camera partially extended to a reclining solarium.
      One of the internal cameras was partially or completely in the field of view of several of them

      tanning machine or the door leading to stationary tanning beds. The user of the service
      those involved could not get out of their way, and masking for the cameras was not
      was set.

(20) In relation to the cameras in question, the data management purpose - which is believed to be a
      it was asset protection - neither the ability to achieve it nor the proportionality was proven.
      Especially from an asset protection point of view, other available solutions (e.g. lock, padlock,

      window grill, safe, alarm, motion detector, security guard, etc.) is larger if applicable
      they can also mean security, like camera data management. Purpose of data management
      point of view, in the absence of a balance of interests test, it was not and is not supported
      it is likely that the camera system was one of the available solutions
      the most effective and, at the same time, the least burdensome solution for the privacy of those concerned.

(21) Since, based on the Company's statement, data management information is only available locally, on paper

      based on the express request of the parties using the service
      accessible, adequate information about data management was not available to them.
      The Company also does not provide the same information to employees
      verified; according to his statement, this was verbal information and included in the job description
      was realized by means of information, but his claims about this were not supported by evidence
      supported it.

(22) On the basis of the above, the Authority shall comply with Article 6 (1) of the GDPR and Article 13 (1) of the GDPR-
      (2) of the GDPR and Article 58 (2) point b) of the GDPR
      decided in accordance with the provisions of the ruling part (decision).

(23) At the same time, according to its statement, the Company abandoned the investigated data management, i.e
      dismantled devices on site.

(24) III.2. There was no clarification of the circumstances of data management in the investigation procedure
      possible, the Authority therefore decided to initiate the ex officio official procedure.
      Despite this, the Company's statements in the official procedure initiated ex officio
      were incomplete or delayed. Procedural fine against the Company
      was imposed in view of these antecedents, and thus the Authority is the authority
      in accordance with the provisions of section (order), for the waiver of the Company's procedural fine or

      decided to reject his request for mitigation.

ARC. Other questions

(25) The Art. § 112, subsections (1) and (2), point d) and § 116, subsections (1) and (3), respectively
      Based on § 114, paragraph (1), against both the decision and the order
      there is room for legal redress through an administrative lawsuit.

(26) The rules of the administrative trial are set out in Article I of 2017 on the Code of Administrative Procedure.
      is determined by law (hereinafter: Law). The Kp. Based on Section 12 (1) a

                                              6 An administrative lawsuit against an authority's decision falls under the jurisdiction of the court, a
      sued by Kp. On the basis of Section 13. (3) point a) point aa) the Capital Court

      exclusively competent. The Kp. On the basis of § 27 (1) point b), the tribunal
      legal representation is mandatory in a lawsuit within its jurisdiction. Cp. According to § 39, paragraph (6).
      - if the law does not provide otherwise - the administrative procedure for submitting the claim
      does not have the effect of postponing the entry into force of the act.

(27) The Kp. Paragraph (1) of § 29 and, in view of this, the 2016 Code of Civil Procedure
      CXXX. Act (hereinafter: Pp.) is applicable according to § 604, the electronic

      CCXXII of 2015 on the general rules of administration and trust services.
      Act (hereinafter: E-Administration Act.) According to Section 9 (1) point b) the customer
      legal representative is obliged to maintain electronic contact.

(28) The time and place of submitting the statement of claim is determined by Kp. It is defined by § 39, paragraph (1).
      The information about the simplified trial can be found in Kp. Paragraphs (1)-(2) of § 77 and § 124
      It is based on paragraph (1) and (2) point c) and (5) respectively. The public administration

      the amount of the fee for the lawsuit is determined by Act XCIII of 1990 on fees. law (hereinafter:
      Itv.) 45/A. Section (1) defines. Regarding the advance payment of the fee, the Itv.
      Section 59 (1) and Section 62 (1) point h) exempt the procedure
      initiating party.

(29) Infotv. According to § 38, paragraph (2), the Authority is responsible for personal data
      for its protection, as well as to learn about data of public interest and public in the public interest

      monitoring and facilitating the enforcement of the right, as well as personal data
      Facilitating its free movement within the European Union. Paragraph (2a) of the same §
      as established for the supervisory authority in the general data protection regulation
      tasks and powers of legal entities under the jurisdiction of Hungary
      with respect to those specified in the general data protection regulation and this law
      according to the Authority.
      The Authority's jurisdiction covers the entire territory of the country.

Dated: Budapest, according to the electronic signature

                                                                 Dr. Habil. Attila Péterfalvi
                                                                     c. professor