Infotv – €1,250 Fine (Hungary, 2022)

Two data subjects received unsolicited commercial emails from a hotel booking website (the controller). They objected to the processing of their personal data for direct marketing purposes and requested their email address to be deleted form the controller's register. However, the controller did not comply with the request and continued sending unsolicited emails. The same happened to the second data subject. Additionally, one of the data subjects submitted an access request to the controller but did not receive a response. Both data subjects filed a complaint with the Hungarian DPA. The DPA initiated an investigation, trying to contact the controller several times. After not receiving any reply, the DPA started sanctioning proceedings. During the proceedings, the controller argued that it was not aware of the data protection aspect of its activity and only considered it "simple advertising". Moreover, the controller stated that it had given instructions to delete the data from the mailing list, but an error occurred, as a result of which the personal data was still in the register. Furthermore, according to the controller, once the error was remedied, the data subjects were orally informed by a phonecall about the deletion of their data. The DPA held that the controller provided misleading information in its privacy policy. Although the controller claimed that the legal basis for processing personal data in relation to newsletters and marketing was consent under Article 6(1)(a) GDPR, the privacy policy mentioned the legitimate interest of the controller. Hence, it confused the data subjects, as to which legal basis was actually used. Moreover, the privacy policy did not expressly mention the purposes of processing personal data. Therefore, the DPA found a violation of Article 12(1) GDPR as the data subjects were not clearly informed of the purposes and the legal basis for processing. Additionally, the DPA established a violation of Article 6(1) GDPR because