NAIH (Hungary) - NAIH/2020/974/4

From GDPRhub
(Redirected from NAIH - NAIH/2020/974/4)
NAIH - NAIH/2020/974/4
LogoHU.jpg
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6(1)(a) GDPR
Article 9(1) GDPR
Article 13 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 18.11.2019
Published:
Fine: 1000000 HUF
Parties: n/a
National Case Number/Name: NAIH/2020/974/4
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Hungarian
Original Source: NAIH (in HU)
Initial Contributor: n/a

The Hungarian DPA (NAIH) fined a controller 1 million HUF (approximately 2,830 EUR), and ordered the deletion of data from the initiative "Join the EPPO", for the processing of personal data with no legal basis and for the failing to provide data subjects with adequate information on all relevant circumstances of the processing.

English Summary

Facts

The complainant objected to the controller processing their data in connection to the collection of signatures for the purpose of a petition supporting Hungary's accession to the European Public Prosecutor's Office. The data was initially connected for demonstrating support for the cause, and then was then used for other purposes.

Dispute

Was there a lawful basis for the processing under Article 6(1)? Did an exception to the prohibition of processing sensitive data under Article 9(2)? Were there any other GDPR violations incurred by the processing?


Holding

The DPA held that there was no lawful basis, and in particular rejected the controller's contention that the processing was based on consent under Article 6(1)(a), given that the consent could not have been informed. Following on from this, the DPA held that the exception of explicit consent under Article 9(2)(a) also did not apply because the provision of requested data in a signature collection form, or an "acceptance" of Data Protection Information could not be considered a specific, unambiguous statement of the data subject's intention to process the data. Furthermore, the DPA also found that the controller violated the principle of data transparency under Article 5(1)(a), because of a lack of adequate information about the processing being provided to the data subject.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

DECISION National Data Protection and Freedom of Information Authority (hereinafter: the Authority) dr. Ákos Ákos Hadházy ([...]; hereinafter: the Data Controller) shall make the following decisions in the data protection authority proceedings initiated ex officio on 10 February 2020 to examine the lawfulness of data processing in connection with the collection of signatures on joining the European Public Prosecutor's Office:

1. Notes that the Data Controller, by "Joining the European Public Prosecutor's Office!" between 19 July 2018 and 30 May 2019, in breach of Articles 6 (1) and 9 (1) of the General Data Protection Regulation.

2.Notes that by infringing Articles 5 (1) (a), 5 (2) and 13 of the General Data Protection Regulation.3 by instructing the Data Controller to fail to provide adequate information on all relevant circumstances of data processing.

3. within 30 days of the decision becoming final, delete "Join the European Public Prosecutor's Office!" collected all personal data from stakeholders between 19 July 2018 and 30 May 2019 in the context of the initiative.

4. The Authority obliges the Data Controller to pay a data protection fine of HUF 1000000, ie HUF 1 million.

The fine pursuant to point 4 shall be paid to the Authority's centralized revenue collection forint settlement account (10032000-01040425-00000000 Centralized collection account IBAN: HU83 1003 2000 0104 0425 0000 0000) within 30 days of the final adoption of this decision. When transferring the amount, NAIH / 2020/974. Quince. If the Data Controller fails to meet the obligation to pay the fine within the time limit, he / she is obliged to pay a late fee. The amount of the late payment interest shall be the statutory interest rate, which is the central bank base rate valid on the first day of the calendar half-year affected by the delay. To the Authority. In the event of non-payment of the fine and the late payment allowance or failure to comply with the obligation under point 3 above, the Authority shall order the enforcement of the decision. No procedural costs have been incurred in the proceedings.

Contrary to the present decision, there is no place for an administrative appeal, but within 30 days of the notification, it can be challenged in an administrative lawsuit by a petition addressed to the Metropolitan Court. The application must be submitted to the Authority, electronically, which will forward it to the court together with the case file. The request for a hearing must be indicated in the application. For those who do not receive a full personal tax exemption, the fee for the court review procedure is HUF 30,000, the lawsuit is subject to the right to record material taxes. In legal proceedings before the Metropolitan Court, legal representation is obligatory.

REASONS. TényállásI.1. The Authority received a notification objecting to the processing of data by the petitioner in connection with the collection of signatures of the Data Controller for the purpose of enforcing a connection with the European Public Prosecutor's Office. Article CXII (1) (f) and Article CXII of 2011 on the right to information self-determination and freedom of information. Pursuant to Section 38 (3) (a) of the Act (hereinafter: the Information Act) NAIH / 2019/5062. The Authority examined ex officio the data processing practices of the Data Controller in connection with the collection of signatures, both for the purpose of supporting the initiative and for the purpose of contact. The Authority also examined the handling of personal data in connection with the online filling of the forms. In order to clarify the facts, the Authority contacted the Data Controller on 3 July 2019, setting a deadline of 15 days. The Data Controller2019. In its reply of 17 July 2006 to the Authority's request, it informed the Authority that it would manage the full names, addresses and, optionally, e-mail addresses and telephone numbers of the data subjects in connection with the collection of signatures. The data controller has indicated the consent of the data subjects as the legal basis for this personal data. The data collection page of the form contained the following information text: express consent. ".

The data provided by the Data Controller in accordance with the statement, if the data subject provides the e-mail and / or telephone contact details provided, until the data subject's consent is revoked, if no data has been provided for contact purposes, the data will be collected after the collection is completed (30 May 2019). It is processed by the Data Controller for 3 months.

The data may be disclosed to employees or to natural and legal persons who have been contracted to assist in the data management policy or to perform IT tasks on a contractual basis. Before deleting the data, it is stored in physical form (paper, handwriting), under the supervision of a 24-hour security service, fire alarm system and camera system, in a multi-locked location. After processing, the data was stored in tabular (.csv) format in The paper sheets are stored in a multi-locked location under the supervision of the 24-hour security service, fire alarm system and camera system until they are destroyed. According to the privacy statement of the signature collection sheet, “the data controller shall, no later than 31 May 2019, hand over to the notary a petition, supported by the signatures on the signature sheets, containing the names, addresses and signatures of the sponsors as personal data, to enclose the signature sheets in a closed form in the text of the petition. " When asked by the Authority about the personal data of the data subjects during the authentication of the data, and how the Data Controller ensures that the e-mail address and telephone number provided by the data subjects in the signature collection form do not become known to the notary, the Data Controller stated that notarization would have taken place when the 1 million signatures were reached. The contact details were verified during the personal contact based on the contact details with proof of identity. The data of those who did not consent to be contacted were randomly checked. No contract was concluded with a notary, therefore no data processing was performed by a notary.

Regarding the question of which personal data of data subjects are collected and stored as “Contact Data” and why the scope of the requested data is necessary and how it complies with the principle of data saving, the Data Controller suggested that the address of the data subjects be “Contact Data” stores your phone number, email address, and full name. The contact name and address are used to provide personal, territorially relevant information, the e-mail address is for the purpose of delivering written documents and messages to the general public at the same time, the telephone number is for personal, urgent or near-time events, and to reach citizens who do not have a computer. According to the Data Controller, they all meet the purpose of data management, communication, and help to meet the requirements of accuracy and up-to-dateness, because if one of the data turns out to be illegible or incorrect, another contact method can request correction. allow the controller to adapt to his preferences.

In its request, the Authority also requested information from the Data Controller on how it complies with the data security requirements of Article 32 of the GDPR, who has access to the database (s) and is logged. In its reply, the Data Controller informed the Authority that the databases are only accessed by experts or a small number of staff with a data processing contract who use or are essential for their maintenance, with multi-factor identification, and therefore access is not currently logged. The personal data provided by the data subjects are transmitted to the Data Manager's newsletter or cloud service provider via encrypted channels, protected by the SSL web protocol for security data transmission. They use special security programs and perform regular security checks. In addition, according to the Data Controller Declaration, it uses a trusted server provider where outbound connections are logged to track any intrusions. They use the latest technology and perform regular backups. Outside Hungary, it only uses the GDPR compliant services of a third country with a secure and adequate level of data protection and certification mechanism (USA: EU-USA Privacy Shield, Canada). The use of data overwriting and backup peripherals is strictly limited, such data is protected by encryption. It destroys data and media that are no longer needed under the supervision of 2 witnesses.

According to the Data Controller's Declaration, the legal basis for the management of the e-mail address or telephone number to be provided when filling in the completed signature collection forms at https://europaiugyeszsegert.hu/feltoltes/ - as stated in the data management information - is the consent of the data subject. The purpose of data management is to maintain contact, including requests for clarification and correction of data resulting from erroneous or illegible uploads. The Data Controller will manage until the withdrawal of the data subject's consent. consent to the processing of the data provided until the withdrawal of consent. These fields previously pointed to this prospectus and allowed for data management until the withdrawal of consent, but their name was changed for more accurate and clear information, which was not immediately followed by the wording in the data management prospectus. According to the data controller, the data collection will take place from 19 July 2018. from pre-registration to 30 May 2019, after which the registration and upload interfaces were closed.

I.2. In the course of the investigation, the Authority found that the most important conceptual elements of the data subject's consent to data processing, ie voluntary, specific and well-informed and unambiguous expression of the data subject's consent, are necessary for the data controller's legal basis, ie consent, to be valid. In view of this, the Authority has concluded that the Data Controller handles all personal data collected from data subjects in connection with the collection of signatures without a valid legal basis, thus violating Article 6 of the General Data Protection Regulation. As these data fall into special categories of personal data and can be processed, inter alia, by the controller if the data subject has given his or her explicit consent, the processing also infringes Article 9 (1) of the General Data Protection Regulation. The Data Controller also violated the provisions of Article 13 of the General Data Protection Regulation by not providing the data subjects with information on all relevant circumstances of the data processing. Pursuant to Section 56 (1) and (2), the Authority, by letter dated 11 October 2019, called on the Data Controller to delete the words "Join the European Public Prosecutor's Office!" Without warning of the legal consequences. July 2018. All personal data collected from data subjects between 2012 and 30 May 2019, as well as any such data, shall be verified to the Authority within 30 days of receipt of the request.

By letter received by the Authority on 19 November 2019, the Data Controller informed the Authority of the action taken following the request that, by destroying the signature collection sheets, the non-contact details contained therein should be provided to those concerned prior to receipt of the request. inclusive - deleted; the data stored in the Mailchimp mailing system was deleted on 14 November 2019, and the account used by the Data Controller was also terminated; in addition, the data stored on the sync.com cloud storage facility was deleted on November 14, 2019, and the account used by the Data Controller was also terminated.

He also informed the Authority that the contact details affected by the request were still available on an external medium in .csv format, as in his view the Authority's request was unfounded and disputed the Authority's claim that the consent did not comply with GDPR 4. Subsequently, in a letter dated 18 December 2019, the Authority gave further reasons for its decision and reiterated its request to the Data Controller to delete "Join the European Public Prosecutor's Office!" In view of the fact that the remedy was not remedied within the given deadline, despite the repeated injunction, the Authority closed the investigation and Infotv. Pursuant to Section 58 (1) and Section 58 (2) (a), it initiated data protection authority proceedings on 10 February 2020. I.3. The Authority addressed a request to the Data Controller in the framework of the data protection authority procedure in order to clarify the facts. Those who actually did so supported the Data Controller campaign as volunteers / activists.

The distinction between volunteers / activists and supporters of the initiative is based on the fact that all persons who have supported the initiative by signing are considered to be signatories of the initiative, while volunteers / activists are those who have actively participated in the campaign (eg by downloading signature sheets). by collecting and collecting signatures or uploading them online). Someone could also become a volunteer / activist by uploading sheets to the site, thus supporting the collection of signatures. questionable. Online uploading was just a convenience option, not the only viable option.

In support of its previous assertion that "objections raised by the Authority in relation to the processing of personal data required for contact purposes when uploading forms online only arise in relation to the data of volunteers responsible for signature collection forms, ie not at all in relation to contact details provided by signatories", that the Authority had previously complained, in the context of volunteering, that natural persons uploading the forms online had also subscribed to a newsletter during the upload and that there was no way to avoid this during the upload. The Data Controller stated that in all his / her reply letters he / she names the persons filling in the forms as volunteers / activists. With regard to the personal data of the persons on the uploaded sheets, this argument could not be interpreted, as the signatories were not present at the time of the upload, so they should not be affected by the characteristics of the consent obtained in this respect. The set of volunteers / activists and signatories could be a cross-section of the people who supported the initiative with their signatures and also collected signatures, thus filling in sheets, and they could be individuals who either supported the initiative with their signatures only or only collected them. and sheets were loaded. However, the issue of volunteering has so far been raised in connection with the filling in of the sheets, and thus in relation to the management of data on volunteers / activists.

II. Applicable legal provisionsRegulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (hereinafter "the General Data Protection Regulation") 2. Pursuant to Article 1 (1) of the General Data Protection Regulation, the General Data Protection Regulation shall apply to the partially or fully automated processing of personal data and to the non-automated processing of personal data which form part of a registration system or are intended to form part of a registration system. . The Infotv. Pursuant to Article 2 (2), the General Data Protection Regulation shall apply with the additions indicated therein. Pursuant to Article 2 (2) of the General Data Protection Regulation, the Regulation shall not apply to the processing of personal data if it: a) falls outside the scope of Union law; (b) by Member States in the context of activities covered by Chapter 2 of Title V of the TEU, (c) by natural persons acting exclusively in the course of their personal or domestic activities, (d) by the competent authorities for the prevention, investigation, detection or prosecution of criminal offenses or for the purpose of enforcing criminal sanctions, including protection against and prevention of threats to public security.

According to Article 4 (1) of the General Data Protection Regulation, “personal data” shall mean any information relating to an identified or identifiable natural person ("data subject"); identifies a natural person who, directly or indirectly, in particular by reference to an identifier such as name, number, location, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person identified. " According to paragraph 2 of that article, 'data processing' means any set of operations or operations on personal data or files, whether automated or non-automated, such as collection, recording, systematisation, sorting, storage, transformation or alteration, retrieval, consultation, use, communication, by distribution or otherwise making available, coordination or interconnection, restriction, deletion or destruction. ”Article 4 of the General Data Protection Regulation7. "controller" means any natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the designation of the controller may also be determined by Union or Member State law. "According to Article 4 (11) of the General Data Protection Regulation," consent of the data subject " : a voluntary, specific and duly informed and unambiguous statement of the will of the data subject, by which the data subject indicates, by means of a statement or an act unequivocally expressing his or her consent, that he or she consents to the processing of personal data concerning him or her.

According to Article 5 (1) of the General Data Protection Regulation, personal data:
(a) processed lawfully and fairly and in a way that is transparent to the data subject ("legality, fairness and transparency"); (b) collected only for specified, explicit and legitimate purposes and not in a way incompatible with those purposes; in accordance with Article 89 (1), further processing for archiving purposes in the public interest, for scientific and historical research purposes or for statistical purposes ("purpose limitation") shall not be considered incompatible with the original purpose (c) appropriate and relevant to the purposes of the processing; , (d) be accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that personal data which are inaccurate for the purposes of the processing are erased or rectified without delay ("accuracy"), (e) stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed; ; personal data may be stored for a longer period only if the processing of personal data is carried out in accordance with Article 89 (1) for archiving in the public interest, for scientific and historical research purposes or for statistical purposes, in accordance with this Regulation; subject to the implementation of appropriate technical and organizational measures to protect its freedoms ("limited storage capacity");
(f) processed in such a way as to ensure the adequate security of personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage to personal data ("integrity and confidentiality"), using appropriate technical or organizational measures. According to paragraph 2, the controller is responsible for compliance with paragraph 1 and must be able to demonstrate such compliance ("accountability").

Under Article 6 of the General Data Protection Regulation, the processing of personal data is lawful only if and to the extent that at least one of the following is fulfilled: (a) the data subject has consented to the processing of his or her personal data for one or more specific purposes; (c) the processing is necessary for the performance of a legal obligation to which the controller is subject, (d) the processing is necessary for the protection of the vital interests of the data subject or of another natural person; (f) the processing is necessary for the protection of the legitimate interests of the controller or of a third party, unless those interests take precedence over those interests; the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the child concerned is concerned. Point (f) of the first subparagraph shall not apply to the processing of data by public authorities in the performance of their tasks.

According to Article 9 (1) of the General Data Protection Regulation, “personal data referring to racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic and biometric data identifying natural persons, health data and the processing of personal data concerning the sexual life or sexual orientation of natural persons is prohibited. " According to paragraph 2 (a) of the same section, paragraph 1 does not apply if the data subject has given his or her explicit consent to the processing of that personal data for one or more specific purposes, unless Union or Member State law so provides, that the prohibition referred to in paragraph 1 cannot be lifted with the consent of the data subject.

Article 13 (1) and (2) of the General Data Protection Regulation sets out the information that must be provided to the data subject at the time the personal data are obtained if the personal data are collected from the data subject. Subject to paragraph 1, the controller shall provide the data subject with all of the following information: (a) the identity and contact details of the controller and, if any, the controller's representative, (b) the contact details of the data protection officer, if any; (d) in the case of processing based on Article 6 (1) (f), the legitimate interests of the controller or of a third party, (e) where applicable, the recipients of the personal data or the categories of recipients, if any; (f) where applicable, the fact that the controller intends to transfer personal data to a third country or to an international organization, and the existence or absence of a Commission decision on adequacy, or in accordance with Article 46, Article 47 or Article 49 (1); the second and second subparagraphs of paragraph 1, the indication of the appropriate and suitable guarantees and the reasons or a reference to their availability.

Subject to paragraph 2, the controller shall inform the data subject of the following additional information at the time of obtaining the personal data: (a) the period for which the personal data will be stored or, if that is not possible, the criteria for determining that period; (c) Article 6 (1) (a) or Article 9 of the Regulation on access to, rectification, erasure or restriction of the processing of personal data concerning him or her and on the right to the processing of such personal data; (D) the right to lodge a complaint to the supervisory authority, (e) the right to lodge a complaint with the supervisory authority in the case of data processing pursuant to paragraph 2 (a); legislation or contract (s) whether it is based on an obligation or a precondition for the conclusion of a contract and whether the data subject is required to provide personal data and the possible consequences of non-disclosure; , including profiling, and at least in these cases, comprehensible information on the logic used and the significance of such data processing and the expected consequences for the data subject.

Infotv. Pursuant to Section 60 (1), in order to enforce the right to the protection of personal data, the Authority may initiate data protection authority proceedings ex officio. Pursuant to Section 61 (1) (a), in its decision in the data protection authority proceedings, the Authority In connection with the data processing operations specified in Section 2 (2), it may apply the legal consequences specified in the General Data Protection Decree. Infotv. Pursuant to Section 61 (2), the Authority may order the publication of its decision - by disclosing the identification data of the data controller or the data processor - if the decision affects a wide range of persons, it was made in connection with the activities of a public body or the seriousness of the infringement justify the decision.

Pursuant to Article 58 (2) (b) of the General Data Protection Regulation, the supervisory authority shall prosecute the controller or the processor if its data processing activities have infringed the provisions of this Regulation. impose an administrative fine in accordance with Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the circumstances of the case. 5), (6), the administrative fines imposed on the basis of this Article shall be effective, proportionate and dissuasive in each case. 75 / A. The Authority shall exercise the powers provided for in Article 83 (2) to (6) of the General Data Protection Regulation, taking into account the principle of proportionality, in particular by laying down rules on the processing of personal data laid down in law or in a binding act of the European Union. In the event of a first-time breach, the remedy shall be taken in accordance with Article 58 of the General Data Protection Regulation, in particular by warning the controller or processor.

Pursuant to Article 83 (2) of the General Data Protection Regulation, administrative fines should be imposed in addition to or instead of the measures referred to in Article 58 (2) (a) to (h) and (j), depending on the circumstances of the case. In deciding whether to impose an administrative fine or in setting the amount of an administrative fine, due regard shall be had in each case to the following:
(a) the nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing in question, the number of data subjects affected by the breach and the extent of the damage they have suffered; (d) the extent of the liability of the controller or the processor, taking into account the technical and organizational measures taken by the controller or the processor pursuant to Articles 25 and 32; (f) the extent of the cooperation with the supervisory authority to remedy the breach and mitigate any possible negative effects of the breach, (g) the categories of personal data affected by the breach, (h) the way in which the supervisory authority became aware of the breach. , in particular whether the controller or the data processor (i) if the controller or processor concerned has previously been ordered to take one of the measures referred to in Article 58 (2) on the same subject matter, compliance with those measures; (j) whether the controller or processor has complied with the codes of conduct approved in accordance with Article 40 or the certification mechanisms approved in accordance with Article 42; as well as

(k) other aggravating or mitigating factors relevant to the circumstances of the case, such as the financial gain or loss avoided as a direct or indirect consequence of the infringement.

III. Decision

III.1. Validity of the legal basis for collecting data on the signature collection form) 

Lack of explicit consent

The Data Controller "Join the European Public Prosecutor's Office!" collected the names, addresses (postcode, city, home address), e-mail contact details, telephone numbers and signatures of the data subjects in the form of a According to the provisions of the general data protection regulations, a number of requirements must be met for the lawfulness of data processing. Of these, the General Data Protection Regulation plays a key role5. the principles of legality, due process and transparency as well as purpose. In addition, the controller is subject to the general data protection regulation6. It shall have a legal basis for the processing in accordance with Article 1 (1).

In addition to facilitating the connection to the European Public Prosecutor's Office, the Data Controller handles all personal data policy contacts provided by the data subject, provided that the Data Controller provides information in connection with the activities of Members of Parliament. therefore, the data subjects provided their contact details by telephone and / or e-mail, they wished to handle it for the purposes of the Privacy Policy Contact. As a result, personal data processed for political contact purposes are also information indicating the political views of data subjects and Therefore, the name and contact details collected from data subjects in support of an initiative should not in themselves be considered as special personal data, If, in addition to the original purpose of the initiative, the data controller collects the data provided by the data subject for the purpose of contacting a political or political organization, in this case, in they constitute specific personal data referring to a policy opinion under Article 9 (1) of the General Data Protection Regulation.

The regulation prohibits the processing of special categories of personal data as a general rule or makes them subject to strict conditions. These special categories of personal data may be processed, inter alia, in accordance with Article 9 (2) of the General Data Protection Regulation, provided that the data subject has given his or her explicit consent to their processing for one or more specific purposes. The data controller has indicated the data subject's consent as a legal basis. He also referred to the consent of the data subjects in the Privacy Notice on the back of The data collection page of the sheet contained the following information text: "Privacy Notice - I accept the information with my signature", while the text of the Privacy Notice on the back of the sheet states "The legal basis for data management is your express consent after reading this information.". In order for the controller to be able to legitimately invoke the legal basis of the consent, all conceptual elements of the consent must comply with the requirements applicable to him.

5/2020 on the consent of the European Data Protection Board. Guideline WP259 on the consent of the Working Party on Data Protection set up under Article 29 of the Data Protection Directive, which preceded it, also confirms that a statement or act unequivocally expressing a confirmation is a precondition for lawful consent. The guidelines state that explicit consent is required in certain situations where there is a serious data protection risk. Under the General Data Protection Regulation, explicit consent plays an important role in Article 9 on the processing of specific categories of personal data, including in the case of the processing of personal data referring to a political opinion. An express term refers to the way in which the data subject expresses his or her consent. This means that the data subject must make a statement of explicit consent. An obvious way to be convinced of the explicit consent would be to explicitly confirm the consent in a written statement. In order for the data subject to be able to express his or her will in concrete terms, it is therefore necessary for the controller to clearly separate the information related to obtaining consent from data processing activities from information on other issues. ensure that it is provided in an understandable and easily accessible form, and that its language is clear and unambiguous and does not contain unfair terms.

In the Authority's view, the mere fact that the data subject provides the requested data in the signature collection form cannot be considered as a specific, unambiguous statement of his intention to process this data, nor does his "acceptance" of the Data Protection Information . In the case of consent-based data processing, the data subject does not have to "accept" the prospectus, but must consent to the data processing on the basis of the information, and must expressly state his or her consent to the data processing. The consent is therefore closely linked to the information, since the data subject can, with the appropriate information, decide whether to give his or her consent to the processing of personal data concerning him or her. In relation to the information, the data subject may be expected to make a statement that he / she has read its content, taken note of its contents, and therefore has the role of proving that the consent is informed. and its specific declaration cannot be considered as a valid legal basis for data processing, the Data Controller handles the personal data of the data subjects without a valid legal basis, in violation of the General Data Protection Regulation6. Article 1 (1). As these data fall into special categories of personal data and can be processed, inter alia, by the controller if the data subject has given his or her explicit consent, the processing is in breach of the General Data Protection Regulation9. Article 1 (1).

b) Lack of adequate information on the purpose of data processingThe General Data Protection Regulation5. According to Article 1 (1) (a), the processing of personal data must be carried out lawfully and fairly and in a way that is transparent to data subjects; According to the Privacy Policy of the sheet, the purpose of data processing is to collect supporting signatures for names, addresses and signatures and to submit them to a notary public as a joint petition of the signatory voters. If contact information (telephone number, e-mail address) has also been provided, according to the Data Protection Information, the purpose of managing all data - in addition to the telephone number and / or e-mail address - name, address and signature - is to ensure that the Data Controller In his reply to the Authority, the Data Controller stated that he had collected the data of the data subjects in order to facilitate the accession to the European Public Prosecutor's Office and that the notarization would have taken place when the 1 million signatures were reached. With regard to the purpose of data processing, he also stated that he would use the data of the data subjects for political purposes, if they had been given permission to do so by providing their contact details by telephone and / or e-mail.


In the course of the procedure, the Authority found that the sheet data collection page did not contain a specific indication or call for each set of data to be collected that the provision of personal data is mandatory or supportive and different from the initiative, for other data management purposes, in this case for political liaison purposes, which in the Authority's view is misleading to the initiative's sponsorship number. if the e-mail and / or telephone contact provides the signatory, which is not necessary for the validity of the initiative to be supported, all personal data of the contact person The Data Controller will also handle the information in the Privacy Statement on the back of the sheet. on the other hand, it cannot be considered as consenting to the processing of personal data for contact purposes in addition to the original purpose of the data processing. because the data subject's consent cannot be extended to further, new data processing purposes.

Recital 32 of the General Data Protection Regulation states that where the processing serves several purposes at the same time, the consent must be given separately for each processing purpose. If the controller does not attempt to request consent for each purpose separately, he or she lacks discretion.

In the Authority's view, the lawfulness of the processing of data subjects' personal data can be established if the data subject has been able to consent to the processing of his or her personal data for all data processing purposes and the processing of personal data can be considered fair if the data controller However, according to the position of the Data Controller, as stated in his / her information on the action taken following the request, the acceptance of the information indicating the legal basis, followed by the provision of the data in the form by the data subject, and finally by the an act expressly expressing the will required by the General Data Protection Regulation to place a signature. stakeholders had the opportunity to provide: name, address (postcode, city, home address), e-mail, telephone and signature. The table for giving the data was highlighted in bold, “I support Hungary's accession to the European Public Prosecutor's Office with my signature.” Furthermore, the following text could be read below: To Ákos Hadházy, you can submit it at a collection point or upload it at http://europaiugyeszseget.hu/feltoltesoldalonData management information - I accept the information with my signatureData management information from dr. On the personal data managed by Ákosstábja Hadházy and his colleagues. CONTINUED ON NEXT PAGE

However, the collection of signatures was not only for the purpose of collecting supporting signatures, as the data subject stated in the form "With my signature I support Hungary's accession to the institution of the European Public Prosecutor's Office." sentence, as only the name, address and signature personal data were collected for that purpose. According to the "Privacy Notice" of the sheet, if the data subject has provided his / her e-mail address and telephone number, the data controller will also process all data for contact purposes. Article 4 (11) of the General Data Protection Regulation defines "data subject's consent" as one of the legitimate grounds for the processing of personal data. In this respect, recital 32 of the General Data Protection Regulation provides further guidance that data processing can only take place if the data subject gives his or her voluntary, specific, informed and unambiguous consent by means of a clear confirmatory act, such as a written or electronic statement. for the processing of personal data concerning a natural person. The consent shall cover all data processing activities carried out for the same purpose or purposes. If the data management serves several purposes at the same time, the consent must be given for all data management purposes.

Furthermore, it is not sufficiently transparent, clear and unambiguous to inform the data subjects about the purposes of data management due to the fact that one of the data management purposes ("I support Hungary's accession to the European Public Prosecutor's Office") is highlighted on the main page of the signature sheet. - if the data subject provides his / her e-mail address and / or telephone number - is handled by the Data Controller for other data management purposes (contact purposes) in addition to the original purpose, only in the Data Protection Information on a page other than the signature collection page of the form.

The above is confirmed by Decree 5/2020 on consent under Regulation (EU) 2016/679. Guideline WP259 and its predecessor, WP259, state that a controller requesting consent for various different purposes should provide a separate contribution option for each purpose in order to allow data subjects to make specific contributions for specific purposes. The fairness and lawfulness of the processing of data subjects' personal data for contact purposes can therefore be established if the data subject has been duly informed that the collection of personal data is for different data processing purposes (initiative support and further political contacts) and optional. the scope of personal data, and if the data subject has given his / her clear and specific consent to the Data Controller providing him / her with information at the given contact details in connection with the activities of the members of Parliament. It is not possible to dispute the choice of data subjects to support the purpose of signature collection with their signatures, but also to be free to decide whether they wish to receive political items separately from the Data Controller, separately from signature collection.

By failing to provide the data subject with adequate information on the purpose of the data processing, the data controller violates the fundamental requirement of fair data management set out in Article 5 (1) (a) of the General Data Protection Regulation. a clear and concrete statement of the will of the data subjects cannot be considered as a valid legal basis for data processing, the Data Controller handles the personal data of the data subjects without a valid legal basis, thus violating the general data protection regulation6. Article 1 (1). As these data fall into special categories of personal data and can be processed, inter alia, by the controller if the data subject has given his or her explicit consent, the processing is in breach of the General Data Protection Regulation9. Article 1 (1).

c) Lack of informed consent 

An important conceptual element of a valid consent is that the request for consent is preceded by appropriate information. Adequate prior information is necessary to ensure that data subjects are aware of what they are specifically agreeing to, in order to know the details of the processing and to exercise their right to withdraw their consent. Failing this, the legal basis for the consent, ie the data processing, will be invalid. The General Data Protection Regulation5. Article 39 (1) (a) and (b) and, in this context, recital 39 state that the processing of personal data must be carried out lawfully and fairly and in a way that is transparent to the data subject ("lawfulness, fairness and transparency"). it must be transparent to them how their personal data concerning them are collected, used, viewed or otherwise handled, and in relation to the extent to which their personal data are and will be processed. The natural person must be informed of the risks, rules, guarantees and rights associated with the processing of personal data. The principle of transparency also applies to informing data subjects about the purposes of data processing. The specific purposes of the processing of personal data must be explicitly stated and lawful, as well as defined at the time the personal data are collected.

In the course of the procedure, the Authority found that the Data Controller did not adequately inform the data subjects about the legal basis and purpose of the data processing in the data management information accompanying the signature collection form. It will be handed over to a notary on 31 May 2019, ie regardless of the number of supporting signatures collected. At the request of the Authority, on the other hand, the Data Controller stated that the notarization would have taken place when the 1 million signatures were reached, and given that the sufficient number of supporting signatures could not be collected, . In the Authority's view, the information on the addressees would therefore have been complete if they had been informed that the sheets and the personal data contained therein would be transferred to a notary only if the appropriate number of signatures had been collected, or they would have been informed of what would have happened to the sheets and thus to the personal data on them after submission to the notary. Therefore, the prospectus did not provide information on what would happen to the archives and all the personal data contained in them if a sufficient number of signatures were collected. In this case, too, the decision on whether or not to support the initiative the person concerned could have considered whether or not it was worth exercising that right.

In its reply to the Authority, the Data Controller provided information on the data processors used by it, however, the data subjects were not informed about the use of the data processors in the Data Protection Information Sheet attached to the sheet. Stakeholders were also not informed whether or not the activists commissioned by the Data Controller qualify as data processors. It is also not clear who is meant by the Data Controller's employees or the "crew", it is not known what the Data Controller's legal relationship is with these persons, who performs what tasks during the data processing. only the information was that after submitting the signature collection forms to the notary, the notary is obliged to delete the data after considering the initiative under the petition. However, there was no information as to when the sheets would still be submitted to the notary when they would be canceled. The Authority found that, as detailed above, the Data Controller did not provide the data subject with information on all relevant circumstances of the data processing in the Data Management Information Sheet of the signature collection form, thus violating the General Data Protection Regulation5. Article 13 (1) (a) and Article 13.

In its information on the action taken by the Data Controller upon request, the Authority stated in relation to the statement that “an important conceptual element of a valid consent is that the request for consent is preceded by appropriate information. Adequate prior information is necessary in order for data subjects to be aware of what they are specifically agreeing to, to know the details of the processing and to exercise their right to withdraw their consent. Failing this, the consent, ie the legal basis for the processing, will be invalid, ”he explained that in recital 42 of the General Data Protection Regulation, the legislator provides guidance on the cases in which consent is valid. According to the text, "in order for consent to be considered as informed, the data subject must at least be clearer as to the identity of the controller and the purpose of the processing of personal data." According to the Data Controller, the above finding of the Authority is in contradiction with the preamble to the General Data Protection Regulation itself, so it is clearly arbitrary.

According to the Data Controller's position, the Authority's finding that its breach of the information obligation can only be established on the sole ground that it does not concern the transmission to the notary or the quality of the data processing of the activists is also incorrect. These circumstances are known to those concerned, so the appropriate prior information is the General Data Protection Regulation13. with regard to Article 4 (4). As the data subjects have been informed about the identity of the controller and the purpose of the processing, the existence of a legal basis (valid consent) is unquestionable. as voluntary, specificity, clarity). This is necessary in order for the data subjects to have adequate information on what exactly they agree to, to know the details of the data processing and to exercise their right to withdraw their consent.

The General Data Protection Regulation13. Article 2 of the Directive defines exhaustively the information that must be communicated to data subjects at the time the data are obtained, regardless of the legal basis for the processing. With regard to adequate information, the General Data Protection Regulation states in recital 42 that consent is acceptable for information purposes even if the data subject is aware of at least the identity of the controller and the purpose of the processing of personal data, but not exceptionally for paper-based signatures. This recital does not in any way override the obligation to provide information under Article 13 of the General Data Protection Regulation, nor does recital 42 be interpreted as meaning that the consent of data subjects can only be considered as informed by a description of these two content elements, this would reduce the requirement for transparency in the regulation.

III.2. Validity of the legal basis for data management when uploading forms online) Lack of voluntary consent During the period of collecting signatures, it was also possible to upload completed signature collection forms via https://europaiugyeszseget.hu/feltoltes/. The following personal data had to be provided during the upload or for its successful completion: name (surname and first name), e-mail address, county, settlement, telephone, and the acceptance of the Data Management Information was obligatory. According to the Data Management Information Document, the purpose of data processing is to contact and liaise with supporters of the European Public Prosecutor's Office and to inform data subjects about activities, events, movements and signatures in support of the European Public Prosecutor's Office. the purpose of the data management is to keep in touch with the pediga, and to provide the possibility to request clarification and correction of the data resulting from erroneous or illegible uploads with the help of the provided contact data.

It can therefore be concluded that the consent of the data subjects to the processing of the personal data provided when uploading the forms online was given by the data subjects by entering their personal data in the mandatory fields and checking the box next to the Data Management Information. It was therefore not possible to upload an sheet until the requested personal data had been provided by the uploader or the check box had been selected. The General Data Protection Regulation4. Voluntary is one of the key elements of a valid contribution, as set out in Article 11 (11). In this respect, recital 42 of the General Data Protection Regulation states that consent is not considered voluntary if the data subject does not have a real or free choice and is not in a position to refuse or withdraw consent without prejudice. Furthermore, as stated in recital 43, consent cannot be considered voluntary if it does not allow its individual consent to different data processing operations, although appropriate where appropriate.

5/2020 on consent under Regulation (EU) 2016/679 In Guideline No 259 and its predecessor, Guideline IP259, the EDPS stated in relation to voluntary contributions that the "free" element presupposes that data subjects have a real choice and right of disposal. As a general rule, the general data protection regulation stipulates that if the data subject has no real choice, he or she feels compelled to give consent, or there will be negative consequences if he or she does not give his or her consent, the consent will not be valid. The lawfulness of data processing requires a separate, valid legal basis for data processing for all independent purposes, ie both for the purpose of supporting the initiative and for data processing for contact purposes. As explained above, the data subjects' consent to data processing for all data processing purposes lacks the essential conceptual elements that are necessary for the consent, ie the legal basis for data processing, to be valid. There is a lack of voluntary, specific, well-informed and unambiguous expression of the data subject's consent to the processing of his or her personal data. In the Authority's view, the Data Controller handles the personal data of data subjects without a valid legal basis, both during the data collection on the signature collection form and during the data collection for contact purposes, in breach of the General Data Protection Regulation6. Article 1 (1). As these data fall into special categories of personal data and can be processed, inter alia, by the controller if the data subject has given his or her explicit consent, the processing is in breach of the General Data Protection Regulation9. Article 1 (1).

In his information on the action taken on the request, the Data Controller noted that the Authority's concerns regarding the voluntary nature of the consent could only arise in relation to the data of the volunteers responsible for the signature forms, ie the contact details provided by the signatories. Why the request covers the entire database. –The newsletter was also subscribed to during the upload, and there was no way to ignore the newsletter during the upload. With regard to the personal data of the persons on the uploaded sheets, this argument could not be interpreted, as the signatories were not present at the time of the upload, so they should not be affected by the characteristics of the consent obtained in this respect. There may be a cross-section of the set of volunteers / activists and signatories, and there may have been individuals who either supported the initiative with their signatures alone or only collected and filled in sheets. However, the issue of volunteering arose in connection with the completion of the forms, thus related to the management of data on volunteers / activists.

In addition, according to recital 42, the consent was considered valid if the controller and the purpose were indicated, and the information was appropriate, as the context and the available information allowed activists to know the legal basis for the data processing. According to the information on the main page of the signature collection form, if someone wanted to support the initiative, they could do so in the following ways: Ákos Hadházy, you can submit it at a collection point or upload it at https://europaiugyeszseget.hu/feltoltesoldalon ”.

However, according to the findings of the Authority, and as confirmed by the Data Controller during the clarification of the facts, anyone had the opportunity to download the sheets from the website and then send them to the Data Controller in the ways described above. Based on this information, anyone also had the opportunity to upload the sheet at https://europaiugyeszseget.hu/feltoltesoldal, whether they wanted to do so as a supporter of the initiative, as a volunteer or as an activist. However, during the upload or for its successful completion, the following personal data had to be provided: name (surname and first name), e-mail address, county, settlement, telephone, as well as acceptance of the Data Management Information, ie the information provided when uploading the forms online. their consent to the processing of personal data has been given by the data subjects as described above by entering their personal data in the mandatory fields and ticking the box next to the Data Management Information. It was therefore not possible to fill in the form until the requested personal data had been provided by the person uploading it, whether a volunteer or an activist supporting the initiative, or the check box had been ticked.

In the Authority's view, when submitting the forms online, the provision of data cannot be considered as the data subject's consent to the data controller for contact purposes, without providing the data, ie in case of refusal to consent, it was not possible for the data subject to upload page. One of the most important elements of a valid consent, as defined in the General Data Protection Regulation, is volunteering. Furthermore, the voluntary nature of the consent and the validity of the person filling in the form, whether as a volunteer or as an activist, did not affect the filling of the sheet. Only the data of the volunteers responsible for the signature collection forms can be understood, therefore it is not clear why the call covers the whole database or why the call does not refer to the data of the contact database in general or to the data related to the volunteers. This data can be separated from other personal contact data and is processed in a separate IT database.

b) Lack of adequate information on the processing of data to be provided when uploading sheets online With the actual content of the data management prospectus, the legal basis of the data processing was not indicated in the prospectus, only the data subjects are informed about what they consider to be the purpose of the data processing. In connection with the information on the duration of the data processing, the Authority data will be processed until the end of the signature-taking campaign, but no specific date has been y It is not clear to the data subjects how long their data will be processed by the Data Controller. In the course of the investigation, the Authority found that the form to be filled in during the online upload did not include a possibility to subscribe to a newsletter, therefore uploading the forms online could also mean subscribing to the newsletter, for which data subjects could not give their consent. .The controller therefore did not provide data subjects with clear, adequate and factual information on all relevant circumstances of the processing of personal data provided when uploading the forms via the website, in breach of the General Data Protection Regulation5. Article 5 (1) (a), Article 5 (2) and Article 13 Article 1 (1) to (2).

III.3. JogkövetkezményekIII.3.1. The Authority is responsible for implementing the General Data Protection Regulation58. Pursuant to Article 6 (2) (b), it finds that the Data Controller has infringed Article 6 of the General Data Protection Regulation. Article 9 (1) and Article 9 (1) by treating the personal data of data subjects collected for contact purposes without a valid legal basis, as the data subjects' consent to data processing lacks the essential conceptual elements necessary to have a legal basis for data processing, ie the consent must be valid.The Authority finds that the Data Controller has infringed the General Data Protection Regulation5. Article 5 (1) (a), Article 5 (2) and Article 13 by not providing data subjects with information on all relevant circumstances of the data processing.III.3.2. The Authority instructs the Data Controller to delete the "Join the European Public Prosecutor's Office!" collected all personal data from stakeholders between 19 July 2018 and 30 May 2019 in the context of the initiative called III.3.3. The Authority has examined whether it is justified to impose a data protection fine on the Data Controller. In this context, the Authority shall comply with Article 83 of the General Data Protection Regulation. Article 2 (2) of the Infotv. 75 / A. § considered all the circumstances of the case. In view of the circumstances of the case, the Authority also concluded that, in the case of the infringement detected in the present proceedings, the warning is neither a proportionate nor a dissuasive sanction, and therefore a fine should be imposed.

In particular, the Authority took into account that the breach committed by the Data Controller is covered by the General Data Protection Regulation83. The infringement falls within the higher category of fines under Article 5 (5) (a) and (e), as it violated the terms of the consent, and the provisions of this Decision are not expected to be complied with without imposing a fine due to non-compliance with the Authority's previous request. assessed the following circumstances as an aggravating circumstance: - Quality of special categories of personal data collected by the controller (Article 83 (2) (g) of the General Data Protection Regulation) - Duration of data processing (from 19 July 2018, ie collection processing of personal data of data subjects for contact purposes) and the large number of data subject However, in order to comply with data management rules, the organizer of the initiative and the Member of Parliament have been required to take technical and organizational measures to ensure the adequacy of data management (Article 83 (2) (d) of the General Data Protection Regulation).

During the imposition of fines, the Authority assessed the following circumstances as mitigating circumstances: -The Authority considered the breach to be of a negligible nature, as the controller apparently took measures to ensure compliance before the start of the processing, but these measures did not result in the adequacy of the processing [Article 83 (2) (b) of the General Data Protection Regulation). ] .The Authority also took into account that -the Data Controller had not previously committed a relevant infringement similar to the one found in the present case [Article 83 (2) (e) of the General Data Protection Regulation]; .800, -Ft. Based on the above, the imposition of a fine is necessary especially for the Data Controller, and the Authority, in determining the amount of the fine imposed, took into account in order to ensure that political actors do not use the various signatures to build a support database without the valid consent of those concerned.

The Authority did not consider the General Data Protection Regulation to be relevant when imposing fines83. circumstances referred to in Article 2 (2) (c) (f) (h), (i), (j) and (k), as they cannot be interpreted in the specific context of the case. The amount of the fine was determined by the Authority acting in accordance with its statutory discretion.III.3.4. The Authority has issued the Infotv. Pursuant to Section 61 (2) (b), it ordered the publication of the decision because it affects a wide range of persons and was taken in connection with the activities of a person performing a public task.

ARC. Other issues The competence of the Authority is limited to It is defined in Section 38, Paragraphs (2) and (2a), and its competence extends to the entire territory of the country. § and Infotv. It is based on Section 60 (1). Pursuant to Section 82 (1), it becomes final upon notification of the decision. § 112 and § 116 (1), respectively. Pursuant to Section 114 (1), there is a right of appeal against the decision through an administrative lawsuit.

The rules of administrative litigation are defined by Act I of 2017 on the Procedure of Administrative Litigation (hereinafter: Kp.). A Kp. Pursuant to Section 12 (1), the administrative lawsuit against the decision of the Authority falls within the jurisdiction of the court. Pursuant to Section 13 (3) (a) (aa), the Metropolitan Court has exclusive jurisdiction. A Kp. Pursuant to Section 27 (1) (b), legal representation within the jurisdiction of the tribunal is mandatory. Kp. Pursuant to Section 39 (6), unless otherwise provided by law, the filing of an application does not have a suspensive effect on the entry into force of the administrative act. Section 29 (1) and with this regard Pp. Applicable pursuant to Section 604 of the General Rules of Electronic Administration and Trust Services2015. évi CCXXII. Pursuant to Section 9 (1) (b) of the Act (hereinafter: E-Administration Act), the legal representative of the customer is obliged to keep in touch. The time and place of the submission of the application is Section 39 (1). Information on the simplified lawsuit and the possibility to request a hearing can be found in Kp. It is based on Section 77 (1) - (2) and Section 124 (1) and (2) (c) and (5), respectively. The amount of the fee for an administrative lawsuit is set out in Act XCIII of 1990 on Fees. Act (hereinafter: Itv.) 45 / A. § (1). From the advance payment of the fee, the Itv. Section 59 (1) and Section 62 (1) (h) release the party initiating the proceedings. Pursuant to Section (1) (a), the Debtor is obliged to pay a default interest corresponding to the statutory interest if he fails to meet his obligation to pay money on time.

If the Applicant fails to duly demonstrate the required fulfillment of the required obligation, the Authority shall consider that the obligation has not been fulfilled within the due date. The Acre. Pursuant to Section 132, if the obligated authority has not complied with the obligation contained in the final decision, it may be enforced. The decision of the Authority Pursuant to Section 82 (1), it becomes final upon notification. The Acre. Pursuant to Section 133, enforcement is ordered by the decision-making authority, unless otherwise provided by law or government decree. The Acre. Pursuant to Section 134, enforcement is carried out by the state tax authority, unless otherwise provided by law, government decree or a decree of a local government in a matter of local government authority. Infotv. Pursuant to Section 61 (7) of the Authority, the Authority shall implement the decision in relation to the obligation to perform a specific act, to behave, to tolerate or to stop specified in the decision of the Authority. 

Budapest, July 9, 2020

Dr. Attila Péterfalvi President. professor