NAIH - NAIH-2020/2204/8
Relevant Law: Article 12(4) GDPR; Article 15(1) GDPR; Article 18(1)(c) GDPR; Article 24(1) GDPR; Article 24(2) GDPR; Article 25(1) GDPR; Article 83(2) GDPR
Parties: Deichmann Cipőkereskedelmi Korlátolt Felelősségű Társaság
National Case Number/Name: 2020/2204/8
European Case Law Identifier: n/a
Original Source: NAIH (in HU)
The Hungarian DPA (NAIH) fined Deichmann HUF 20,000,000 (approximately €55,700) for breaching multiple GDPR provisions in connection with a data subject's request to view in-store CCTV footage and to have it retained.
English Summary
Facts
A customer of Deichmann claimed that, after an in-store purchase, he did not receive the correct change from the cashier. He initially did not notice that he had paid with a larger banknote; he only realised this later and informed Deichmann.
Since the facts were disputed, the customer asked the company to let him view the camera recording showing him at the till and to keep the recording until the matter was cleared up. Deichmann replied that the recording could only be handed over to the police following an official police request. The customer filed a police report, but by the time the police requested the recording it had already been deleted.
Following this, the NAIH opened an ex officio inspection and then an ex officio procedure against the company and found that Deichmann operated cameras extensively throughout the country, in all 129 of its stores.
The DPA found that the controller had breached multiple GDPR provisions in connection with data subject requests. Among other things, the company kept no separate record of the data subject requests it received, and at the time of the request it had no internal rules on how such requests concerning camera recordings were to be handled.
Dispute
Did the data controller fulfill its obligations under the GDPR in connection with data subject access requests?
Holding
The DPA first held that a request to view camera footage in which the data subject appears falls within the scope of Article 15(1) GDPR. It further held that the controller's claim that the footage could only be handed over to the police was incorrect: besides its duty to hand over recordings to any court or authority that requests them, the controller must, under Article 15(3) GDPR, give the data subject access to the part of the recording in which that person appears. The NAIH also noted that the controller had failed to distinguish between a request to view a recording and a request for a copy of it; the customer had only asked to view the footage.
The NAIH also stressed the importance of Article 12(4) GDPR: a controller that refuses to act on a request must explain the reasons for the refusal and inform the data subject of the right to lodge a complaint with a supervisory authority and to seek a judicial remedy. Here the customer only learned of the correct remedy forum after the footage had already been deleted.
Regarding the deletion of the recording, the DPA held that Deichmann breached Article 18(1)(c) GDPR. Following the data subject's request, the controller should have retained the footage beyond its normal retention period until his legal claim was settled, rather than ignoring the request.
More generally, the DPA found that the controller had failed to fulfil its obligations under Articles 24 and 25 GDPR, as it had not implemented appropriate technical and organisational measures to ensure and demonstrate that personal data were processed in compliance with the GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
Case number: NAIH/2020/2204/8. Subject: ex officio data protection authority procedure.

DECISION

The National Authority for Data Protection and Freedom of Information (hereinafter: the Authority), in the ex officio data protection authority procedure conducted to verify whether Deichmann Cipőkereskedelmi Korlátolt Felelősségű Társaság (registered office: 1134 Budapest, Kassák Lajos utca 19-25; company registration number: 0109693582; hereinafter: the Debtor or the Company) complied with the requirements of the General Data Protection Regulation[1] during the period from 25 May 2018 to 3 March 2020, takes the following decision:

1. The Authority finds that, in handling the requests of […], the Company
(a) infringed Article 15(1) of the Regulation, which lays down the right of access;
(b) infringed Article 18(1)(c) of the Regulation, which lays down the right to restriction of processing;
(c) infringed Article 12(4) of the Regulation.

2. The Authority finds that the Debtor's practice in force between 25 May 2018 and 1 August 2018 was unlawful in so far as it did not take appropriate technical and organisational measures to ensure that the processing of camera data complied with the provisions of the General Data Protection Regulation.

3. The Authority finds that the Debtor's practice in force between 26 November 2019 and 3 March 2020 was unlawful in so far as it did not take appropriate technical and organisational measures to ensure that the rights of data subjects in connection with camera data processing, in particular the right of access and the right to restriction of processing, could be exercised as provided for in the General Data Protection Regulation.

4. For the infringements found in points 1 to 3, the Authority imposes on the Debtor a data protection fine of HUF 20,000,000 (twenty million forints), payable within 30 days of this Decision becoming final.

The Debtor shall inform the Authority of the measures taken within 30 days of the expiry of the time limit for bringing an action for judicial review.

The fine shall be paid within 30 days of the decision becoming final by transfer to the Authority's centralised revenue collection forint account (10032000-01040425-00000000, Centralised collection account, IBAN: HU83 1003 2000 0104 0425 0000 0000). The case number NAIH/2020/2204/8 shall be indicated as the reference when transferring the amount. If the Debtor fails to pay the fine within the time limit, it shall pay a late payment penalty. The rate of the late payment penalty is the statutory default interest, equal to the central bank base rate in force on the first day of the calendar half-year affected by the delay. If the fine and the late payment penalty are not paid, the Authority shall order enforcement of the decision and recovery of the fine and the late payment penalty.

No administrative appeal lies against this Decision, but it may be challenged in an administrative lawsuit by an application addressed to the Metropolitan Court within 30 days of notification. The application shall be submitted to the Authority electronically, which shall forward it to the court together with the case file. Any request for a hearing must be indicated in the application. Those not entitled to full personal exemption from costs shall pay a fee of HUF 30,000 for the judicial review procedure; the lawsuit is subject to the right to deferred payment of fees. Legal representation is mandatory in proceedings before the Metropolitan Court.

The Authority shall publish the decision on its website with the identification data of the Debtor and without the identification data of the client […] (hereinafter: the Client) involved in the proceedings.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR or Regulation).

EXPLANATORY STATEMENT

I. Procedure and clarification of the facts

I.1. History, notification to the Authority

In the notification filed under case number NAIH/2019/2507, the Client submitted that on 26 May 2018 he made a purchase worth HUF 990 in the Debtor's shop in Kaposvár (7400 Kaposvár, Achim András utca 4; hereinafter: the Shop). He stated that after paying he did not ask for change back; he later noticed that he had paid with a HUF 20,000 banknote. According to the receipt, change of HUF 19,010 was paid out, but according to his claim he did not receive it.

On 29 May 2018 the Client lodged a complaint, of which minutes were recorded as a consumer complaint. The minutes state that the notifier was informed that he could take his complaint to the police. In a letter to the Company dated 29 May 2018, the Client described the events in detail and then asked the Company to let him view the camera recording, or alternatively asked that the recording not be deleted until the disputed matter had been verified. The Client also informed the Company that, on the Shop's advice, he had approached the police, who recommended that he contact the Company.
The Company replied to the Client's request of 29 May 2018 on 19 June 2018. The reply informed him that the camera recording could be handed over only to the police, upon an official police request, and that he could turn to the Somogy County Police Headquarters for a remedy. On 30 May 2018 the Client also entered his complaint in the customers' book in the Shop. This entry contains the Client's request that "the camera recording of 26 May 2018 (5:14 p.m.) be saved by the company's management", because this is the only evidence and the recording is needed to enforce his further claims. The Shop's remark on the entry states that "at the closing of the day's cash register, no cash surplus or shortage was generated".

On 25 June 2018 the Client filed a police report against an unknown perpetrator; however, by the time the police requested the camera recording in the course of the proceedings, it was no longer available. The Authority informed the Client of the types of procedures that can be initiated before the Authority and of the manner and conditions for initiating them; after receiving this information, the Client did not submit a request for a formal procedure.

I.2. Official inspection initiated ex officio

I.2.1. In view of the above, the Authority considered it appropriate to initiate an ex officio official inspection in order to check whether the Company's data processing practice complied with the requirements of the General Data Protection Regulation. The official inspection was started on 12 December 2019 under case number NAIH/2019/8543.

During the official inspection, the Authority found the following. The Company operated cameras extensively throughout the country, in all 129 of its stores, during the period under review. The Company stated that during the period under review only one request "on this subject" (i.e. in relation to access to camera recordings) was received by the Company. The right of access was not handled on the basis of a central instruction; the faulty handling resulted from an individual decision which, in the Company's view, was caused by the absence at that time of an internal regulation complying with the Regulation: when the Regulation became applicable on 25 May 2018, the Company did not yet have any internal data processing regulation for camera recordings, so it had not regulated, among other things, how requests from data subjects were to be handled. The Company itself acknowledged that, in its view, it had not processed the data subject request received during the period under review in compliance with the Regulation.

The Company recognised the need to regulate the surveillance systems used in its stores and therefore decided to switch off the camera systems in all its stores between 18 June and 1 August 2018 until proper regulations were prepared. The Company's regulations on the electronic surveillance system (hereinafter: the Regulations) were adopted on 26 November 2019 and contain, among other things, detailed instructions on how to handle data subject requests for access to camera recordings. From that day the Company resumed recording camera footage, which it stores for 7 days.

I.2.2. In this connection, the Regulations state: "A person whose right or legitimate interest is affected by the recording of the image may, by proving that right or legitimate interest, request that the recording not be destroyed or erased by the controller until a court or authority requests it, but for no longer than 30 days. The person included in the recording may also request that the controller inform him or her in writing of what can be seen in the recording containing him or her. The data subject may receive a copy only of a recording in which no other person appears, or in which other persons appear only unrecognisably. If this cannot be met, the controller will allow the data subject to view the recording that contains him or her. Viewing of camera recordings may take place only at the headquarters of Deichmann Cipőkereskedelmi Kft., where, apart from the data subject, the auditor and other staff entrusted with technical tasks by the director may be present."

The Regulations also state that requests may be sent to the registered office of the Company or to the e-mail address email@example.com, and that the Company will examine the request upon receipt and provide information on the measures taken within one month. The Regulations also inform data subjects that they can assert their rights before the courts and can also lodge a complaint with the Authority.

I.3. Official procedure initiated ex officio

I.3.1. In view of the information revealed during the official inspection, which made it probable that the Company had infringed the provisions of the General Data Protection Regulation, the Authority decided on 4 March 2020 to initiate an ex officio data protection authority procedure. The procedure aimed to verify whether, during the period under review, the Company's general practice in handling data subject requests for the exercise of their rights complied with the General Data Protection Regulation. Although the Authority, following the alleged infringement identified in the notification, asked the Company about its general practice in handling data subject rights, the Company reported that it had received a single request from a data subject during the period under review.
Since the identity of the person exercising his rights, i.e. the Client, thereby became identifiable, and since the Company claimed that there had been no other such request, the Authority could make its findings specifically with respect to him. In view of this, the Authority involved the Client as a client in the procedure by order no. NAIH/2020/2204/6 dated 4 June 2020.

I.3.2. During the official procedure, the Debtor stated that it maintains the following records of inquiries received from customers: conciliation board inquiries (400-500 per year), letters of complaint received by e-mail (1,192 letters at the time of the Debtor's letter of 24 March) and the customers' book. On the basis of the Debtor's statement, the Authority found that during the period under review the Debtor did not keep separate records of data subjects' requests to exercise their data protection rights.

The Debtor stated that between 25 May and 1 August 2018 the cameras recorded images; between 1 August 2018 and 26 November 2019 the monitors showed only a live image; and from 26 November 2019 the recording of camera footage resumed. The Debtor submitted a letter dated 15 June 2018 entitled "Circular No. 33", section 5.4 of which contains the Debtor's decision to shut down the cameras in all shops.

In the first period (25 May to 1 August 2018), information on camera data processing was provided by stickers around the entrance and inside the store. According to Annex 2/A as submitted, the information read: "Camera monitored area. The recording is for recording costs." In the second period (1 August 2018 to 26 November 2019), information on the live monitoring was also provided by stickers. According to Annex 2/C, the wording used was "Camera monitored area". Section 3.3.1 of the Annex provided guidance on which stickers should be placed on the doors; it instructed that the "Camera monitored area" sticker should be placed only in stores where the camera records. In the third period (from 26 November 2019), information was provided by stickers affixed in the shop and on the mirror. In addition, the Debtor informed its employees about the surveillance in the data processing information prepared for them.

I.3.3. On 20 December 2019 the Company sent Circular No. 66 to all stores, area managers, decorators and the Helpdesk. In Circular 66 the Company expressly asked employees to read, in addition to the employee information, the customer version of the camera data processing information, so that they know what rights customers have in relation to retrieving camera recordings.

I.3.4. The Debtor further asked the Authority to take the following facts into account as mitigating circumstances: the Debtor ordered the elimination of the infringing condition as soon as it recognised it; the regulations on electronic surveillance systems were adopted on 26 November 2019; only one data subject request was received during the period under review; the transformation of its data processing practice is under way with the involvement of data protection legal professionals; and it tried to compensate the notifier by offering him HUF 30,000, which the notifier did not accept.

II. Applicable law

Pursuant to Section 2(1) of the Infotv. (the Hungarian Act on Informational Self-Determination and Freedom of Information), the scope of the Act covers all processing of personal data and of data of public interest or data accessible on public interest grounds.

Pursuant to Section 2(2) of the Infotv., Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: the General Data Protection Regulation) shall apply to the processing of personal data with the additions set out in Chapters III-V and VI/A, points 3, 4, 6, 11, 12, 13, 16, 17, 21 and 23-24 of Section 3, Section 4(5), Section 5(3)-(5), (7) and (8), Section 13(2), Section 23, Section 25, Section 25/G(3), (4) and (6), Section 25/H(2), Section 25/M(2), Section 25/N, Section 51/A(1), Sections 52-54, Section 55(1)-(2), Sections 56-60, Section 60/A(1)-(3) and (6), Section 61(1)(a) and (c), Section 61(2), (3), (4)(b) and (6)-(10), Sections 62-71, Section 72, Section 75(1)-(5), Section 75/A and Annex 1 of the Act.

Pursuant to Section 60(1) of the Infotv., the Authority may initiate an ex officio data protection authority procedure in order to enforce the right to the protection of personal data.

According to recital 171 of the General Data Protection Regulation, processing already under way on the date of application of the Regulation should be brought into conformity with it within two years of its entry into force. Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give consent again if the manner in which the consent was given is in line with the conditions of the Regulation, so as to allow the controller to continue such processing after the date of application. Commission decisions adopted and authorisations by supervisory authorities based on Directive 95/46/EC remain in force until amended, replaced or repealed.

Pursuant to Article 2(1) of the General Data Protection Regulation, the Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

Pursuant to Article 5(1)(a) of the General Data Protection Regulation, personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency").
Pursuant to Article 12(1) of the General Data Protection Regulation, the controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

Pursuant to Article 12(4) of the General Data Protection Regulation, if the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Pursuant to Article 12(5) of the General Data Protection Regulation, information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.

Pursuant to Article 13(2)(b) of the General Data Protection Regulation, the controller shall, at the time when personal data are obtained, in order to ensure fair and transparent processing, inform the data subject of the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject, or to object to processing, as well as the right to data portability.

Pursuant to Article 15(1) of the General Data Protection Regulation, the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data (…).

Pursuant to Article 15(3) of the General Data Protection Regulation, the controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

Pursuant to Article 15(4) of the General Data Protection Regulation, the right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

Pursuant to Article 18(1)(c) of the General Data Protection Regulation, the data subject shall have the right to obtain from the controller restriction of processing where the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.

Pursuant to Article 24(1) of the General Data Protection Regulation, taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the Regulation. Those measures shall be reviewed and updated where necessary.

Pursuant to Article 24(2) of the General Data Protection Regulation, where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.

Pursuant to Article 25(1) of the General Data Protection Regulation, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the Regulation and protect the rights of data subjects.

According to recital 78 of the General Data Protection Regulation, the protection of the rights and freedoms of natural persons with regard to the processing of personal data requires that appropriate technical and organisational measures be taken to ensure that the requirements of the Regulation are met. In order to be able to demonstrate compliance with the Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.

Pursuant to Section 61(1)(a) of the Infotv., in its decision adopted in the data protection authority procedure, the Authority may apply the legal consequences set out in the General Data Protection Regulation in connection with the processing operations specified in Section 2(2) and (4).

Pursuant to Article 58(2)(b), (d) and (i) of the General Data Protection Regulation, the supervisory authority has the corrective power to issue reprimands to a controller or processor where processing operations have infringed provisions of the Regulation, to order the controller or processor to bring processing operations into compliance with the provisions of the Regulation, and to impose an administrative fine pursuant to Article 83, in addition to, or instead of, the measures referred to in that paragraph, depending on the circumstances of each individual case.

Pursuant to Article 83(5) of the General Data Protection Regulation, infringements of the basic principles for processing, including Articles 5, 6, 7 and 9 of the General Data Protection Regulation, shall, in accordance with Article 83(2), be subject to administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher.

III. Decision

The General Data Protection Regulation has applied since 25 May 2018; it therefore had to be applied to the requests submitted on 26 May 2018 and in the following days.
However, the Regulation entered into force on 27 April 2016 and recital 171 for data processing started before the date of application of this Regulation The data protection rules provided for a "grace period" of two years from the date of entry into force of this Regulation to comply with this Regulation. Although the period under review does not cover data processing prior to 25 May 2018, the Authority notes that the data protection rules also ensure that the data subject is exercised during this period was of paramount importance: the right of the data subject to information was granted by Infotv. also recorded and the Authority's practice This right also included the right to inspect the camera recordings concerned and to block them In terms of the content of the right, the data processing regulated in the GDPR was a similar legal institution the way in which the applicant submitted the applications had to be known would have been in front of the Company. III.1. Handling Customer's affected requests As the Company reported that it received a single request from interested parties during the period considered, and thus the identity of the person exercising his / her rights at the Company became identifiable, the Authority a Findings received by the Company regarding the handling of a stakeholder application specifically to the Client it does. III.1.1. The Client's request addressed to the Company on May 29, 2018 stated that it wished to view the named camera image requested in accordance with Article 15 (1) of the Regulation constitutes a request for access on the basis of which the Company has access to personal data would have been obliged to ensure that the Client had access to the recordings made about him. It appears from the Company's letter of June 19, 2018 that the Company informed it the Client that they can take camera footage only to the police - upon official police request may appeal to the Somogy County Police Headquarters. 
The Authority first of all notes that the camera footage of a data controller is not limited to the police but, in addition to the fact that it is otherwise required to provide any information court or authority, in accordance with Article 15 (3) of the GDPR it must give a person access to the part of the recording in which that person is person is listed. However, Customer did not request the release of the original camera image or a copy thereof From the Company, but to have access to the recorded recordings, while the Company is the recording He did not recognize the difference between the need to view the recording and the need to publish the recording and judged it request as if the Customer had requested the release of the recording, when otherwise to view the recording and the right to issue a copy of the recording. Thus, the Company, in addition to not allowing access to the recorded camera footage, nor neither the fact of refusal of access nor the reasons for refusal of access information. Based on the above, the Authority found that although the Company is defined by the GDPR as one month answered the Client's request for the exercise of the rights of the data subject within the time limit, did not state the reasons, why he does not allow him access to the recordings or the exercise of the data subject's rights denied it on appropriate grounds, so that the management of the Client 's right of access did not comply with the Article 15 (1) of the GDPR. If a data controller refuses to comply with the data subject's request, ie as a result does not take any action, so in the present case, if the Company decides to do so for the Customer does not grant him access to the camera footage taken of him, the GDPR Under Article 12 (4), he must inform him, in addition to giving details of the reasons for the refusal, that: that you can lodge a complaint with a supervisory authority (i.e. in this case the Authority) and live with the right to go to court. 
Information on the right to a remedy is particularly important in the management of data subjects' rights, whereas a person less familiar with data protection law is not necessarily aware of it by which authority you can turn to in the event of a restriction, in the absence of this knowledge the violation or restriction of rights that may have befallen him or her will remain unresolved. This is borne out by the fact that in the present case a nor was the notifier aware that his application concerned a data subject which, in the event of its refusal, may be referred to the Authority. By the time the notifier is correct he became aware of the Remedies Forum, it was so long that it was made about it the Company no longer had camera footage, so the Authority could not oblige the Company to the execution of the data subject's request. Based on the above, the Authority has determined that in refusing the Client 's request for access, the Company has not acted pursuant to Article 12 (4) of the GDPR, hence the Customer’s request for access did not meet the requirements of the GDPR. III.1.2. The Customer's request dated May 29, 2018 also includes that camera recording until then do not delete it until the case he or she objects to has been verified. The Customer is dated May 30, 2018 request states in more detail that ‘the camera recording of 26 May 2018 (taken at 5:14 p.m.) save the management of the company ”because this is the only evidence and additional needs of the applicant you need the recording to validate. 9 Pursuant to Article 18 (1) (c) of the Regulation, any interested party whose legal claims may be in order to validate or protect the personal data processed about him, he is entitled to at the request of the controller, the data shall not be “deleted”, even if the controller, otherwise beyond a specified retention period - you no longer need personal data for data processing for the purpose of. 
Without the restriction of processing, it could be a common situation that the data subject seeks to enforce a legal claim (e.g. files a complaint with the police or initiates court proceedings) and, by the time the proceedings have begun and the acting body requests the camera recording needed as evidence, the data is no longer available to the controller, because the retention period required for the purpose of the processing has already expired. This is confirmed by the Customer's case: on the Company's advice he made a police report, but when the proceedings reached the stage at which the police requested the recording in question, the Company, having disregarded the Customer's request, had already deleted it, so neither the applicant's allegations nor the contrary could be substantiated in the proceedings. Enforcing the right to restriction of processing can be particularly important for a camera system operated in business premises where money is handled, since both the buyer and the seller may need to rely on the recording in proceedings to resolve a contested situation. Without the recordings both parties may be harmed, as only the camera recording can prove how much the buyer paid and how much the seller received; the seller may give the wrong change to the buyer and so produce a shortage in the cash register, or the buyer may pay more for the product than it actually costs. It is clear from the replies to the requests of 29 May and 30 May 2018 that the Company did not react in any way to the requests to 'save the recordings' or 'not delete them until checked'.
In response to the letter dated 29 May, the Company stated only that the camera recording could be handed over solely to the police; it did not explain any obstacle to retaining the recordings, it did not inform the Customer that it would not keep the recordings beyond the normal retention period, yet in effect it refused to comply with the request, since it no longer had the recordings by the time of the police proceedings. In its reply to the letter dated 30 May, the Company likewise did not explain why it would not retain the recordings beyond the normal retention period, nor did it provide information on the fact of refusal, stating merely that 'at the closing of the cash register of the given day, no cash surplus or shortage was generated'. On this basis the Authority found that, in handling the Customer's request to restrict processing, the Company infringed Article 12(4) and Article 18(1)(c) GDPR.

III.2. The Debtor's data processing practice between 25 May and 1 August 2018

Although the Company identified only one data subject request during the period examined, the Authority did not accept this declaration, since it can be deduced from the handling of the only known request that, prior to the initiation of the Authority's proceedings, the Company did not recognise that the application constituted an exercise of data subject rights under Chapter III GDPR.

III.2.1.

On 29 May 2018, the employee of the Kaposvár store recorded the application as a consumer protection complaint, because he did not detect that the application concerned data protection. According to the minutes of the consumer complaint, the acting employee also consulted the sales department, which likewise failed to identify the data subject request: the sales department also suggested that the Customer make a police report.
On 30 May 2018, an employee of the Kaposvár store recorded the application in the customers' book together with the Customer, and likewise did not notice that the application constituted an exercise of rights by the data subject. Nor did the customer service assistant who received the Customer's letter of 18 June 2018 addressed to the Company's registered office, nor the senior official who was the addressee of the letter, if he read it himself. As the Company itself stated that the improper handling of the data subject's request was due to the Company having no data protection rules at all for camera recordings during this period, the Company may have received more than one data protection request; however, as with the known application, these would not have been identified as data protection submissions. This is also confirmed by the fact that the Company kept systematic records of incoming submissions but did not separate out data subject submissions concerning data protection: the Customer's submission, although it concerned data protection, was recorded as a consumer protection complaint and as an entry in the customers' book. The Company kept three different records of incoming submissions (Conciliation Board inquiries, e-mail complaints, customers' book), but this does not mean that the Company could not have received other data protection submissions, since the notifier's application was also treated as a complaint or an entry in the customers' book.

III.2.2.

Article 24 GDPR contains the general obligations of the controller: on this basis the controller must implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that personal data are processed in accordance with the GDPR. Where proportionate in relation to the processing activities, the controller must, as part of these measures, also adopt internal data protection policies.
Article 25 GDPR specifies the general obligations set out in Article 24: the principle of data protection by design and by default laid down in this Article explicitly requires the controller to build the guarantees necessary for the protection of data subjects' rights into the processing, that is, data protection considerations must be reflected at the design stage rather than the necessary measures being taken only once a practice has been established. All this means that the Company should already have adopted, when planning and developing the camera processing, that is, before installing the cameras, the organisational and technical measures that would enable data subjects to exercise their rights under Chapter III GDPR. These measures include, on the one hand, internal procedures for handling data subjects' rights: among other things, designating the person responsible for handling data subject requests; establishing the channels through which the Company can receive data subject requests and, where applicable, designating a Data Protection Officer; establishing the rules for exercising data subject rights (e.g. whether the Company makes the right of access to camera recordings available in stores in person, by post or electronically); taking appropriate data security measures; and keeping a record of processing activities in accordance with Article 30. The necessary measures also include an appropriate information practice for data subjects, in which they are informed of the fact of the processing and, most importantly, of their rights in relation to the camera processing: to whom and at what contact details they may submit their requests, within what time limit they can expect a reply and, in the event of disagreement, to which body they may turn for redress.
Given that the Company has extensive coverage in the country, operating cameras in all 129 of its stores during this period, the Authority considers it a proportionate expectation in relation to the camera processing that the Company, in compliance with Article 24(2) GDPR, should also apply appropriate internal data protection rules. In this area the Company would have needed to train all its employees who work with customers, in particular sales staff and customer service staff, on what data subject requests may arise in connection with the camera processing under the GDPR, how to identify these requests and distinguish them from other submissions and complaints, how to handle them, and to which organisational unit within the Company they must be forwarded. The failure to take all of these measures resulted in the Company not recognising, as detailed above, that the only known request was to be treated as a request for access under Article 15(1) GDPR and a request for restriction under Article 18(1)(c). This led to the Company, despite the applicant's repeated requests, neither giving the applicant access to the camera recording concerning him nor restricting its processing. Furthermore, the Company did not inform the notifier that he could turn to the courts or the Authority, but erroneously pointed out that, since the camera footage could be released only to the police upon an official police request, he could turn to the Somogy County Police Headquarters. Given that during this period the Company did not apply data protection by design and by default to the camera processing, in particular as regards the exercise of data subjects' rights in relation to that processing, it infringed Article 25(1) of the Regulation.

III.3. Evaluation of the Debtor's data processing practice after 26 November 2019

The Regulations governing the Company's data processing practice in operating the camera system were adopted on 26 November 2019 and include, among other things, detailed instructions on how to deal with data subject requests relating to camera recordings.

III.3.1. Rules for handling access requests

The Regulations govern three rights in the context of access to camera recordings: requesting written information about events recorded on camera footage, requesting a copy of a camera recording, and viewing a camera recording. The Regulations restrict the data subject's right to receive a copy, since under this document the Company issues a copy of the recording to the data subject only if no person other than the data subject appears on it. If the data subject requests the release of a recording that includes other persons, he can learn the contents of the recording only by travelling to the Company's headquarters (in Budapest) and viewing the recording there. The Company applies this practice even though Article 15(3) GDPR clearly states that the controller must, at the data subject's request, provide him with a copy of the recording: the controller must do so free of charge the first time, while for further copies it may charge a fee. On this basis the Company is therefore obliged to issue copies, and in doing so it must ensure, under Article 15(4) GDPR, that complying with the data subject's request for access does not infringe the rights of other persons.
Since the Company's obligation to issue copies does not lapse under Article 15(4) GDPR where other persons appear on the recording of which a copy is requested, the Company must instead guarantee, by appropriate technical measures (e.g. masking), that the rights of the other persons on the recording are not infringed while it complies with the data subject's request for access. The restriction of data subjects' rights in this way is particularly significant because the Company has business premises in a significant number of cities in the country, more than fifty, so data subjects who wish to learn the contents of the recordings are expected to travel for several hours to the capital. The Regulations also limit data subjects' right to view the recording, since it follows from their wording that the recording may be viewed only at the Company's headquarters if a person other than the data subject appears on it, and thus, under the Company's own practice, the camera image cannot be copied either. The right to receive a copy is provided for in Article 15(3) GDPR, while viewing the recording constitutes access to personal data pursuant to Article 15(1) GDPR. These two rights are two different sub-rights of the right of access under Article 15 GDPR, each of which belongs to the data subject separately, so a practice under which one (viewing a recording) may be exercised only if the other (receiving a copy) cannot be complied with is not appropriate; the data subject's request must instead be handled according to its content, that is, according to whether a copy of the recording or a viewing of the recording is requested. Article 12(5) GDPR does give the controller a limited possibility to refuse to act on the data subject's request (in this case, viewing the recording or receiving a copy of it), but only if the request is manifestly unfounded or excessive.
On this basis the Authority found that, in developing its data processing regulations, the Company has taken organisational measures that do not guarantee the right of access of data subjects under the conditions set out in Article 15(1) and (3) GDPR, thereby infringing Article 25(1) GDPR.

III.3.2. Rules for handling requests for restriction of processing

The Regulations state that 'the person whose right or legitimate interest is affected by the recording of the image may, by proving his right or legitimate interest, request that the recording not be destroyed or deleted by the controller until requested to do so by a court or authority, but for no longer than 30 days'. 2

The Authority first notes that this provision was previously contained in the Svv.; however, after the GDPR became applicable on 25 May 2018, it was amended for the purpose of legal harmonisation, and at the time the Regulations were created the Svv. no longer contained this provision. The Authority further notes that the provisions of the GDPR have been directly applicable to Hungarian legal entities since 25 May 2018, except for those whose full application and implementation requires additional provisions in the national legislation of the Member States. In addition, the Regulation gives Member States, to a limited extent, the option of adopting additional or, in a certain direction, different rules, but the exercise of the rights of data subjects does not fall within this scope: if the data subject requests the controller to restrict processing, the controller must carry this out. Neither the GDPR nor the Svv. any longer contains a rule under which processing may be restricted for a maximum of 30 days from the date of the request; if the controller deleted the recordings whose restriction was requested 30 days after receiving the request, this would not help the data subject enforce his rights, because the proceedings he had initiated would not yet have reached the stage at which the acting body approaches the controller in possession of the recording. Furthermore, neither the GDPR's right to restriction of processing nor the exercise of any other data subject right is subject to a condition that the data subject prove a right or legitimate interest.

2 Act CXXXIII of 2005 on the rules for the protection of persons and property and for the activities of private investigators (hereinafter: Svv.).

Interpreting the right to restriction of processing in this way is restrictive, so the Company has taken organisational measures that do not ensure the right of data subjects to restriction of processing under the conditions provided for in Article 18 GDPR, thereby infringing Article 25(1) GDPR.

IV. Sanction applied and justification

The Authority found that during the examined period the Debtor, in the processing assessed under point III.1, infringed Article 12(4), Article 15(1) and Article 18(1)(c) of the Regulation in handling the Customer's exercise of his rights as a data subject. In the processing assessed under points III.2 and III.3, the Debtor infringed Article 25(1) of the Regulation. For these infringements the Authority considered it appropriate to impose a fine, as follows. As to whether the imposition of a data protection fine was justified, the Authority considered ex officio all the circumstances of the case under Article 83(2) of the Regulation and Section 75/A of the Infotv., and found that in the case of the infringement established in the present proceedings a warning would be neither a proportionate nor a dissuasive sanction, so it is necessary to impose a fine. The Authority considers a fine necessary because the Debtor had no data protection rules at all for camera recordings in the period under review until 26 November 2019, that is, it did not take the organisational measures necessary to ensure that data subjects could exercise their rights in accordance with the GDPR, which resulted in the Debtor violating the Customer's right of access and right to restriction of processing. Furthermore, the Debtor's data processing regulations adopted on 26 November 2019 still do not comply with the provisions of the GDPR, as they disproportionately restrict data subjects' right of access and right to restriction of processing, so the measures taken at that time are still inadequate: they do not ensure the exercise of data subjects' rights in accordance with the requirements of the GDPR. In view of this, the Authority, pursuant to Section 61(1)(a) of the Infotv., ordered the Debtor in the operative part of the present decision to pay a data protection fine. The amount of the fine was determined by the Authority within its statutory discretion. Depending on the nature of the infringement, the maximum fine that may be imposed under Article 83(5) GDPR is EUR 20 000 000 or, in the case of the Debtor, up to 4% of its total worldwide annual turnover for the preceding financial year, whichever is higher.
Depending on the nature of the infringement, for a breach of the principle of data protection by design and by default the maximum fine under Article 83(4)(a) GDPR is EUR 10 000 000 or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. In imposing the fine, the Authority took into account the following aggravating circumstances:
- the Customer's data subject request was not properly handled because the Debtor, when the Regulation became applicable, had no rules at all for the camera system it operated: the notifier sought in several forums to exercise his rights as a data subject, yet none of the Debtor's employees recognised that his request constituted an exercise of data protection rights by a data subject, so the infringement committed by the Debtor is considered to have been committed with serious negligence [Article 83(2)(b) GDPR];
- the organisational measures taken by the Debtor in developing the regulations in force since 26 November 2019 disproportionately impede the right of access and the right to restriction of processing [Article 83(2)(a) GDPR];
- the Debtor is fully liable both for the breach committed against the Customer and for the development of the restrictive practice that has existed since then, since under Article 25 it was its responsibility to take action [Article 83(2)(d) GDPR];
- the Debtor is subject to extremely serious negligence in relation to the processing in question because, although its larger number of stores meant it should have been prepared for an order of magnitude more requests to exercise rights, its organisational arrangements were still not capable of identifying and handling such requests, and it can therefore reasonably be assumed that the right of access was not properly exercised not only in the specific case examined, but also at other times [Article 83(2)(b) GDPR].
In setting the fine, the Authority took into account the following mitigating circumstances:
- the Debtor offered the applicant thirty thousand forints to alleviate the damage he had suffered [Article 83(2)(c) GDPR];
- the Debtor already took action to facilitate lawful processing during the Authority's investigation: in Circular 66 it drew its staff's attention to reading the camera brochure prepared for customers so as to be aware of the rights conferred on data subjects by the GDPR [Article 83(2)(f) GDPR];
- the Debtor complied with its obligation to cooperate with the Authority to the extent of admitting the infringement itself [Article 83(2)(f) GDPR].
In imposing the fine, the Authority took into account the following other factors:
- during the period under review the Debtor identified a single request and, according to its statement, thus committed a single infringement in the processing of the requests concerned, but the Authority did not accept this statement of the Debtor [Article 83(2)(k) GDPR];
- the processing did not affect special categories of personal data [Article 83(2)(g) GDPR];
- the fine imposed can achieve its purpose only if its amount is appreciable relative to the Debtor's turnover;
- according to the Debtor's last published report, for 2018, its net sales revenue was HUF 33,645,000,000, and the data protection fine imposed amounts to 0.0594% of that net sales revenue.
The Authority did not consider Article 83(2)(e), (h), (i) and (j) GDPR to be relevant to the imposition of the fine, as they cannot be interpreted in the context of the specific case.
In setting the fine, the Authority did not consider it relevant that the infringement was 'not a central instruction' but the result of an 'erroneous individual decision', since in the Authority's view the Debtor is liable in this case as well.

V. Other issues

Pursuant to Section 60(1) of the Infotv., in order to enforce the right to the protection of personal data the Authority may initiate data protection authority proceedings ex officio. Act CL of 2016 on the General Rules of Administrative Procedure (hereinafter: Ákr.) applies to data protection authority proceedings with the additions specified in the Infotv. Pursuant to Section 103(1) of the Ákr., the provisions on proceedings initiated upon request apply to ex officio proceedings with the exceptions contained in Sections 103 to 105. Pursuant to Section 38(2) and (2a) of the Infotv., the Authority is responsible for supervising and promoting the protection of personal data and the exercise of the right of access to data of public interest and data accessible on public interest grounds, and it exercises the tasks and powers assigned to the supervisory authority in the General Data Protection Regulation, as defined in that Regulation and in the Infotv., with respect to entities under the jurisdiction of Hungary. The powers of the Authority cover the whole country. According to Section 75/A of the Infotv., the Authority exercises its powers under Article 83(2) to (6) of the General Data Protection Regulation in accordance with the principle of proportionality, in particular by acting primarily with a warning to the controller or processor, in accordance with Article 58 of the General Data Protection Regulation, in the event of a first breach of the rules on the processing of personal data laid down in legislation or in a binding act of the European Union. The decision is otherwise based on Sections 80 and 81 of the Ákr. Under Sections 112, 116(1) and 114(1) of the Ákr., the decision may be challenged by way of an administrative lawsuit. The rules of administrative litigation are laid down in Act I of 2017 on Administrative Court Procedure (hereinafter: Kp.). Pursuant to Section 12(2)(a) of the Kp., an administrative lawsuit against the Authority's decision falls within the jurisdiction of the regional court, and pursuant to Section 13(11) of the Kp. the Budapest-Capital Regional Court has exclusive jurisdiction. Under Section 72 of Act CXXX of 2016 on the Code of Civil Procedure (hereinafter: Pp.), applicable pursuant to Section 26(1) of the Kp., legal representation is mandatory in a lawsuit falling within the jurisdiction of the regional court. Pursuant to Section 39(6) of the Kp., unless otherwise provided by law, the application has no suspensory effect on the entry into force of the administrative act. Under Section 29(1) of the Kp. and, in this regard, Section 604 of the Pp., and according to Section 9(1)(b) of Act CCXXII of 2015 on the General Rules of Electronic Administration and Trust Services (hereinafter: E-administration Act), the client's legal representative is obliged to communicate electronically. The time and place of filing the application are governed by Section 39(1) of the Kp. The information on the possibility of requesting a hearing is based on Section 77(1) and (2) of the Kp. The fee for the administrative lawsuit is determined by Section 45/A(1) of Act XCIII of 1990 on Fees (hereinafter: Itv.); Sections 59(1) and 62(1)(h) of the Itv. exempt the party initiating the proceedings from advance payment of the fee. Pursuant to Section 135 of the Ákr., the debtor is obliged to pay a late payment surcharge equal to the statutory interest if it fails to meet its payment obligation on time. Under Section 6:48(1) of Act V of 2013 on the Civil Code, in the case of a monetary debt the debtor must pay, from the date of the delay, default interest equal to the central bank base rate in force on the first day of the calendar half-year affected by the delay.

Budapest, September 2020

Dr. Attila Péterfalvi
President
c. professor