NAIH (Hungary) - NAIH/2020/32/4

From GDPRhub
(Redirected from NAIH - NAIH/2020/32/4)
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
NAIH (Hungary) - NAIH/2020/32/4
LogoHU.jpg
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 5(1) GDPR
Article 12 GDPR
Article 17 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 04.03.2020
Published:
Fine: 13,136 EUR
Parties: Anonymous
National Case Number/Name: NAIH/2020/32/4
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Hungarian
Original Source: NAIH (in HU)
Initial Contributor: n/a

The NAIH fined €13.136 deputy mayor for posting a photo on his public Facebook page during local election campaign, which depicted chief officer of government-owned company and her daughter who allegedly had removed a campaign poster from the street.

English Summary

Facts

When the picture was taken the complainant warned the defendant not to publish the photo anywhere and especially on social media. The complainant's minor daughter was also present in the photo and although her face was obscured but she was easily recognizable because it was mentioned in the post that the daughter was also present. The defendant as being the data controller was asked by the complainant both via e-mail and postal letter to inform her about the legal basis and the purpose of the data processing, and in case of lack of legal basis or of violation of the purpose limitation principle the data controller was called to remove the post immediately. However, the data controller neither replied to the letters nor removed the post. The post at stake was reported on Facebook on the 3rd September 2019 but the company did not respond to the request.

Dispute

Is it lawful to take a picture and make it public on a Facebook site without the depicted data subject's consent if it is about a chief officer of a local government-owned business who allegedly removes a campaign poster during local election campaign?

Holding

The data controller violated the right of access under Article 15 GDPR, the right to erasure (‘right to be forgotten’) of the data subject under Article 17 GDPR, and the duties on transparent information, communication and modalities for the exercise of the rights of the data subject according to Article 12 GDPR, as well as the principles of lawfulness, fairness and transparency under Article 5(1) GDPR. The data controller did not indicate any of the legal basis of Article 6(1) GDPR and the data subject did not give his consent to the data processing.

The NAIH found that the name of the data subject was considered to be information of public interest as she held a public office and this was allowed to be made public under the Hungarian Act CXII of 2011 on Informational Self-determination and Freedom of Information. The photo at stake, however, could not be considered to be information of public interest as it did not provide any further information of public interest. The publication of the data subject's name would have sufficed to inform the public so that the publication of the photo was not necessary.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Hungarian original for more details.

DECISION
The National Authority for Data Protection and Freedom of Information (hereinafter:Before [...] Zrt., former chairman of the board of directors of [...] Zrt., applicant [...] ([...]:(applicant) Dr. Gábor Erőss, Member of the Municipal Council and current Deputy Mayor of District VIII of Budapest ([...];hereinafter: In the procedure initiated by the Data Protection Authority in response to its request for unlawful processing and disclosure of personal data (requested or required), the Authority shall take the following decisions:
I.	The Authority partially accepts the request  and  finds that the Applicant has committed and implemented unlawful data processing by producing and publishing an image recording of the Applicant without a proper legal basis, in breach of the principles of legality, purpose limitation and data minimisation.
1.1.	The Authority finds ex officio  that the applicant has infringed the applicant’s right to exercise the data subject’s rights and the principles of fair trial and transparency by disregarding the applicant’s request for the exercise of the data subject’s rights (right of access, right of erasure).
1.2.	The Authority shall condemn the obligor,  prohibit the obligor from continuing  the data processing complained of and order the deletion of the image from the Facebook social website. It shall certify the deletion of the data and the fact that it has also notified the Applicant of the deletion to the Authority.
The action referred to in point I.2 shall be justified by the obligor to the Authority in writing within 15 days of the decision becoming final, together with supporting evidence.
II.	The Authority shall order the publication of the final decision by publication of the identity of the controller.
III.	The Authority rejects the part of the application relating to the imposition of a data protection fine,  but, on its own initiative, the obligor for the infringements referred to in points I and I.1
HUF 100 000, i.e. one hundred thousand forint data protection fines

orders it to pay.
No procedural costs were incurred in the course of the administrative procedure and therefore it was not provided for by the Authority to bear it.
The data protection fine within 15 days of the expiry of the time limit for bringing an action for judicial review or, if a review is initiated, of the Authority’s target forint account for the collection of centralised revenues (1003200001040425-00000000 Centralised Recovery Account: IBAN:¬To be paid in favour of HU83 1003 2000 contained in 0104 0425 0000 0000. When transferring the amount, reference shall be made to NAIH/2020/32/4 BÍRS. 
If the obligor fails to comply with his obligation to pay the fine within the time limit, he shall pay a penalty for late payment. The default surcharge shall be the statutory interest rate, which shall be equal to the base rate of the central bank in force on the first day of the calendar half-year in which the default occurred. In the event of non-payment of the fine and the penalty for late payment, the Authority shall order the enforcement of the decision.
No administrative appeal may be brought against this decision, but an action brought before the Fővárosi Törvényszék (Budapest Municipal Court) may be brought before it within 30 days of its notification. The application form shall be submitted to the Authority by electronic means, which shall forward it to the court together with the case file. The request for a hearing shall be indicated in the application.
For those who do not benefit from the full personal fee exemption, the fee for the judicial review procedure is HUF 30 000 and the litigation is subject to the right to note the amount of the duty. In proceedings before the Fővárosi Törvényszék (Budapest Municipal Court), legal representation is mandatory.
The Authority draws the attention of the obligor to the fact that until the expiry of the time limit for bringing an action to challenge the decision or, in the case of an administrative action, until the final decision of the court, the data concerned by the contested processing shall not be erased or destroyed.
GROUNDS
I.	Procedure and clarification of the facts
In its submissions of 2019 9 September 2019, received by the Authority by post on 17 September, the Applicant stated that in its own official (i.e. not used for private purposes) Facebook page [...] the Applicant had published a photo representing the Applicant and the minor child of the Applicant, which the Applicant had not consented to being produced and published. In addition, the Applicant considers that the registration infringes Act V of 2013 on the Applicant Civil Code (hereinafter: Under Section 2: 48(1) of the Civil Code Act).
The image has been published with the following text:
‘IN ACCORDANCE WITH ARTICLE 8, THE FOLLOWING SHALL APPLY: DISTRICT FIDESZES CITY LEADERSHIP TÉPDESIS IN PERSON OPPOSITION ANNOUNCEMENTS
After yesterday I received a notice from the opposition (calling for the campaigner of [...]) in Teleki Square with his own child, [...] (in the image, I wrapped the hand with the filtered paper), I asked the presidents of the boards of [...] Zrt. and [...] Zrt.: in that way?
According to him, ‘the rules must be complied with’.
When I began classifying breaches of law and law in recent years (from the criminal case of one district fidesz Member to the housing case of the other district representative, from the misuse of EU funds, from offshore mutaty to amending notices not put to the vote...), I was hidden...
I note: the municipality NOT provided any advertising space of square centimetres for the campaign. There are only capital posters, too few, while the Fideszes management is campaigning unscrupulously – at the “municipal” information points.”
The contested entry/photo is available at the following URLs:
—[...]
—[...]
The Applicant also submitted that, in relation to the unlawful placement of posters, the Local Electoral Commission of Budapest-Capital VIII (Local Electoral Commission of Budapest-Capital VIII) was in breach of Decree 9/2019. In its decision No (VIII.24.) and in its decision No 65/2019 (09.06), it ruled out further infringement of the law by the ‘United Opposition’.The latter decision was notified to the Authority by the Applicant.
On the basis of the above, the Applicant requested the Authority to establish the unlawful processing of personal data and to require the applicant to bring the infringement to an end.
[PROVIDED FOR IN ARTICLE OF REGULATION (EC) NO/]
Before the Authority, at the request of the applicant, in Regulation (EU) 95/46 of the European Parliament and of the Council of 2016 April 27 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 2016/679/EC (hereinafter: Article 57(1)(f) of the General Data Protection Regulation (GDPR) and the Information Act60On the basis of paragraph (1) of Section NAIH/2019/6885, a data protection authority procedure was initiated.
In the Authority’s order of 2019 September 30 NAIH/2019/6885/2, Act CXL of 2016 on general administrative procedures (hereinafter: Article 44 of Decree No/of the Minister for National DevelopmentThe applicant was asked to remedy the deficiencies. The Applicant remedied the deficiencies in the Request by letter of October 2019, which was received by the Authority on October 11, and
-	clarified the application by requesting, in addition to establishing the existence of the infringement, that the applicant be prohibited from further infringements and that a fine be imposed on the applicant;
-	stated that, at the moment when the photograph was taken, he immediately drew the attention of the applicant on the spot to the fact that he did not abuse his image and did not make it public on any social website because he did not consent to it; his minor daughter was present at the interview, but although his face was hidden, he was said to be visible on the image and was therefore easily identifiable;
-	informed the Authority that, following receipt of the Authority’s request to remedy the deficiencies, it had requested the applicant in writing, by post and electronic mail, to provide information on the legal basis and the purpose of the processing and, if the processing was carried out without a legal basis and not in a purpose-bound manner, to remove the contested entry from the page without delay, but that the applicant had failed to comply with the letter of formal notice sent to the applicant on October 2019, as well as the acknowledgement of receipt of receipt;
-	informed the Authority that the contested entry had been reported to Facebook on September 2019, but that the community site had not reacted;
-	he informed the Authority that he had not initiated legal proceedings for the violation of his personality rights because he expected the Authority to establish the existence of the violation and the prohibition of the applicant from further violations, as well as the finding that he was not a public actor, given that although he was the chairman of the board of directors of a 100 % municipal company, he did not hold any politically elected or appointed position.
The Authority notified the opening of the data protection authority’s procedure by order NAI H/2019 of 13 November 2019/6885/4, and Ákr.63It called on the defendant to make a statement in order to clarify the facts. In the case of an order sent to [...] and [...] on November 2019, the Authority did not receive an error message indicating that the sending had been unsuccessful, and the order sent by post to the Józsefváros Municipality of District VIII of Budapest was received by an authorised person on November 13, 2019 on the basis of the acknowledgement of receipt received by the Authority.
The applicant did not comply with the order within the 8-day time limit set by the Authority and the Authority therefore, in its order of 2019 of 16 December 2019 under reference NAIH/2019/6885/5, invited the applicant to make a further statement, subject to the imposition of a procedural fine.
By letter of 2019 of 24 December 2019, sent electronically to the Authority on 27 December 2020 and received by post on 2 January, the applicant complied with the
At the request of a public authority, in addition to the AP Decree.53For failure to comply with the time-limit for replying, the applicant submitted a request for a certificate pursuant to Paragraph of the BGB.
In the Authority’s order of 2020 January 9, NAIH/2020/32/3, Ákr.54It upheld the application for restitutio in integrum and withdrew the procedural fine imposed on the applicant.
In its reply to the Authority’s request, the applicant stated the following:
-	In its view, in the case referred to by the Applicant, the exclusive application of the GDPR is contrary to Hungarian law, the practice of the Constitutional Court, the Curia and the European Court of Human Rights.
-	The publication of the recording of the image was based on the right to freedom of expression and information and was intended to provide information on an event of public interest for the exercise of official authority.
-	The picture shows that, during an election period, a person entrusted with a public service mission automatically annuls an election notice. On the basis of a final decision of the Curia, the same person was liable for the unlawful situation which existed at the time when the offence was committed: Mr [...] Zrt., led by the Applicant, was condemned by the Curia because it issued a daily newspaper entitled [...].It violated the principle of ensuring equal opportunities for candidates and nominating organisations in its 31st and 32nd editions.
-	The purpose of the photographing and publication was, in the opinion of the applicant, to record the unlawful act which took place during the 2019 municipal election campaign, in the course of which the executive officer of [...] Zrt., a municipally owned organisation with public funds, was the election procedure.(hereinafter: (ve) has automatically removed an election poster or a public announcement during the election campaign period (invitation to the campaign opening of the opposition candidate mayor, [...]) in a manner contrary to the rules of the Act and beyond the rules of the Act.
-	The photograph was therefore taken and published for the purpose of recording and publicising the applicant’s act, in order to ensure the fairness of the elections and balanced information for voters. The legal basis for drawing the picture was the right to freedom of expression, the fairness of the elections and the right to a balanced information of voters.
-	The rules of the Ve. contested (or infringed) in the present case are not based on EU law and therefore, under Article 2(2)(a) of the General Data Protection Regulation, the present case does not fall within the scope of EU law.
-	The person mentioned in the post is the head of companies owned by the District (i.e. “the public”), is an employer of hundreds of people, holds (or has held) billions of forints of public money, is a regular actor and speaker of on-line meetings of representative bodies that are mediated online and accessible online after the meetings; in short, it is a public actor. But even if that were not the case, it would be in the public interest to disclose its actions because of what it has done (wrapping and destroying an opposition poster during a campaign), public affairs.
-	More recently, the concept of "public affairs” or otherwise the concept of an event of public interest has become more important than the concept of a public actor.The Applicant derives this from the Hungarian National/Ministry of National Economy case which was finally awarded by the Hungarian National Court of Appeal in 2018 on the basis of a decision of the Fővárosi Ítélőtábla (Budapest Regional Court).
-	The rationale behind the final decision of the Fővárosi Ítélőtábla (Budapest Regional Court of Appeal) was rejected by the Constitutional Court already in 1994, when it stated 60/1994(XII.(24)) that "In the  case of persons exercising public authority or engaging in political activities, the right of persons, in particular voters, to have access to data of public interest shall take precedence over the protection of personal data of the former which may be relevant for their public activities and for their assessment.
-	The exercise of official authority is an aspect which may be considered in relation to the limitation of personal data. But the clear breakthrough came twenty years later from the Constitutional Court. This is the case under Decree No 28/2014.(IX.29) AB decision in which it ruled on the public disclosure of the police officer’s image. In this opinion, the Constitutional Court stated that:‘As long as a communication is not an abuse of the exercise of freedom of the press, the reference to the violation of personality rights in the context of the protection of human dignity rarely gives rise to a restriction on the exercise of freedom of the press. An image of a person who has come to the attention of the public in connection with a contemporary event may normally be made public in connection with that event without their authorisation.[,..K]recordings may be made available to the public without consent if such disclosure is not of an end in itself, that is to say, in the light of the circumstances of the case, information on the events of the present or of public interest in the exercise of official authority, and visual reporting concerning public affairs.“
-	As a matter of principle, the final judgment summarises the above in such a way that, in the context of freedom of expression in public affairs, it is important whether the speaker has spoken on a social and political issue and not whether the person concerned by that report is a professionally exposed person or not.
-	As the head of the business associations of the district and as a regular actor in the meetings of the representative bodies, the Applicant is also a public actor, but what is undisputed is the fact that, by damaging the poster, it manifested itself on a political issue of public interest. Thus, using the wording of the judgment cited above, the Applicant has become the main player in an event of public interest. The inclusion of photographs in the Facebook post is not at all ancillary: it proves that the description of the post is true, so that recruitment guarantees that the statements of the post cannot be challenged. These are not disputed by the Applicant either. This is particularly important in the age of fake news. The impossibility would therefore not have been ensured by the literal description of the events and the description of the name of [...].As a result, the public became aware of the fact that the opposition poster was thrown down, damaged and destroyed by the municipal company manager sworn to the public service.
-	The practice of the European Court of Human Rights in Strasbourg follows the same principle, i.e. that the interest in debates on public affairs in democratic states is often more important than the protection of the private sector. For example, in Flinkkila and Others v. Finland, it pointed out that when a photograph of a person who is not a public actor is used by the press in the context of a public case, the freedom of the press should prevail over the private sphere of the person concerned. Moreover, according to the judgment in Lillo-Stenbergand S&ther v. Norway, it is legitimate for a photograph of a wedding arranged in a public place but otherwise qualifying as an event protected by family life to be published by the press without the consent of the persons concerned.
-	In summary, [...] Zrt., led by the Applicant, did not provide the necessary conditions for the establishment of free and equal suffrage, and there was a public interest in presenting this conscious breach of fundamental rights.
-	It is not clear from the text of the entry whether the applicant’s child is included in the registration or whether it would be in a walking shape behind the applicant. In the case of the applicant’s child, only the fact that he was present when the poster was thrown off is not the fact that he is also included in the recording.(The photograph was not taken when the poster was closed, but after it was closed).I obscure the face of any person other than the applicant, the image of the applicant’s child is neither visible nor identified by the post.
-	The Applicant did not reply to the Applicant’s request and considered it part of the campaign.
-	The applicant’s request (which, according to the final judgment of the Curia, was sent by way of his assistant, as the head of the [...] Zrt., who had committed an election violation, or as the header of the publishing company, ‘[...] Zrt’s board of directors’, 39 days after the publication of the post!) and the threat of a fine of one million were political pressure aimed at identifying the applicant’s intention not to reveal any further events in the public interest at the heart of the election campaign.
-	The act (poster) took place before the above-mentioned decision of the Local Electoral Commission, bypassing the rules on legal remedies laid down in the relevant law. Moreover, the fact that [...] Zrt., managed by the Applicant, was condemned by the Curia because it published a daily newspaper entitled [...], is not an additional factor. It violated the principle of ensuring equal opportunities for candidates and nominating organisations (Ve. Section 2(1)(c)).The applicant’s arbitrary conduct therefore sought to maintain an unlawful situation established by the Kúria and, moreover, that unlawful situation was created or tolerated by the applicant in his capacity as leader of... as a public actor.The [...] sheet did not provide any real information on the electoral campaign in the district and capital city, nor did it report on the election events and election programmes of opposition candidates. It was the same organisation, [...] Zrt., which, despite its public mission, did not provide the surfaces for the accommodation of the election posters in the district.
-	The contested imagery was not published on another website or in a social forum.
II.	Legal provisions applied
Pursuant to Article 2(1) of the GDPR, the GDPR applies to the processing of personal data wholly or partly by automated means, as well as to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
For data processing within the scope of the GDPR, the Information Act2Paragraph 2 of the General Data Protection Regulation provides that the General Data Protection Regulation is to be applied with the additions specified in the provisions specified therein.
In accordance with the Information Act,60According to Article 1, in order to ensure that the right to the protection of personal data is respected, the Authority shall initiate a procedure by the data protection authority at the request of the data subject.
Unless otherwise provided for in the GDPR, the provisions of the AP Decree shall apply to the data protection authority procedure initiated on request, subject to the derogations laid down in the Information Act.
According to Article 4(1) of the GDPR, “personal data” means: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.
According to Article 4(2) of the GDPR, “processing” means: any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
According to Article 4(7) of the GDPR: ‘controller’ means: a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for appointing the controller may be determined by Union or Member State law.
According to Article 5(1)(a) of the GDPR, the processing of personal data shall be carried out in a lawful and fair manner and in a manner that is transparent to the data subject (“lawfulness, fairness and transparency”).
According to Article 5(1)(b) of the GDPR, personal data may only be collected for specified, explicit and legitimate purposes and cannot be processed in a way incompatible with those purposes (“purpose limitation”).
According to Article 5(1)(c) GDPR, they must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).
Under Article 6(1) of the GDPR, personal data may be lawfully processed only if and to the extent that at least one of the following is fulfilled:
a)	the data subject has given consent to the processing of their personal data for one or more specific purposes;
b)	processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c)	processing is necessary for compliance with a legal obligation to which the controller is subject;
d)	processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e)	processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f)	processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The obligations of the controller in relation to measures relating to the exercise of the rights of data subjects (including the right to erasure of personal data) are laid down in Article 12 of the GDPR.
Pursuant to Article 12(1) of the GDPR, the controller shall take appropriate measures to provide the data subject with all the information referred to in Articles 13 and 14 relating to the processing of personal data and with all the information referred to in Articles 15 to 22 and 34 in a concise, transparent, intelligible and easily accessible form, in particular in the case of any information addressed to children. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
Pursuant to Article 12(2) of the GDPR, the controller shall facilitate the exercise of the data subject’s rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.
Pursuant to Article 12(3) of the GDPR, the controller shall inform the data subject, without undue delay and in any event within one month of receipt of the request, of the follow-up given to the request under Articles 15 to 22. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
According to Article 12(4) of the GDPR, if the controller does not take action on the request of the data subject, it shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for the non-action and of the possibility for the data subject to lodge a complaint with a supervisory authority and to have access to a judicial remedy.
According to Article 12(5) GDPR, information pursuant to Articles 13 and 14 and information and action pursuant to Articles 15 to 22 and 34 shall be provided free of charge. Where the request of the data subject is manifestly unfounded or excessive, in particular because of its repetitive character, the controller may, taking into account the administrative costs involved in providing the requested information or information or taking the requested action, charge a reasonable fee or refuse to act on the request. The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
Pursuant to Article 15(1) of the GDPR, the data subject has the right to obtain from the controller confirmation as to whether or not personal data are being processed and, if such processing is ongoing, to obtain access to the personal data and to the following information:
a)	the purposes of the processing;
b)	the categories of personal data concerned;
c)	the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
d)	where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
e)	the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
f)	the right to lodge a complaint with a supervisory authority;
g)	where the personal data are not collected from the data subject, any available information as to their source;
h)	the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Pursuant to Article 17(1) of the GDPR, the data subject shall have the right to obtain from the controller the erasure of personal data relating to him or her without undue delay and the controller shall be obliged to erase personal data relating to the data subject without undue delay if one of the following reasons applies:
a)	the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b)	the data subject withdraws Article 6(1)(a) or Article 9(2)
a)	the consent on which the processing is based and there is no other legal basis for the processing;
c)	the data subject objects to his or her processing pursuant to Article 21(1) and there are no overriding legitimate grounds for processing or the data subject objects to the processing pursuant to Article 21(2);
d)	the personal data have been unlawfully processed;
e)	the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
f)	the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
Pursuant to Article 17(3) GDPR, paragraphs 1 and 2 shall not apply where processing is necessary:
a)	for exercising the right of freedom of expression and information;
b)	for the purpose of fulfilling an obligation to process personal data under Union or Member State law to which the controller is subject or for the purpose of performing a task carried out in the public interest or in the exercise of official authority vested in the controller;
c)	for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
d)	for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), where the right referred to in paragraph 1 is likely to render such processing impossible or seriously jeopardise it; or
e)	for the establishment, exercise or defence of legal claims.
Without prejudice to any other administrative or judicial remedy pursuant to Article 77(1) of the GDPR, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
In accordance with the Information Act,38According to Article 2, the Authority’s tasks are to monitor and facilitate the enforcement of the right to the protection of personal data and the right to access data of public interest and data accessible on grounds of public interest, and to facilitate the free flow of personal data within the European Union. The tasks and powers of the Authority are set out in Articles 57(1), 58(1)-(3) of the General Data Protection Regulation and in the Information Act.38Specified in paragraphs (2)-(4) of Section.
In accordance with the Information Act,61In accordance with Section 1(a) of Act CXVII of on data protection authority procedures, the Authority shall adopt a decision in accordance with the Information Act.2It may apply the legal consequences referred to in Article 2(58) of the General Data Protection Regulation in relation to the processing operations referred to in Article 2 of the General Data Protection Regulation. Accordingly, the Authority, acting within its corrective powers:
a)	to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;
b)	to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;
c)	to order the controller or the processor to comply with the data subject’s requests to exercise his or her rights pursuant to this Regulation;
d)	to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;
e)	to order the controller to communicate a personal data breach to the data subject;
f)	to impose a temporary or definitive limitation including a ban on processing;
g)	to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;
h)	to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;
i)	impose an administrative fine in accordance with Article 83, in addition to or in place of the measures referred to in this paragraph, depending on the circumstances of the case; and
j)	to order the suspension of data flows to a recipient in a third country or to an international organisation.
Pursuant to Article 83(1) of the GDPR, each supervisory authority shall ensure that administrative fines imposed pursuant to this Article for infringements of this Regulation referred to in paragraphs 4, 5, 6 are effective, proportionate and dissuasive in each individual case.
According to Article 83(2) GDPR, administrative fines should be imposed in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j), depending on the circumstances of the case. When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
a)	the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
b)	the intentional or negligent character of the infringement;
c)	any action taken by the controller or processor to mitigate the damage suffered by data subjects;
d)	the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
e)	any relevant previous infringements by the controller or processor;
f)	the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
g)	the categories of personal data affected by the infringement;
h)	the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
i)	where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
j)	adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
k)	any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
Pursuant to Article 83(5) of the GDPR, infringements of the following provisions shall, in accordance with paragraph 2, be subject to an administrative fine of up to EUR 20000000 or, in the case of undertakings, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
a)	the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;
b)	the rights of data subjects in accordance with Articles 12 to 22.
Under Article 83(7) of the GDPR, without prejudice to the corrective powers of supervisory authorities under Article 58(2), each Member State may lay down rules on whether and to what extent an administrative fine may be imposed on a public authority or other body with a public service mission established in that Member State.
In accordance with the Information Act,61In accordance with Section 1(bg), the Authority may impose a fine in its decision in the procedure of the data protection authority.
In accordance with the Information Act,61According to Article 2, the Authority may order the publication of its decision by publishing the identity of the controller or processor if the decision concerns a wide range of persons, has been taken in the context of the activities of a body performing a public function, or the seriousness of the infringement justifies publication.
In accordance with the Information Act,61The data concerned by the contested data processing shall not be erased or destroyed until the expiry of the time limit for bringing an action to challenge the decision or, if an administrative action is brought, until the final decision of the court.
In accordance with the Information Act,Pursuant to Section 75/A, the Authority shall exercise its powers under Article 83(2) to (6) of the General Data Protection Regulation with due regard to the principle of proportionality, in particular by taking action, in accordance with Article 58 of the General Data Protection Regulation, to remedy the first violation of the provisions on the processing of personal data, laid down by law or by a binding legal act of the European Union, in particular by warning the controller or processor.
According to Article VI(3) of the Fundamental Law, everyone has the right to the protection of personal data and the right to access and distribute data of public interest.
Pursuant to paragraphs 1 and 4 of Article IX of the Fundamental Law, everyone has the right to freedom of expression. Exercise of freedom of expression may not set out to violate the dignity of other persons.
According to Article 85(1) of the GDPR, Member States shall, by law, reconcile the right to the protection of personal data under this Regulation with the right to freedom of expression and information, including the processing of personal data for journalistic or scientific, artistic or literary purposes.
According to Recital 65 of the GDPR, [...] further retention of personal data may be considered lawful if it is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation or for the performance of a task carried out in the public interest or for the exercise of public authority vested in the controller, or for reasons of public interest in the field of public health, for archiving purposes in the public interest, for scientific and historical research purposes or for statistical purposes, or for the establishment, exercise or defence of legal claims.
Pursuant to recital 153 of the GDPR, the law of the Member States [should] reconcile the rules on freedom of expression and information, including journalistic, scientific, artistic or literary expression, with the right to the protection of personal data under this Regulation.
In accordance with the Information Act,3In accordance with point 6 of Paragraph, data which are made public on grounds of public interest means any data which is not covered by the concept of data of public interest and whose disclosure, disclosure or disclosure is ordered by law in the public interest.
In accordance with the Information Act,26In accordance with Section 2, data accessible on grounds of public interest shall mean the name, function, job title, management mandate, other personal data relating to the performance of public duties and personal data of a person acting within the scope of the tasks and powers of a body performing a public function, and the personal data of which access is required by law. Personal data accessible for reasons of public interest may be disseminated in compliance with the principle of purpose-specific processing.
The Civil Code: 2: 44 on the protection of the personality rights of a public actor. Pursuant to Paragraph 1 (3)-, the exercise of fundamental rights guaranteeing the free challenge of public affairs may restrict the protection of the personal rights of a public actor to the extent necessary and proportionate, without prejudice to human dignity; however, it should not harm his private and family life and his home. A public actor shall be entitled to the same protection as a non-public actor against any communication or conduct outside the scope of the free challenge of public affairs. An activity or data relating to the private or family life of a public actor is not a public matter.
The Civil Code: 2: 48 on the right to portrait and sound recording. The consent of the person concerned shall be required for the making and use of an image or sound recording pursuant to Paragraph a. The consent of the data subject shall not be required for the preparation of the recording and the use of the recording made in the case of mass taking and recording of public appearance.
WHAT.Decision of the Authority
III.	1Identity of the controller
According to the GDPR definition, a natural or legal person, a public authority, agency or any other body which alone or jointly with others determines the purpose and means of processing or of processing a person’s face, image, personal data, image recording and any operation carried out on the data shall be considered to be a controller.
With regard to the processing under consideration, the image recording of the applicant is considered to be processing pursuant to Article 4(1) of the GDPR, the recording and publication of the image on the social website of Facebook is considered to be processing pursuant to Article 4(2) of the GDPR, and the applicant operating and managing the Facebook page is a controller pursuant to Article 4(7) of the GDPR, given that the exercise of the personal data (in this case, the image recording of the applicant may have defined the purpose of making and publishing the personal data as being a balanced public, in terms of the public, namely, in terms of the exercise.
The processing (preparation and publication of images) under consideration in the present procedure fall within the scope of the GDPR pursuant to Article 2(1) of the GDPR and consequently the rules of the GDPR apply to these processing.
The Authority notes that since the image of the Applicant has been published on the Applicant’s own (official) Facebook page in a public registration, i.e. visible to all, on the Applicant’s own Facebook page – who, at the time of the processing under investigation, was already a municipal representative and was therefore considered to be a public operator before becoming a sub-mayor – the processing cannot in any event be considered as a personal or home processing activity excluded from the scope of the GDPR by Article 2(2)(c).
The owner of the Facebook page, in this case the defendant, has, in principle also under Facebook’s rules of use, a clear responsibility for the processing of data in connection with the use of the page in respect of any activity on that page. Indeed, the controller has an objective responsibility for the processing and is obliged under the GDPR to respect and enforce with others the processing rules set out in the GDPR or in other legislation. The fact that images were taken and published during a municipal election campaign cannot in any way result in a discharge of that controller’s responsibility.
III.2.	Identity of the applicant
The Applicant is 100 % owned by a municipal company, [...] Zrt. (hereinafter: Company) was the chairman of the Board of Directors.
Pursuant to the Statutes of the Company, the activities of the Company are governed by Act CLXXXIX of 2011 on local governments in Hungary.13In Sections 23(5) and 7, the following shall be added: 111317 and 19, 1993 on social administration and social benefits. Act III, contained in Annex 36 to Local Authority Decree No. 36/2014 (XI.06.) on the Organisational and Operational Rules of the representative body and its bodies, and in Annex 4 to Local Authority Decree No. 81/2011 on the municipality’s public education tasks. On the basis of a local government decree (XII.22.) it performs in the interest of the public service.
The Company is therefore considered to be a body performing a public function and the company’s executive officers (including the chairman of the board of directors) are entitled to represent it. In this respect, it should be pointed out that persons authorised to represent public bodies (as well as persons performing public functions or public actors) have a much wider range of data whose public does not yet violate their personal rights and must tolerate more of the negative judgements and criticisms of their destruction, but this should of course not result in the loss of the right to the protection of personal data.
In accordance with the Information Act,26Section 2 lists, by way of example, data which are in any event accessible on grounds of public interest, but, in addition, adds to the scope of data accessible on grounds of public interest the personal data listed in each law. However, the same paragraph also states that the principle of purpose-bound processing of personal data should also apply in relation to personal data which are public for reasons of public interest.
In accordance with the Information Act,1The objective which must be pursued in order to obtain information which is accessible in the public interest, that is to say, the transparency of public affairs, is laid down in Paragraph of the BGB.As it is impossible to list all data relating to the tasks of persons performing a public function and essential for the public control of official authority, the list is opened by the Infotv.26It extends access to all personal data, in addition to data specified by other laws, that are directly related to the performance of the public task when acting within the scope of the tasks and powers of the body concerned.
With regard to personal data which are made public on grounds of public interest, it is important to point out that, although the rules on access to data of public interest apply, the nature of such data remains in spite of the public, so that the most important guarantee of data protection, the requirement of the principle of purpose-specific processing, remains unchanged.
Freedom of information and the right to informational self-determination must be exercised with due regard to each other, so that when determining the scope of other personal data relating to the performance of a public task, account should be taken of whether the disclosure of such data does not constitute a disproportionate interference with the right to privacy. A violation of the purpose-specific dissemination of personal data which is made public on grounds of public interest may result in a violation of personality rights and may also lead to the determination of a violation fee by a court.
The name of the Applicant was considered to be public data in the public interest when the image was taken and published. However, the applicant’s image cannot be regarded as public (personal) data in the public interest.26On the basis of Paragraph 2, given that the appearance of a chairman (or member) of the board of directors is unrelated to the performance of a public task.
III.3.	Lawfulness of processing
Under the provisions of the GDPR, a number of requirements need to be met in order for processing to be lawful. Among these, the principles of purpose limitation and data minimisation, as well as the appropriate legal basis for processing, are of particular importance:
Data controllers must maintain the requirements arising from the principle of purpose limitation and data minimisation laid down in Article 5(1)(b) and (c) of the GDPR when processing data. Accordingly, the controller should demonstrate the purpose for which the personal data of the data subject have been used and disclosed to the public and why the processing of personal data is considered to be strictly necessary for that processing purpose.
-	The controller shall have a legal basis for the processing in accordance with Article 6 of the GDPR.The controller shall demonstrate whether, on the basis of the data subject’s consent or according to which legal provisions, the personal data of the data subject have been used and made public, or whether the processing is necessary for the purposes of the legitimate interests of the controller or of a third party, and the processing shall proportionately restrict the data subject’s right to the protection of the personal data.
Account shall also be taken of whether the data fall within the category of sensitive personal data within the meaning of Article 9 of the GDPR, the extent to which the availability of the information adversely affects the privacy of the data subject, and whether or not the data subject is a person performing a public function or a public operator.
In the present case, account must also be taken of the conflict between the fundamental right to the protection of personal data and the freedom of expression. Article 85(1) of the GDPR requires Member States to reconcile the right to the protection of personal data with the right to freedom of expression and information. Since the Fundamental Law of Hungary also mentions the right to the protection of personal data and freedom of expression among fundamental rights, the fundamental right of freedom of expression as a constitutional right must be exercised in conjunction with the protection of the constitutional fundamental right to the protection of personal data.
The defendant, as a person performing a public function (and processing personal data), should be an integral part of the performance of his or her duties in the application of data protection requirements and should be expected to ensure the proper application of the law in the course of his or her activities and to ensure the protection of fundamental rights.
Processing took place during the production and publication of the recording, which must comply with the rules of the General Data Protection Regulation. Accordingly, one of the legal bases provided for in Article 6(1) of the GDPR should exist in order for the processing to be lawful.
According to Article 6(1) of the GDPR, the consent of the data subject may be an appropriate legal basis for the processing, which is not the case here, as the Applicant has not consented to the preparation and publication of the recording.
The applicant did not specifically indicate any of the legal bases listed in Article 6(1) of the GDPR as the legal basis for the production and publication of the contested image, but instead set out the right to freedom of expression, fairness of elections and balanced information for voters. In order to justify the lawfulness of the processing, he also referred to the judgments of the requested court (decisions of the Constitutional Court, judgments of the European Court of Human Rights).
With regard to the judicial decisions referred to, it should be pointed out that they were made specifically in connection with the processing of data by the press and the exercise of freedom of the press:
-	GOVERNMENT DECREE 28/2014(IX.(29) In an AB judgment, the Constitutional Court ruled that:‘As long as a communication is not an abuse of the exercise of freedom of the press, the reference to the violation of personality rights in the context of the protection of human dignity rarely gives rise to a restriction on the exercise of freedom of the press.An image of a person brought to the attention of the public in connection with a contemporary event may generally be disclosed in connection with the event without their authorisation.[,..K]recordings may be made available to the public without consent if such disclosure is not of an end in itself, that is to say, in the light of the circumstances of the case, information on events of the present or of interest to the public in the exercise of public authority, or pictorial reporting concerning public affairs.“
In Flinkkila and Others v. Finland, the ECtHR pointed out that if a photograph of a person who is not a public actor is used by the press in the context of a public case, the press freedom should prevail over the private sphere of the person concerned. Moreover, according to the judgment in Lillo-Stenbergand S&ther v. Norway, it is legitimate for a photograph of a wedding arranged in a public place but otherwise qualifying as an event protected by family life to be published by the press without the consent of the persons concerned.
As regards the press, the legal provisions in force essentially provide for the possibility of, in particular, Act CIV of 2010 on freedom of the press and the fundamental rules governing media content (hereinafter: In compliance with the provisions of Act CXVII of, press officers shall make recordings. The press may also publish recordings in individual press releases without violating personality rights.
Article IX of the Fundamental Law, and in particular Article IX of the Fundamental Law.10Sections 13 andArticle requires press bodies to inform the public of events of public interest and, at the same time, the public has the constitutional right to be aware of them. It follows that, when the press reports on a matter of public interest, it fulfils its constitutional obligation.
In the present case, however, it is common ground that the applicant cannot be regarded as a press officer and that his Facebook page cannot be regarded as a press product, so that the findings made by the courts in relation to freedom of the press in the judicial decisions relied on by the applicant cannot be applied to the data processing under consideration.
In the absence of the applicant’s consent to the processing, it was necessary to examine whether the right to make and publish the recording, as indicated by the applicant as the legal basis, takes precedence over the applicant’s right to the protection of personal data, whether the taking and publication of the recording complies with the principles of purpose limitation and data minimisation and whether the processing is necessary, proportionate, whether there is (was) other means of data minimising the data subject’s requirements or data minimisation.
The contested recording was the moment when the applicant, wearing sunglasses, crossed in his right hand with a sum of paper at a designated foot crossing point. The recording also shows the applicant’s minor child, whose face has been redacted, but the text of the entry also includes a reference to the child:“...as well as with his/her child...”
Although the request did not cover the processing of the personal data of the applicant’s minor child and was therefore not examined by the Authority during the procedure, the Authority notes that the applicant’s position that it is not clear from the text of the registration that the applicant’s child is not included in the inclusion. While it is true that the applicant did not name the child and obscure its face, it can be inferred from the description of the act that the person seen next to the applicant is the minor child of the applicant.
The applicant stated that the purpose of the recording and publication of the photograph was, in the opinion of the applicant, to record and make public the unlawful act (annulment of the election notice) which took place during the 2019 municipal election campaign. According to the applicant, the inclusion of a photograph in the Facebook post is by no means incidental, as it proves that the description of the post is correct, so that the recording ensures that the statements of the post are not disputed.
However, it is clear from the image recording that it was not made at the time of the annulment of the electoral notice, but after that, it is not apparent from the alleged infringement, but from the fact that the Applicant passes through a designated pedestrian crossing point with an unrecognised piece of paper.
It is true that the personality rights of public actors are the Ptk.2: 44. On the one hand, and on the other hand, in the case of a public prosecutor, on the other hand, the recent constitutional court practice and the subsequent judicial case-law, on the basis of which it is established, may be limited in order to exercise fundamental rights to challenge public affairs, and on the other hand, the interpretation that the ‘public’ nature of the case to which the expression of opinion relates is the primary consideration for determining the reduced scope of protection of personality, whereas in the present case it can be established that, on the private or family life of the public registration is not, on the public, on the subject, on the public, but that it is not.
The Ptk should not be ignored when assessing the lawfulness of the taking and use of photographs. Nor does it require the consent of the data subject for the production and use of his or her image, except in the case of mass recordings and recordings of public appearance. According to judicial practice, a photograph is considered to be a mass taking if a multitude of people are visible or if the persons depicted are not visible as individual persons but as parts of the mass. Although the impugned imagery shows a number of persons, given that the applicant’s face alone was not redacted, i.e. depicting the applicant as a unique person, the image cannot be regarded as a mass recording. In addition, the act visible in the image recording cannot be regarded as a public appearance. It follows that the applicant’s consent would have been required for the recording and publication of the image.
It was also necessary to examine whether the publication of the image was considered necessary. On the basis of the above, it can be concluded that the image published in the entry has no specific additional information value contributing to the discussion of public affairs. In order to inform the public, it would have been sufficient to have a textual record without a photograph.
In the light of the foregoing, it can be concluded that neither the recording nor the publication of the image is compatible with the objective stated by the applicant, namely the recording and public disclosure of an unlawful act. On the basis of the statements and documents obtained in the course of the procedure, it could not be established that the interest in producing and publishing the image would take precedence over the interests of the Applicant and his right to the protection of his personal data, or that the processing would be in the public interest or necessary for the performance of a task carried out in the exercise of official authority vested in the defendant as controller.
In view of the lack of justification of an adequate legal basis in the procedure and the fact that the processing went beyond what was necessary and proportionate, the Authority concludes that the Applicant has also breached Article 6(1) GDPR and the principles of lawful processing as set out in Article 5(1) GDPR as well as purpose limitation and data minimisation.
Furthermore, it cannot be overlooked in this case that the photograph continues to be available on the Applicant’s Facebook page at the date of the present decision, i.e. several months after the October 2019 municipal elections, and that the Applicant no longer holds the position of Chairman of the Board of Directors of [...] Zrt. or of [...] Zrt. mentioned in the Applicant’s Facebook registration, on the basis of documents and information published by those companies since November 2019. [The documents and/or information are available at the following URLs:
—[...]
—[...]
In view of the fact that the Applicant no longer performs the functions performed at the time of capturing the image, the inclusion of the image on the Applicant’s Facebook page is not lawful without a proper purpose and without a legal basis and violates the Applicant’s right to be forgotten under Article 17 of the General Data Protection Regulation.
III.4.	The Applicant’s request to exercise the rights of the data subject
The obligations of the controller in relation to measures relating to the exercise of the rights of data subjects (including the right of access to information relating to the processing of personal data and the right to erasure of personal data) are set out in Article 12 GDPR.
By letter of October 2019, the Applicant requested the applicant to provide information on the legal basis and purpose of the processing and, if the processing was carried out without a legal basis and not in a purpose-bound manner, to remove the contested entry from the page without delay.
The applicant did not provide any response or information to the applicant’s claims in the context of the exercise of the data subject’s rights in the manner and within the time period specified in Article 12(3) to (4) of the General Data Protection Regulation.
The Applicant did not comply with the Applicant’s request to exercise the data subjects’ rights, did not respond to it in any way and did not inform the Applicant of the reasons for fulfilling the claims it had identified.
The execution of a data subject’s request for access to information related to the processing of personal data may only be refused in the cases referred to in Article 12(5) of the GDPR, i.e. if the data subject’s request is clearly unfounded or excessive, and the request to exercise the right to erasure (“forgotten”) may only be refused in the cases referred to in Article 17(3) of the GDPR.
In the light of the above, the applicant’s statement that he did not reply to the applicant’s request because he considered it to be part of the campaign cannot be accepted. By completely disregarding the Applicant’s request to exercise the data subject’s rights, the Applicant has infringed the Applicant’s right of access under Article 15 of the GDPR and the right to erasure (‘forgotten’) under Article 17 of the GDPR, Article 12 of the GDPR on measures to exercise the data subject’s rights and the principles of fair trial and transparency under Article 5(1) of the GDPR.
III.5.	The Applicant’s request to impose a fine
The Authority rejects the Applicant’s request for the imposition of a data protection fine, as the application of this legal consequence does not directly affect the Applicant’s right or legitimate interest, does not give him any right or obligation by such a decision of the Authority and, therefore, with regard to the application of this legal consequence, falling within the public interest, the Applicant does not qualify as a client in relation to the imposition of the fine.10Pursuant to Paragraph 1 of the Kvt. And because Akr.35No application may be made in this respect, so this part of the submission cannot be interpreted as an application.
III.6Legal Consequences
The Authority partially accepts the Applicant’s request and condemns the debtor on the basis of Article 58(2)(b) of the GDPR because its processing activities infringed Articles 5(1)(a)(b) and (c), 6(1), 12(1)-(5), 15(1) and 17(1) of the GDPR.
Furthermore, the Authority, pursuant to Article 58(2)(c) of the GDPR, instructs the obligor to remove the contested image from the Facebook social website. The obligor shall provide evidence to the Authority that the data have been deleted and that the deletion has been notified to the Applicant.
The Authority rejected the Applicant’s request to impose a data protection fine as set out in point III.5, but examined ex officio whether a data protection fine should be imposed on the obligor. In this context, on the basis of Article 83(2) of the GDPR and Section 75/A of the Informationtv, the Authority considered of its own motion all the circumstances of the case and concluded that, in the case of an infringement detected in the course of the present proceedings, the warning is neither proportionate nor dissuasive and therefore a fine should be imposed.
In setting the fine, the Authority took into account the following factors:
-	The privacy of the Applicant is significantly affected by processing without an appropriate legal basis and purpose. The infringement is serious because it concerns the exercise of a data subject’s right and the data processing by the boundary violated several articles of the GDPR, including an infringement of fundamental principles.[Article 83(2)(a) GDPR]
-	The infringement was caused by the intentional conduct of the obligor.[Article 83(2)(b) GDPR]
-	The obligor has not yet been convicted for violating the General Data Protection Regulation.[Article 83(2)(e) GDPR]
-	The Authority reviewed the other aspects of the imposition of the fine in Article 83(2) GDPR but did not take them into account because, in its assessment, they were not relevant in the material case.
-	Based on the nature of the infringement, in violation of data processing principles and data subjects’ rights, the maximum fine that may be imposed is EUR 20000000 [Article 83(5)(a) and (b) GDPR]
-	Meeting of the Józsefvárosi Municipal Council of District VIII of Budapest held on November 2019, 7th.(XI.07) established that the debtor, as a full-time deputy mayor, is entitled to a monthly salary of HUF 797800 and a reimbursement of HUF 119670. According to the obligor’s most recent declaration of assets, dated January 2020, 30 January, the obligor holds HUF 1920000 in cash, has no public debt or debts to a financial institution or individuals. The minutes of the representative’s meeting and the declaration of assets of the obligor are available at the following URLs:
-	https: //jozsefvaros.hu/tu_dokumentumok/6426_20191107_nyilt_ules_hatarozat.pdf
-	Https: //jozsefvaros en/documents/vny/2020/dr_eross_gabor_janos.pdf
-	By imposing a fine, the specific preventive objective of the Authority is to encourage the obligor to review its practice of processing the personal data of natural persons in the capacity of a municipal representative and a deputy mayor, as well as in responding to and handling requests from data subjects. In determining the amount of the fine imposed, in addition to the specific preventive objective, the Authority also took into account the general preventive objective pursued by the fine, which, while dissuading the obligor from a new infringement, seeks to move towards legality the data processing practices of persons performing a public function such as the obligor. The reference to the right to freedom of expression and the right to information as a legitimate interest requires precise support, and the reference to freedom of the press is not appropriate in the case of data controllers and not in the case of ‘products’ published by them which are not press products.
The data protection fine imposed by the Authority shall not exceed the maximum amount of the fine that may be imposed.
Given that the Authority’s decision is taken in the context of the activities of a person who acts and communicates to members of society in pursuit of Community objectives and social standards, the Authority is required to provide information in accordance with the provisions of the Information Act.61Order the publication of the decision by the publication of the data controller, i.e. the identity of the applicant, on the basis of Article 2.
IV.	Procedural rules
The powers of the Authority are laid down in the Information Act.38It is defined in paragraphs (2) and (2a) of Section and its competence extends to the whole territory of the country.
The AP Decree37According to Article 2, the procedure shall start on the day following the date of receipt of the application by the competent authority. The AP Decree50Unless otherwise provided by law, the administrative time limit shall begin on the day on which the procedure is initiated.
The decision shall be adopted in accordance with the provisions of the AP Decree.82On the basis of Paragraph 1, it shall become final upon its communication.
The AP Decree112Section 116 and Section of Act CXVI ofParagraph (1) of Section 114 and Section respectively. The decision may be appealed by means of an administrative action pursuant to Paragraph 1.
* * *
The AP Decree135Under Section 1(a), the debtor is required to pay a late payment supplement equal to statutory interest if he fails to comply with his obligation to pay money within the deadline.
The Civil Code6: 48. In the event of a debt of money, the obligor shall pay default interest at the rate applicable on the first day of the calendar half-year affected by the delay, starting from the date of the delay.
The rules of administrative procedure are laid down in Act I of 2017 on the Code of Administrative Procedure (hereinafter: KP.).The Kp.12Pursuant to Section 2(a) of the Kp., administrative actions against decisions of the Authority fall within the jurisdiction of the regional courts.13The Fővárosi Törvényszék (Budapest Municipal Court) has exclusive jurisdiction pursuant to Paragraph 11 of the BGB.Act CXXX of 2016 on the Code of Civil Procedure (hereinafter: (PP.) – the Kp.26Applicable pursuant to paragraph (1) of Section 72Under Section, legal representation is mandatory in actions falling within the jurisdiction of the regional court. KP.39Unless otherwise provided by law, the lodging of an application shall not have suspensory effect on the entry into force of the administrative act.
The Kp.29Section 1 of the Civil Procedure Act and, in this respect, Section of the Civil Procedure Act604Act CCXXII of 2015 on the general rules of electronic administration and trust services (hereinafter: (e-administration Act)According to Section 1(b), the client’s legal representative is obliged to communicate electronically.
The date and place of submission of the claim against the Authority’s decision shall be in accordance with Kp.39Referred to in paragraph (1) of Section. Information on the simplified procedure and on the possibility of requesting a hearing is provided in the Kp.77Paragraphs (1)-(2) of Section 124 and SectionIt is based on paragraphs (1) and (2)(c) and (5) of Section III.The amount of the administrative litigation fee shall be set in accordance with Act XCIII of 1990 on duties (hereinafter: As defined in Section 45/A(1) of Act XLII of. From the obligation to pay the duty in advance, in accordance with Act XCIII of59Paragraph 1 and Article 62Section 1(h) exempts the party initiating the procedure.
If the fulfilment of the obligation imposed is not duly demonstrated by the obligor, the Authority shall consider that the obligation has not been fulfilled within the time limit. The AP Decree132If the obligor has not complied with the obligation laid down in the final decision of the authority, it shall be enforceable. The Authority’s decision on the application of the AP Decree82In accordance with Paragraph 1 of the BGB, it becomes definitive upon notification. The AP Decree133Unless otherwise provided by law or government decree, enforcement shall be ordered by the authority which made the decision. The AP Decree134Unless otherwise provided by law, government decree or local authority decree in the case of a municipal authority, the state tax authority shall execute the execution. In accordance with the Information Act,61Pursuant to Section 7 of the Act, the Authority shall enforce the decision in respect of an order to carry out a specific act, conduct, tolerance or cessation contained in the Authority’s decision.
Budapest, March 2020