NAIH (Hungary) - NAIH/2020/3479

From GDPRhub
Revision as of 10:39, 6 May 2021 by Msm (talk | contribs)
NAIH - NAIH/2020/3479
LogoHU.jpg
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 5(1)(d) GDPR
Article 16 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 18.11.2020
Published:
Fine: 28 EUR
Parties: n/a
National Case Number/Name: NAIH/2020/3479
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Hungarian
Original Source: NAIH (in HU)
Initial Contributor: n/a

The Hungarian DPA (NAIH) issued a fine of €28 on a controller for failing to meet an administrative deadline to rectify the data subject's outdated email address.

English Summary

Facts

A complainant argued that he continued to receive a newsletter from a controller to an old e-mail address despite numerous attempts to rectify his data. According to the complainant, even when his address had been changed manually by an employer of the controller, he continued to receive the newsletter to the older one.

Dispute

Holding

The DPA stated that the controller infringed Article 16 of the GDPR, as he did not comply with the complainant's request. However, given that that the e-mail address has been corrected as a result of the proceedings, no further measure is required. Additionally, given that the rights of the data subject are closely linked to data protection principles, the DPA concluded ex officio that the controller violated the principle of accuracy under Article 5 (1) (d) of the GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

Case No: NAIH / 2020/3479 / Subject: Decision granting the application
Administrator: […]

                                         DECISION


The National Authority for Data Protection and Freedom of Information (hereinafter referred to as the Authority) […]
to the applicant (hereinafter: the Applicant) […] (hereinafter: the Applicant) against the
Infringement of the applicant's right to rectify his personal data and unsolicited newsletters
initiated an official procedure following his request of 16 April 2020,

in which case the Authority has taken a decision on the Applicant

                                      grant his request, and


I. finds that the Applicant has violated the Applicant's natural persons a
protection of personal data and the protection of such data
and repealing Directive 95/46 / EC
the right of rectification under Article 16 of the Regulation (hereinafter referred to as the General Data Protection Regulation) and
at the same time, the Authority finds of its own motion that it has infringed the general rule

the principle of accuracy under Article 5 (1) (d) of the Data Protection Regulation.

Due to the above violation, the Authority will inform the Applicant - by another data protection violation.
in determining the legal consequences of the present infringement as a precedent
will be taken into account with increased weight - will be warned.


                                            EXECUTION


II. Given that it has exceeded the administrative deadline, the Authority considers that
HUF 10,000, ie ten thousand forints to the Applicant - according to his / her choice to be indicated in writing -
pay by bank transfer or postal order.



                                               * * *

There is no administrative remedy against this decision, but it is from notification

within 30 days of the application to the Metropolitan Court in an administrative lawsuit
can be challenged. The application must be submitted to the Authority, electronically, which is the case
forward it to the court together with its documents. Those who do not benefit from full personal exemption
The fee for the administrative lawsuit is HUF 30,000, the lawsuit is subject to the right to record material fees. The Capital
In proceedings before the General Court, legal representation is mandatory.


A II. There is no place for an independent appeal against the order under point 1, only on the merits of the case
may be challenged in an appeal against a decision taken.






1
 The administrative lawsuit is initiated by the form NAIH_K01: Form NAIH_K01 (16.09.2019) The form is the general
can be filled in using a form filling program (ÁNYK program).

                                                1 I N D O K O L Á S

I. Procedure and clarification of the facts


The Applicant submitted a notification to the Applicant on 20 February 2020 in which
complained that he had rewritten his e-mail address several days before his submission to the
operated Internet subscriber interface, after which continued to receive mail from the old e-mail
address.

The Applicant sent on February 21, 2020, referring to the Applicant's notification

In its reply, it provided information that it had changed its previous e-mail address in its system
To the e-mail address provided by the applicant. The Applicant nevertheless continues - March 2020
Also on 16 and 20 March 2020 - received a newsletter from the Applicant to his previous e-mail address.

In view of all this, the Applicant, in its application submitted on 16 April 2020, requested a
Authority, and at the same time the National Media and Communications Authority, to
initiate proceedings against the Applicant for rectification of his personal data

infringement of their rights and the receipt of unsolicited newsletters.

Act CXII of 2011 on the right to information self-determination and freedom of information. law
(hereinafter: the Information Act) the right to the protection of personal data pursuant to Section 60 (1)
before the Authority at the request of the data protection authority
proceedings have been initiated.


Following the Authority's call for rectification, the Applicant arrived on 5 June 2020
in its submission, it stated that between 1 January 2020 and 19 February 2020
changed his e-mail address on the Applicant's online subscriber interface during the period, and submitted
that the "Confirmation" in the "Confirm New Email Address - Reminder" email
clicked on the button to arrive in your inbox on February 21, 2020.

In its order to initiate the data protection authority procedure, the Authority notified the Applicant

and called for a statement and disclosure in order to clarify the facts.

Based on the Applicant's statement, the Applicant initiated the e-mail on February 16, 2020
address change on the Applicant's online subscriber interface. The Applicant submitted that in such a case
validating email to the new email address of the customer initiating the change
will be sent in order for the Applicant to verify the email address provided
correctness. After clicking on the confirmation, the Applicant will be automatically rewritten

e-mail address in your systems.

The Applicant stated that the Applicant on February 16, 2020, and the reminder
The Applicant also failed to re-send the confirmation on 21 February 2020
so that, subject to no modification, the Applicant's old e-mail
the newsletter received by the Applicant in his complaint of 20 February 2020.


The Applicant submitted that in view of the contents of the Applicant's complaint, the Applicant
on 21 February 2020, his employee manually changed the Applicant's e-mail address, which
however, due to an administrative error, the so-called campaign management system
so that the Applicant again received newsletters to his old e-mail address.


                                                                                                2The Applicant stated that the Authority had received an order for clarification of the facts
on 8 July 2020, the so-called campaign management system also modified the
Applicant's email address, so no later newsletters will be sent to the old email address.


In its order, the Authority invited the Applicant to make another statement, to which the
its reply was received by the Authority on 5 August 2020.

The Applicant emphasized that validation is necessary to protect customers, as
so that no third party modification can be made on behalf of the subscriber to the subscriber's knowledge
without.


The Applicant stated that the confirmation was made by the Applicant on 21 February 2020
he cannot prove his absence (absence), given that for an event that did not happen
related logfile is not and cannot be available to the Applicant.

II. Applicable law


Pursuant to Article 2 (1) of the General Data Protection Regulation, for the processing of data in the present case
the general data protection regulation applies.

Infotv. Pursuant to Section 2 (2), the General Data Protection Decree is indicated therein
shall apply with the additions provided for in


Infotv. Pursuant to Section 38 (2), the Authority is responsible for the protection of personal data,
and the right of access to data of public interest and public interest
personal data within the European Union
facilitating its free movement.

Infotv. Pursuant to Section 38 (2a) of the General Data Protection Decree on Supervision
the tasks and powers established for the authority under the jurisdiction of Hungary

as defined in the General Data Protection Regulation and this Act
according to the Authority.

Infotv. Pursuant to Section 38 (3) (b), within the scope of its responsibilities under Section 38 (2) and (2a)
as defined in this Act, in particular at the request of the data subject and ex officio data protection
conduct an official procedure.

Infotv. Pursuant to Section 60 (1), the enforcement of the right to the protection of personal data

To that end, the Authority shall, upon request, initiate a data protection authority procedure and of its own motion
initiate data protection authority proceedings. The data protection authority procedure is general
CL of 2016 on administrative order. (hereinafter: Ákr.)
apply with the additions specified in the Infotv. and the general data protection regulation
with the derogations provided for in

Infotv. Pursuant to Section 60 (2): “For the initiation of data protection authority proceedings

Article 77 (1) and Article 22 (b) of the General Data Protection Regulation.
may be submitted in the case provided for in

Under Article 77 (1) of the General Data Protection Regulation, “other administrative or
without prejudice to judicial remedies, any person concerned shall have the right to lodge a complaint with one

                                                                                                 At the supervisory authority, in particular at the place of usual residence, place of work or
in the Member State of the alleged infringement, if it considers that the
the processing of personal data infringes this Regulation. "


Article 5 (1) (d) of the General Data Protection Regulation states: “Personal data shall:
[…]
(d) be accurate and, where necessary, kept up to date; all reasonable measures must be taken
in order to ensure that personal data are inaccurate for the purposes of data processing
immediately deleted or corrected ("accuracy") ".


Under Article 16 of the General Data Protection Regulation, the data subject has the right to request
data controller to correct inaccurate personal data without undue delay
data. Taking into account the purpose of the data processing, the data subject is entitled to request the incomplete
supplementing personal data, inter alia by means of a supplementary declaration.

According to Article 12 (1) to (6) of the General Data Protection Regulation: “1. The controller shall
take measures to enable the data subject to process personal data

all the information referred to in Articles 13 and 14 and Articles 15 to 22. and Article 34
each piece of information in a concise, transparent, comprehensible and easily accessible form, in a clear manner
and provide it in plain language, in particular any information addressed to children
in the case of. The information shall be provided in writing or by other means, including, where appropriate, by electronic means
also - must be specified. Oral information may be provided at the request of the data subject, provided otherwise
the identity of the data subject has been verified.
2. The controller shall facilitate the processing of the data subject concerned in accordance with Articles 15 to 22. exercise of their rights under this Article. Article 11 (2)

In the cases referred to in paragraphs 15 to 22, the controller shall exercise their rights under Article
may not refuse to comply with his request unless he proves that the person concerned
unable to identify.
3. The controller shall, without undue delay, but in any case upon receipt of the request,
inform the data subject within one month of the following an application under Article
measures. If necessary, taking into account the complexity of the application and the requests
this period may be extended by a further two months. On the extension of the deadline

the controller shall indicate the reasons for the delay from the date of receipt of the request
inform the data subject within one month. If the application has been submitted by electronic means, the
information shall, as far as possible, be provided by electronic means, unless the data subject provides otherwise
asks.
If the controller does not act on the data subject 's request without delay, but
shall inform the data subject no later than one month after receipt of the request
the reasons for not taking action and the fact that the person concerned may lodge a complaint

supervisory authority and may exercise its right to a judicial remedy. 5. In accordance with Articles 13 and 14
information and Articles 15 to 22. The information and action provided for in Articles 31 and 34 shall be provided free of charge
to assure. If the data subject's request is clearly unfounded or - particularly repetitive
excessive, the controller, in view of the provision of the requested information or information
or for the administrative costs of taking the requested action: (a) a reasonable fee
or (b) refuse to act on the request. The application
the burden of proving that it is manifestly unfounded or excessive is on the controller. (6) A 11.

without prejudice to Articles 15 to 21, if the controller has reasonable doubts in accordance with Article
the identity of the natural person submitting the application
request the information necessary to confirm his identity. "



                                                                                                 4Article 23 (1) of the General Data Protection Regulation states: “The controller or
Union or Member State law applicable to the processor may be limited by legislative measures
a 12-22. Articles 12 and 34 and Articles 12 to 22. with the rights set out in Article

the rights and obligations set out in Article 5 in respect of
obligations if the restriction respects fundamental rights and freedoms
necessary and proportionate measure to protect the following
in a democratic society:
(a) national security;
b) national defense;
(c) public safety;

(d) the prevention, investigation, detection or prosecution of criminal offenses; or
enforcement of criminal sanctions, including against threats to public security
protection and prevention of these dangers;
(e) other important general interest objectives of general interest of the Union or of a Member State, in particular:
Important economic or financial interests of the Union or of a Member State, including monetary,
budgetary and fiscal issues, public health and social security;
(f) protection of judicial independence and judicial proceedings;

g) in the case of regulated professions, the prevention, investigation and detection of ethical violations
and conducting related procedures;
(h) in the cases referred to in points (a) to (e) and (g), even occasionally, the performance of public
control, inspection or regulatory activity related to the provision of
(i) the protection of the data subject or the protection of the rights and freedoms of others;
(j) the enforcement of civil claims. "


According to Article 58 (2) of the General Data Protection Regulation: “The supervisory authority shall be corrective
acting within its competence:
(a) warn the controller or processor that certain data processing operations are planned
its activities are likely to infringe the provisions of this Regulation;
(b) condemn the controller or the processor if his or her data processing activities
has infringed the provisions of this Regulation;
(c) instruct the controller or the processor to comply with this Regulation

exercise its rights under this Regulation;
(d) instruct the controller or processor to carry out its data processing operations, where applicable
in a specified manner and within a specified period, in accordance with this Regulation
with its provisions;
(e) instruct the controller to inform the data subject of the data protection incident;
(f) temporarily or permanently restrict the processing, including the prohibition of the processing;
(g) order personal data in accordance with Articles 16, 17 and 18 respectively

rectification or erasure of data or restrictions on data processing, and in accordance with Article 17 (2).
order to notify the addressees with whom it is addressed in accordance with paragraph 1 and Article 19
or with whom personal data have been communicated;
(h) withdraw the certificate or instruct the certification body in accordance with Articles 42 and 43
revoke a duly issued certificate or instruct the certification body not to grant it
issue the certificate if the conditions for certification are not or are no longer met;
(i) impose an administrative fine in accordance with Article 83, depending on the circumstances of the case

in addition to or instead of the measures referred to in this paragraph; and
(j) order the flow of data to a recipient in a third country or to an international organization
suspension. "



                                                                                                5 Pursuant to Article 83 (2), (5) and (7) of the General Data Protection Regulation: “[...]
administrative fines in accordance with Article 58 (2) (a) to (h), depending on the circumstances of the case.
and (j) shall be imposed in addition to or instead of the measures referred to in When deciding that

whether it is necessary to impose an administrative fine or the amount of the administrative fine
In each case, due account shall be taken of the following:
(a) the nature, gravity and duration of the breach, taking into account the processing in question
the nature, scope or purpose of the infringement and the number of persons affected by the infringement;
the extent of the damage they have suffered;
(b) the intentional or negligent nature of the infringement;
(c) the mitigation of damage suffered by the data subject by the controller or the processor

any measures taken to
(d) the extent of the responsibility of the controller or processor, taking into account the
and technical and organizational measures taken pursuant to Article 32;
(e) relevant infringements previously committed by the controller or the processor;
(f) the supervisory authority to remedy the breach and the possible negative effects of the breach
the extent of cooperation to alleviate
(g) the categories of personal data affected by the breach;

(h) the manner in which the supervisory authority became aware of the infringement, in particular
whether the controller or processor has reported the breach and, if so, what
in detail;
(i) if previously against the controller or processor concerned, in the same
one of the measures referred to in Article 58 (2), orally
compliance with revolving measures;
(j) whether the controller or processor has considered itself approved in accordance with Article 40

codes of conduct or approved certification mechanisms in accordance with Article 42;
and
(k) other aggravating or mitigating factors relevant to the circumstances of the case, such as:
financial gain obtained or avoided as a direct or indirect consequence of the infringement
loss.
[…]
Infringements of the following provisions, in accordance with paragraph 2, shall be

An administrative fine of EUR 000 000 or, in the case of undertakings, the previous financial penalty
shall not exceed 4% of the total annual world market turnover for the year, provided that the
the higher of the two shall be charged:
(a) the principles of data processing, including the conditions for consent, in accordance with Articles 5, 6, 7 and 9;
appropriately;
(b) the rights of data subjects under Articles 12 to 22. in accordance with Article
(c) the transfer of personal data to a recipient in a third country or to an international organization

transmission in accordance with Articles 44 to 49. in accordance with Article
d) IX. obligations under the law of a Member State adopted pursuant to this Chapter;
(e) instructions from the supervisory authority pursuant to Article 58 (2) and data processing
temporary or permanent restriction or suspension of data flows
or in breach of Article 58 (1)
failure to provide.
[…]

(7) Without prejudice to the supervisory powers of the supervisory authorities under Article 58 (2),
each Member State may lay down rules on the
may be imposed on a public authority or other body with a public function
administrative fine and, if so, the amount. "


                                                                                                6Infotv. 75 / A. §: The Authority is included in Article 83 (2) - (6) of the General Data Protection Regulation
exercise its powers in accordance with the principle of proportionality, in particular by:
legislation on the processing of personal data or binding European Union law

in the event of a first breach of the rules set out in its act
in accordance with Article 58 of the General Data Protection Regulation
by alerting the controller or processor.

Infotv. According to Section 61 (4) (b): “The amount of the fine is from one hundred thousand to twenty million forints
may be extended if the fine imposed in a decision taken in a data protection authority proceeding
budgetary body under Article 83 of the General Data Protection Regulation

in the case of a fine imposed. "

ARC. Decision

In its application, the Applicant requested the Authority to establish that the Applicant
infringed his right to rectification under Article 16 of the General Data Protection Regulation by his e-mail address
during the change.


Regarding how to provide information on the correction of personal data
the obligations of the controller are detailed in Article 12 of the General Data Protection Regulation.

It was not possible to prove that fact in a credible manner in the present proceedings - and
The Authority has not identified any other means by which it can be optimally clarified that
Whether or not the applicant clicked on the “confirm” button on 21 February 2020 or

on the same day, the Applicant’s employee manually corrected the Applicant’s email
address. However, it can be stated that before 20 February 2020 alone, the Applicant
The legal declaration communicated by the Commission to the Applicant on the Applicant's interface shall not be considered a data subject
as an application, as in that case it was carried out by only one Applicant
it was an amendment to the data and not a request for a correction indicating the inaccuracy of the data. So the
The applicant's only complaint to the Applicant, submitted on 20 February 2020, was considered
as a request for rectification under Article 16 of the General Data Protection Regulation

without undue delay, but no later than one month.

However, despite the fact that the Applicant lawfully amended the
In view of the applicant's complaint lodged on 20 February 2020, the e-mail address, the so-called campaign
management system illegally on 8 July 2020 only as a result of the present proceedings
corrected the Applicant's email address.


On the basis of all this, in view of the fact that the Applicant to correct the Applicant's e-mail address
has not complied with its request of 20 February 2020, the Authority finds that
The applicant infringed Article 16 of the General Data Protection Regulation. However, given that
that the Applicant has corrected the Applicant's e-mail address as a result of the present proceedings, further
no measure is required. Also given the rights of the data subject
are closely linked to data protection principles, the Authority concludes ex officio that
By violating the details of the exact e-mail address of the Applicant, the Applicant violated it

the principle of accuracy under Article 5 (1) (d) of the General Data Protection Regulation.

The Authority finds, as an infringement related to the above infringement, that at the same time the
treated personal data without legal basis in connection with the sending of the newsletter, as it was two newsletters


                                                                                               7is sent (March 16, 2020 and March 20, 2020) after February 21, 2020 about it
informed the Applicant that he had corrected his e-mail address.


The Acre. According to Section 51 (b), if the authority exceeds the administrative deadline - and
there was no place to make a decision - equivalent to a fee or charge for conducting the proceedings
in the absence of this, he shall pay ten thousand forints to the applicant client, who shall be released from the
from the payment of procedural costs. Consequently, the Authority shall take a decision in accordance with the operative part
brought.

IV.3. Legal consequences


The Authority examined whether it was justified to impose a data protection fine on the Applicant.
In this context, the Authority complies with Article 83 (2) of the General Data Protection Regulation and Infotv. 75 / A. §-
on the basis of which it considered all the circumstances of the case and found that in the present proceedings
in the case of detected infringements, the warning is a proportionate, dissuasive sanction and therefore a fine
is not required.


The Authority shall use the following criteria for each measure, as appropriate
has decided, in the light of:

    - the gravity of the infringement is low, also taking into account the fact that it has been established
       the infringements are closely linked and the damage suffered has not occurred
       in proceedings [Article 83 (2) (a) of the General Data Protection Regulation];

    the infringement is the result of the Applicant 's negligent conduct [general data protection
       Article 83 (2) (b) of the Regulation]

    - the Authority convicted the Applicant of NAIH / 2020/2758/4. In its decision no
       breach of the General Data Protection Regulation, however, NAIH / 2020/2758. No.
       The findings made in the course of the proceedings cannot be regarded as relevant in the present case [General
       Article 83 (2) (e) of the Data Protection Regulation];

    - the personal data (email address) affected by the breach do not constitute special data
       [Article 83 (2) (g) of the General Data Protection Regulation]

    - the Applicant as soon as it becomes aware that the Applicant is not a valid e-mail
       records its address, has rectified it [General Data Protection Regulation
       Article 83 (2) (k)].

Based on the above, the Authority has decided in accordance with the operative part.

V. Other issues

The powers of the Authority are limited by the Infotv. Section 38 (2) and (2a), its jurisdiction is

covers the whole country.

The present decision of the Authority is based on Art. 80-81. § and Infotv. It is based on Section 61 (1). The decision is
Ákr. Pursuant to Section 82 (1), it becomes final with its communication. The Acre. Section 112 and Section 116 (1)
and (4) (d) and § 114 (1) against the decision
there is a right of appeal through an administrative lawsuit.




                                                                                                  8 * * *

The rules of administrative litigation are laid down in Act I of 2017 on the Procedure of Administrative Litigation (a

hereinafter: Kp.). A Kp. Pursuant to Section 12 (1) by a decision of the Authority
The administrative lawsuit against the court falls within the jurisdiction of the court. Section 13 (3) a)
The General Court has exclusive jurisdiction under point (aa) of A Kp. Section 27 (1)
In a dispute in which the tribunal has exclusive jurisdiction, the
representation is mandatory. A Kp. Pursuant to Section 39 (6), the filing of the application a
has no suspensive effect on the entry into force of an administrative act.


A Kp. Section 29 (1) and with this regard Act CXXX of 2016 on the Code of Civil Procedure.
applicable pursuant to Section 604 of the Act, electronic administration and trust services
CCXXII of 2015 on the general rules of pursuant to Section 9 (1) (b) of the Act
legal representative is required to communicate electronically.

The time and place of the filing of the application is Section 39 (1). THE
Information on the possibility to request a hearing can be found in Kp. Section 77 (1) - (2)

based on. The amount of the fee for an administrative lawsuit is set out in Act XCIII of 1990 on Fees. law
(hereinafter: Itv.) 45 / A. § (1). From the advance payment of the fee is
Itv. Section 59 (1) and Section 62 (1) (h) shall release the party initiating the proceedings.

Budapest, November 18, 2020


                                                                    Dr. Attila Péterfalvi
                                                                           President
                                                                     c. professor




























                                                                                                  9