NAIH (Hungary) - NAIH-1790-1/2023
NAIH - NAIH-1790-1/2023 | |
---|---|
Authority: | NAIH (Hungary) |
Jurisdiction: | Hungary |
Relevant Law: | Article 12(3) GDPR, Article 13(4) GDPR, Article 15(1) GDPR |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | 15.02.2022 |
Decided: | 06.03.2023 |
Published: | 06.04.2023 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | NAIH-1790-1/2023 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Hungarian |
Original Source: | NAIH decision (in HU) |
Initial Contributor: | lszabo |
The Controller is ordered to fulfill the data subject's access request, to provide the information according to Art. 15 GDPR and to confirm the action taken. The DPA refused the request for a fine in spite of the Controller's late response to it.
English Summary
Facts
On 7 January 2022 the Applicant sent a letter to the Controller, attaching a copy of an e-mail sent on 5 January, asking for information about the handling of his personal data. Although the Controller received the letter on 10 January according to the postal receipt, it did not respond. The Applicant complained, asking the Authority to start official proceedings against the Controller and to levy a fine.
The Applicant asked for information about the handling of his personal data, the documents related to his name, their registration data, the erasure of data, the date and reason of erasure, and the transmission of his personal data to third persons. Additionally, he enquired about e-mails received at the official e-mail address of the priest serving at the Controller, their attachments, and the e-mails forwarded to third persons. He also asked for a date for consultation and confession.
According to the Controller, it never collected or processed any personal data of the Applicant. The Applicant went to the Controller's church and harassed one of the curates there. A private discussion about this was held between the Applicant and the vicar of the Controller. According to the Controller, the personal data related to this discussion are not subject to the GDPR. The Controller declared that it processes in its e-mail box the name, assumed address, assumed phone number and assumed e-mail address of the Applicant, which are part of this complaint by the Applicant. The legal basis is the legitimate interest to respond to the complaint. According to the Controller, the Applicant's letter (incorrectly indicated as being dated 7 January but actually dated 5 January) was only intended to establish contact with the Controller.
According to the Applicant, the e-mail dated 31 July 2022, which the Controller submitted to prove this, was not written by him, as it was not sent from his e-mail address; he therefore filed a complaint with the police against an unknown offender. The Controller stated that it received only one letter, the one dated 5 January, and that this letter did not seek access to personal data but only information about the registration number of the e-mail, the response deadline and a data protection notice. Given that the Controller considered itself continuously harassed, it did not respond, relying on Article 13 (4) GDPR. The data protection notice could only refer to data provided by the Applicant himself, and thus the request did not contain an access request. The Controller has a procedure for handling data subject requests and registers them in an Excel file. This file did not contain the Applicant's request due to the above considerations.
Additionally, the Applicant complained that during correspondence about a parish camp the Controller put the recipients in copy instead of blind copy, so his e-mail address became known to other recipients without his consent. This complaint is the subject of another procedure (not yet closed).
The Controller did not respond to the questions of the Authority delivered on 3 June, and responded with a delay of 7 days compared to the deadline of the repeated call to clarify the facts. A further enquiry of the Authority was answered in time. After several inspections of the file, the Authority finished establishing the facts on 18 November. According to these, the Applicant registered for a camp through a Google form and for the closing mass of the Eucharistic Congress, and the Applicant and the Controller exchanged e-mails concerning the camp.
Holding
The Authority considers that the Controller processed personal data in the correspondence and the Google form of the Applicant. Based on the duty of good and faithful co-operation (which has to be assumed of the parties according to the procedural rules of state administration), the Authority assumes that the two letters were sent by the Applicant if the Applicant states so. Therefore the Controller was obliged to respond to the request of the Applicant as data subject. If the request is manifestly unfounded or excessive, the burden of proof is on the Controller. Thus, the Controller infringed Article 12 (3) by not responding to the Applicant. The Controller is obliged to provide to the data subject the information included in Article 15 (1) GDPR. The Applicant's request to apply a fine is rejected, as the fine does not directly concern a right or legitimate interest of the Applicant and has no legal consequences related to him. Therefore a fine cannot be requested by the data subject, and this part of the complaint cannot be considered an official demand. As the deadline for completing the procedure was exceeded, the Authority pays HUF 10000 (about EUR 25) to the Applicant.
Comment
The Authority sided with the complaining data subject (the Applicant) in that the Controller received the access request and was not entitled to ignore it. The Controller tried to deny its responsibility and also answered only upon the second request of the Authority. A fine was, however, not levied.
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
Case number: NAIH-1790-1/2023.
Subject: decision establishing a violation of law (NAIH-5584/2022.)
DECISION
The National Data Protection and Freedom of Information Authority (hereinafter: Authority) [...] (residential address: […]; hereinafter: Applicant) at the Authority on February 15, 2022 at the request submitted, by the [...] Law Office (administrator lawyer: [...], KASZ: [...]) represented […] (headquarters: […]; hereinafter: Applicant) for the personal data of the Applicant in a data protection official proceeding to investigate the non-fulfillment of his access request makes the following decisions.
I. At the request of the Applicant, the Authority determines that the Respondent has violated the on the protection of natural persons with regard to the management of personal data and on the free flow of such data and the repeal of Directive 95/46/EC Regulation (EU) 2016/679 (hereinafter: General Data Protection Regulation) Article 12 (3) paragraph.
II. At the request of the Applicant, the Authority instructs the Applicant that the general data protection provide the Applicant with information on the information according to Article 15 (1) of the Decree and certifies its fulfillment to the Authority.
III. The Authority rejects the part of the Requester's request for the imposition of a data protection fine.
* * *
The II. the taking of the measures prescribed in point 1. This decision is final for the Respondent must be in writing within 30 days of the divorce - the supporting evidence along with its submission - certify to the Authority. In case of non-fulfilment of the prescribed obligation, the Authority orders the execution of the decision.
There is no place for administrative appeal against this decision, but from the announcement within 30 days from the date of issue, with a letter of claim addressed to the Capital Tribunal can be challenged in a lawsuit.
The claim must be submitted to the Authority electronically, which forwards it to the court together with the case documents. The request for the holding of the trial is submitted by the must be indicated in the application. For those who do not receive full personal tax exemption the fee for the administrative lawsuit is HUF 30,000, the lawsuit is subject to the right to record the fee. The capital city Legal representation is mandatory in court proceedings.
1 The NAIH_K01 form is used to initiate the administrative lawsuit: NAIH_K01 form (16.09.2019) The form can be filled out using the general form filling program (ÁNYK program). The form is available from the following link: https://www.naih.hu/kozig-hatarozat-birosagi-felulvizsgalata
1055 Budapest, Falk Miksa utca 9-11, Tel.: +36 1 391-1400, Fax: +36 1 391-1410, ugyfelszolgalat@naih.hu, www.naih.hu
JUSTIFICATION
I. Procedure of the procedure
(1) On February 15, 2022, the Applicant's request to initiate data protection official proceedings applied to the Authority, according to which his postal letter dated January 7, 2022 - to which he attached a printout of his previous e-mail dated January 5, 2022 version - requested information from the Application regarding the handling of his personal data in context. The postal letter provided by the Applicant to the Authority 2022, as evidenced by the delivery receipt, the authorized representative of the Applicant. received the document on January 10, but the Applicant did not receive a response.
(2) The Applicant requested that the Authority establish that the Respondent did not properly fulfilled your request to exercise your right of access to personal data, and with this, the Applicant violated Article 15 (1) of the General Data Protection Regulation his right. The Applicant also requested that the Authority oblige the Applicant to give for the Applicant according to Article 15 (1) of the General Data Protection Regulation, adequate content and complete information about the personal data managed by the Applicant.
(3) The Applicant also requested the imposition of a data protection fine against the Applicant.
(4) The Applicant further objected that the Respondent such electronic correspondence held with him - and other persons - a parish camp organized by the Applicant during its organization, where without the consent of the Applicant among the recipients of the letter, everything his e-mail address was visible to the recipient, as the Respondent did not send it as a secret copy and messages to recipients. Regarding this part of the application, NAIH-2948/2022. proceedings were initiated.
(5) In the present procedure initiated to investigate the fulfillment of the Applicant's right of access, the Authority a Dated 1 June 2022, NAIH-5584-2/2022. the facts in the order with case file no invited the Applicant to make a statement in order to clarify.
(6) According to the evidence of the return receipt certifying postal delivery, the Requested has complied with the Authority's order Received on June 3, 2022. In its order, the Authority has fifteen days to respond provided a deadline, which expired on June 20, 2022, but the Respondent did not respond at the order of the Authority.
(7) Therefore, the Authority dated July 8, 2022, NAIH-5584-4/2022. in the order with file no repeatedly invited the Applicant to make a statement in order to clarify the facts.
The requested representative accepted the Authority's order on July 13, 2022, so the The deadline for responding expired on July 28, 2022. Despite this, the Applicant he only answered the Authority's questions on August 4, 2022.
(8) After reviewing the Respondent's answers, it became necessary to clarify further questions, therefore, the Authority dated 30 August 2022, NAIH-5584-10/2022. case file number in his ruling, he invited the Applicant to make a statement.
(9) The Respondent answered the Authority's questions on September 27, 2022.
(10) Furthermore, on July 14, 2022, the Authority exercised its right to inspect documents at its headquarters, about which NAIH-5584-6/2022. a report was made on case file number.
(11) After reviewing the documents, the Applicant indicated that NAIH-5584-2/2022. file number and NAIH-5584-4/2022. 1 of point I of the order on the facts of case file no. sentence incorrectly states that based on the Applicant's letter dated January 7, 2021 requested information from the Applicant in connection with the management of his personal data. The letter its correct date, on the other hand, is January 7, 2022.
(12) In order to remedy this, the Authority issued NAIH-5584-9/2022, dated August 9, 2022. in the order with file number indicated in the order, the Applicant is addressed to the Respondent “2021. January 7 date "2022. amended to the date of January 7, and other provisions of the orders left it unchanged.
(13) Pursuant to the Applicant's request dated September 15, 2022, also wanted to exercise his right to inspect documents in the case NAIH-5584-5/2022. documents with registration number by sending copies of new documents created after
(14) At the request of the Applicant, the Authority dated September 21, 2022, NAIH-5584-12/2022. He sent a copy of the requested documents as an attachment to his order with file number.
(15) The Applicant, in his letter filed on September 28, 2022, after reviewing the documents made a statement.
(16) Subsequently, the Authority dated October 3, 2022, NAIH-5584-16/2022. case file number in his order, he informed the Applicant that in the official data protection procedure a evidentiary procedure was completed and drew his attention to the fact that during the clarification of the facts you can get to know uncovered evidence taking into account the rules of document inspection and may make further evidentiary motions.
(17) The Authority informed the Applicant about the same, dated October 4, 2022, NAIH-5584-17/2022. in the order with case file no.
(18) Pursuant to the request dated October 10, 2022, the Applicant repeatedly wanted to exercise his right in the case NAIH-5584-12/2022. was created after documents with file number by sending copies of new documents.
(19) At the request of the Applicant, the Authority issued NAIH-5584-19/2022 dated October 12, 2022. He sent a copy of the requested documents as an attachment to his order with file number.
(20) The Applicant, in his letter filed on October 27, 2022, following the review of the documents made a statement.
(21) The Applicant is the Authority NAIH-5584-16/2022. to the order of file number 18 October 2022. responded in a letter filed on connection, as what is written in it contains information unknown to him.
(22) Based on the Respondent's response, the Authority reviewed NAIH-5584-16/2022. case file number contained in his order, on the basis of which he established that the facts of its justification point I is wrong and does not contain information related to this procedure, therefore 5584-16/2022. order dated November 18, 2022, file number NAIH-5584-22/2022. revoked in order no. The Authority subsequently on November 18, 2022 dated NAIH-5584-23/2022.
in order with file number, repeated with correct content informed the Applicant that the evidence in the data protection authority procedure procedure was completed and drew his attention to the fact that he had discovered it during the clarification of the facts you can get to know evidence by taking into account the rules of document inspection and more can make evidentiary motions.
(23) The Respondent did not respond to this order of the Authority, did not exercise its right to inspect documents, and he did not make any further motions for proof.
II. Clarification of the facts
(24) The Applicant provided the Authority with e-mail correspondence, which a They were related to a camp organized by the applicant. He also added the An online Google document created by the applicant, on which he could submit his application for the camp your application by entering the following personal data: name, date of birth, e-mail address, telephone number. Based on the correspondence, the Applicant participated in the camping, so that's all you must have provided the information requested on the application form.
(25) According to the Applicant's statement, the International Eucharistic was also registered For the closing mass of the Congress, with the participation of the Applicant in his group.
(26) The Applicant also attached the "application for adult catechesis" dated January 7, 2022 a photo taken of his postal letter with the subject "data management information request", in which the You requested information from the applicant about the personal data it manages, which can be linked to your name documents, the date of recording of the data and documents, the deletion in case of deletion date and reason, as well as which personal data was transferred to a third party for publication and transmission.
The Applicant also requested information in the case of e-mails a It was sent to the official e-mail address of the priests serving with the Respondent and from there to the Applicant sent letters, their attachments, and which e-mails were sent to a third party for transmission to. Personal data released to a third party, e-mail, in the case of a document, he requested the name of the third party and the indication of the legal title of the edition too. It was also requested in the letter dated January 5, 2022 with the subject "date agreement" answer as well.
(27) A photo of the Applicant's letter dated January 5, 2022 with the subject "date agreement" also sent it to the Authority. In this letter, the Applicant requested an appointment from the Application for confession and personal consultation. Furthermore, in this letter, he also indicated that had already addressed this kind of request to the Respondent via e-mail, however based on that, the appointment was not successful. The Applicant also requested this in this letter information about the e-mail you sent earlier, for the purpose of arranging an appointment registered with the file number and date, requested information about the response deadline and about data protection information.
(28) The Applicant's letter dated both January 5, 2022 and January 7, 2022 in one envelope, sent to the Applicant by post, the receipt confirming the delivery of the letters according to his testimony, the envelope was delivered to the Applicant on January 10, 2022.
(29) According to his statement, the Respondent never provided any personal data from the Applicant requested or required. The Applicant is not a member of the Applicant's parish community, he is a church member does not pay tax. The Applicant attended the Respondent's church at the same time, his relationship with It originates from here with a request, however, the Respondent did not record anything during this process either personal data about the Applicant.
(30) According to the Applicant's statement, during his visits to the church, the Applicant he met one of his former priests (chaplains), with whom he came into "conflict", as a The applicant continuously harassed the chaplain. The Applicant from conflict and contact following his conscious seclusion, he turned to the Parish Priest of the Applicant. The Applicant his discussion with the parish priest took place as a personal conversation, the subject of the conversation was It was a conversation independent of the activity of the respondent as a data controller, during which and personal data that may have been disclosed within the scope of the General Data Protection Regulation are excluded, based on Article 2 (2) point c) thereof. Based on the foregoing, the Respondent's position according to the priest, since data processing is for "household purposes" there is no legal basis for data processing, nor did it have to have a purpose, considering that the vicar acted as a private person during conversations.
(31) According to the Respondent's statement, the Applicant's name, assumed address, assumed phone number and e-mail address, which are provided by the Applicant are part of the inquiry. The request that the Requested made available to the Authority issued, was subsequently sent by the Applicant to the Respondent, that the parish priest had already personally indicated to the Applicant to please the chaplain stop bullying. In other respects, the Respondent sought to be with the Applicant to break contact in order to avoid continuous harassment. On this - a According to the respondent's point of view, the purpose of processing personal data is assumed substantiation of the provability of allegations in the procedure, and its legal basis is the general one point f) of Article 6 (1) of the Data Protection Regulation, i.e.
the Respondent as a data controller legitimate interest in connection with the fact that his claims in this official procedure are true be accepted.
(32) For the same purpose and legal basis, the Respondent handles the Applicant on July 31, 2022 personal data included in the e-mail message you sent - and attached to the Authority. According to the Respondent's statement, the Applicant's email sent on July 31, 2022 it is clear from his message that both the Applicant and the chaplain tried several times to sever contact with the Applicant. According to the Respondent's statement, it is also it is clear from the message that the Applicant is in violation of the 2012 has committed harassment capable of establishing a criminal law situation according to § 222 of Act C. at the expense of the chaplain. It is quite obvious, according to the Respondent's point of view, that the 2022 letter dated January 5 (according to the Applicant's point of view, 2022 is probably wrongly stated in the application the date of January 7 is stated, however, according to the Applicant's records, the letter is dated January 2022 dated 5) was aimed at exercising the rights of non-stakeholders, the letter to the Applicant is completely different had intentions. He wanted to get the Respondent to establish a relationship with him. The Authority reviewed the letter attached by the Applicant, sent by the Applicant on July 31, 2022, which, according to the Respondent, requires contact with the referred chaplain to establish, to request an appointment from him for confession. However, the Applicant practiced during the procedure after inspecting the documents, indicated that this electronic letter sent on July 31, 2022 it was not written by him, as the e-mail address indicated as the sender, […], is not his e-mail address. The Applicant according to his statement, his real e-mail address is […]. The Applicant is therefore an unknown perpetrator filed a complaint against.
(33) According to the Applicant's statement dated August 4, 2022, the Applicant mistakenly could indicate in his application that he addressed the Applicant with his letter dated January 7, 2022, because according to his records, the only letter sent by the Applicant was on January 5, 2022 dated
(34) According to the Respondent's statement, the Applicant, in its letter dated January 5, 2022, made three asks for an answer to the following questions: (i) what file number was the e-mail registered under, (ii) what is the response time deadline, (iii) or requires a data management ("data protection") information sheet, not specified what personal data you are requesting information about. The Respondent's position according to you, you cannot expect a data controller who suffers continuous harassment to clarify calls the Applicant for information regarding the personal data he/she is requesting, on the other hand, according to his point of view, points (i)-(iii) do not qualify as points (i) and (ii) personal data, including the Applicant's right to access them can practice. The data management information indicated in point (iii) is at most the Applicant to the content of the e-mail message or letter included in the attachment sent by you may apply. The content of these documents was released by the Applicant himself to the Respondent at your disposal precisely for the purpose of contacting him. That is, the On the one hand, it is requested to avoid constant harassment, and on the other hand, general data protection on the basis of Article 13 (4) of the Decree, he repeatedly refrained from answering the letter emphasizing that the request does not require access to personal data contained.
According to the Respondent's point of view, the Applicant with his letter has the rights of the affected parties obviously abused his right to access personal data to practice
(35) In connection with the two letters, the Authority established during the clarification of the facts that the Applicant In a letter dated January 7, 2022, he addressed the Respondent with the exercise of stakeholder rights, which attached to a letter dated January 5, 2022, previously sent to the e-mail address of the Applicant sent letter, about which the Authority informed the Applicant on August 30, 2022 dated NAIH-5584-10/2022. in the order with file no. The Applicant on September 26, 2022. in his reply letter dated 2022, he stated that he would maintain it on 4 August 2022 dated, the statement made in connection with the Applicant's letter dated January 5, 2022, however, he did not say anything about his letter dated January 7.
(36) According to its further statement, the Respondent sent it to the Authority as a data controller according to the relevant provisions of its data protection regulations for the exercise of the data subject's rights inquiries. Considering that the Applicant is a small organization, so any a person who experiences an inquiry referring to the exercise of data subject rights, the inquiry is a it will be forwarded to the parish priest as the internal data protection officer, who will comply with the provisions of the regulations appropriately decides to take the necessary measures, where appropriate, a legal advisor enlisting his help. In other respects, the applicant keeps records in a separate excel file requests for the exercise of rights in accordance with the principle of accountability.
The Applicant according to his statement, the request of the Applicant dated January 5, 2022 was not sent to the to be entered in the register, as it is considered harassment and the exercise of non-stakeholder rights, considering in particular that the request does not affect personal data, as well as the person concerned a during the submission of the letter, he could have received information on data with which he himself had.
(37) Because of all this, the Respondent, in his opinion, was not there to inform the Applicant is obliged, the Applicant's letter does not qualify as an exercise of the rights of the data subject, or provided, but not assuming that the letter is an exercise of the rights of the data subject, Article 13 (4) of the General Data Protection Regulation based on paragraph 1, the Respondent was not obliged to fulfill it, especially in view of the law being abusively exercised. According to the Respondent's statement, also for its size and compared to the volume of its budget, it placed a lot of emphasis on personal data protection, thus the application of any sanction against the Application in light of the above would be particularly unfair. Accordingly, the Respondent asked the Authority to a reject the request and terminate the official procedure.
III. Applicable legal provisions
(38) Based on Article 2 (1) of the General Data Protection Regulation according to the present case the general data protection regulation shall be applied to data management.
(39) CXII of 2011 on the right to information self-determination and freedom of information. Act (hereinafter: Infotv.) pursuant to Section 2 (2) of general data protection regulation shall be applied with the additions contained in the provisions indicated therein.
(40) Infotv.
According to Section 60 (1), enforcement of the right to the protection of personal data In order to do so, the Authority will initiate a data protection official procedure ex officio upon a request to this effect may initiate a data protection official procedure. The general procedure for data protection authorities CL of 2016 on public administration. the rules of the Act (hereinafter: Act) must apply with the additions specified in Infotv. and the general data protection with deviations according to the decree.
(41) Infotv. Based on § 60, paragraph (2): "Regarding the initiation of the official data protection procedure request in Article 77 (1) of the General Data Protection Regulation, as well as Article 22 b) can be submitted in the case specified in
(42) Pursuant to Article 77 (1) of the General Data Protection Regulation: "Other without prejudice to administrative or judicial remedies, all stakeholders are entitled to make a complaint to a supervisory authority – in particular your habitual residence, a workplace or in the Member State where the alleged infringement occurred - if the person concerned in his opinion, the processing of his personal data violates this regulation."
(43) According to Article 4, point 1 of the General Data Protection Regulation: "personal data": identified or any information relating to an identifiable natural person ("data subject"); can be identified the natural person who, directly or indirectly, in particular identifier such as name, number, location data, online identifier or natural to a person's physical, physiological, genetic, mental, economic, cultural or social identity can be identified based on one or more relevant factors."
(44) Based on Article 4, Point 2 of the General Data Protection Regulation: "data management": the personal any automated or non-automated processing of data or data files operation or a set of operations, such as collection, recording, organization, segmentation, storage, transformation or change, query, insight, use, transmission of communication, by means of distribution or other means of making available, coordination or connection, restriction, deletion or destruction."
(45) Pursuant to Article 4, point 7 of the General Data Protection Regulation: "data controller": the natural or legal person, public authority, agency or any other body that a purposes and means of processing personal data independently or together with others defines; if the purposes and means of data management are determined by EU or member state law and, the data controller or the special aspects regarding the designation of the data controller it can also be determined by EU or member state law."
(46) According to paragraphs (1)-(6) of Article 12 of the General Data Protection Regulation:
"(1) The data controller takes appropriate measures to ensure that the personal data is provided to the data subject all the information referred to in Articles 13 and 14 and Articles 15-22 and All information according to Article 34 is concise, transparent, understandable and easily accessible provide it in a clear and comprehensible form, especially to children for any information received. Information in writing or otherwise - incl where appropriate, the electronic route must also be provided. Verbal information at the request of the person concerned can also be given, provided that the identity of the person concerned has been verified in another way.
(2) The data controller facilitates the relevant 15-22. the exercise of his rights according to art. Article 11 In the cases referred to in paragraph (2), the data controller is the person concerned in Articles 15-22.
your rights under Art may not refuse to fulfill your request for exercise, unless you prove that that the person concerned cannot be identified. (3) The data controller without undue delay, but in any case the request within one month of its receipt, informs the person concerned of the 15-22. according to article on measures taken following a request. If necessary, taking into account the request complexity and the number of applications, this deadline can be extended by another two months. Regarding the extension of the deadline, the data controller shall specify the reasons for the delay informs the person concerned within one month of receiving the request. If it is affected submitted the application electronically, the information was provided electronically if possible must be provided, unless the data subject requests otherwise. 8 (4) If the data controller does not take measures following the data subject's request, without delay, but informs the person concerned no later than one month from the date of receipt of the request about the reasons for the failure to take action, as well as whether the person concerned can file a complaint with a supervisory authority and may exercise his right of judicial remedy (5) Information according to Articles 13 and 14 and Articles 15-22 and information according to Article 34 and measure must be provided free of charge. If the data subject's request is clearly unfounded or - especially due to its repetitive nature - excessive, the data controller, taking into account the requested information or administrative related to providing information or taking the requested action for costs: a) may charge a fee of a reasonable amount, or b) may refuse to take action based on the request. It is the responsibility of the data controller to prove that the request is clearly unfounded or excessive is burdened. (6) Without prejudice to Article 11, if the data controller has well-founded doubts regarding Articles 15-21. 
in relation to the identity of the natural person submitting the application pursuant to Article, further, the person concerned you can request the provision of information necessary to confirm your identity." (47) Pursuant to Article 15 of the General Data Protection Regulation: "(1) The data subject is entitled to be receive feedback from the data controller regarding the handling of your personal data is ongoing, and if such data management is ongoing, you are entitled to have your personal data and get access to the following information: a) the purposes of data management; b) categories of personal data concerned; c) recipients or categories of recipients with whom or with which the personal data has been disclosed or will be disclosed, including in particular that of a third country recipients and international organizations; d) where appropriate, the planned period of storage of personal data, or if this is not the case possible aspects of determining this period; e) the right of the data subject to request from the data controller the personal data relating to him rectification, deletion or restriction of processing of data, and may object to such against the processing of personal data; f) the right to submit a complaint addressed to a supervisory authority; g) if the data were not collected from the data subject, everything about their source is available information; h) the fact of automated decision-making referred to in paragraphs (1) and (4) of Article 22, including profiling as well as, at least in these cases, the applied logic and understandable information about the importance of such data management, and the expected consequences for the person concerned. (2) If personal data is transferred to a third country or international organization is transmitted, the data subject is entitled to receive information about the transmission about the corresponding guarantees according to Article 46. 
(3) The data controller shall provide the data subject with a copy of the personal data that is the subject of data management. The data controller may charge a reasonable fee based on administrative costs for additional copies requested by the data subject. If the data subject submitted the application electronically, the information must be provided in a widely used electronic format, unless the data subject requests otherwise.
(4) The right to request a copy referred to in paragraph (3) shall not adversely affect the rights and freedoms of others."
(48) According to Article 23 (1) of the General Data Protection Regulation: "EU or Member State law applicable to the data controller or the data processor can limit with legislative measures the scope of the rights and obligations contained in Articles 12-22 and Article 34, as well as in Article 5 with respect to its provisions in accordance with the rights and obligations specified in Articles 12-22, if the restriction respects the essential content of fundamental rights and freedoms, and is a necessary and proportionate measure in a democratic society for the protection of the following: a) national security; b) national defense; c) public safety; d) prevention, investigation, detection or prosecution of crimes, or the enforcement of criminal sanctions, including protection against threats to public safety and the prevention of these threats; e) other important general public interest objectives of the Union or a member state, in particular an important economic or financial interest of the Union or a Member State, including monetary, fiscal and taxation issues, public health and social security; f) protection of judicial independence and judicial proceedings; g) in the case of regulated occupations, the prevention, investigation and detection of ethical violations and the conduct of related procedures; h) in the cases mentioned in points a)-e) and g) - even occasionally - control, investigation or regulatory activity related to the performance of public authority tasks; i) the protection of the data subject or the protection of the rights and freedoms of others; j) enforcement of civil law claims."
(49) Based on Article 58 (2) of the General Data Protection Regulation: "The supervisory authority acting in its corrective capacity: a) warns the data manager or the data processor that some of its planned data management activities are likely to violate the provisions of this regulation; b) condemns the data manager or the data processor if its data management activities violated the provisions of this regulation; c) instructs the data manager or the data processor to fulfill the data subject's request regarding the exercise of his rights according to this regulation; d) instructs the data manager or the data processor to harmonize its data management operations - where appropriate, in a specified manner and within a specified period of time - with the provisions of this regulation; e) instructs the data controller to inform the data subject about the data protection incident; f) temporarily or permanently restricts data management, including its prohibition; g) in accordance with the provisions of Articles 16, 17 and 18, orders the rectification or deletion of personal data, or the limitation of data management, as well as, in accordance with Article 17 (2) and Article 19, orders the notification of the recipients to whom or to which the personal data has been disclosed; h) revokes the certificate or instructs the certification body to withdraw a certificate issued in accordance with Articles 42 and 43, or instructs the certification body not to issue the certificate if the conditions for the certification are not or are no longer met; i) imposes an administrative fine in accordance with Article 83, depending on the circumstances of the given case, in addition to or instead of the measures mentioned in this paragraph; and j) orders the suspension of data flow directed to a recipient in a third country or an international organization."
(50) Pursuant to Infotv. § 71, paragraphs (1) and (2): "During its proceedings, the Authority - to the extent and for the time necessary to conduct them - can process all personal data, as well as data classified as a secret protected by law or a secret bound to the exercise of a profession, that are related to the procedure and the management of which is necessary in order to conduct the procedure successfully. The Authority can use the documents, data or other means of proof lawfully obtained during its procedures in other proceedings."
(51) According to paragraphs (1) and (3) of § 6 of the Ákr.: "(1) All participants in the procedure are obliged to act in good faith and cooperate with other participants. […] (3) The good faith of the client and other participants in the procedure must be presumed in the procedure. The authority bears the burden of proving bad faith."
IV. Decision
(52) Based on the definitions of the general data protection regulation, the Applicant a Electronic correspondence related to the camp organized by the applicant and other topics in part, and also to the Applicant in the Google document created by the Applicant recorded name, date of birth, e-mail address, telephone number as personal data, the personal and any operation performed on your data is considered data management.
(53) The purpose of the Authority's present proceedings is not to fully reveal exactly which personal data of the Applicant is handled by the Respondent, and for what purposes. The Respondent must do so in its response to the Applicant's access request.
(54) It is not the subject of this procedure that the Respondent, on behalf of the Applicant, but according to his statement, he did not write from the email address he used, dated July 31, 2022 whether the electronic letter was written by the Applicant or by someone else with defamatory intent.
(55) However, based on the definition of the general data protection regulation it can be established that the Respondent manages the Applicant's referenced personal data.
(56) Therefore, the justification that, in the absence of personal data processing, it is not necessary to fulfill the Applicant's access request is not correct.
(57) The Authority does not accept the Applicant's statement that the Applicant sent a letter dated January 5 with the subject of "date agreement" to the Respondent, which did not contain a request for access to personal data according to Article 15 of the General Data Protection Regulation. The Authority agrees with the Application in that, in a letter dated January 5, 2022 with the subject "date agreement", the Applicant requests information that the appointment for the previous, confessional and personal consultation the file number and date of your email sent for the purpose of consultation for recording, and requested information on the response deadline and data protection information, but did not request information about the management of his personal data.
(58) However, in the absence of evidence to the contrary, and considering that in the order dated August 30, 2022, with file number NAIH-5584-10/2022, it specifically drew the attention of the Applicant to the fact that the Applicant addressed the Respondent by letter dated January 7, 2022, exercising the rights of the affected person, to which letter the letter dated January 5, 2022, previously sent to the e-mail address of the Respondent, was also attached, and the Applicant did not make a statement to clarify the contradiction, the Authority assumes that the Applicant's request for access to his personal data, dated January 7, 2022, was also delivered to the Respondent.
(59) According to the Authority's point of view, based on the facts, the Applicant had a clear goal, to receive information about the processing of your personal data to which you have objected does not send your access request to the Requested. Pursuant to paragraphs (1) and (3) of § 6 of the Ákr., all participants in the procedure are obliged to act in good faith and cooperate with the other participants, and the good faith of the client - and other participants in the procedure - must be presumed in the proceedings. The Authority bears the burden of proving bad faith. Given that the Applicant's claim that on January 7, 2022 he addressed the Respondent with a request for access to his personal data - to which the letter dated January 5, 2022 was attached - was not denied by the Respondent, nor is there any other evidence to the contrary available to the Authority, the Authority accepts the Applicant's claims. This is further supported by a photo of the letter taken and submitted by the Applicant.
(60) Based on this, the Authority, considering the available evidence, accepted that, in one envelope with the letter dated January 5, 2022 with the subject "date agreement", the Applicant also sent to the Respondent the letter dated January 7, 2022 with the subject "application for adult catechesis, request for data management information". In this, the Applicant requested information about his personal data handled, the documents linked to his name, the recording date of the data and documents, in case of deletion, the date of deletion and its reason, and which personal data were released or transmitted to a third party. The Applicant also requested information from the Respondent, in the case of e-mails, about the letters received at the official e-mail address of the serving priests and sent from there to the Applicant, their attachments, and which e-mails were transmitted to third parties. Where personal data, e-mails and documents have been released to a third party, he requested the name of the third party and the indication of the legal title of the release. Moreover, he also asked for an answer to what was written in the letter dated January 5, 2022 with the subject "date agreement". Therefore, with his letter dated January 7, 2022 with the subject "application for adult catechesis, request for data management information", the Applicant wanted to assert his right of access according to Article 15 of the General Data Protection Regulation.
(61) The Applicant sent a copy of the receipt confirming the delivery of the letter, according to which the letter was delivered to the Respondent on January 10, 2022.
(62) The general data protection regulation regulates the right of access among the data subject's rights. Based on this, according to Article 15 (1) of the General Data Protection Regulation, the data subject is entitled to receive feedback from the data controller as to whether his personal data is being processed, and if such data processing is underway, he is entitled to get access to his personal data and information about data management.
(63) In relation to the method of providing information on data management, the data controller's obligations are detailed in Article 12 of the General Data Protection Regulation. Based on this, the information about personal data must be given in a concise, transparent, understandable and easily accessible form, clearly and comprehensibly worded. Information must be provided in writing or in another way.
(64) Furthermore, according to Article 15 (3) of the General Data Protection Regulation, the data controller provides a copy of the personal data subject to data management to the data subject. For additional copies requested by the data subject, the data controller may charge a reasonable fee based on administrative costs. If the person concerned submitted the application electronically, the information should be made available in a widely used electronic format, unless the person concerned requests otherwise.
(65) Based on Article 15 (4) of the General Data Protection Regulation, the right to request a copy may not adversely affect the rights and freedoms of others.
(66) Based on Article 12 (3) of the General Data Protection Regulation, the data controller is obliged to provide information about the measures taken based on the request for access to personal data without undue delay, but in any case within one month of receipt of the request. If necessary, this deadline can be extended by another two months, and the data controller must provide information about the fact of the extension and the reasons for the delay within one month from the receipt of the application.
(67) According to Article 12 (5) of the General Data Protection Regulation, the measure taken following requests related to data subject rights, such as a request for access to personal data, and the information about it must basically be provided free of charge. If the request of the person concerned is clearly unfounded or - especially due to its repeated nature - excessive, the data controller can charge a reasonable fee for the administrative costs involved in providing the requested information or taking the requested action, or refuse to take action based on the request. However, it is the responsibility of the data controller to prove the clearly unfounded or excessive nature of the request.
(68) Article 23 (1) of the General Data Protection Regulation also defines special cases, the existence of which may limit the rights of the data subjects, such as the right of access.
(69) Based on the above, it can be established in this case that the Respondent did not respond to the Applicant's letter dated January 7, 2022 with the subject "application for adult catechesis, request for data management information", with reference to the fact that it did not receive such a letter. However, based on the information available to the Authority, the Applicant sent both the letter dated January 5, 2022 and the letter dated January 7, 2022 containing his request for access to his personal data in one envelope to the Respondent by post, which letter, according to the return receipt confirming its delivery, was delivered to the Respondent on January 10, 2022.
(70) Based on all of this, the Authority concludes that the Respondent, by not answering the Applicant's letter dated January 7, 2022 with the subject "application for adult catechesis, request for data management information", violated Article 12, paragraph 3 of the general data protection regulation.
(71) The Respondent must inform the Applicant of the information specified in Article 15 (1) of the General Data Protection Regulation regarding the processing of the Applicant's personal data; information about the deletion of certain personal data and the reason and date of the deletion is not required by the general data protection regulation, while regarding the transmission of personal data, it must inform the Applicant about those recipients or categories of recipients with whom or with which the personal data has been disclosed or will be disclosed, including in particular third country recipients and international organizations.
(72) The Authority also rejects the Applicant's request for the imposition of a data protection fine, as the application of this legal consequence does not directly affect the right or legitimate interest of the Applicant, and such a decision of the Authority does not create a right or obligation for him; as a result, regarding the application of this legal consequence - which falls within the scope of enforcing the public interest - in relation to the imposition of a fine, the Applicant is not considered a client based on paragraph (1) of § 10 of the Ákr., and - since it does not comply with paragraph (1) of Section 35 of the Ákr. - there is no place to submit an application in this regard, and this part of the application cannot be interpreted as a request.
V. Legal Consequences
(73) In view of what is written in section IV of the justification of this decision, the Authority, on the basis of Article 58 (2) point b) of the General Data Protection Regulation, states that the Respondent violated Article 12 (3) of the General Data Protection Regulation, as it did not respond to the request for access to his personal data submitted by the Applicant in his letter dated January 7, 2022 with the subject "application for adult catechesis, request for data management information".
(74) Due to the established violation, the Authority, on the basis of point c) of Article 58 (2) of the General Data Protection Regulation, instructs the Respondent to fulfill the Applicant's access request in accordance with Article 15 of the General Data Protection Regulation and to certify its fulfillment to the Authority.
VI. Other questions
(75) The competence of the Authority is defined by paragraphs (2) and (2a) of § 38 of the Infotv., and its competence covers the entire territory of the country.
(76) This decision of the Authority is based on §§ 80-81 of the Ákr. and paragraph (1) of § 61 of the Infotv. Based on § 82, paragraph (1) of the Ákr., the decision becomes final upon its publication. Based on § 112, § 116, paragraph (1) and paragraph (4), point d), and § 114, paragraph (1) of the Ákr., the decision can be appealed through an administrative lawsuit.
(77) The rules of the administrative procedure are defined in Act I of 2017 on the Administrative Procedure (hereinafter: Kp.). Based on § 12, paragraph (1) of the Kp., the administrative lawsuit against the decision of the Authority falls within the jurisdiction of the court, and based on subparagraph a) of point a) of Section 13, paragraph (3) of the Kp., the Metropolitan Court is exclusively competent for the lawsuit. According to point b) of paragraph (1) of Section 27 of the Kp., legal representation is mandatory in a legal dispute in which the court is exclusively competent. According to § 39, paragraph (6) of the Kp., the submission of the statement of claim does not have the effect of postponing the entry into force of the administrative act.
(78) According to paragraph (1) of § 29 of the Kp. and, in view of this, § 9 (1) point b) of Act CCXXII of 2015 on the general rules of electronic administration and trust services, applicable according to § 604 of Act CXXX of 2016 on the Code of Civil Procedure, the client's legal representative is obliged to maintain electronic contact.
(79) The time and place of filing the statement of claim is defined by § 39, paragraph (1) of the Kp. The information about the possibility of a request to hold a hearing is based on paragraphs (1)-(2) of § 77 of the Kp.
(80) The amount of the fee for the administrative lawsuit is defined by Section 45/A (1) of Act XCIII of 1990 on fees (hereinafter: Itv.). Paragraph (1) of § 59 and point h) of § 62 (1) of the Itv. exempt the party initiating the procedure from the advance payment of the fee.
(81) If the Respondent does not adequately certify the fulfillment of the prescribed obligation, the Authority considers that it has not fulfilled its obligation within the deadline. According to § 132 of the Ákr., if the Respondent did not comply with the obligation contained in the Authority's final decision, it can be executed. According to § 82, paragraph (1) of the Ákr., the Authority's decision becomes final with its communication. Pursuant to § 133 of the Ákr., enforcement - if a law or government decree does not provide otherwise - is ordered by the decision-making authority. Pursuant to § 134 of the Ákr., the execution - if a law, government decree or, in a municipal authority case, a local government decree does not provide otherwise - is undertaken by the state tax authority. Based on § 61, paragraph (7) of the Infotv., regarding the obligation contained in the Authority's decision to carry out a specific act, to perform a specific behavior, to tolerate or to stop, the Authority undertakes the implementation of the decision.
(82) During the procedure, the Authority exceeded the one hundred and fifty day administrative deadline according to paragraph (1) of § 60/A of the Infotv., therefore, based on point b) of § 51 of the Ákr., it pays ten thousand forints to the Applicant - according to his choice - by bank transfer or postal order.
Budapest, April 6, 2023.
In the absence of Dr. habil. Attila Péterfalvi, President: Dr. Győző Endre Szabó, vice president