{{DPAdecisionBOX
|Jurisdiction=Hungary
|DPA-BG-Color=background-color:#7f0037;
|DPAlogo=LogoHU.jpg
|DPA_Abbrevation=NAIH
|DPA_With_Country=NAIH (Hungary)
|Case_Number_Name=7905/2025
|ECLI=
|Original_Source_Name_1=NAIH
|Original_Source_Link_1=https://naih.hu/hatarozatok-vegzesek
|Original_Source_Language_1=Hungarian
|Original_Source_Language__Code_1=HU
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=
|Type=Complaint
|Outcome=Partly Upheld
|Date_Started=
|Date_Decided=17.02.2025
|Date_Published=30.01.2026
|Year=2025
|Fine=
|Currency=
|GDPR_Article_1=Article 12(3) GDPR
|GDPR_Article_Link_1=Article 12 GDPR#3
|GDPR_Article_2=Article 13 GDPR
|GDPR_Article_Link_2=Article 13 GDPR
|GDPR_Article_3=Article 17 GDPR
|GDPR_Article_Link_3=Article 17 GDPR
|GDPR_Article_4=Article 17(1)(c) GDPR
|GDPR_Article_Link_4=Article 17 GDPR#1c
|GDPR_Article_5=Article 21(3) GDPR
|GDPR_Article_Link_5=Article 21 GDPR#3
|GDPR_Article_6=
|GDPR_Article_Link_6=
|GDPR_Article_7=
|GDPR_Article_Link_7=
|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=
|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=
|Party_Name_1=
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=
|Appeal_To_Link=
|Initial_Contributor=lde
|
}}
The DPA found that a controller violated [[Article 17 GDPR#1c|Article 17(1)(c) GDPR]] by failing to timely comply with a data subject’s request for erasure following an objection to processing. Although the data were eventually deleted, the delay constituted an infringement and triggered an obligation to properly inform the data subject.
== English Summary ==
=== Facts ===
The data subject submitted a request on 12 October 2023 asking the controller to permanently delete all his personal data after unsubscribing from the controller’s newsletters. Despite this request, the controller continued to send emails to the data subject, including an evaluation questionnaire.
In response to the erasure request, the controller informed the data subject that his data would be deleted but warned that, due to automated settings, one further questionnaire email could not be stopped. The controller later claimed that the erasure had been carried out on 18 October 2023.
Following a complaint by the data subject, the DPA initiated proceedings.
During the proceedings, the controller admitted that, due to an administrative error, the erasure had only been partial, as the data had not been deleted from a “purchase-related dispatch file.” Full deletion was only completed on 8 February 2024, after the DPA proceedings had already been initiated.
The controller argued that it currently processed the data subject’s personal data solely for the purpose of handling the enforcement of the data subject’s rights and stated that technical developments had since been implemented to prevent similar issues in the future.
=== Holding ===
The DPA partially upheld the data subject’s request.
It found that the controller was responsible for ensuring full compliance with the GDPR throughout the entire data processing operation. An internal administrative error did not exempt the controller from its obligations under the GDPR, including the accountability principle in [[Article 5 GDPR#2|Article 5(2) GDPR]].
The DPA further held that the controller should have complied with the erasure request within one month, in accordance with [[Article 12 GDPR#3|Article 12(3) GDPR]]. By only fully deleting the data on 8 February 2024, the controller was found in violation of [[Article 17 GDPR#1c|Article 17(1)(c) GDPR]]. Moreover, after the data subject’s objection, the controller should have ceased processing the personal data for business purposes under [[Article 21 GDPR#3|Article 21(3) GDPR]], yet continued to send evaluation-related emails.
However, since the erasure had ultimately been carried out in full, the Authority rejected the request to order deletion.
In addition, the Authority found that the controller failed to comply with its transparency and information obligations under Article 12(2) and (3) GDPR. The controller did not clearly inform the data subject which specific personal data had been deleted and which data continued to be processed, particularly in relation to data retained for handling data subject requests.
As a result, the Authority reprimanded the controller for the infringement of [[Article 17 GDPR#1c|Article 17(1)(c) GDPR]] and ordered it to provide the data subject with proper information on the fulfillment of the erasure request and the continued processing of any remaining personal data.
== English Machine Translation of the Decision ==
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
<pre>
1055 Budapest Tel.: +36 1 391-1400 naih.hu/adatkezelesi-tajekoztatok
Falk Miksa utca 9-11. KR ID: 429616918 ugyfelszolgalat@naih.hu
Case number: NAIH-7905-1/2025.
NAIH-1510/2024.
NAIH-9387/2023. Subject: decision partially granting the request
Administrator: […]
D E C I S I O N
The National Data Protection and Freedom of Information Authority (hereinafter: Authority) makes the following decision in the data protection authority proceedings initiated against […] ([…]; hereinafter: Requester) regarding the Applicant’s right to erasure:
I. In its decision, the Authority partially grants the Applicant’s request and establishes that the Applicant, by processing the Applicant’s personal data, has infringed Article 17(1)(c) of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: General Data Protection Regulation or GDPR), therefore the Authority condemns the Applicant.
II. In its decision, the Authority rejects the Applicant’s request in the part to instruct the Applicant to delete the Applicant’s personal data.
III. In its decision, the Authority ex officio obliges the Applicant to provide information to the Applicant within 3 days of the expiry of the time limit for initiating a legal action for initiating a judicial review, or, in the case of initiating a review, within 3 days of the court’s decision, regarding the fulfillment of the Applicant’s request for deletion submitted pursuant to Article 17 of the GDPR, and the processing of the Applicant’s data that is not to be deleted pursuant to Article 12 (2)-(3) of the GDPR.
III. The Applicant must prove to the Authority in writing that he has fulfilled the obligation under point 15 within 15 days of taking the measure, along with the supporting evidence, i.e. a letter written to the Applicant and a copy of the document proving its sending. In case of failure to comply with the obligation, the Authority shall order the enforcement of the decision.
There is no administrative remedy against this decision, but it may be challenged in an administrative lawsuit by filing a claim with the Metropolitan Court within 30 days of its notification. The claim must be submitted to the Authority electronically [1], which will forward it to the court together with the case documents. The request for a hearing must be indicated in the claim. The administrative lawsuit fee for those not entitled to full personal fee exemption is HUF 30,000, and the lawsuit is subject to the right to record the subject matter fee. Legal representation is mandatory in the proceedings before the Metropolitan Court.
[1] The form NAIH_KO1 is used to initiate administrative proceedings: NAIH KO1 form (2019.09.16). The form can be filled out using the general form-filling program (ÁNYK program). The form is available and downloadable from the Authority’s website: https://www.naih.hu/kozig-hatarozat-birosagi-felulvizsgalata
JUSTIFICATION
I. Procedure
(1) In its application received by the Authority on 10 November 2023, the Applicant initiated a data protection authority procedure against the Applicant pursuant to Section 60 (1) of Act CXII of 2011 on the right to information self-determination and freedom of information (hereinafter: the Infotv.).
(2) The Authority called on the Applicant to remedy the deficiencies in its order NAIH-9387-2/2023, sent with reference to Section 44 of the Act CL of 2016 on General Administrative Procedure (hereinafter referred to as the Act), as its application did not contain the mandatory content elements pursuant to Section 60 (5) d) of the Information Act. The Applicant complied with the Authority’s call in its statement received by the Authority on 23 November 2023.
(3) The Authority called on the Applicant to make a statement with reference to Section 63 of the Act in order to clarify the facts in the document filed under number NAIH-1510-1/2024, to which the Requested Party responded within the deadline in the document filed under number NAIH-1510-3/2024.
(4) The Authority notified the Applicant and the Respondent in the documents filed under number NAIH-1510-4/2024 and number NAIH-1510-5/2024 of the completion of the evidentiary procedure, of their right to make a statement and to inspect the documents; however, neither the Applicant nor the Respondent exercised this right.
II. Facts
II.1. The Applicant’s request and remedial action (Documents NAIH-9387/2023 and NAIH-1510-2/2024)
(5) The Applicant requested that the Authority condemn the Applicant for unlawful data processing and oblige it to delete the Applicant’s personal data.
(6) The Applicant claimed that the Applicant, despite his request, did not delete his personal data and sent e-mails despite the fact that the Applicant had unsubscribed from the newsletters, and further indicated to the Applicant by e-mail on 12 October 2023 that he would like the Applicant to delete all his personal data from its system.
(7) In support of its claims, the Applicant attached a copy of the disputed e-mails sent by the Respondent, as well as a copy of the data subject’s request for the deletion of its personal data. Accordingly, the Applicant addressed the Respondent with the following request on 12 October 2023: “[…]Please kindly delete my data permanently from your system,[…]”. In response, the Respondent informed the Applicant in an e-mail sent on 17 October 2023 that “[…] We will delete your data from our system in accordance with your request, however, I would like to draw your attention that after sending our letter, a questionnaire will be sent to you, which we cannot stop. We apologize for this!”.
II.2. The Applicant’s statement (document NAIH-1510-3/2024)
(8) The Applicant stated that at the time of the statement (February 22, 2024), the Applicant’s request for deletion had already been fully fulfilled, and that the Applicant’s personal data was currently only processed “for the purpose of communication related to the enforcement of data subject claims”.
(9) The Applicant further stated that the Applicant submitted a request for deletion related to the processing of his personal data on October 12, 2023. The Applicant’s employee processed the Applicant’s request on October 16, 2023. The Respondent informed the Requester in its response to his request (October 17, 2023) that it would take action to delete his data and drew his attention to the fact that due to the set automations, he would receive another questionnaire requesting an evaluation. According to the Respondent’s statement, the (supposed) complete deletion was carried out on October 18, 2023.
(10) The Respondent submitted that the “complete” deletion referred to above did not take place on October 18, 2023 due to an administrative error, but only the partial deletion took place, as the Respondent’s employee failed to delete the so-called “purchase-related mailing file” of his database. The Respondent corrected the omission subsequently and the complete deletion was carried out on February 8, 2024.
(11) The Respondent provided screenshots of the Applicant’s request for deletion recorded in its bug ticket management system on 16 October 2023, and the implementation of the deletion on 18 October 2023, as well as the deletion operation on 8 February 2024 in the so-called “purchase-related dispatch file”.
(12) In connection with the case, the Respondent further submitted that its system and database have undergone development in the meantime, which ensures that deletions are now automatically implemented in all data files, thus enabling it to fully fulfill the data subject’s requests.
(13) The Applicant informed the Authority that the Applicant’s personal data were processed for the following data processing purposes:
Purpose of data processing | Legal basis | Scope of processed data | Planned data processing period | Source of data
Processing related to the fulfillment of orders | Performance of a contract (Article 6(1)(b) of the GDPR) | Name, delivery address, telephone number, generated e-mail, address, parcel number | Until the termination of the contract | Date of contact
Customer service information | Exercise of the legitimate interests of the Data Controller (Article 6(1)(f) of the GDPR) | Name, e-mail address, information related to the order and purchase, data provided by the customer | 4 last working day of March following the year | Data Subject
Advertising of services, providing information to partners, sending newsletters | Enforcement of legitimate interests of the Data Controller (Article 6(1)(f) of the GDPR) | Name, company name, e-mail address, telephone number | Until the data subject objects | Data reclassified for other data processing purposes following a purchase
Data processing related to the GDPR | Compliance with a legal obligation to the Data Controller (Article 6(1)(c) of the GDPR) | Name, data protection identifier, data subject request, date, type, content, result of data subject request, incident date, documentation, result of | 4 not to be discarded | Data Subject
II.3. The established facts
(14) On 12 October 2023, the Applicant submitted a request for deletion of the processing of his/her personal data, which, due to an administrative error, the Applicant only complied with on 8 February 2024 after the initiation of the present procedure.
III. Applied legal provisions
(15) According to Section 2 (2) of the Infotv., the GDPR shall be applied with the additions specified in the provisions specified there.
(16) According to Section 60 (1) of the Infotv., in order to ensure the validity of the right to the protection of personal data, the Authority shall initiate a data protection authority procedure at the request of the data subject.
(17) Unless otherwise provided in the General Data Protection Regulation, the provisions of the Data Protection Act shall apply to the data protection authority procedure initiated upon the request, with the exceptions specified in the Privacy Act.
(18) According to Section 35 (1) of the Data Protection Act, a request is a written or personal statement by the client requesting the conduct of an authority procedure or the decision of the authority in order to enforce his or her right or legitimate interest.
(19) Article 4(1) of the GDPR defines ‘personal data’ as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a number, an identifier such as an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(20) According to Article 4(2) of the GDPR, ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(21) Article 4(7) of the GDPR defines the concept of controller as “the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific aspects relating to the designation of the controller may also be determined by Union or Member State law.”
(22) Pursuant to Article 6(1) of the GDPR, the processing of personal data is lawful only if and to the extent that at least one of the following is met:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) the processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the exercise of their tasks.
(2) In order to adapt the application of the rules on data processing laid down in this Regulation, Member States may, in order to comply with points (c) and (e) of paragraph 1, maintain or introduce more specific provisions, which specify more precisely the specific requirements for data processing and which take additional measures to ensure the lawfulness and fairness of data processing, including other specific data processing situations as set out in Chapter IX.
(3) The legal basis for data processing pursuant to points (c) and (e) of paragraph 1 shall be:
a) Union law, or
b) the law of the Member State to which the controller is subject.
The purpose of the processing shall be determined by reference to that legal basis and, in the case of processing referred to in point (e) of paragraph 1, it shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This legal basis may contain provisions adapting the application of the rules laid down in this Regulation, including the general conditions governing the lawfulness of processing by the controller, the types of data subject to processing, the data subjects, the legal entities to which the personal data may be disclosed and the purposes of such disclosure, the limitations on the purposes of the processing, the period of storage and the processing operations, and other processing operations, including measures necessary to ensure lawful and fair processing, including other specific processing situations as set out in Chapter IX. Union or Member State law shall pursue an objective of public interest and be proportionate to the legitimate aim pursued.
(4) Where processing for a purpose other than the purpose for which the personal data were collected is not based on the data subject’s consent or on Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to achieve the objectives set out in Article 23(1), in order to determine whether the processing for a different purpose is compatible with the purpose for which the personal data were initially collected, the controller shall take into account, inter alia:
(a) the purposes for which the personal data were collected and the purposes of the intended further processing;
(b) the circumstances in which the personal data were collected, in particular the relationship between the data subjects and the controller;
c) the nature of the personal data, in particular whether the processing concerns special categories of personal data pursuant to Article 9 or whether the processing concerns data relating to criminal prosecution and criminal offences pursuant to Article 10;
d) the possible consequences for the data subjects of the intended further processing of the data;
e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.
(23) Pursuant to Article 12(1)-(6) of the GDPR:
(1) The controller shall take appropriate measures to provide the data subject with all the information referred to in Articles 13 and 14 and in Articles 15 to 22 and 34 concerning the processing of personal data in a concise, transparent, intelligible and easily accessible form, in clear and plain language, in particular in the case of any information addressed to children. The information shall be provided in writing or by any other means, including, where appropriate, electronic means. At the request of the data subject, oral information may also be provided, provided that the data subject’s identity is otherwise verified.
(2) The controller shall facilitate the exercise of the data subject’s rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to comply with the data subject’s request to exercise the rights under Articles 15 to 22, unless the controller demonstrates that the data subject is unable to be identified.
(3) The controller shall inform the data subject without undue delay and in any event not later than one month from the date of receipt of the request of the action taken on a request pursuant to Articles 15 to 22. Where necessary, taking into account the complexity of the request and the number of requests, this period may be extended by a further two months. The controller shall inform the data subject of the extension of the period, stating the reasons for the delay, within one month of receipt of the request. Where the data subject has submitted the request electronically, the information shall be provided electronically, where possible, unless the data subject otherwise requests.
(4) Where the controller does not take action on the request of the data subject, it shall, without delay and at the latest within one month of receipt of the request, inform the data subject of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and of the right to a judicial remedy.
(5) The information provided pursuant to Articles 13 and 14 and the information and action taken pursuant to Articles 15 to 22 and 34 shall be provided free of charge. Where the data subject’s request is manifestly unfounded or, in particular because of its repetitive nature, excessive, the controller may:
– charge a fee which is reasonable having regard to the administrative costs of providing the requested information or information or taking the requested action, or
– refuse to act on the request.
The burden of proof that the request is manifestly unfounded or excessive shall be borne by the controller.
(6) Without prejudice to Article 11, where the controller has reasonable doubts as to the identity of the natural person making the request pursuant to Articles 15 to 21, it may request that the data subject be provided with further information necessary to confirm his or her identity.
(24) Article 17 of the GDPR: Right to erasure (‘right to be forgotten’)
(1) The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data concerning him or her without undue delay where one of the following grounds applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the data subject withdraws consent to the processing pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) and there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
(d) the personal data have been processed unlawfully;
(e) the personal data must be erased for compliance with a legal obligation to which the controller is subject under Union or Member State law;
(f) the personal data were collected in connection with the offering of information society services referred to in Article 8(1).
(2) Where the controller has made the personal data public and is required to erase them pursuant to paragraph (1), the controller, taking into account available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform the controllers processing the data that the data subject has requested erasure by them of links to, or copies or replications of, the personal data concerned.
(3) Paragraphs 1 and 2 shall not apply where processing is necessary:
(a) for the exercise of the right to freedom of expression and information;
(b) for compliance with an obligation to which the controller is subject under Union or Member State law or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) and Article 9(3);
(d) for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes in accordance with Article 89(1), where the right referred to in paragraph 1 would likely render impossible or seriously jeopardise such processing; or
(e) for the establishment, exercise or defence of legal claims.
(25) GDPR Article 21: Right to object
(1) The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her based on point (e) or (f) of Article 6(1), including profiling based on those provisions. In such a case, the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
(2) Where the personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such purposes, including profiling where it is related to direct marketing.
(3) If the data subject objects to the processing of personal data for direct marketing purposes, the personal data shall no longer be processed for these purposes.
(4) The right referred to in paragraphs (1) and (2) shall be expressly brought to the data subject’s attention at the latest when the data subject is first contacted and the information shall be displayed clearly and separately from all other information.
(5) In connection with the use of information society services and by way of derogation from Directive 2002/58/EC, the data subject may also exercise the right to object by automated means based on technical specifications.
(6) Where personal data are processed for scientific and historical research purposes or for statistical purposes in accordance with Article 89(1), the data subject shall have the right to object, on grounds relating to his or her particular situation, to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
(26) According to recital 47 of the GDPR, the legitimate interests of the controller, including those of the controller to whom the personal data may be disclosed, or of a third party, may constitute a legal basis for the processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into account the reasonable expectations of the data subject in the light of his or her relationship with the controller. Such a legitimate interest may exist, for example, where there is a relevant and appropriate relationship between the data subject and the controller, for example where the data subject is a client or employee of the controller. In order to establish the existence of a legitimate interest, it is necessary to carefully examine, among other things, whether the data subject can reasonably expect, at the time and in the context of the collection of the personal data, that the data may be processed for the given purpose. The interests and fundamental rights of the data subject may take precedence over the interests of the data controller if the personal data are processed in circumstances in which the data subjects do not expect further processing. Since it is the task of the legislator to determine in law the legal basis on which public authorities may process personal data, the legal basis supporting the legitimate interest of the data controller cannot be applied to the processing of data by public authorities in the performance of their tasks. The processing of personal data that is strictly necessary for the prevention of fraud also constitutes a legitimate interest of the data controller. The processing of personal data for direct business purposes can also be considered to be based on a legitimate interest.
(27) Pursuant to Article 58(2)(b) and (d) of the GDPR, the supervisory authority shall, acting in its corrective capacity: (b) order the controller or processor to bring its processing operations into compliance with this Regulation, where applicable, in a specified manner and within a specified period.
(28) Without prejudice to any other administrative or judicial remedy, each data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, where the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
IV. Decision
IV.1. Personal data of the Applicant, data processing, data controller and data processing under review
(29) The Applicant’s name, delivery address, address, e-mail address, parcel number, order-related data, correspondence with him/her are the Applicant’s personal data pursuant to Article 4, point 1, of the GDPR, and the storage and use of these data constitute data processing pursuant to Article 4, point 2, of the GDPR.
(30) The Applicant has determined and determines the purpose and means of the data processing of the Applicant’s personal data referred to in paragraph (13), and therefore it is considered a data controller pursuant to Article 4, point 7, of the GDPR.
(31) In the present proceedings, which were initiated upon request, the Authority is examining whether the Applicant has complied with the Applicant’s request as a data subject and whether it has deleted the personal data that it was required to delete based on the Applicant’s request for deletion.
IV.2. The Applicant’s data protection request
(32) According to the Applicant, the Applicant’s data protection request submitted on 12 October 2023 was only fulfilled on 8 February 2024, as a result of an internal investigation conducted following the receipt of the Authority’s order, due to an administrative error in the “purchase-related dispatch file”.
(33) The Authority states the following in relation to the administrative error:
As stated in paragraph (30), the Applicant is the data controller in the examined procedure, i.e. the data controller is the one who organizes the data processing, decides on the purpose and means of the data processing, and ensures data processing in accordance with the provisions of the GDPR during the entire data processing process, and can also prove this on the basis of Article 5(2) of the GDPR. In the present case, therefore, the administrative error does not exempt the controller from these obligations and does not exempt it from compliance with the provisions of the GDPR.
(34) The Respondent should have fully complied with the Applicant’s data subject request by 12 November 2023 at the latest, in accordance with Article 12(3) of the GDPR. Based on the processes of the Applicant’s deletion operations and the related screenshots, it can be established that the Applicant only fully complied with its deletion obligation after a significant delay, on 8 February 2024, after the initiation of the present proceedings.
(35) Following the Applicant’s objection, the Applicant could not have processed the Applicant’s personal data for business purposes pursuant to Article 21(3) of the GDPR, whereas – as acknowledged by the Applicant – letters were sent requesting an assessment of the Applicant’s service after the Applicant’s data subject request had been “fulfilled”.
(36) Based on the above, the Authority concludes that the Applicant did not comply with the Applicant’s request for erasure, and therefore negligently infringed Article 17(1)(c) of the GDPR. However, the Applicant subsequently carried out the erasure in full on 8 February 2024, and the Authority rejects the relevant part of the application because the order for erasure has become obsolete.
(37) The data subject request detailed in paragraph (7) was not exclusively an objection related to the newsletters, but rather requested the deletion of his personal data in general (without specifically naming the personal data). Given that the Requester claimed that it processed the Requester’s personal data for various purposes and on various legal grounds, it also had to consider which personal data it was obliged to delete based on the Requester’s request for deletion and which it was not. Of the personal data detailed in the table in paragraph (13) of this decision, the Requester had to delete from the database the personal data marked “Until the data subject’s objection is deemed legitimate”, while the other personal data were not subject to the deletion obligation in relation to the data subject’s request submitted based on the right to object. The Respondent must inform the Applicant about this and the personal data affected by the deletion pursuant to Article 12(1)-(3) of the GDPR, which the Respondent has not confirmed to the Authority, since the letter referred to in paragraph (7) was sent before the deletion took place (February 8, 2024), and it only informs that it will delete the personal data, but does not specify which ones it will delete and which ones it will not. According to its statement, the Respondent also processes data in light of data subject requests, and does not delete data processed in connection with this even upon request. For this reason, the Authority finds that the Respondent has failed to comply with its obligation to provide information pursuant to Article 12(2)-(3) of the GDPR, and orders the Respondent to comply with this obligation.
(38) In relation to the above, the Authority also highlights that the part of the Respondent’s statement that the planned data processing period is marked as “non-exhaustive” is unacceptable in view of the data processing related to the provisions of the GDPR, since, in accordance with the principles set out in Article 5(1) of the GDPR, data processing must be transparent (Article 5(1)(a) of the GDPR), and, in accordance with the principles of purpose limitation (Article 5(1)(b) of the GDPR) and data economy (Article 5(1)(c) of the GDPR), the duration of data processing must be precisely determined.
IV.3. Legal Consequences
(39) The Authority condemns the Respondent on the basis of Article 58(2)(b) of the GDPR, because it violated Article 17(1)(c) of the GDPR.
(40) In accordance with Article 58(2)(d) of the GDPR, the Authority has ex officio ordered that the Respondent inform the Applicant of the fulfilment of his data subject request and of the processing of his undeleted personal data.
(41) The Authority has exceeded the administrative deadline pursuant to Section 60/A (1) of the Data Protection Act, therefore the Applicant is entitled to HUF 10,000, i.e. ten thousand forints, at his option – by bank transfer or postal order – pursuant to Section 51(1)(b) of the Data Protection Act.
V. Other issues
(42) According to Section 38(2) of the Data Protection Act, the Authority is responsible for monitoring and promoting the protection of personal data, as well as the right to access data of public interest and made public in the public interest, and for promoting the free flow of personal data within the European Union. According to Section (2a) of the same Section, the tasks and powers assigned to the supervisory authority in the General Data Protection Regulation shall be exercised by the Authority in accordance with the provisions of the General Data Protection Regulation and this Act with regard to legal entities under the jurisdiction of Hungary.
(43) The Authority’s jurisdiction extends to the entire territory of the country.
(44) Pursuant to Sections 112 and 116(1) and Section 114(1) of the Administrative Procedure Act, a legal remedy may be sought against the decision and order through administrative proceedings.
(45) The rules of administrative litigation are determined by Act I of 2017 on the Code of Administrative Procedure (hereinafter: the Code). Pursuant to Section 12 (1) of the Code, administrative litigation against the decision of the Authority falls within the jurisdiction of the court, and the Metropolitan Court has exclusive jurisdiction over the litigation pursuant to Section 13 (3) (a) (aa) of the Code.
(46) Pursuant to Section 27 (1) (b) of the Code, legal representation is mandatory in litigation falling within the jurisdiction of the court. Pursuant to Section 39 (6) of the Code, the filing of a claim does not have a suspensive effect on the entry into force of the administrative act.
(47) Pursuant to Section 29 (1) of the Code and, in view of this, to Section 29 (1) of the Code and, in accordance with this, to the Act of the Court of Appeals, According to Section 19 (1) (b) of Act CIII of 2023 on the Digital State and Certain Rules for the Provision of Digital Services (hereinafter: Dáptv.), which is applicable pursuant to Section 604, the legal representative of the client is obliged to maintain electronic communication.
(48) The time and place of filing the statement of claim is determined by Section 39 (1) of the Kp. The information on the possibility of requesting a hearing is based on Section 77 (1)-(2) of the Kp. The amount of the administrative litigation fee is determined by Section 45/A (1) of Act XCIII of 1990 on Fees (hereinafter: Itv.). Section 59 (1) and Section 62 (1) h) of the Itv. exempt the party initiating the proceedings from the advance payment of the fee.
(49) The amount of the administrative litigation fee is determined by Section 45/A (1) of Act XCIII of 1990 on Fees (hereinafter: Itv.). Section 59 (1) and Section 62 (1) h) of the Itv. exempt the party initiating the proceedings from paying the fee in advance.
(50) If the Applicant does not adequately prove the fulfillment of the prescribed obligation, the Authority shall consider that the obligation has not been fulfilled within the deadline. According to Section 132 of the Ákr., if the obligated party has not fulfilled the obligation set out in the final decision of the authority, it shall be enforceable. According to Section 82 (1) of the Ákr., the Authority’s decision becomes final upon notification. Pursuant to Section 133 of the Act on the Protection of Personal Data, the enforcement shall be ordered by the authority that made the decision – unless otherwise provided by law or government decree. Pursuant to Section 61 (7) of the Information Act, the execution of the act shall be carried out by the Authority.
(51) During the procedure, the Authority exceeded the one hundred and fifty-day processing deadline pursuant to Section 60/A (1) of the Information Act, therefore the Applicant is entitled to HUF 10,000, i.e. ten thousand forints – at his/her choice – by bank transfer or postal order pursuant to Section 51 (1) (b) of the Act on the Protection of Personal Data.
Budapest, “according to the electronic signature and time stamp”
Dr. habil. Attila Péterfalvi, President in the absence of a university professor
Dr. Tamás Bendik
general vice president
</pre>