Difference between revisions of "NAIH - NAIH/2020/5553"

From GDPRhub
(One intermediate revision by the same user not shown)
Line 19: Line 19:
 
|Date_Decided=July 16 2020
 
|Date_Decided=July 16 2020
 
|Date_Published=July 16 2020
 
|Date_Published=July 16 2020
|Year=
+
|Year=2020
|Fine=10.000
+
|Fine=
|Currency=HUF
+
|Currency=
  
 
|GDPR_Article_1=Article 12(3) GDPR
 
|GDPR_Article_1=Article 12(3) GDPR
Line 50: Line 50:
 
}}
 
}}
  
The Hungarian DPA fined Google Ireland Ltd HUF 10,000 for exceeding its administrative deadline to provide a data subject with their personal data stored by Google AdWords. The fine was issued with reference to GDPR Article 15 and Article 12(3).  
+
The Hungarian DPA fined Google Ireland Ltd for exceeding its administrative deadline to provide a data subject with their personal data stored by Google AdWords. The fine was issued with reference to GDPR Article 15 and Article 12(3).  
  
 
==English Summary==
 
==English Summary==
Line 64: Line 64:
  
 
==Comment==
 
==Comment==
''Share your comments here!''
+
There was conflicting information on the actual amount of the fine. The exact number will be updated.
  
 
==Further Resources==
 
==Further Resources==

Revision as of 16:24, 30 July 2020

NAIH - NAIH/2020/5553
LogoHU.jpg
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 12(3) GDPR
Article 15 GDPR
Type: Complaint
Outcome: Upheld
Decided: July 16 2020
Published: July 16 2020
Fine: n/a
Parties: Google Ireland Ltd
Claimant (not named)
National Case Number/Name: NAIH/2020/5553
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Hungarian
Original Source: Nemzeti Adatvédelmi és Információszabadság Hatóság (in HU)
Initial Contributor: Isabel Hahn

The Hungarian DPA fined Google Ireland Ltd for exceeding its administrative deadline to provide a data subject with their personal data stored by Google AdWords. The fine was issued with reference to GDPR Article 15 and Article 12(3).

English Summary

Facts

The claimant contacted Google AdWords and asked for the information stored by them in relation to the processing of the personal data related to the claimant's name. Google replied to the claimant stating that they did not know which organizational unit would be able to answer the Claimant's query, and therefore did not provide the Claimant with an answer to his request. The Claimant then filed a complaint against Google with the Hungarian DPA for not complying with his request under Article 15 and with the one month deadline under Article 12(3).

Dispute

Was Google Ireland Ltd in breach of its obligations under GDPR Article 15(1) and Article 12(3) by failing to provide the data subject with their personal data?

Holding

The DPA held that Google had not provided the Claimant with a substantive response to their data subject request under Article 15 within the one month time frame as specified in Article 12(3).

Comment

There was conflicting information on the actual amount of the fine. The exact number will be updated.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

The National Data Protection and Freedom of Information Authority (hereinafter: the Authority) a
.................................. (Hereinafter referred to as the Applicant) Szemben against Google Ireland Ltd (Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland; hereinafter referred to as the "Applicant")
violation of the obligation to provide information and initiated ex officio by Google Stakeholders in Hungary are affected by AdWords extended to the examination of general data management practices relating to the exercise of in the data protection authority procedure decision

1. The Authority grants the applicant's application in part and finds that a Applicant violated the Applicant’s right of access by failing to provide a deadline adequate information on the processing of the Applicant's "name" personal data a Under Google AdWords. The Applicant thereby violated the processing of personal data the free movement of such data and Directive 95/46 / EC Regulation (EU) No 2016/679 repealing Directive (hereinafter referred to as General Data Protection Regulation) with regard to Article 15, Article 12 (3).

2. The Authority shall require that part of the application order the Authority to reply, and examine the Applicant's general practice regarding data subjects' rights, rejects.

3. The Authority in connection with the Google AdWords service in Hungary general data management practices related to the exercise of the rights of data subjects by data subjects terminate the ex officio extended procedure for

4. The Authority finds that it has exceeded the administrative deadline and therefore as such stipulates that HUF 10,000, ie ten thousand forints, must be indicated to the Applicant in writing at your choice - pay by bank account or postal order.

5. The Authority further provides that during the proceedings on the applicant's side incurred in connection with the exercise of access to documents for HUF 6,100, ie HUF 6,000 one hundred the procedural costs incurred shall be borne by the Applicant. There is no administrative appeal against the decision, but from the communication by application to the Metropolitan Court within 30 days of can be challenged in an administrative lawsuit. The application shall be submitted to the Authority, electronically, which forwards it to the court together with the case file. Holding the hearing The application must be indicated in the application. Not in total personal exemption for the beneficiaries, the fee for the court review procedure is HUF 30,000, the lawsuit is material subject to the right to record duties. Legal representation in proceedings before the Metropolitan Court obligatory.

EXPLANATORY STATEMENT

I. Procedure and clarification of the facts

1. In his application to the Authority on ……………………, the Applicant stated that asconcerned by alapján Google pursuant to Article 15 of the General Data Protection Regulation You contacted the AdWords operator, the Applicant, electronically and as follows requested information from him in connection with the processing of the personal data of the Applicant's name.

2. According to the Applicant's statement …………………… on Google AdWords web reference form with reference to Article 15 of the General Data Protection Regulation sent a request for the exercise of the right of access to the Applicant with the following content:

(i) which ads, websites, advertisers your name is treated in connection with, such as advertising keyword;
(ii) when and how many times Google’s Internet search engine displayed your name
Google AdWords advertising;
(iii) if Google AdWords does not use your name as your advertising keyword based on what algorithm, for what reason, what ad keywords as a result, when and how many times a Google AdWords ad was displayed to search for your name related to Google web search.

3. The Applicant ……………………, and by searching in his / her own name (the ……………………untitled) Google's Internet search engine returned ads that …………………… related to other service providers, therefore it is assumed that the his name is managed in conjunction with his profession and in automatic decision-making procedures used.

4. Ads with ads-support@google.com and legal-notices@google.com after several correspondence, the Applicant replied to the Applicant that they did not know to say which organizational unit could answer the above questions and therefore not they can answer your questions.

5. In view of the above, the Applicant has applied to the Authority with the rights of the Applicant concerned and the conviction of the controller, and the requested obligation to provide information.

6. On request, on the right to information self-determination and freedom of information CXII of 2011 Act (hereinafter: the Information Act) on the basis of Section 60 (1) of the Data Protection Act an official procedure was initiated, which the Authority extended ex officio to Google AdWords the rights of the data subjects in Hungary in connection with the service to examine the general data management practice related to the exercise of the on the basis of the individual request of the Applicant.

7. In order to clarify the cross-border nature of data management, the general data protection a procedure under Article 56 of that Regulation was necessary to decide which Member State data protection authority is entitled to act as the main authority in the case and which are concerned authorities. As foreign bodies had to be sought, on the Authority …………………… suspended the present administrative procedure and Article 56 (2) of the General Data Protection Regulation. requested data protection supervision in the controller's registered office in accordance with paragraph 1 authority to state whether it intends to act as the main supervisory authority in the matter.

The Authority justified the question on the grounds that it is natural for a person staying in Hungary relating to the exercise of the rights of the person concerned who submitted his application to the Authority, therefore there are no data subjects in another Member State, so it is appropriate for the Authority to act merits.

8. As a result of the procedure under Article 56 of the General Data Protection Regulation a In its replies to the Authority, the Irish Data Protection Authority stated that Google The Irish Privacy Authority is the primary authority for AdWords. Furthermore, the Irish Data Protection Authority as the main authority is Article 56 of the General Data Protection Regulation In accordance with paragraphs 3 and 5, it has decided that, for the reasons set out above, the Authority you can handle the request as the Irish Data Protection Authority does not wish to act on it.

9. Following the clarification of jurisdiction set out above, the Authority will issue NAIH / 2019/346/10. No. the suspension of the proceedings and the conduct of the proceedings decided.

10. The Authority shall issue NAIH / 2019/346/11. In his order no., he called on the Applicant, which is based on a certificate issued by Magyar Posta He received it on ……………………, but no return receipt was returned.

11. After inspecting the applicant's file, the Authority shall: repeatedly called on the Applicant to make a statement on which he applied By letter from his legal representative.

12. The Applicant …………………… sent a substantive response to the Applicant's access request, stating the data it uses and when, how many times, which method, based on which results related to the Applicant's personal data in your search engine.

13. The Applicant is not the data subject indicated in the Applicant's data protection information sent on the online form for processing applications by the General Data Protection Regulation His application under Article 15 and was therefore not addressed to the case department concerned. THE Claimant alleges that he was not forwarded to the wrong address due to an individual clerk error received a request from the competent authorities and is not aware of a similar case.

14. According to the applicant in its reply, the Authority did not has competence to examine its general data management practices.

II. Applicable legal provisions

According to Article 2 (1) of the General Data Protection Regulation, the Regulation shall apply to the processing of personal data in a partially or fully automated manner, and for the non-automated management of data contained in a registry system or which are intended to be part of a registration system. For data management falling within the scope of the General Data Protection Decree, Infotv. § 2 (2) the general data protection regulation in the provisions indicated therein shall apply with the additions set out in Infotv. Pursuant to Section 60 (1), the enforcement of the right to the protection of personal data To that end, the Authority shall, at the request of the data subject, initiate a data protection authority procedure and may initiate ex officio data protection proceedings.

In order to conduct the official procedure, Ákr. Pursuant to Section 7 (1), Ákr. provisions of this Regulation apply. Infotv. Section 60 (2) and Infotv. Pursuant to Section 2 (2) of the Data Protection Authority. The request to initiate proceedings is covered by the General Data Protection Regulation in the case provided for in Article 77 (1) of the General Data Protection Regulation may be submitted.

Pursuant to Article 77 (1) of the General Data Protection Regulation, other administrative or without prejudice to judicial remedies, any person concerned shall have the right to lodge a complaint with one supervisory authority, in particular its habitual residence, place of employment or in the Member State of the alleged infringement, if it considers that the person concerned processing of personal data relating to personal data infringes this Regulation. Pursuant to Article 56 (1) of the General Data Protection Regulation, without prejudice to Article 55, the center of activity or a single activity of the controller or processor the home supervisory authority is entitled to act as the main supervisory authority with regard to cross-border data processing by the controller or processor, in accordance with the procedure laid down in Article 60.
Pursuant to Article 12 (3) of the General Data Protection Regulation, the controller is unjustified without delay, but in any case within one month of receipt of the request inform the data subject in accordance with Articles 15 to 22. the action taken on a request pursuant to Article.

Where appropriate, taking into account the complexity of the application and the number of applications, this period may be extended by a further two months. The extension of the deadline is
the controller shall indicate the reasons for the delay from the date of receipt of the request inform the data subject within one month. If the person concerned has submitted the application, the information shall, as far as possible, be provided by electronic means, unless concerned requests otherwise.

Pursuant to Article 15 (1) of the General Data Protection Regulation, the data subject is entitled to: receive feedback from the data controller regarding the processing of your personal data is in progress, and if such data processing is in progress, you are entitled to personal access to data and the following information:

(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipients to whom the personal data relate data have been or will be communicated, including in particular in third countries recipients and international organizations;
(d) where applicable, the intended period for which the personal data will be stored or, failing that possible, criteria for determining this period;
(e) the data subject's right to request from the controller the personal data concerning him or her rectification, erasure or limitation of the processing of such data and may object to such against the processing of personal data;
(f) the right to lodge a complaint with a supervisory authority;
(g) if the data were not collected from the data subject, all available sources information;
(h) the fact of automated decision-making referred to in Article 22 (1) and (4), including profiling as well as, at least in these cases, the logic used and comprehensible information on the significance of such data processing, and the expected consequences for the data subject.

Infotv. Pursuant to Section 61 (1) (a), it was taken in a data protection authority proceeding In its decision, the Authority Data management specified in Section 2 (2) defined in the General Data Protection Regulation in connection with may apply legal consequences.

Infotv. 75 / A. Pursuant to Article 83 (2) - (6) of the General Data Protection Regulation, the Authority exercise the powers set out in paragraph 1 in accordance with the principle of proportionality, in particular by complying with the law on the processing of personal data Requirements laid down in a binding act of the European Union to remedy the breach in the event of a breach of Article 58 of the General Data Protection Regulation in particular by alerting the controller or processor. Pursuant to Article 83 (2) of the General Data Protection Regulation, administrative fines are imposed by referred to in Article 58 (2) (a) to (h) and (j), as the case may be should be imposed in addition to or instead of measures. When deciding if it is necessary imposing an administrative fine or setting the amount of the administrative finein each case due account shall be taken of the following:

(a) the nature, gravity and duration of the infringement, taking into account the nature of the infringement in question the nature, scope or purpose of the processing and the number of data subjects affected by the affected by the infringement and the extent of the damage they have suffered;
(b) the intentional or negligent nature of the infringement;
(c) damage suffered by the controller or the data subject any measures taken to alleviate
(d) the extent of the responsibility of the controller or processor, taking into account
the technical and organizational measures it has taken pursuant to Articles 25 and 32;
(e) relevant infringements previously committed by the controller or the processor;
(f) the supervisory authority has remedied the breach and the breach may be negative the extent of cooperation to mitigate its effects;
(g) the categories of personal data affected by the breach;
(h) the manner in which the supervisory authority became aware of the infringement, in particular whether the controller or processor has reported the breach and if yes, in what detail;
(i) if previously against the controller or processor concerned, in the same case the measures referred to in Article 58 (2) compliance with one of the measures in question;
(j) whether the controller or processor has complied with Article 40 approved codes of conduct or approved certification in accordance with Article 42 mechanisms; as well as
(k) other aggravating or mitigating factors relevant to the circumstances of the case, for example, financial gain obtained as a direct or indirect consequence of the infringement profit or avoided loss.

III. Decision

1. The period considered

In the subject matter covered by the application, the examined data management period is the Applicant From the date of the first application of the data subject sent to the applicant (……………………) nap).
The data management period covered by the ex officio extension is the general data protection from the entry into force of this Regulation (25 May 2018) and to the Requesting Authority until the date of receipt of your application (……………………).

2. Data protection authority proceedings initiated upon request As the Applicant filed on the Applicant általános, general data protection The general authority did not provide a substantive response to the data subject's request under Article 15 of the Regulation within one month within the meaning of Article 12 (3) of the Data Protection Regulation the need to extend the deadline by a further two months and its response to did not reach the Applicant within the extended deadline, the Authority found that the Applicant's above conduct violated general data protection Articles 12 (3) and 15 (1) of this Regulation.

In view of the fact that the Applicant has in the meantime complied with its obligation to provide information, its obligation to comply with it has become devoid of purpose in the course of the proceedings. Therefore, this part of the application was rejected.

The Applicant shall inform Infotv. Section 60 (2) and Infotv. Section 2 (2) and pursuant to Article 77 (1) of the General Data Protection Regulation may request an examination of the practice only if it is in the Applicant’s right or legitimate interest however, no evidence or circumstance to that effect has arisen in the present proceedings, such has not been proved or probable by the Applicant. Where the Authority: Requested decision on general data management practices right or obligationdoes not arise for the Applicant, the Applicant shall not be considered a customer in this respect the Acre. § 10 (1), or - as the Ákr. Does not comply with Section 35 (1) there is no need to submit an application in this respect. In view of the above, the application this part was rejected.

3. Ex officio extended procedure

Contrary to the position of the Applicant, the Authority is of the opinion that the Authority is general identified as the main authority as a result of the procedure under Article 56 of the Data Protection Regulation in agreement with the Irish Data Protection Authority, is entitled to investigate the request and the facts are complete to fully explore. Part of this is whether it is an individual case or a system-wide problem weave. If, in the case of an individual application, there is an indication that it is general practice problem is in the background, the Authority shall be referred to it decision to the competent authority. However, it is necessary to establish this clarification of certain factual elements concerning general practice.
The Authority examined the Applicant's general practice only in so far as it: has an impact on the exercise of the rights of data subjects residing in Hungary, and it is necessary to determine whether the Irish Data Protection Authority is justified as the main authority to initiate proceedings. Continuation of the Authority's proceedings on this issue not justified on the basis of the information available, as the Requested is general no systemic infringements of its practice evidence that the Authority would know the procedure of the Irish Data Protection Authoritysuch evidence by the means available to the Authority not expected to continue.
The data management period covered by the ex officio extension is the general data protection from the entry into force of this Regulation (25 May 2018) and to the Requesting Authority until the date of receipt of your application (……………………).

2. Data protection authority proceedings initiated upon request As the Applicant filed on the Applicant általános, general data protection The general authority did not provide a substantive response to the data subject's request under Article 15 of the Regulationwithin one month within the meaning of Article 12 (3) of the Data Protection Regulation the need to extend the deadline by a further two months and its response to did not reach the Applicant within the extended deadline, the Authority found that the Applicant's above conduct violated general data protection Articles 12 (3) and 15 (1) of this Regulation.

In view of the fact that the Applicant has in the meantime complied with its obligation to provide information, its obligation to comply with it has become devoid of purpose in the course of the proceedings. Therefore, this part of the application was rejected.

The Applicant shall inform Infotv. Section 60 (2) and Infotv. Section 2 (2) and pursuant to Article 77 (1) of the General Data Protection Regulation may request an examination of the practice only if it is in the Applicant’s right or legitimate interest however, no evidence or circumstance to that effect has arisen in the present proceedings, such has not been proved or probable by the Applicant. Where the Authority: Requested decision on general data management practices right or obligation does not arise for the Applicant, the Applicant shall not be considered a customer in this respect the Acre. § 10 (1), or - as the Ákr. Does not comply with Section 35 (1) there is no need to submit an application in this respect. In view of the above, the application this part was rejected.

3. Ex officio extended procedure Contrary to the position of the Applicant, the Authority is of the opinion that the Authority is general identified as the main authority as a result of the procedure under Article 56 of the Data Protection Regulation in agreement with the Irish Data Protection Authority, is entitled to investigate the request and the facts are complete to fully explore. Part of this is whether it is an individual case or a system-wide problem weave. If, in the case of an individual application, there is an indication that it is general practice problem is in the background, the Authority shall be referred to it decision to the competent authority. However, it is necessary to establish this clarification of certain factual elements concerning general practice.

The Authority examined the Applicant's general practice only in so far as it: has an impact on the exercise of the rights of data subjects residing in Hungary, and it is necessary to determine whether the Irish Data Protection Authority is justified as the main authority to initiate proceedings. Continuation of the Authority's proceedings on this issue not justified on the basis of the information available, as the Requested is general no systemic infringements of its practice evidence that the Authority would know the procedure of the Irish Data Protection Authority such evidence by the means available to the Authority not expected to continue. he Acre. Section 112 (1) and (2) and Section 116 (1) and Section 114 (1), respectively the decision is subject to an administrative appeal.

* * *

The rules of administrative litigation are laid down in Act I of 2017 on the Procedure of Administrative Litigation (a hereinafter: Kp.). A Kp. Pursuant to Section 12 (1) by a decision of the Authority The administrative lawsuit against the court falls within the jurisdiction of the court. Section 13 (3) Under subparagraph (a) (aa), the Metropolitan Court has exclusive jurisdiction.

A Kp. Pursuant to Section 27 (1), legal representation in administrative proceedings before the General Court obligatory. A Kp. Pursuant to Section 39 (6), the filing of an application is administrative has no suspensive effect on the entry into force of the act. A Kp. Section 29 (1) and with this regard Pp. Applicable in accordance with § 604, electronic CCXXII of 2015 on the general rules of administration and trust services. Law (hereinafter: E-Administration Act) According to Section 9 (1) (b), the customer is legal representative is required to communicate electronically.

The time and place of the submission of the application is Section 39 (1). THE Information on the possibility of requesting a hearing can be found in Kp. Section 77 (1) - (2) based. The amount of the fee for an administrative lawsuit is set out in Act XCIII of 1990 on Fees. Law (hereinafter: Itv.) 45 / A. § (1). From the advance payment of the fee the Itv. Section 59 (1) and Section 62 (1) (h) shall exempt the person initiating the proceedings party.

Budapest, July 16, 2020

Dr. Attila Péterfalvi
chairman
c. professor