NAIH - NAIH/2020/2000/5

From GDPRhub
NAIH - NAIH/2020/2000/5
LogoHU.jpg
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 5(1)(a) GDPR
Article 12(2) GDPR
Article 13 GDPR
Article 58(2)(d) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 03.08.2020
Published: n/a
Fine: None
Parties: n/a
National Case Number/Name: NAIH/2020/2000/5
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Hungarian
Original Source: NAIH (in HU)
Initial Contributor: n/a

The Hungarian DPA (NAIH) held that the "data management prospectus" of a controller did not meet the standards required by the GDPR, and ordered the controller to bring its policy in line with Articles 12 and 13 GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

After being notified and in light of previous interactions with the controller, the NAIH initiated an ex officio proceeding to examine, amongst other things, the "data management prospectus" of the controller.

Dispute[edit | edit source]

Was the controller's data management prospectus" in line with the GDPR?

Holding[edit | edit source]

The NAIH held that several elements of this prospectus were not in line with the requirements in Articles 12 and 13, including:

  • misleading information to data subjects about the retention of data and its possible transfer to a third party;
  • the legal basis for the processing not being clearly indicated;
  • a lack of information for data subjects regarding how to exercise their rights, such as the to the right to erasure and the right to file a complaint.

As a result, the NAIH ordered the controller to bring their processing into line with the provisions of the GDPR, pursuant to their powers under Article 58(2)(d).

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

Registration number: NAIH / 2020/2000 / 5. Subject: Decision DECISION National Data Protection and Freedom of Information Authority (hereinafter: Authority) of ......................... (..................................) (hereinafter: the Obligated) operated by ..... ...................... website (hereinafter: Website) on the data management of Act CXII of 2011 on the right to information self-determination and freedom of information. (hereinafter: Infotv.) and on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and 95/46 In order to examine the compliance of Regulation (EC) No 2016/679 repealing Directive 2016/679 / EC (hereinafter referred to as the General Data Protection Regulation) in the data protection procedure initiated by the above Registry, (1) and (2) and Article 13.II.The Authority instructs the Obliged Pursuant to Article 58 (2) (d) of the General Data Protection Regulation to bring its data processing operations into line with the provisions of the General Data Protection Regulation. III. The Debtor shall certify the fulfillment of the obligation provided for in point 1 to the Authority in writing within 30 days from the date of finalization of this decision, together with the submission of supporting evidence. can be challenged in an administrative lawsuit. The application must be submitted to the Authority, electronically, which will forward it to the court together with the case file. The request for a hearing must be indicated in the application. For those who do not receive a full personal tax exemption, the fee for the court review procedure is HUF 30,000, the lawsuit is subject to the right to record material taxes. Legal proceedings are mandatory in proceedings before the Metropolitan Court.

EXPLANATORY MEMORANDUM. 

The course of the procedure and clarification of the facts objected. According to the public interest notification, the operator of the Website, the Obligator, did not delete the personal data of the notifier from the Website despite the written request sent to the address published as a contact e-mail address. In its case NAIH / 2014/1451, the Authority obliged the Debtor to take the following measures: 1. To change its data management practices in such a way that obtain separate consent for the processing of personal data. In the case of consent, take a measure whereby the consent of the data subject to the processing of data for both identification and marketing purposes will be an active act, an active behavior.2.End the practice of restricting the e-mail addresses stored by users to a. .................... sends information letters, text messages and other types of messages and invitations about the use of the website. 3.Change your data deletion policy. 4.Amend the text of its data management rules as requested by the Authority. In addition, supplement the provisions on data management for marketing purposes with the provisions on data management (or create a separate data management information sheet for data management for this purpose) .5.The Authority has concluded that all ................. ..the data management performed by the website operator and the information on data management did not comply with the Infotv. and Grt. Requirements in force in 2014, therefore the operator of the .................. website does not have an adequate legal basis for the processing of personal data in relation to registered users. Accordingly, the Authority called for the following measures. 5.1. Forwards to all registered users to the registered e-mail address their data management regulations as amended in accordance with the booking. 5.2.In this letter, ask users to indicate within 15 days whether they consent to the processing of their personal data in accordance with the amended data management policy. 5.3.After 15 days, delete the personal data of the data subjects who, on the basis of the amended prospectus, do not explicitly and explicitly consent to the operation of the .................. website by the manage their personal information. A NAIH / 2016/369. Investigation procedure no. During the investigation procedure, the Authority requested the amendment of the data management information posted on the Debtor's Website and the deletion of the personal data of all users whose deletion was requested in any way by the data subjects.
The Obligatory Authority did not comply with the provisions of the summons, so the Infotv. Pursuant to Section 58 (2) (b), the Infotv. As a result of the above, the Debtor amended the data management prospectus, but did not substantially change its previous practice, which is also supported by the complaint received on 2 January 2020. The data management prospectus does not clearly contain the legal basis for data management, the rules for sending newsletters and data retention are unclear and the Authority's previous decisions detailed above are not taken into account, there are no clear guidelines for the exercise of data subjects' rights, the designated data protection register does not exist since 25 May 2018 and there is no information on redress Therefore, in order to clarify this, it was necessary to contact the Debtor. For the above reasons, the Authority initiated an ex officio data protection authority procedure to investigate the data management practices related to the Debtor Website and invited it to make a statement. a certain number of sms can be sent through it or a certain number of credits can be obtained. It is possible to send an SMS if the appropriate amount of credit is available for sending the SMS at the given user. Registration is required to comply with the daily number of sms and to manage the related credits. The amount of credits available per day and the amount of credits required to send sms may vary. To identify the sender, the service provider may add the user's phone number to the end of II.2. According to the third paragraph of Section II.4., the legal basis for the processing of data on the Website is in all cases the consent of the data subject. Pursuant to Section II.6 of the Data Management Information, the Debtor may further process certain data for additional purposes. according to point III. In the cases covered by Chapter II.2. of the Data Protection Information, the Controller shall use the data, especially if the user commits unlawful conduct. In addition, in certain cases, in particular with regard to the mandatory data provided on the data sheet, data management is a condition for the use of the services of the site. On the basis of the reply received on 1 April 2006, the Authority concluded that: The user voluntarily registers on the site to access the service, the system sends a verification link to the specified email address, by clicking on which the account can be used. You can then access and delete your personal information in the "Setup" menu of your account.2. The Debtor has attached the data management information also available on the Website (...............................) 3. Name, email address, IP address, phone number and password information are provided voluntarily by users in order for the service to work.4. There are roughly 300,000 registrations on the Website, but there are many meaningless names like “asdf” so the exact number and identity of those involved cannot be identified.
5. Access to the account is subject to an email address and password, and the account and personal data can be deleted in the same way.6. As a private individual, the Website is operated free of charge and does not generate any substantial income. On the basis of the reply received on 4 June 2006, the Authority concluded that: 1. There are no actual newsletters and it has not been for years.2. The Debtor shall not transfer personal data to third parties in connection with advertising or otherwise.3. Personal data will not remain in the system after deletion. There was a plan to retain some data after deletion in order to eliminate multiple registrations (as the service can be used to send a limited number of SMS free of charge and this can be bypassed by multiple registrations), but this has not been achieved.4. The Obligator intended to fulfill the previous requests described above with modified data management as described above, however, it did not notify the Authority.5. The Obliged Private Employee is an employee who has been unemployed for some time, so he could not prove his annual income.II.Regulatory provisions in the case on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC Article 2 (1) of Regulation (EU) No 2016/679 (hereinafter: the General Data Protection Regulation) Any information relating to an identified or identifiable natural person ("data subject"), including the online identifier, shall be part of a registration system or intended to be part of a registration system. privacy Pursuant to Article 6 (1) (b) of this Regulation, the processing may be lawful if it is necessary for the performance of a contract to which the data subject is a party or to take steps at the data subject's request prior to the conclusion of the contract. In determining whether consent is voluntary, account shall be taken, as far as possible, of, inter alia, whether the performance of the contract, including the provision of services, is conditional on the In accordance with Article 12 (1) of the General Data Protection Regulation, the controller shall take appropriate measures to provide the data subject with all the information referred to in Articles 15 to 22 and34. In a concise, transparent, comprehensible and easily accessible form, in a clear and comprehensible manner, 22. exercise of their rights under this Article.

Article 13 of the General Data Protection Regulation lists the minimum necessary information that the controller is obliged to provide to data subjects when personal data concerning the data subject are collected from the data subject: (b) the contact details of the data protection officer, if any; (c) the purpose of the intended processing of the personal data and the legal basis for the processing; (e) where applicable, the recipients or categories of recipients of the personal data, if any, (f) where applicable, the fact that the controller intends to transfer the personal data to a third country or international organization and the existence or absence of a Commission decision on adequacy , or in Article 46, Article 47 or the second subparagraph of Article 49 (1) (a) the period for which the personal data will be stored or, if that is not possible, the criteria for determining that period; that it may request the controller to access, rectify, erase or restrict the processing of personal data concerning him or her and to object to the processing of such personal data and to the data subject's right to data portability; or, in the case of processing based on Article 9 (2) (a), the right to withdraw the consent at any time, without prejudice to the lawfulness of the processing carried out prior to the withdrawal; , h (a) whether the provision of personal data is based on a law or a contractual obligation or a precondition for the conclusion of a contract, and whether the data subject is obliged to provide personal data and the possible consequences of non-disclosure; The fact of automated decision-making, including profiling, as referred to in paragraph 4, and at least in these cases, the logic used and comprehensible information on the significance of such processing and the expected consequences for the data subject. According to paragraph 2, the General Data Protection Regulation shall apply from 25 May 2018.

Act CXII of 2011 on the right to information self-determination and freedom of information applies to data processing covered by the General Data Protection Regulation. Act (hereinafter: the Information Act) 2. § (2) of the Infotv. Pursuant to Section 60 (1), in order to enforce the right to the protection of personal data, the Authority shall initiate data protection authority proceedings at the request of the data subject and may initiate data protection authority proceedings ex officio. Pursuant to Section 61 (1) (a), in its decision made in the data protection authority proceedings, the Authority In connection with the data processing operations specified in Section 2 (2), it may apply the legal consequences specified in the General Data Protection Decree. Pursuant to Article 58 (2) (b) of the General Data Protection Decree, the Authority condemns the data controller or processor if its data processing Pursuant to point (d) of the same paragraph, the supervisory authority, acting in its corrective power, instructs the data controller to bring its data processing operations into compliance with the provisions of this Decree, where appropriate in a specified manner and within a specified time. 75 / A. The Authority shall exercise the powers provided for in Article 83 (2) to (6) of the General Data Protection Regulation in accordance with the principle of proportionality, in particular by laying down rules on the processing of personal data laid down in law or in a binding act of the European Union. In accordance with Article 58 of the General Data Protection Regulation, in the event of a first-time breach of the General Data Protection Regulation, remedies shall be taken primarily by warning the data controller or data processor. Pursuant to Section 7 (1) of Act no. The provisions of this Decision shall apply.
III.
Decision
1.	False information in the privacy statement The privacy statement still contains provisions on the sending of newsletters. 

In contrast, there is no evidence to refute the Debtor's statement that the Authority has complied with its previous calls for newsletters and has not sent newsletters. However, this was not reflected in the data management prospectus, thus misleading data subjects about the data subject, as if he were currently conducting data processing for newsletter purposes. personal information. However, this was not reflected in the data management information sheet, thus providing misleading information to data subjects about the retention of data and its possible transfer to a third party. The data controller informs data subjects that the data management has been registered in the data protection register. As of 25 May 2018, the Authority no longer maintains a data protection register under the General Data Protection Regulation, so this information is untrue and misleading. Under Article 30 of the General Data Protection Regulation, from 25 May 2018 .This is without prejudice to the obligation to provide information in a concise, transparent, comprehensible and easily accessible form, in a clear and comprehensible form, in accordance with Article 12 (1) of the General Data Protection Regulation and Article 5 (1) (a) of the General Data Protection Regulation. the principle of lawful and transparent data management, as the Obligated False is contradictory information to the data subjects, so that the data subjects can reasonably understand the essence of the data processing on this basis.

2.	Unclear indication of the legal basis for the data processing in the data management information

The text of the information notice requires both the necessity to provide the SMS service (Article 6 (1) (b) of the General Data Protection Regulation) and the data subject's consent The refusal or revocation of consent to the processing of personal data shall not have any adverse consequences for the data subject. data processing is in fact a condition for the provision of the service - there can be no valid legal basis. Particular account should be taken of Article 7 (4) of the General Data Protection Regulation. Without the management of a mobile phone number, it is technically impossible to provide the service and the management of the email address and password for identification purposes is necessary to establish entitlement to the service, thus excluding the data subject's consent. ) may be raised. Any other type of personal data or the processing of the above type of personal data for other purposes may only be based on the data subject's consent if the provision of the service is clearly not subject to consent and can be provided separately or withdrawn at any time without adverse consequences. An important condition for the validity of the consent is that it is given by the data subject on the basis of appropriate information, which in this case is given in Annex III.1 above. Due to the above, the legal basis of the data processing, which violates Articles 6 (1) and 7 (4) of the General Data Protection Regulation, has not been clarified on the basis of the data management information related to the Website.
3.	Lack of information on data subjects' rights in the data management information 

The exact manner of exercising the data subject's rights, in particular the right of cancellation, cannot be determined from the data subject's data management information, in particular the description of the possibility of deletion within the account is missing. At the request of the Authority, the Debtor presented several options that could not be found in the information provided to the data subjects or not in the form of the Debtor's declarations. the obligation to provide clear and comprehensible information and the obligation of the controller under Article 12 (2) of the General Data Protection Regulation to assist the controller in complying with Articles 15 to 22. exercise of their rights under this Article.
4.	Lack of information on the data subject's rights of appeal in the data management information sheet 
The data subject's data management information sheet does not include the right of data subjects to apply to the Authority or a court in order to enforce their rights, or the contact details of the Authority. This leads to a lack of information under Article 13 (2) (d) and Article 12 (4) of the General Data Protection Regulation, which infringes these provisions of the General Data Protection Regulation as well as Article 12 (1) 5. Summary of the main issues to be improved in the data management information document (i) The parts concerning unrealistic data processing activities should be deleted from the data management information document (newsletter, data retention in accordance with point 10 of the information document, data transfer). The processing of each type of personal data for each purpose must be based on one of the legal bases listed exhaustively in Article 6 (1) of the General Data Protection Regulation, which must be clearly indicated in the data protection prospectus. concise but informative information must be provided, as the right to delete and access can be exercised both in the account settings in person and by e-mail addressed to the Debtor, but this cannot be stated from the examined data management information. (v) Provide adequate information on the data subject's rights of appeal under Article 13 of the General Data Protection Regulation (possibility and means of recourse to the Authority or a court) .IV. Legal consequences Due to the above, the Authority decided in accordance with the operative part pursuant to Article 58 (2) (d) of the General Data Protection Regulation. However, the Authority examined of its own motion whether it was justified to impose a data protection fine on the Applicant. On the question of whether the imposition of a data protection fine is justified, the Authority decided acting in accordance with the discretion based on law, taking into account Infotv. Section 61 (1) a) of the Infotv. 75 / A. And Article 83 (2) of the General Data Protection Regulation and Article 58 (2) of the General Data Protection Regulation. in accordance with the provisions of the Authority, thus presumably without the imposition of a fine in all the circumstances of the case, to fully comply with the Authority's decision and ensure the protection of personal data. may initiate proceedings.

V. Other issues The competence of the Authority is regulated by the Infotv. § 38. (2) and (2a), its competence extends to the entire territory of Hungary. Pursuant to Section 112 (1) and (2) and Section 116 (1) and Section 114 (1), there is a right of appeal against the decision through an administrative lawsuit. Act I of 2017 on the Procedure of Litigation (hereinafter: Kp.). A Kp. Pursuant to Section 12 (1), the administrative lawsuit against the decision of the Authority falls within the jurisdiction of the court, the perrea Kp. Pursuant to Section 13 (3) (a) (aa), the Metropolitan Court has exclusive jurisdiction. Pursuant to Section 27 (1), the legal representative is obliged to appear in an administrative lawsuit before the general court. A Kp. Pursuant to Section 39 (6), the submission of an application does not have a suspensive effect on the entry into force of the administrative act. Section 29 (1) and with this regard Pp. Act CCXXII of 2015 on the general rules of electronic administration and trust services, applicable pursuant to Section 604. Pursuant to Section 9 (1) (b) of the Act (hereinafter: E-Administration Act), the legal representative of the customer is obliged to maintain electronic communication. The time and place of the filing of the application is Section 39 (1). Information on the possibility to request a hearing can be found in Kp. It is based on Section 77 (1) - (2). The amount of the fee for an administrative lawsuit is set out in Act XCIII of 1990 on Fees. Act (hereinafter: Itv.) 45 / A. § (1). From the advance payment of the fee, the Itv. Section 59 (1) and Section 62 (1) (h) release the party initiating the proceedings. 

Budapest, August 3, 2020.Dr. President Attila Péterfalvi. professor