ALDI MAGYARORSZÁG ÉLELMISZER Élelmiszer Kereskedelmi Betéti Társaság – €200,000 Fine (Hungary, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The controller, a supermarket company, conducted verifications about the age of customers wanting to buy alcoholic beverages. In addition to asking for an ID card, in some shops the controller also recorded the date of birth of the data subjects, while in other shops it did not. Moreover, another complaint concerned the fact that the controller asked elderly data subjects for an ID, even though it was evident that they were not under 18. Finally, according to the data subjects, no information under Article 13 GDPR was not provided to them. Therefore, they could not know which was the legal basis and the duration of the processing. For these reasons, several data subjects filed a complaint with the DPA. First, the DPA found that the data subjects were not able to have sufficient information about the processing at hand, since no sign was put in the controller’s shops. Moreover, the staff were not able to provide more information or to inform the data subjects where to find more information about the data processing. Furthermore, the DPA noted that the practices varied between the stores. Therefore, the DPA held that the information provided by the controller was insufficient, not easily accessible and not transparent. As a consequence, it found a violation of Article 5(1)(a), 12(1), 13(1) and 13(2) GDPR. Secondly, the DPA noted that Article 16/A(4) of the Consumer Protection Act of 1997 ([https://njt.hu/jogszabaly/1997-155-00-00.44 1997. évi CLV. Törvény a fogyasztóvédelemről]) requires alcohol sellers to ask for an ID card only when they are in doubt that the buyer could be under 18 years old. When this doubt does not exist, like in the case of a 70-year-old man, this obligation does not apply. Therefore, the controller could not rely on Article 6(1)(c) GDPR. As a consequence, the DPA found a violation of Article 6(1) GDPR. Thirdly, the DPA found that recording the date of birth in the cash register system violated Article 5(1)(c) GDPR. Indeed, the DPA considere
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
The controller, a supermarket company, conducted verifications about the age of customers wanting to buy alcoholic beverages. In addition to asking for an ID card, in some shops the controller also recorded the date of birth of the data subjects, while in other shops it did not. Moreover, another complaint concerned the fact that the controller asked elderly data subjects for an ID, even though it was evident that they were not under 18. Finally, according to the data subjects, no information under Article 13 GDPR was not provided to them. Therefore, they could not know which was the legal basis and the duration of the processing. For these reasons, several data subjects filed a complaint with the DPA. First, the DPA found that the data subjects were not able to have sufficient information about the processing at hand, since no sign was put in the controller’s shops. Moreover, the staff were not able to provide more information or to inform the data subjects where to find more information about the data processing. Furthermore, the DPA noted that the practices varied between the stores. Therefore, the DPA held that the information provided by the controller was insufficient, not easily accessible and not transparent. As a consequence, it found a violation of Article 5(1)(a), 12(1), 13(1) and 13(2) GDPR. Secondly, the DPA noted that Article 16/A(4) of the Consumer Protection Act of 1997 ([https://njt.hu/jogszabaly/1997-155-00-00.44 1997. évi CLV. Törvény a fogyasztóvédelemről]) requires alcohol sellers to ask for an ID card only when they are in doubt that the buyer could be under 18 years old. When this doubt does not exist, like in the case of a 70-year-old man, this obligation does not apply. Therefore, the controller could not rely on Article 6(1)(c) GDPR. As a consequence, the DPA found a violation of Article 6(1) GDPR. Thirdly, the DPA found that recording the date of birth in the cash register system violated Article 5(1)(c) GDPR. Indeed, the DPA considere
Related Enforcement Actions (0)
No other enforcement actions found for ALDI MAGYARORSZÁG ÉLELMISZER Élelmiszer Kereskedelmi Betéti Társaság in HU
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
2 July 2024
Authority
Nemzeti Adatvédelmi és Információszabadság Hatóság
Fine Amount
€200,000
80,000,000 HUF
GDPRhub ID
gdprhub-8237About this data
Cite as: Cookie Fines. ALDI MAGYARORSZÁG ÉLELMISZER Élelmiszer Kereskedelmi Betéti Társaság - Hungary (2024). Retrieved from cookiefines.eu
Last updated: