Banner1.png
Banner3.png

NAIH - NAIH-2020/2204/8

From GDPRhub
NAIH - 2020/2204/8
LogoHU.jpg
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 12(4) GDPR
Article 15(1) GDPR
Article 18(1)(c) GDPR
Article 24(1) GDPR
Article 24(2) GDPR
Article 25(1) GDPR
Article 83(2) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 03.09.2020
Published: 22.10.2020
Fine: 20000000 HUF
Parties: Deichmann Cipőkereskedelmi Korlátolt Felelősségű Társaságnak
National Case Number/Name: 2020/2204/8
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Hungarian
Original Source: NAIH (in HU)
Initial Contributor: n/a

The Hungarian DPA (NAIH) fined Deichmann approx. €55700 for breaching multiple GDPR provisions in connection with a data subject access request.

English Summary[edit | edit source]

Facts[edit | edit source]

A customer of the Deichmann company claimed that after an in-store purchase he did not receive the correct amount of money back from the cashier. The customer initially did not notice that he paid with a larger bill, and only later noticed and informed Deichmann.

Since the facts were disputed, the customer asked the company to view the video recording in which the customer appeared as he was paying. Deichmann informed the customer that the recording can only be accessed by the police following an official request. The customer filed a police report, but the camera recording was no longer available by the time of the request.

Following this situation, the NAIH conducted an ex officio investigation into the company and found that Deichmann was operating cameras extensively throughout the country, with cameras in all 129 of its stores.

The DPA found that the controller had breached multiple GDPR provisions in connection to data subject access requests. Amongst these, the company did not keep separate records of the data subject requests that it had been receiving.

Dispute[edit | edit source]

Did the data controller fulfill its obligations under the GDPR in connection with data subject access requests?

Holding[edit | edit source]

The DPA first held that the request to access the camera images does fall within the scope of Article 15(1) GDPR. Furthermore, the NAIH emphasised that the controller's claims were incorrect with regards to the footage only being accessible to the police. Apart from Article 15(3), the DPA held that the data controller must also give data subjects access to the part of the recording in which that person appears.

The NAIH also pointed to the importance of Article 12(4) and offering data subjects adequate explanations on the reasons for a controller's refusal to act on a data subject's request.

Regarding the deletion of the recording, the DPA held that Deichmann breached Article 18(1)(c). The controller should have kept the data following the data subject's request, until his legal claim was settled.

More generally, the DPA emphasised that the controller had failed to fulfill its obligations under Articles 24 and 25 GDPR, as it did not set up appropriate technical and organisational measures in order to ensure and demonstrate that the personal data are processed in compliance with the GDPR.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

Case number: NAIH / 2020/2204/8. Subject: Ex officio decision
                                                                        procedure



                                             DECISION

The National Authority for Data Protection and Freedom of Information (hereinafter: the Authority) is Deichmann
Shoe Trade Limited Liability Company (registered office 1134 Budapest, Kassák Lajos utca
19-25, company registration number: 0109693582; hereinafter referred to as the Debtor or the Company) - 25 May 2018.

for the period from 1 March to 3 March 2020,
the general data protection regulation in accordance with Article 1 of the General Data Protection Regulation
ex officio data protection authority to verify compliance with the requirements set out in
procedure, take the following decisions :.


1. The Authority notes that, in dealing with the requests made by […], the

    (a) infringed the rules on the right of access laid down in Article 15 (1) of the Regulation

        containing provisions

    (b) has infringed Article 18 (1) (c) of the Regulation to restrict data processing
        containing the rules of the law of the


    (c) infringed Article 12 (4) of the Regulation.


2. The Authority shall establish the 25 May and 2018 of the Debtor
the illegality of its procedure in force between 1 August 2006 in so far as it did not do so
appropriate technical and organizational measures to enable camera data management
related data should be ensured in accordance with the provisions of the General Data Protection Regulation.


3. The Authority shall establish the 26 November 2019 established in the course of the management of the rights of the Debtor.
the illegality of its procedure in force between 3 and 3 March 2020 in so far as it does not
has taken appropriate technical and organizational measures to enable camera data management

related rights, in particular the right of access and the processing of data
exercise of the right to restrict - is provided for in the General Data Protection Regulation
be.


4. The Authority shall impose on the Debtor the infringements found in points 1, 2 and 3 during the period under review.
within 30 days of the date on which this Decision becomes final

                                   HUF 20,000,000, ie twenty million forints

                                            data protection fine

obliges to pay.


It shall govern the initiation of judicial review of the measures taken by the Debtor
shall inform the Authority within 30 days of the expiry of the time limit for bringing an action.

The fine shall be imposed by the Authority on centralized revenue within 30 days of the decision becoming final

direct debit forint account (10032000-01040425-00000000 Centralized collection account
IBAN: HU83 1003 2000 0104 0425 0000 0000). When transferring the amount, NAIH / 2020 /




1Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data
and on the free movement of such data and repealing Regulation (EC) No 95/46 (General Data Protection Regulation or GDPR or Regulation) 2





2204/8. JUDGE. should be referred to.

If the Debtor fails to meet his obligation to pay the fine within the time limit, he shall be liable for a penalty payment.
to pay. The amount of the late payment allowance is the statutory interest, which is the first of the calendar semester affected by the delay

equal to the central bank base rate valid on Non - payment of fines and penalties for late payment
In that case, the Authority shall order the enforcement of the decision, the payment of the fine and the penalty payment for late payment.
recovery.


There shall be no administrative appeal against this Decision, but it shall be subject to a right of appeal within 30 days of notification
An appeal addressed to the Metropolitan Court may be challenged in an administrative lawsuit within one day. THE
The application shall be submitted to the Authority, electronically, which shall forward it together with the case file to the
court. The request for a hearing must be indicated in the application. The whole personal
For those who do not receive an exemption, the fee for the court review procedure is HUF 30,000, the lawsuit is material

It is subject to the right to record fees. In proceedings before the Metropolitan Court, legal representation is mandatory.

The Authority shall include the decision on its website with the identification data of the Debtor involved in the proceedings as a client […].
(hereinafter: Customer) without identification data.



                                               EXPLANATORY STATEMENT


I. Procedure and clarification of the facts


I.1. History, notification to the Authority

The National Data Protection and Freedom of Information Authority (hereinafter: the Authority) has received and
NAIH / 2019/2507. In the notification filed under case number, the Client submitted that on May 26, 2018, the

In his obligated shop in Kaposvár (7400 Kaposvár, Achim András utca 4; hereinafter: the Shop)
purchased in the value of HUF nine hundred and ninety forints, after payment he stated that he did not ask for
returning. He also stated that he later noticed that he had paid with twenty thousand forints banknotes, the block
According to him, he received a return of ten thousand to ten forints, but according to his claim he did not receive a return.


On 29 May 2018, the Customer lodged a complaint, about which - on the objection of consumer quality -
minutes were recorded. The record states that the notifier was informed of his complaint
can do to the police.

In a letter addressed to the Company on May 29, 2018, the Client described in detail the

events, and then made a request to the Company to view the
or requested that the camera not be deleted until
the objected case has not been verified. The Applicant also informed the Company that - the Business is past
on his advice - he also approached the police, who recommended that he contact the Society.


The Company responded to the Customer's request dated May 29, 2018 on June 19, 2018. THE
reply letter informed him that camera recording was only for the police - official police
upon request - they can issue it, they can turn to the Somogy County Police Headquarters with a legal remedy.


On May 30, 2018, the Customer also entered his "complaint" in the customer's book in the Store. E
document contains the applicant’s request that “on 26 May 2018 (5:14 p.m.
camera recording is saved by the company’s management ’because this is the only evidence and the
you need the recording to validate your additional needs. The Store in connection with the application it
the remark stated that “At the closing of the current day’s cash register, the cash surplus, the cash surplus is not

generated ’. 3





On June 25, 2018, the Client filed a police report against an unknown perpetrator, however, the police
during the procedure, camera recording was no longer available at the time of the request.

The Authority has instructed the Client on the types of procedures that can be initiated at the Authority and their

the manner and conditions of initiating an investigation by the Authority after training
did not submit a request for formal proceedings.

I.2. Official control initiated ex officio


I.2.1. In view of the above, the Authority considered it appropriate to initiate an ex officio official review
in order to check whether the Company complies with the data management practices applied by it
requirements of the General Data Protection Regulation. Official inspection on 12 December 2019
started NAIH / 2019/8543. case number. During the official control, the Authority found that:

The company operated cameras extensively throughout the country, operating cameras in all 129 of its stores
period.

During the official inspection, the Company stated that there was only one during the period under review
a request has been received “on this subject” (i.e. in relation to access to camera recordings) a

To company. The access right was not managed on the basis of a central instruction, but by a faulty individual
caused by a decision which, in the opinion of the Company, is an internal regulation in accordance with the regulation
absence at that time: when the decree became applicable, on 25 May 2018, the Company had not yet
had no internal data management regulations for camera recordings, so it was not
regulating, inter alia, the way in which applications from the data subject are to be handled.


The Company itself acknowledged that, in its view, it had not complied with the Regulation
processing of the stakeholder request received during the investigation period.

The Company has identified the need to regulate surveillance systems used in stores

therefore between 18 June and 1 August 2018 in all its stores
made the decision to turn off the camera system until proper control was achieved
prepare.

The Company 's regulations for the electronic monitoring system (hereinafter: the Regulations) 2019.

adopted on 26 November 2006, which contains, inter alia, detailed instructions on how to
how to handle stakeholder requests for access to camera recordings. From this day
the Company again recorded the camera footage, which it stores for 7 days.

I.2.2. In this connection, the Code states that “A person whose right or legitimate interest is concerned

the recording of the image affects, you may, by proving your right or legitimate interest, request that the recording be
not be destroyed or erased by the controller until requested to do so by a court or authority, but not later than 30
napra. The person included in the recording may also request that the controller inform in writing what
can be seen in the recording containing him. The data subject can only receive a copy of a recording on which another person has it
not or only in an unrecognizable way. If the above cannot be met, the data controller will provide it

for the data subject to view the recording that contains him or her. Review camera footage
can only be performed at the headquarters of Deichmann Cipőkereskedelmi Kft., outside of which the data subject
the auditor and other staff entrusted with technical tasks by the director may be present. "


The Regulations also state that applications are addressed to the registered office of the Company or to the
can be delivered to the e-mail address adatvedelem@deichmann.com, which the Company will receive upon receipt of the application.
examine and provide information on the measures taken within one month.

The Code also provides information that you can assert your rights before the court concerned, and a

You can also file a complaint with an authority. 4





I.3. Official procedure initiated ex officio

I.3.1. In view of the information revealed during the official inspection, the Authority stated that
made it probable that the Company violated the provisions of the General Data Protection Regulation, 2020.

On 4 March, it decided ex officio to initiate official data protection proceedings.

The official procedure was aimed at verifying that the Company was general during the period under review
whether the data subject has received or received the data subject's requests in accordance with the Data Protection Regulation

its practice in dealing with the exercise of rights has been complied with in the General Data Protection Regulation
included.

Although the Authority, following the alleged infringement found at the time of the notification,
the Company reported on its general practice in the management of rights, the Company reported

that it received a single request from a interested party during the period considered. Because it affected the Company in this way
the identity of the person exercising his rights, ie the Client, has become identifiable and the Authority, as
The company claimed that there was no such claim - the findings were specific to it
can do it. In view of this, the Authority involved the Client as a client on 4 June 2020
dated, NAIH / 2020/2204/6. in order no.


I.3.2. During the official proceedings, the Debtor stated that it had received inquiries from customers
the following records are maintained: Conciliation Board inquiries (4-500 inquiries per year),
letters of complaint received by e-mail (1192 letters at the time of the Debtor's letter of 24 March),
buyers book. On the basis of the Debtor's statement, the Authority found that during the period under review

the Debtor has not kept separate records of the data subject's exercise of data protection
inquiries.

The Debtor stated that between 25 May and 1 August 2018, the cameras recorded the
image, between August 1, 2018, and November 26, 2019, the monitors showed a mere live image, and then

From November 26, 2019, the recording of camera recordings resumed.

The Debtor has sent a letter dated 15 June 2018 entitled “33. circular ’, which
circular 5.4. contains the Debtor's decision to operate the cameras in all
shop shut down.


In the first period (May 25-August 1, 2018), the adhesive around the entrance and inside the store
provided information on the fact of camera data management with stickers. According to Annex 2 / A sent, a
information was provided with the following text: “Camera monitored area. The recording is for recording
costs. ".


In the second period (1 August 2018 to 26 November 2019) on viable observation also a
glued stickers provided information. A 2 / C. The following wording has been added in accordance with Annex
for deployment: “Camera monitored area”. Section 3.3.1 of the Annex provided guidance on what
stickers should be placed on the doors. A 3.3.1. to place the “Camera Monitored Area” sticker

he instructed that this sticker should only be placed in stores where the camera
records.

In the third period (from 26 November 2019), the information shall be affixed to the shop and to the mirror.

it happened with stickers. In addition, the Debtor provided information to its employees on the special a
also in the data management information prepared for them.

I.3.3. On December 20, 2019, the Company sent it to all stores, area managers, decorators
and Helpdesk Circular No. 66. In Circular 66, the Company expressly requested the employees to

to read the information on camera data management in addition to the information for employees a
version for customers, so that they know what permissions customers have
when retrieving camera recordings. 5






I.3.4. The Debtor further submitted that the Authority take the following facts as mitigating
as a circumstance: the Debtor ordered the data processing after recognizing the infringing condition
elimination; On November 26, 2019, the Electronic Surveillance Systems Act was adopted

regulations; only one stakeholder request was received during the period considered; privacy
with the involvement of legal professionals, the transformation of data management practices is under way; the notifier is so
tried to compensate for the fact that he had been offered thirty thousand forints, which the applicant did not accept.
el.


II. Applicable law

Infotv. Pursuant to Section 2 (1), the scope of this Act - with regard to personal data
as defined in paragraph 1, covers all processing of personal data

and data of public interest or data of public interest.

Infotv. Pursuant to Section 2 (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council
(hereinafter referred to as the General Data Protection Regulation)
the Data Protection Regulation in Annexes III-V. and VI / A. Chapter 3 and Sections 3, 4, 6, 11, 12, 13, 16, 17, 21,

23-24. Section 4 (5), Section 5 (3) to (5), (7) and (8), Section 13 (2)
§ 23, § 25, 25 / G. § (3), (4) and (6), 25 / H. § (2)
paragraph 25 / M. § (2), 25 / N. §, 51 / A. § (1), Articles 52-54. §-
in Section 55 (1) - (2), Sections 56-60. §, 60 / A. § (1) - (3) and (6), § 61 (1)
paragraph 61 (a) and (c), Section 61 (2) and (3), paragraph (4) (b) and paragraphs (6) to (10)

paragraphs 62 to 71. §, § 72, § 75 (1) - (5), § 75 / A. § and 1.
shall apply with the additions set out in Annex I.

Infotv. Pursuant to Section 60 (1), in order to enforce the right to the protection of personal data
the Authority may initiate ex officio data protection authority proceedings.


According to recital 171 of the General Data Protection Regulation, the application of this Regulation
within two years of the entry into force of this Regulation
should be brought into line with this Regulation. If the processing is based on consent under Directive 95/46 / EC
and the data subject has given his or her consent in accordance with the conditions laid down in this Regulation

request the data subject's consent again in order to allow the controller to apply this Regulation
continue data management after that. Decisions taken by the Commission under Directive 95/46 / EC
and authorizations issued by supervisory authorities shall remain valid until
they shall not be amended, replaced or repealed.


Pursuant to Article 2 (1) of the General Data Protection Regulation, this Regulation applies to personal data
automated processing of data in whole or in part and their personal data
non-automated processing of data which are part of a registration system
or which are intended to be part of a registration system.


Processing of personal data under Article 5 (1) (a) of the General Data Protection Regulation
be carried out lawfully and fairly and in a way that is transparent to the data subject ("legality,
fair procedure and transparency ’).


Pursuant to Article 12 (1) of the General Data Protection Regulation, the controller is appropriate
take measures to ensure that the data subject
all the information referred to in Articles 13 and 14 and Articles 15 to 22. and Article 34
information in a concise, transparent, comprehensible and easily accessible form, in a clear and comprehensible manner
particularly in the case of any information addressed to children. The

information shall be provided in writing or by other means, including, where appropriate, by electronic means. The
oral information may be provided at the request of the data subject, provided that the data subject has been otherwise substantiated
identity. 6






Pursuant to Article 12 (4) of the General Data Protection Regulation, if the controller does not do so
measures at the request of the data subject, without delay, but no later than upon receipt of the request
inform the person concerned of the reasons for the non-action and of the

that the person concerned may lodge a complaint with a supervisory authority and have the right to a judicial remedy.

Information pursuant to Articles 13 and 14 pursuant to Article 12 (5) of the General Data Protection Regulation
and 15-22. The information and action provided for in Articles 31 and 34 shall be provided free of charge. If concerned

request is manifestly unfounded or, in particular due to its repetitive nature, excessive, the controller,
the provision of the requested information or information or the taking of the requested action
administrative costs:

Pursuant to Article 13 (2) (b) of the General Data Protection Regulation, the controller (…) is personal

at the time of data acquisition, in order to ensure fair and transparent data management
inform the data subject of his or her right to request from the controller the
access, rectification, erasure or processing of personal data relating to
and may object to the processing of such personal data as well as to the data subject
the right to data portability.


Pursuant to Article 15 (1) of the General Data Protection Regulation, the data subject is entitled to:
receive feedback from the data controller that your personal data is being processed
and if such processing is in progress, you have the right to access the personal data (…)
access.


Pursuant to Article 15 (3) of the General Data Protection Regulation, the controller is the subject of the processing
provide the data subject with a copy of the personal data Additional requested by the data subject
for copies, the controller may charge a reasonable fee based on administrative costs.
If the data subject submitted the application electronically, the information was widely used

shall be provided in electronic format, unless otherwise requested by the data subject.

Pursuant to Article 15 (4) of the General Data Protection Regulation, the copy referred to in paragraph 3
the right to claim must not adversely affect the rights and freedoms of others.


Pursuant to Article 18 (1) (c) of the General Data Protection Regulation, the data subject is entitled to:
at the request of the data controller, the data processing shall be restricted if the data controller no longer needs the personal data
data for data processing purposes, but the data subject requests them for legal claims,
to enforce or protect.


Pursuant to Article 24 (1) of the General Data Protection Regulation, the controller is the nature of the processing,
its scope, circumstances and objectives, as well as the rights and freedoms of natural persons,
appropriate technical and organizational measures taking into account the varying probability and severity of the risk
take measures to ensure and demonstrate that the processing of personal data e
in accordance with this Regulation. These measures shall be reviewed by the controller and, if necessary,

it updates.

Pursuant to Article 24 (2) of the General Data Protection Regulation, if it is a data processing activity
as part of the measures referred to in paragraph 1

it also applies internal data protection rules.

Pursuant to Article 25 (1) of the General Data Protection Regulation, the controller is a science and technology
the nature, scope, circumstances and purposes of the data processing,
and the rights and freedoms of natural persons

taking into account the severity of the risk, both when determining the method of data processing and
it shall take appropriate technical and organizational measures, such as pseudonymisation, in the course of data management
implemented, on the one hand, to ensure the effective application of data protection principles such as data retention 7





requirements of this Regulation and the rights of data subjects
incorporate the necessary safeguards into the data management process.

According to recital 78 of the General Data Protection Regulation, natural persons

the protection of the rights and freedoms with regard to the processing of their personal data requires
appropriate technical and organizational measures to ensure that the requirements of this Regulation are met
adoption. In order for the controller to be able to demonstrate compliance with this Regulation, it shall be internal
apply the rules and implement measures that comply

in particular the principles of privacy by design and default.

Infotv. In its decision made pursuant to Section 61 (1) (a) of the Data Protection Authority proceedings
the Authority in connection with the data processing operations specified in Section 2 (2) and (4) a
may apply the legal consequences set out in the General Data Protection Regulation.


Pursuant to Article 58 (2) (b), (d) and (i) of the General Data Protection Regulation, the supervisory authority
condemning the controller or processor, acting in its capacity to rectify, if it is a data controller
infringed the provisions of the Regulation or administrative proceedings in accordance with Article 83
impose the fine on the measures referred to in this paragraph, depending on the circumstances of the case

in addition to or instead of them.

Pursuant to Article 83 (5) of the General Data Protection Regulation, the principles of data processing, including
Articles 5, 6, 7 and 9 of the General Data Protection Regulation
in accordance with Article 83 (2), a maximum of EUR 20 000 000

or, in the case of undertakings, the full financial year of the previous financial year
up to 4% of its worldwide turnover, with the higher of the two
an amount shall be charged.

III. Decision:


The General Data Protection Regulation shall apply from 25 May 2018, ie on 26 May 2018
applications submitted in the following days
should be used.


However, the Regulation entered into force on 27 April 2016 and recital 171
for data processing started before the date of application of this Regulation
The data protection rules provided for a "grace period" of two years from the date of entry into force of this Regulation
to comply with this Regulation.


Although the period under review does not cover data processing prior to 25 May 2018, the Authority
notes that the data protection rules also ensure that the data subject is exercised during this period
was of paramount importance: the right of the data subject to information was granted by Infotv. also recorded and the Authority's practice
This right also included the right to inspect the camera recordings concerned and to block them
In terms of the content of the right, the data processing regulated in the GDPR was a similar legal institution

the way in which the applicant submitted the applications had to be known
would have been in front of the Company.

III.1. Handling Customer's affected requests


As the Company reported that it received a single request from interested parties during the period considered,
and thus the identity of the person exercising his / her rights at the Company became identifiable, the Authority a
Findings received by the Company regarding the handling of a stakeholder application specifically to the Client
it does.


III.1.1. The Client's request addressed to the Company on May 29, 2018 stated that it wished
to view the named camera image requested in accordance with Article 15 (1) of the Regulation





constitutes a request for access on the basis of which the Company has access to personal data
would have been obliged to ensure that the Client had access to the recordings made about him.

It appears from the Company's letter of June 19, 2018 that the Company informed it

the Client that they can take camera footage only to the police - upon official police request
may appeal to the Somogy County Police Headquarters.

The Authority first of all notes that the camera footage of a data controller is not limited to the police

but, in addition to the fact that it is otherwise required to provide any information
court or authority, in accordance with Article 15 (3) of the GDPR
it must give a person access to the part of the recording in which that person is
person is listed.


However, Customer did not request the release of the original camera image or a copy thereof
From the Company, but to have access to the recorded recordings, while the Company is the recording
He did not recognize the difference between the need to view the recording and the need to publish the recording and judged it
request as if the Customer had requested the release of the recording, when otherwise to view the recording
and the right to issue a copy of the recording.


Thus, the Company, in addition to not allowing access to the recorded camera footage, nor
neither the fact of refusal of access nor the reasons for refusal of access
information.


Based on the above, the Authority found that although the Company is defined by the GDPR as one month
answered the Client's request for the exercise of the rights of the data subject within the time limit, did not state the reasons,
why he does not allow him access to the recordings or the exercise of the data subject's rights
denied it on appropriate grounds, so that the management of the Client 's right of access did not comply with the
Article 15 (1) of the GDPR.


If a data controller refuses to comply with the data subject's request, ie as a result
does not take any action, so in the present case, if the Company decides to do so for the Customer
does not grant him access to the camera footage taken of him, the GDPR
Under Article 12 (4), he must inform him, in addition to giving details of the reasons for the refusal, that:

that you can lodge a complaint with a supervisory authority (i.e. in this case the Authority) and live
with the right to go to court.

Information on the right to a remedy is particularly important in the management of data subjects' rights,
whereas a person less familiar with data protection law is not necessarily aware of it

by which authority you can turn to in the event of a restriction, in the absence of this knowledge
the violation or restriction of rights that may have befallen him or her will remain unresolved. This is borne out by the fact that in the present case a
nor was the notifier aware that his application concerned a data subject
which, in the event of its refusal, may be referred to the Authority. By the time the notifier is correct
he became aware of the Remedies Forum, it was so long that it was made about it

the Company no longer had camera footage, so the Authority could not oblige the Company to
the execution of the data subject's request.

Based on the above, the Authority has determined that in refusing the Client 's request for access, the

Company has not acted pursuant to Article 12 (4) of the GDPR, hence the Customer’s request for access
did not meet the requirements of the GDPR.

III.1.2. The Customer's request dated May 29, 2018 also includes that camera recording until then
do not delete it until the case he or she objects to has been verified. The Customer is dated May 30, 2018

request states in more detail that ‘the camera recording of 26 May 2018 (taken at 5:14 p.m.)
save the management of the company ”because this is the only evidence and additional needs of the applicant
you need the recording to validate. 9






Pursuant to Article 18 (1) (c) of the Regulation, any interested party whose legal claims may be
in order to validate or protect the personal data processed about him, he is entitled to
at the request of the controller, the data shall not be “deleted”, even if the controller, otherwise

beyond a specified retention period - you no longer need personal data for data processing
for the purpose of.

Without restricting data processing, it could be a common situation to request the data subject's legal needs

enforce (e.g., file a complaint with the police or initiate court proceedings) and the commencement
procedure, if the acting body requests the camera recording necessary for the proof, the data would no longer be available
at the disposal of the data controller, as the retention period required for the purpose of data processing is already in place
letelne. This is also confirmed by the case of the Client, when - on the advice of the Company - he made a police report,
however, when the proceedings have reached the stage where the police request the named recording, the

Company - as the Client's request was not taken into account - it had been canceled by then, so the police
the applicant's allegations or the contrary were not substantiated in the proceedings.

Enforcing the right to restrict data processing may be particularly important in a business premises
in the case of an operated camera system where money is managed, as both the buyer and the seller

on the other hand, there may be a need to use the recording in the proceedings if they are unaware of a contentious situation
to decide. Without the availability of recordings, both parties may be harmed, as only the camera recording
it can be proved how much the buyer has paid and how much the seller has paid
received, so the seller may not return it to the buyer badly, so there may be a shortage in the cash register,
or the buyer pays more money for the product than it would actually cost.


It is clear from the reply to the request, both on 29 May and 30 May 2018, that the
Company to "save the recordings" or "do not delete them until checked",
he did not react in any way.


In response to a letter dated May 29, the Company only stated that the camera recording was only
police have the opportunity to hand it over, however, it did not elaborate on the obstacle to the recordings
the fact that he does not keep the recordings beyond the normal retention period,
also did not provide information to the Client, but clearly refused to comply with the request,
as he no longer had the recordings during the police proceedings.


In its reply to the letter dated 30 May, the Company also did not explain why it did not retain the
recordings beyond the normal retention period, nor did it provide information on the fact of refusal
nor, merely that “at the closing of the cash register of the given day, no cash surplus or cash was generated”.


Based on the above, the Authority has determined that the Company intends to restrict the Client's data management
infringed Article 12 (4) and Article 18 (1) of the GDPR in the handling of his application
(c).

III.2. The Debtor's data management practice between 25 May and 1 August 2018


Although the Company identified only one stakeholder application during the period considered, the Authority
did not accept the declaration, as it was the conclusion based on the handling of the only known request
it can be deduced that the Company did not recognize, prior to the initiation of the Authority’s proceedings, that the

application is subject to data protection, which is included in Annex GDPR III. the exercise of the rights of data subjects under Chapter

III.2.1. On May 29, 2018, the employee filed a consumer protection complaint in the Kaposvár store a
application because it did not detect that the application was subject to data protection. The consumer complaint is recorded
according to the minutes, the acting employee also consulted with the sales department, where they also did not know

identify the stakeholder request: the sales department also suggested that the Customer do
report. 10





On May 30, 2018, an employee of the Kaposvár store recorded the application in the customer's book.
with the Client, who has also not noticed that the application constitutes an exercise of rights by the data subject.

Nor could the customer service assistant, who was the Customer’s

by letter dated 18 June 2018 to the registered office of the Company
or if the senior official, as the addressee of the letter, himself
he read, not even the senior official himself.


As the Company itself stated that the improper handling of the data subject's claim was due to
that the Company has no data protection regulations regarding camera recordings at all during this period
provided, the Company may have more than one known request for privacy
However, as with the known application, they were not identified
as a data protection submission.


This is also confirmed by the fact that the Company kept a systematic record of incoming messages, but
did not separate the data subject submissions concerning data protection, but the Customer - otherwise data protection
as a consumer protection complaint, as well as in the customers' book
has been recorded. The Company kept three different records of incoming submissions

(Conciliation Board inquiries, e-mail complaints, customer book), but this does not mean
that other privacy notices could not have been received by the Company as the notifier
his application was also considered a complaint or an entry in the purchasers' book.

III.2.2. Article 24 of the GDPR contains the general obligations of the controller: this is the basis for the controller

shall take appropriate technical and organizational measures to ensure and demonstrate this
to ensure that personal data are processed in accordance with the GDPR. If it is data management
proportionate to the activity, the controller shall, as part of these measures,
also apply internal data protection rules.


Article 25 of the GDPR specifies the general obligations set out in Article 24: in this Article
the principle of regulated built-in and default data protection explicitly requires that data subjects be involved
the guarantees necessary for the protection of the rights of the data controller should be incorporated by the data controller into the data management process, ie
data protection considerations should be reflected in the design process and not in the established practice
the necessary measures should be taken.


All this means that the Company is already in the process of planning and developing camera data management - that is
before installing the cameras - you should have brought them to the organizational or technical
measures to be taken by the parties concerned in accordance with GDPR III. they can secure their rights under Chapter


These measures include, on the one hand, internal procedures for the management of data subjects' rights
designation of, inter alia, the person responsible for handling the requests of the data subject; to form
the channels through which the Company can receive the requests of the data subject, and, where applicable, the Data Protection Officer
designation; to establish the rules of the exercise of the rights of the data subject (eg the Company is made in stores
the right to access the camera in person, by post or electronically);

take appropriate data security measures; keep a register of data processing in accordance with Article 30.

The necessary measures also include appropriate information practices for those concerned
in which stakeholders are informed about the fact of data management and most importantly

including their rights to camera data management
and to whom and what contact details they may make their requests
they may receive a reply within the time limit or, in the event of disagreement, to which body
for redress.


Given that the Company has extensive coverage in the country, in all 129 of its stores
operated cameras during this period, the Authority considers that camera data management
proportionate expectation that the Company, in compliance with Article 24 (2) of the GDPR, will





also apply appropriate internal data protection rules. The Company would have been needed in this area
all its employees working with customers, in particular in the sales area and
customer service staff - teaching you what to do with camera data management under the GDPR
affected requests may occur, how to identify and distinguish these requests from others

submissions, complaints, how to handle these requests, which organization within the Company
these requests shall be forwarded to the unit.

Failure to take all of these measures has resulted in the Company not, as detailed above

recognized that the only known request for access under Article 15 (1) of the GDPR was
It shall be deemed to be a request for restriction pursuant to Article 18 (1) (c). This has led to the Company -
despite repeated requests from the applicant - did not give the applicant access to the information about him
camera recording, or restrict it. Furthermore, the Company did not inform the notifier that
appeal to the courts or the Authority, but erred in pointing out that the

camera footage can only be issued to the police upon official police request,
you can appeal to the Somogy County Police Headquarters.

Given that the Company during this period is the camera data management, so is the camera
with regard to the exercise of data subjects' rights in relation to data processing

infringed Article 25 (1) of the Regulation.

III.3. Evaluation of the Debtor's data management practices performed after 26 November 2019

Regulations governing the data management practices of the Company during the operation of the camera system

It was adopted on November 26, 2019, which includes, among other things, detailed instructions to that effect
on how to deal with stakeholder requests related to camera recordings.

III.3.1. Rules for handling access requests


The Regulations regulate three rights in the context of access to camera recordings: a
requesting written information about events recorded on camera footage, requesting a copy a
camera recording, view the camera recording.

The Regulations restrict the right of the persons concerned to issue a copy, as the Company is this document

issue a copy of the recording to the data subject only if outside that data subject
no other person is listed. If the data subject requests the release of a recording which includes other
you will only be able to view the contents of the recording if you get tired of the Company's headquarters
(To Budapest) and watch the recording there. The Company applies this practice despite the fact that a
Article 15 (3) of the GDPR clearly states that the controller is concerned

shall, at his request, provide a copy of the recording to the person concerned: he shall be free of charge for the first time
this can be done by the data controller, while for other occasions you may charge a fee for making a copy.

Based on the above, the Company is therefore obliged to issue copies, during which - Article 15 of the GDPR
Paragraph 4, it shall ensure that the request for access of the data subject is complied with

the rights of another person are not infringed. As the obligation to issue copies to the Company from this
Article 15 (4) of the GDPR does not have to be
in the case of other persons covered by this Regulation, the data recording requested by the
copy, but must be guaranteed by the Company by appropriate technical measures (eg masking),

that the rights of other persons on the recording are not infringed while the data subject requests access
fulfills. The restriction of the rights of the data subject in this way is particularly significant because the Company is
It has business premises in a significant number of cities in the country, more than fifty
all stakeholders are expected to travel several hours to the capital headquarters if the content of the recordings
you want to know.


The Regulations also limit the right of data subjects to view the recording, as the
It follows from the wording that it is only possible to view the recording in the Company 's 12





if a person other than the data subject is included in the recording, thus - based on their own practice
- cannot record the camera image.


The right to issue the copy in question is therefore provided for in Article 15 (3) of the GDPR, while the
access to personal data pursuant to Article 15 (1) of the GDPR
means. These two rights are two different sub-rights to the right of access under Article 15 of the GDPR,

each of which belongs to the person concerned separately, so that it is not appropriate to a
practice if you can practice one (view a recording) if the other (view a recording)
copy) cannot be complied with, but the data subject's request must be in accordance with the content of the request
whether you are requesting a copy of the recording or viewing the recording.


However, Article 12 (5) of the GDPR gives the controller a limited possibility to
refuses to take action on the application of the person concerned (in this case, the
or a copy thereof), but only if it is
in the opinion of the person concerned, is manifestly unfounded or excessive.


Based on the above, the Authority has determined that the development of the Company's data management regulations
has taken organizational measures which do not guarantee the right of access of data subjects to
Under the conditions set out in Article 15 (1) and (3) of the GDPR, thereby infringing the GDPR

Article 25 (1).

III.3.2. Designed to handle requests to limit data processing
regulation


The Code states that “the person whose right or legitimate interest is in the recording of the image
may, by proving his right or legitimate interest, request that the recording not be destroyed by the controller
or deleted until requested to do so by a court or authority, but for no longer than 30 days ’.

                                                                           2
The Authority first states that this provision was previously amended by Act no. contained which provision
however, after the GDPR becomes applicable on 25 May 2018, it is necessary for implementation
has been changed due to legal harmonization, and at the time of the creation of the Regulations, the
contained this provision.


The Authority further notes that the provisions of the GDPR apply to Hungarian legal entities from 25 May 2018
are directly applicable, except for those for the full application and implementation of
additional provisions provided for in the national legislation of some Member States are necessary. In addition, the regulation

it gives Member States, to a limited extent, an additional or comparable option
different rules in a certain direction, but the exercise of the rights of the data subject does not fall
that is to say, if the data subject requests the controller to restrict the processing, it shall inform the controller
you have to implement.


Neither the GDPR nor the Svv. no longer contains a rule that would require data management only
may be limited to a maximum of 30 days from the date of the request, since if it is
30 days after receipt of the request for a restriction on data processing
would delete the recordings requested to be restricted, it would not help to enforce your rights in that case

because the procedure it has initiated would not yet reach the stage where
that the acting body seek the data controller in possession of the recording.

Furthermore, the GDPR exercises the right to restrict data processing - or the right of any data subject

does not impose a condition for the exercise of the right of restriction
it would be required to prove the right or legitimate interest of the data subject.




2
 Act CXXXIII of 2005 on the rules for the protection of persons and property and for the activities of private investigators. Act (hereinafter: the Act) 13





The interpretation of the right to restrict data processing in this way is restrictive, so the Company
has taken organizational measures that it has not
ensure the right of data subjects to restrict data processing under the conditions provided for in Article 18 of the GDPR
thereby infringed Article 25 (1) of the GDPR.


ARC. Sanction and justification applied

The Authority found that during the data processing performed by the Debtor during the examined period - the III.1.

- in the course of handling the Client's exercise of the rights of the data subject, violated Article 12 of the Decree.
Article 15 (4), Article 15 (1) and Article 18 (1) (c) respectively. The Obliged
- a III.2. and III.3. infringed Article 25 (1) of the Regulation. This infringement
the Authority considered it appropriate to impose a fine as follows.


As to whether the imposition of a data protection fine is justified, the Authority should
Article 83 (2) of the Regulation and Infotv.75 / A. § under the ex officio consideration of the case all
and found that there was no warning in the case of the infringement found in the present proceedings
it is neither a disproportionate nor a dissuasive sanction, so it is necessary to impose a fine.


The Authority considers it necessary to impose a fine, as the Debtor in the period under review 2019.
until 26 November, no data protection regulations will apply to camera recordings
that is to say, it did not take the necessary organizational measures to ensure that the
the exercise of the rights of the parties concerned should be ensured in accordance with the provisions of the GDPR, which has resulted in the
The Debtor has violated the Customer's right to access or restrict data processing.

Furthermore, the data management regulations of the Debtor established on November 26, 2019 are still not in force
complies with the provisions of the GDPR, disproportionately restricts access to those concerned, and
the right to restrict data processing, so that the measures taken at that time are still inadequate,
as they do not ensure the exercise of the rights of data subjects in accordance with the requirements of the GDPR.


In view of this, the Authority Pursuant to Section 61 (1) (a), they are contained in the operative part
and in the present decision ordered the Debtor to pay a data protection fine.

The amount of the fine was determined by the Authority acting in accordance with its statutory discretion.


Depending on the nature of the infringement, the maximum amount of the fine that may be imposed under Article 83 (5) of the GDPR
EUR 20 000 000 or, in the case of the Debtor, the previous financial year in full
up to 4% of its worldwide turnover, whichever is the higher.

Depending on the nature of the breach, in breach of the principle of privacy by design and by default, the

the maximum amount of the fine under Article 83 (4) (a) of the GDPR is EUR 10 000 000 and the amount of the
not more than 2% of the total worldwide turnover in the preceding business year, whichever is the higher.

In imposing the fine, the Authority took into account the following factor as an aggravating circumstance:


    the Customer 's request to the data subject was not properly processed because the Debtor was a
        Regulation becomes operational when it becomes applicable - operated by it
        camera system - did not have any at all: the notifier wanted to do so in several forums
        to exercise his rights as a data subject, however, none of the Defendant’s employees recognized that the applicant

        his request is considered to be a data protection exercise of the data subject - committed by the Debtor
        an infringement is therefore considered to have been committed with serious negligence [Article 83 (2) GDPR
        paragraph (b)]

    - during the development of the regulations in force by the Debtor since 26 November 2019
        the organizational measures taken disproportionately impede the access or
        the right to restrict data processing [Article 83 (2) (a) GDPR]; 14





    - the Debtor is fully liable both for the breach committed against the Client and
        and for the development of a restrictive practice that has existed ever since, as it is under Article 25
        it would have been his responsibility to take action [Article 83 (2) (d) GDPR];

    - the Debtor is subject to extremely serious negligence in relation to the data processing in question due to the fact that
        despite the order of magnitude more affected by the larger number of its stores

        should have prepared for a request for the exercise of a right, its organizational arrangements are still such
        nor were they capable of identifying and handling applications and it can therefore reasonably be assumed that
        the right of access was not properly exercised not only in the specific case examined, but also at other times
        [Article 83 (2) (b) GDPR].


In setting the fine, the Authority took into account the following mitigating circumstances:

    - the Debtor offered the applicant thirty thousand forints to alleviate the damage suffered by the applicant
        [Article 83 (2) (c) GDPR];

    - the Debtor already facilitates lawful data management during the official control
        took action, so in Circular 66 he drew his staff’s attention to read the
        prepared a camera brochure for customers in order to be aware of the

        the rights conferred on data subjects by the GDPR [Article 83 (2) (f) GDPR];
    - the Debtor has complied with the cooperation with the Authority to such an extent

        obligation to admit the infringement itself [Article 83 (2) GDPR
        point f)].


In imposing the fine, the Authority took into account the following other factors:

    - during the period under review, the Debtor has identified a single claim, thus according to his statement
        committed a single infringement in the processing of the applications concerned, but

        Authority did not accept this statement of the Debtor [Article 83 (2) (k) GDPR];
    - the processing did not affect specific categories of personal data [Article 83 (2) GDPR

        paragraph (g)];
    - the fine imposed is able to achieve its purpose if its amount - the Obliged sales

        relative to its turnover - appreciable;
    - net sales revenue according to the Debtor's 2018 report, as last published

        Was HUF 33,645,000,000, the amount of the data protection fine imposed is based on the net sales
        0.0594% of its turnover.

The Authority did not consider Article 83 (2) (e), (h), (i) and (j) of the GDPR to be relevant for the imposition of fines.
as they cannot be interpreted in the context of the specific case.


In setting the fine, the Authority did not consider it relevant that the
“Not a central instruction” but was the result of an “erroneous individual decision” as the Authority
in his opinion, the Debtor is also liable in this case.


ARC. Other issues:

Infotv. Pursuant to Section 60 (1), in order to enforce the right to the protection of personal data
the Authority may initiate ex officio data protection authority proceedings. The data protection authority procedure is general
CL of 2016 on administrative order. (hereinafter: Ákr.) shall apply

with the additions specified in the Infotv.

The Acre. Pursuant to Section 103 (1) of the Act, ex officio proceedings procedures initiated upon request
The relevant provisions of Art. 103–105. With the exceptions contained in §. 15





Infotv. Pursuant to Section 38 (2) and (2a), the Authority is responsible for the protection of personal data, and
monitoring the exercise of the right of access to data in the public interest and in the public interest
and promoting. The tasks set out for the supervisory authority in the General Data Protection Regulation
and powers with respect to entities under the jurisdiction of Hungary in the context of general data protection

as defined in the Decree and the Information Act. The powers of the Authority shall be:
covers the whole country.

Infotv. 75 / A. § according to Article 83 (2) - (6) of the General Data Protection Regulation

shall exercise its powers in accordance with the principle of proportionality, in particular by:
legislation on the processing of personal data or in a binding act of the European Union
for the first time in the event of a breach of the rules, to remedy the breach
in accordance with Article 58 of the General Data Protection Regulation, in particular the controller or the processor
shall act with a warning.


The decision is otherwise based on Ákr. Sections 80 and 81 shall apply.

The Acre. § 112 and § 116 (1) and § 114 (1) against the decision
there is a right of appeal through an administrative lawsuit.


The rules of administrative litigation are laid down in Act I of 2017 on the Procedure of Administrative Litigation (hereinafter:
Kp.). A Kp. Pursuant to Section 12 (2) (a), against the decision of the Authority
administrative lawsuit falls within the jurisdiction of the court, the lawsuit is subject to the Kp. Pursuant to Section 13 (11), the Capital
The General Court shall have exclusive jurisdiction.


CXXX of 2016 on the Code of Civil Procedure. Act (hereinafter: Pp.) - the Kp. § 26 (1)
applicable pursuant to § 72 - in a lawsuit falling within the jurisdiction of the tribunal
representation is mandatory. Kp. Pursuant to Section 39 (6), unless otherwise provided by law, the application
has no suspensory effect on the entry into force of the administrative act.


A Kp. Section 29 (1) and with this regard Pp. Applicable according to § 604, electronic administration
and Act CCXXII of 2015 on the general rules of trust services. Act (hereinafter: E-
according to Section 9 (1) (b) of the Administrative Procedure Act), the legal representative of the client for electronic communication
obliged.


The time and place of the filing of the application is Section 39 (1). Holding the hearing
Information on the possibility of applying for It is based on Section 77 (1) - (2). The administrative lawsuit
XCIII of 1990 on Fees. Act (hereinafter: Itv.) 45 / A. § (1)
Define. From the advance payment of the fee, the Itv. Section 59 (1) and Section 62 (1) h)

exempts the party initiating the proceedings.

The Acre. Pursuant to Section 135, the debtor is obliged to pay a late payment supplement corresponding to the statutory interest
to pay if it fails to meet its payment obligation on time.


Act V of 2013 on the Civil Code 6:48. § (1) in the case of a debt
the debtor shall, from the date of the delay, on the first day of the calendar half-year affected by the delay
shall pay default interest equal to the applicable central bank base rate.


Budapest, September 2020 ""


                                                                Dr. Attila Péterfalvi
                                                                       President

                                                                 c. professor