NAIH (Hungary) - NAIH-1336-12/2023
From GDPRhub
| NAIH - NAIH-1336-12/2023 | |
|---|---|
 | |
| Authority: | NAIH (Hungary) |
| Jurisdiction: | Hungary |
| Relevant Law: | Article 5(1)(c) GDPR Article 5(2) GDPR Article 12(1) GDPR |
| Type: | Complaint |
| Outcome: | Partly Upheld |
| Started: | 13.04.2022 |
| Decided: | |
| Published: | 17.07.2024 |
| Fine: | n/a |
| Parties: | Complainant Real estate franchise office Franchise owner |
| National Case Number/Name: | NAIH-1336-12/2023 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Hungarian |
| Original Source: | naih.hu (in HU) |
| Initial Contributor: | AnnaMaticsek |
The Hungarian DPA found a violation of GDPR Articles 5(1)(c) and 12(1) regarding the storage of personal data without a lawful basis, insufficient data minimization, and lack of transparent information to the complainant.
English Summary
Facts
The Complainant alleged that the Respondent, a real estate franchise office, unlawfully stored personal information collected during a property viewing process, including name, ID number, and contact details. This was based on the fact that the Complainant did not receive any information from the Respondent when their data was collected and they assumed it was based on their consent.
The Complainant requested the Hungarian DPA to examine whether the Respondent's data processing activities complied with GDPR.
Despite requesting the deletion of their data, the Complainant’s information was retained for alleged legal enforcement purposes, due to a breach of contract by the Complainant. During the procedure, it turned out that there was an ongoing civil procedure between the Complainant and the Respondent, which already become legally binding.
The Hungarian DPA also involved the Franchise Owner in the process, because the data processing practices of the Respondent (the real estate franchise office) were tied to procedures and policies mandated by the Franchise Owner.
The Hungarian DPA investigated claims that the Respondent’s data processing practices failed to adhere to GDPR’s transparency and data minimization requirements, specifically regarding proper notification of data processing and storing excessive data.
Holding
First, the DPA held that the Respondent and the Franchise Owner were not deemed joint controllers because, although the Franchise Owner provided data processing guidelines and a standardized system, each party independently determined specific aspects of the data processing activities, e.g. they separately determined the purposes and means, and the activities were not closely linked.
Second, the DPA determined, that it was in the legitimate interest of the Respondent to process the personal data of the Complainant for the enforcement of its claims until a legally binding judgment established that the claim did not exist.
The Respondent submitted the court's final judgment and the decision confirming its legal finality, regarding the lawsuit initiated based on the Respondent's outstanding claim. According to this judgment, the court dismissed the Respondent's claim. Therefore, since the judgment became final on February 16, 2023, the Respondent could no longer process the Complainant's personal data for claim management purposes on the grounds of legitimate interest.
In light of this, the Authority upheld the Complainant's request and ordered the Respondent to delete the Complainant's personal data from its claim management records.
Third, the Hungarian DPA held that the Respondent failed to carry out a legitimate interest assessment and therefore was unable to demonstrate compliance with the data processing principles and infringed Article 5(2) GDPR.
Fourth, the DPA found that processing certain personal data of the Complainant - specifically nationality, email address, ID document number, and phone number - were unnecessary for enforcing legal claims. The Authority determined that the processing was excessive and processing these data elements violated Article 5(1)(c) GDPR.
Fifth, the Hungarian DPA found that the Respondent did not inform the Complainant in a transparent and intelligible way about the processing of their personal data, including details such as the identity of the data controller and the purposes of data processing. This lack of prior information meant the Complainant did not have a full understanding of how their data would be processed, which is a core requirement of Article 12(1) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
Case number: NAIH-1336-12/2023.
History: NAIH-3772/2022. Subject: decision and order
The National Data Protection and Freedom of Information Authority (hereinafter: the Authority) [...]
applicant (hereinafter: Applicant) 13.04.2022. on the basis of the application submitted on
storage of personal data without a legal basis, as well as violation of the principle of data saving
in respect of which a data protection official was initiated against [...] (hereinafter: Applicant).
procedure - in which the Authority involved […] (hereinafter: Client) as a client - the following
makes decisions:
I. 1. The Authority in its decision to the Applicant's request
partially correct and
I.2.1. determines that the Respondent and the Customer have violated it
- to natural persons regarding the management of personal data
protection and the free flow of such data, as well as the 95/46/EC Directive
Regulation 2016/679 (EU) on its exclusion (hereinafter: GDPR or general
data protection decree) of Article 12 (1), as no adequate advance notice was given
information to the Applicant, as well as
- GDPR Article 5 (1) point c) of the Applicant's nationality,
management of your document identification number, e-mail address and telephone number
regarding, furthermore
I.2.2. finds that the Respondent has violated Article 5 (2) of the GDPR, as a
The priority of the applicant's legitimate interest in the processing of personal data is appropriate
he did not justify it by considering interests, furthermore
I.3. obliges the Applicant to, within 15 days from the date of this decision becoming final
confirms that he has deleted the Applicant's personal data for claims management purposes
from the register, in view of the final judgment of the [….] District Court No. […], and only the present one
handles them in connection with official data protection procedures.
II. In its decision, the Authority considers the Applicant's request for the Authority to establish
and regarding the Applicant's name, mother's name, address, place and time of birth - the [….]
For the period prior to the final judgment of the District Court No. […] - data management of the Respondent
illegality,
rejects.
III. In its order, the Authority requires the Client to treat the franchise contract as a business secret
grants your request. * * *
There is no place for administrative appeal against this decision and order, but a
within 30 days from the date of notification, with a letter of claim addressed to the Capital Court
can be challenged in a lawsuit. A letter of claim must be submitted electronically to the Authority, which is
forwards it to the court together with the case documents. The request for holding the trial in the statement of claim
must be indicated. For those who do not receive the full personal tax exemption, the administrative lawsuit
the fee is HUF 30,000, the lawsuit is subject to the right to record fees. In the proceedings before the Metropolitan Court
legal representation is mandatory.
The Authority draws the attention of the Applicant and the Client that the decision is open to appeal
until the expiry of the existing deadline for filing an action, or in the case of an administrative lawsuit, the court is final
the data affected by the disputed data processing may not be deleted or destroyed until the decision is reached.
JUSTIFICATION
I. Procedure of the procedure
(1) At the request of the Applicant, on the right to self-determination of information and freedom of information
CXII of 2011 2022 based on Section 60 (1) of the Act (hereinafter: Infotv.).
04.14. on the day of - after fulfilling the requirements written in the notice to make up the gap - data protection authority
proceedings have been initiated.
(2) In its order, the Authority invited the Applicant to make a statement to clarify the facts
order, with reference to the 2016 CL.
Act (hereinafter: Act) to § 63, to which the Respondent's response within the deadline
arrived at the Authority.
(3) The Authority granted the Client legal status as a client pursuant to Art. Based on § 10, paragraph (1),
about which he notified both the Applicant and the Respondent, as well as the Client's facts
for the purpose of clarification, he was invited to make a statement on two occasions.
(4) The Authority notified the Applicant and the Respondent, as well as the Client, that the
proof procedure is completed and you have drawn their attention to the fact that you are a statement
can comment. In response to this, none of those notified exercised their right to inspect documents,
and a statement was made by the Client and the Requested Party, after which the Authority recognized the Requested Party
called him to support his claim, which the Respondent complied with.
II. Clarification of facts
II.1. The Applicant's application and deficiency statement (NAIH-3772-1/2022., NAIH-3772-
3/2022., NAIH-3772-5/2022.)
(5) In his application submitted to the Authority on March 16, 2022, the Applicant requested that the
The Authority will examine the data processing of the Applicant and determine that the Applicant
did not provide adequate information about data management to the Applicant in advance, that is
about the data controller, and also oblige the Applicant to the principle of data saving
compliance and deletion of unnecessary data.
1 The NAIH_KO1 form is used to initiate an administrative lawsuit: NAIH KO1 form (16.09.2019) The
form can be filled out using the general form filling program (ÁNYK program).
https://www.naih.hu/kozig-hatarozat-birosagi-felulvizsgalata
2 The Applicant attached a copy of the following document to the application:
- by the Applicant on 05.06.2020. "viewing certificate" signed on
- Sent to [….] on 01.09.2021. cancellation request dated
- [….] Letter to the applicant dated September 30, 2021.
(6) The Applicant submitted that he viewed a property through the mediation of the Respondent, and therefore
signed a viewing certificate at the request of the estate agent. The document is the same
included the data management information, but according to the Applicant's point of view, it is not sufficient
and GDPR "7. of Article (2), which states that if the data subject's consent is such
gives the consent in the form of a written statement, which also applies to other matters
the application must be clearly distinguishable from these other cases
be presented in an understandable and easily accessible form, with clear and simple language. The
data management information is displayed in a particularly small font size, with small line spacing."
(7) According to the Applicant's point of view, in addition to the above, the Respondent violated the GDPR
Article 13, point a), which states that the data controller is responsible for the acquisition of personal data
at the time of the data subject's disposal to the data controller - and if there is one - it is
the identity and contact information of the representative of the data controller. According to the Applicant, the GDPR is on this
despite its requirement, the name of the Applicant is not mentioned anywhere on the document, except for one
on a very faded and illegible seal impression.
(8) The Applicant addressed the Respondent with a cancellation request, to which the Respondent
In response, his representative informed him on September 30, 2021 that the request would be rejected because
no, due to the processing of personal data for the purpose of asserting a claim
can be deleted. In this way, according to the Applicant's point of view, the Respondent has violated "GDPR Article 5
point c), i.e. the principle of data saving, since the following personal data of the Applicant
store:
- name,
- his mother's name,
- citizenship,
- residential address,
- identification document number,
- phone number,
- email address,
- place and time of birth.
According to the Applicant, the above-mentioned personal
data are not necessary, therefore the Respondent violated the principle of data saving.
(9) The Applicant stated the following in the deficiency correction sent on E-paper (NAIH-3772-
5/2022.), and explained the content of the data subject's request, which contains the following text
regarding stakeholder request:
"Dear [….] !"
"[…] I would like to ask you and your client T. that my previously provided personal data
please delete it from your database, the previous one given to store my personal data
I hereby withdraw my consent. [...]"
(10) According to the attached document, the above text is dated 09.01.2021. date of The Applicant a
sent your cancellation request by post to […] ([…].). To support his claims, a
Applicant attached in copy [….] lawyer Addressed to applicant September 30, 2021.
dated - with the subject of a reply letter - (hereinafter referred to as: Reply Letter), the return receipt and
A copy of the proof of delivery with the identification number RL […]. According to the copy of the proof of delivery
the shipment on 13.09.2021. took over on [….].
3(11) The Response Letter details the Respondent's claim (origination) on the one hand, and also partly
the Applicant is related to the management of his personal data. Personal data of the Applicant
regarding its handling, the Response Letter contains the following:
(12) “[…] We process your personal data for the purpose of validating the claim, so you
based on the withdrawal of your consent, we do not and cannot cancel it, I note,
that you indicate in your letter that your address has changed, so it is just another personal one
provides data. [...]"
II.2. Statement of the Applicant (NAIH-3772-7/2022.)
(13) […] is a franchise network operated by the Customer. Each franchise partner is
Based on a franchise contract concluded with a customer, they open [...] an office. The franchise agreement
regulates in detail the activities of individual franchise partners, thus each
partners are obliged to submit the documents and forms specified by the Customer,
to use an IT system, to follow the procedure defined by the Customer, on this
in addition, however, they act as an independent business company. The individual real estate agents
they carry out their activities as an individual entrepreneur or as an employee of the company.
(14) The Applicant visited and inspected the Respondent's office for the purpose of purchasing real estate
a property, signed the inspection certificate confirming this. The Applicant changed several times
message with the Respondent's job opening, but later it turned out that he hired him directly
the relationship with the owner as well, and concluded a sales contract with him, but about this a
He did not inform the applicant, despite what he undertook in the inspection statement, so a
The applicant did not get the fine he was entitled to. After that, the Respondent made legal
steps, commissioned a lawyer for the claim arising from the fact of the breach of contract
for validation. During this, the law firm contacted the Applicant and called on the
for the payment of a penalty which he also learned and accepted in the viewing statement. The Applicant
disputed the claim of the Respondent and requested the personal
deletion of data from the lawyer and the Application. In his response, the lawyer stated this
refused in view of the ongoing procedure.
(15) Regarding the Applicant, the Respondent manages the following personal data: name,
mother's name, nationality, permanent residence, type and number of identification document,
phone number, e-mail address, place and time of birth, address of property viewed and the viewing
date.
(16) In all cases, the customer intending to view the property must obtain the viewing certificate
before signing, read, interpret and, if necessary, ask for an explanation of what is written in it
about, then signs. The Applicant did the same. The certificate includes data management
information, which names the data controllers, the purpose of the data management, and contains the
also other elements defined in GDPR. The prospectus also states that a
detailed data management information is available on this website. The viewing certificate is issued by the
The applicant was able to familiarize himself with it, read it, sign it, and received a copy of it.
(17) There was a court proceeding in the case at […]. To prove this, the Applicant
attached a copy of the summons of the […] District Court dated March 21, 2022.
(18) According to its declaration, the Respondent is an independent data controller, so it is not joint with the Client
data controllers, this is also included in its data management information. The purpose of data management and
means are not determined jointly by the Client and the Requested Party.
(19) However, contrary to the above, the Respondent also stated that the Respondent a
conducts its activities as defined by the Customer, and the purpose of data management,
and the scope of the data is determined by the Customer. Moreover, the Respondent also referred to
4 that the data management information on the Customer's website is applicable to its data management: [...]
(hereinafter: Data Management Information).
(20) The data of the data subjects is recorded in the IT system provided by the Customer, furthermore
stored in a closed manner on a paper basis. For property search and viewing certificate
the content of related data management can be found in Data Management Information 4.2. and 4.3. points are determined
yes.
(21) The purpose of handling the data on the viewing certificate - as written in the information sheet
according to - partly the identification of the person concerned, partly the contact, partly the need
in case of enforcement of claims. No processing of citizenship data
justified, the Applicant will delete this from the documents and records in the future.
(22) Requests from data subjects are processed in accordance with Section 6.1 of the Data Management Information. and 6.2. written in point
is handled by the Applicant, their legal representatives are not involved in the handling of such requests
part. In the present case, the Applicant's letter was answered by his legal representative because
the data subject sent it to him: the data subject had not previously sent it to the Respondent or the Customer
contacted, did not request information or cancellation. The acting legal representative for the legal profession
according to the relevant rules, he contacted the Applicant for the purpose of validating the claim, who
replied to the legal representative. The Applicant attached the mandate of his legal representative
a copy of your contract and power of attorney.
(23) According to the Respondent's opinion, the response letter from its legal representative is inaccurate to the extent that
does not explain in detail the purpose of data management, the data management information sheet 4.4. and the
based on point d) of the information on the inspection certificate.
II.3. The Customer's statements (NAIH-3772-14/2022., NAIH-3772-15/2022.)
II.3.1. The Client NAIH-3772-14/2022. no. statement
(24) The Customer presented in detail the franchise established between the Respondent and the Customer
agreement and specifically highlighted that the Respondent cannot freely decide that
The Client is obliged to enter into an assignment contract with the owners of the properties
to use a form specified by At the same time, the Respondent is an independent business
conducts activities, searches for properties and buyers that can be sold, independently decides on
whether he makes a claim with the customer who viewed the property - with the assistance of the Requested Party
against, whether to file a lawsuit.
(25) In summary, the Customer highlighted that in the system defined by the Customer and
according to the documents, the Respondent carries out its activities as an independent legal entity, its own
on his responsibility.
(26) With reference to the above, in the Customer's opinion, the Respondent and the Customer are common
data controllers, and the Respondent is an independent data controller with respect to its own customers.
(27) The Customer declared that the franchise contract concluded with the Application is complete
as a whole it is a business secret, it cannot be made public even in part.
(28) The Customer has attached the Data Management information to his statement, the essence of which is as follows
from the point of view of the data controller, the following:
The data management activities may be performed by several persons, which are as follows:
- the Customer, who is the owner of the franchise system and the operator of the network,
- the so-called "franchise partner": the member of the franchise network that is with the Customer
operated an office and real estate agency based on a franchise agreement
finishes
5 - the so-called "sub-franchise partner": the member of the franchise network that is the Customer
has a contractual relationship with its partner and is operated by the franchise partner
conducts real estate brokerage activities in the office.
(29) It is also recorded in the Data Management information sheet - the statements made by the Requested Party and the Customer
accordingly - that the Customer determines used during data management
forms, contracts, sales processes, in case of breach of contract
procedure to be followed.
(30) The Data Management Information - 1.3. in point - expressly records the following:
"[…] Based on the above, the purpose, tools and rules of Data Management are determined by [...] THE
Partners provide the data based on the contract concluded with the Data Subject or the Data Subject's consent
are handled on the basis of, taking into account that the Partners are directly involved
in connection. Noting that the purpose and means of data management are the Data Managers
they are not defined jointly, they are not considered joint data controllers. The individual data controllers
its data management is thus independent, but at the same time most of the data management activities are carried out by the Data Controllers
is implemented on the basis of its joint activity, so both [….] and the Partners are data controllers
qualify. [...]"
(31) The Data Management information is in 4.3. related to the viewing certificate
also details data management as follows:
Scope of processed data in relation to the viewing person Data management information 3.4.
point a. and c. is determined by subsection, and the Data Management Information also states that it is
data is kept by the "Data Controller" for five years from the termination of the legal relationship. "The
period of time to assert claims after the termination of the legal relationship
may take place."
(32) In contrast to the above, it is not point 3.4, but point 3.3 that defines the scope of the processed data
lists according to data management purposes, of which purposes in the present case are the following two purposes
relevant:
- "Data required for identification: surname and first name; birth name; place and time of birth;
his mother's name; permanent address, if not, place of residence, type of identification document
and number. In relation to the above, the Data Management Information specifically highlights that "That
provision of data, conclusion of a contract, other relationship creating a legal relationship (e.g.
signing a viewing certificate) is mandatory, in the absence of these, the contract is not
can be concluded, bearing in mind that the contract is not possible in the absence of data
performance, enforcement of claims arising from the contract."
- "Request-related data: If there is a legal dispute between the data subject and the Data Managers
is formed (in particular, the person concerned does not pay the fee, or the property is owned by the Partners
sold to an intermediary buyer by bypassing the Partners), the Data Controllers handle the request
data regarding its legal basis and nature, as well as the validation of the claim
supporting evidence.”
(33) Section 4.4 of the Data Management Information is entitled "Enforcement of demands and claims".
According to what is written in this section, the most common legal dispute is related to "circumvention",
when the parties involved bypass the Applicant and the Client and establish a legal relationship with it
with the aim of exempting them from the obligation to pay fees. According to the Data Management Information
the franchise partners can entrust the Customer with validating the claim, in this case
the Customer acts as an agent and joint data management is carried out.
(34) The Data Management Information contains a section entitled: "Weighing of interests test
brief introduction".
6(35) The Data Management information sheet VI. also contains information on the rights of data subjects,
however, it only mentions "Data Controllers" throughout, so it does not name the previously mentioned
which of the three is the data controller, namely the Customer or the franchise partner
or whether it is the sub-partner.
II.3.2. The Client NAIH-3772-15/2022. no. statement
(36) The Customer again explained that the Requested data controller and not data processor
in the course of his activity as a real estate agent. The Customer also stated that it was not much
requests from stakeholders are received, and he handles only a few each year. That's why they haven't seen it until now
the development of the detailed procedure is necessary. in 2023 from the outcome of this procedure
they plan to independently develop a procedure for handling stakeholder requests.
(37) The Customer sent the inspection certificate to the Authority
form, on which the following personal data must be entered: name,
mother's name, nationality, permanent residence, type and number of identification document, telephone, e-
email, place and time of birth.
(38) The viewing certificate provides brief information under the heading "Data management" that a
personal data by the "Real Estate Agency" (in this case, the Applicant) and the Customer
manages. It lists the data management purposes, including: contact, requests
validation. The information also contains a reference to the fact that if the "Data Subject"
does not comply voluntarily, then it will be enforced by legal means, and for this they will use the
your personal data. The information also mentions the rights of stakeholders, and also indicates that
more detailed information can be found on the Customer's website and provided to it
access path.
II.3.3. The Applicant NAIH-1336-6/2023. no. and NAIH-1336-11/2023. statements
(39) In the lawsuit between the Respondent and the Applicant [….] District Court dated January 16, 2023, the
with the judgment received by the legal representative on January 31, 2023, the claim of the Respondent
rejected. The management and owners of the Respondent decided that the first degree
judgment is accepted, no appeal is presented. Thus, if neither the Applicant
submits an appeal, the judgment will become final.
After the judgment becomes final, if the official procedure is further
is not necessary to continue, the Applicant's data will be deleted.
(40) Following the Respondent's above statement, the Authority called the Respondent to verify
that the judgment has become final. The Applicant to the Authority on June 22, 2023
with the statement he received, he sent a copy of the judgment of […] District Court No. […],
in which the court rejected the claim of the Respondent as plaintiff, and the Respondent
attached in copy […] District Court […] no. order, in which [….] District Court
established that judgment No. […] entered into force on February 16, 2023.
III. Applicable legal provisions
(41) The GDPR must be applied to the processing of personal data in whole or in part in an automated manner
processing, as well as those personal data in a non-automated manner
which are part of a registration system or which
they want to make it part of a registration system. Subject to GDPR
for data management by Infotv. According to Section 2 (2), the GDPR is indicated there
must be applied with supplements.
(42) According to Article 4, point 1 of the GDPR, "personal data": identified or identifiable
any information relating to a natural person ("data subject"); it is possible to identify the a
natural person who directly or indirectly, in particular an identifier,
7 for example name, number, location data, online identifier or the natural person
physical, physiological, genetic, mental, economic, cultural or social identity
identifiable on the basis of one or more relevant factors;
(43) "data management" based on Article 4, point 2 of the GDPR: you are on personal data
any operation performed on data files in an automated or non-automated manner or
a set of operations, such as collection, recording, organization, segmentation, storage, transformation
or change, query, insight, use, communication, transmission, distribution
or otherwise by making available, coordinating or connecting,
restriction, deletion or destruction;
(43) Pursuant to Article 4, point 7 of the GDPR, "data controller": the natural or legal person,
public authority, agency or any other body that personal data
determines the goals and means of its management independently or together with others; if it is
the purposes and means of data management are determined by EU or member state law, the data controller
or special considerations for the appointment of the data controller by the EU or the Member States
can also be determined by law;
(44) Pursuant to GDPR Article 4, point 8, "data processor": the natural or legal person,
public authority, agency or any other body acting on behalf of the data controller
manages personal data;
(44) Based on paragraphs (1)-(6) of Article 12 of the GDPR:
(1) The data controller shall take appropriate measures in order to ensure that the data subject a
all those referred to in Articles 13 and 14 relating to the management of personal data
information and 15-22. and each information according to Article 34 is concise, transparent,
in an understandable and easily accessible form, clearly and intelligibly formulated
provide, especially for any information directed at children. The information
must be given in writing or in another way - including, where applicable, the electronic way. The
at the request of the data subject, oral information can also be given, provided that the data subject has confirmed otherwise
identity.
(2) The data controller facilitates the relevant 15-22. the exercise of his rights according to art. Article 11
In the cases referred to in paragraph (2), the data controller is the data subject concerned in Articles 15-22. rights according to Art
may not refuse to fulfill your request for exercise, unless you prove that
that the person concerned cannot be identified.
(3) The data controller without undue delay, but in any case the request
within one month of its receipt, informs the person concerned of the 15-22 according to article
on measures taken following a request. If necessary, taking into account the request
complexity and the number of applications, this deadline is extended by two more months
can be extended. Regarding the extension of the deadline, the data controller explains the reasons for the delay
indicating within one month from the receipt of the request
concerned. If the person concerned submitted the request electronically, the information is possible
must be provided electronically, unless the data subject requests otherwise.
(45) Based on Article 15 (1) of the GDPR:
(1) The data subject is entitled to receive feedback from the data controller regarding
whether your personal data is being processed and if such data is being processed
is entitled to access to personal data and the following information
get:
a) the purposes of data management;
b) categories of personal data concerned;
c) recipients or categories of recipients with whom or with which the personal
data has been disclosed or will be disclosed, including in particular third-country recipients,
and international organizations;
d) where appropriate, the planned period of storage of personal data, or if this is not the case
possible aspects of determining this period;
8 e) the right of the data subject to request from the data controller the personal data relating to him
rectification, deletion or restriction of processing of data, and may object to such
against processing personal data;
f) the right to submit a complaint addressed to a supervisory authority;
g) if the data were not collected from the data subject, everything about their source is available
information;
h) the fact of automated decision-making referred to in paragraphs (1) and (4) of Article 22, including
profiling as well, and at least in these cases to the applied logic and that
comprehensible information about the significance of such data management and
what are the expected consequences for the person concerned.
(46) Based on paragraphs (1) – (3) of Article 26 of the GDPR:
(1) If the purposes and means of data management are determined jointly by two or more data controllers,
they are considered joint data controllers. The common data controllers transparently, between them
the obligations according to this regulation are defined in the agreement reached
for its performance, in particular by exercising the rights of the data subject and in Articles 13 and 14
related to their tasks related to the provision of said information
the distribution of their responsibility, except in the case and to the extent that it is
the distribution of responsibility for data controllers in the EU or Member State applicable to them
determined by law. In the agreement, a contact person can be designated for those concerned.
(2) The agreement referred to in paragraph (1) must reflect the common
the role of data controllers vis-à-vis stakeholders and their relationship with them. The agreement
its essence must be made available to the person concerned.
(3) The person concerned is everyone, regardless of the terms of the agreement referred to in paragraph (1).
in relation to the data controller and against each data controller, e
rights according to the decree.
(47) Pursuant to Article 28 of the GDPR:
(1) If the data management is carried out by someone else on behalf of the data controller, the data controller is exclusively such
you can use data processors who provide adequate guarantees
data management compliance with the requirements of this regulation and the rights of the data subjects
to implement appropriate technical and organizational measures ensuring its protection.
(2) The data processor is ad hoc or general with the prior written consent of the data controller
you may not use additional data processors without your authorization. The general written
in case of authorization, the data processor informs the data controller of all such planned
about a change that affects the use of additional data processors or their replacement, thereby
providing the data controller with the opportunity to oppose these changes
raise an objection.
(3) Data processing carried out by the data processor based on EU law or Member State law
was created - the subject, duration, nature and purpose of the data management, the personal data
type, categories of data subjects, as well as the obligations and rights of the data controller
must be governed by a defining contract or other legal act, which binds it
data processor against the data controller. The contract or other legal act in particular
stipulates that the data processor:
a) personal data is handled exclusively on the basis of the written instructions of the data controller - including
of personal data for a third country or international organization
transmission - unless the data processing is governed by the EU law applicable to the data processor
or is required by Member State law; in this case, the data processor is responsible for this legal requirement
notifies the data controller prior to data processing, unless the data controller is notified by
a given law prohibits it for reasons of important public interest;
b) ensures that the persons authorized to handle personal data are kept confidential
undertake an obligation or are under an appropriate confidentiality obligation based on law
they stand;
c) take the measures prescribed in Article 32;
9 d) respects (2) and (4) regarding the use of the additional data processor
conditions mentioned in paragraph;
e) appropriate technical and organizational, taking into account the nature of data management
measures to the extent possible to help the data controller to fulfill
obligation of the concerned III. requests related to the exercise of your rights contained in chapter
regarding your answer;
f) assists the data controller in accordance with Art. 32-36. in the fulfillment of obligations under Article, taking into account
the nature of the data management and the information available to the data processor;
g) the decision of the data controller after the completion of the provision of the data management service
deletes or returns all personal data to the data controller and deletes the existing data
copies, unless EU or Member State law requires the storage of personal data;
h) provides the data controller with all information that is in this article
necessary to prove the fulfillment of certain obligations, and which
enabled and facilitated by the data controller or another controller commissioned by the data controller
conducted audits, including on-site inspections.
Regarding point h) of the first subparagraph, the data processor shall inform you immediately
the data controller, if he believes that any of his instructions violate this regulation or the
Member State or EU data protection provisions.
(48) Based on points b) and d) of Article 58 (2) of the GDPR, the supervisory authority
acting within its competence:
b) condemns the data manager or the data processor if its data management activities
violated the provisions of this regulation.
d) instructs the data manager or the data processor that its data management operations - given
in a specified manner and within a specified period of time - harmonized by this regulation
with its provisions.
(49) Pursuant to Article 77 (1) of the GDPR, other administrative or judicial remedies
without prejudice, all data subjects are entitled to lodge a complaint with a supervisory authority
- in particular your usual place of residence, place of work or the place of the alleged infringement
in the Member State of origin - if, according to the judgment of the data subject, the personal data relating to him/her
handling violates this regulation.
(50) Infotv. On the basis of § 38, paragraph (2b), the Authority is provided with personal data in paragraph (2).
with respect to the defined scope of the litigation aimed at making a court decision and
performed by the court in non-litigation proceedings, based on the relevant regulations
in relation to data management operations, it does not cover the provisions specified in paragraph (3).
to exercise powers.
(51) Infotv. § 60 (1) In order to assert the right to the protection of personal data a
At the request of the data subject, the authority initiates official data protection proceedings ex officio
may initiate a data protection official procedure.
(52) Infotv. On the basis of § 61, subsection (6), open to challenge the decision
until the deadline expires, or in the case of an administrative lawsuit, until the final decision of the court a
data affected by disputed data processing cannot be deleted or destroyed.
(53) Infotv. On the basis of § 71, paragraph (1) during the Authority's procedure - for its conduct
to the necessary extent and for the duration - can manage all personal data, as well as the law
data classified as secrets protected by and secrets bound to the exercise of a profession, which are
are related to the procedure, and the management of which is the successful completion of the procedure
necessary for
(54) LIV of 2018 on the protection of business secrets. Act (hereinafter: Trade secret) Section 1 (1)
pursuant to paragraph 1, a business secret related to economic activity, secret – in its entirety,
or as a totality of its elements is not well known, or the economic activity concerned
it is not easily accessible to performing persons, and therefore has a property value
10 facts, information, other data and the compilation of them, which are kept secret
in order to maintain the rightful conduct of the secret in the given situation
attests.
ARC. Decision:
IV.1. The personal data of the Applicant stored by the Respondent, data processing carried out on them,
data manager and data processor quality recorded on the viewing certificate
in relation to data management
IV.1.1. Personal data and its source
(55) According to Article 4, Point 1 of the General Data Protection Regulation, the Applicant's name, mother's name,
your nationality, address, ID document number, telephone number, e-mail address, date of birth
place and time are considered personal data of the Applicant, the storage of which data,
use of data management according to Article 4, Point 2 of the General Data Protection Regulation
qualifies.
(56) The source of the above personal data is the Applicant, as these data are so-called
made available to the Applicant on a viewing statement. The viewing
declaration as a form was made by the Customer as a franchise owner
binding for the Applicant.
IV.1.2. Data processing carried out on the Applicant's personal data - investigated in this procedure
operations
(57) Recording, storage and transmission of the data indicated on the inspection certificate
it can be considered data processing based on Article 4, point 2 of the General Data Protection Regulation. The present
In the official data protection procedure, the Authority separately examined these personal data
recording, and separately, this personal data by the Respondent for claim management purposes
data management related to its transmission. The latter is a data management operation
regarding IV.2. the Authority made findings in point
IV.1.3. The Applicant IV.1.1. related to the recording of personal data according to point
data manager and data processor established in terms of data management
(58) The concept of data controller is defined in Article 4, point 7 of the GDPR, and the concept of data processor is defined in Article 4 of the GDPR.
Article 8. According to Article 4, point 7 of the GDPR, the natural person is a data controller
or legal entity [...] which independently manages the purposes and means of processing personal data
or defines together with others […]. Based on point 8 of the same article
data processor is the natural or legal person [...] that, on behalf of the data controller
manages personal data.
(59) The Data Management Regulations, compiled by the Customer, relating to the data management of the Respondent
is also recorded in the information sheet - in accordance with the statements made by the Requested Party and the Customer -,
that the Customer determines the forms used during data management,
contracts, sales processes, the procedure to be followed in case of breach of contract.
The Data Management Information - as explained in paragraph (30) of this decision, 1.3.
- expressly states that the purpose, means and rules of data management are
The customer defines, and at the same time records that the purpose and means of data management are determined by the customer
data controllers (i.e. the Requested Party and the Customer) do not jointly determine it, no
are considered joint data controllers. The Data Management Notice refers to the fact that
the data management of the individual data controllers (in this case, the Requested Party and the Customer) is thus independent,
at the same time, most data management activities are based on the joint activities of the data controllers
is realized.
11(60) In the opinion of the Authority, the above information is rather contradictory, and it is
it is also contradictory that the Customer determines all forms, so a
The respondent has no say in it, but at the same time, everything is an independent data controller
regarding.
(61) The European Data Protection Board 07/2020. no. guidelines (hereinafter: Guidelines),
which is the data controller and that
about the concept of data processor according to the GDPR, and also details in which case
we can talk about joint data management. Joint data management is on page 3 of the Guidelines
regarding the summary of its essence, the following can be read: "[…] An important aspect,
that data management is not possible without the participation of two parties in the sense that it is
data processing carried out by some parties is inseparable, i.e. untangleable
are connected. Joint participation must include goals on the one hand and goals on the other
the definition of the means. [...]"
(62) The Respondent cannot be considered an independent data controller, but at the same time the Respondent and the Customer are
the data management related to the viewing certificate cannot be considered a joint data manager either
regarding, as the Customer determined its data content, and also by the Customer
it is done in relation to it as written in the prepared Data Management information sheet
data management. This also follows from the operating principles of the franchise system
within the framework of all aspects of the Respondent's activity - and related to it
data management - are regulated in detail. Used under the franchise system
documents, such as the viewing certificate, also contain a reference to the franchise system,
therefore, to continue their activities as specified by the Customer a
partners. The viewing certificate form has the Customer's name and logo
is included, the franchise partners' names are included only to the extent that the customer is aware of it
declares that he learned about the property through XY Real Estate Agency. THE
inspection certificate is not a document required by law, its design,
its content is solely the decision of the data manager, in this case the Customer.
(63) 11.6 of the attached franchise agreement (as an attachment to document NAIH-3772-7/2022). point
the Customer may delete data from its system to which the Requested Party has access
provides and in which the Requested data can be entered.
(64) The following can also be read on page 4 of the Guidelines: "[…] For the data processor
qualification has two basic conditions: an organization separate from the data controller, and
manages personal data on behalf of the data controller. The data processor is the data controller
you may not process the data in a way other than your instructions. Instructions of the data controller
they still give some degree of discretion as to how
the interests of the data controller can be best represented, which enables the data processor
to select the most appropriate technical and organizational measures. [...]"
The Respondent actually handles the data on behalf of the Client, since with them
you cannot make any data management decisions, except for the commission fee
decision on collection. This was decided by the Respondent and forwarded by him
the Applicant's personal data to his lawyer in order to enforce his claim. THE
The Respondent therefore asserts the fee in its own name, this is the Respondent's claim. The present
in this case, the separate organization also exists as a criterion, since the Client and the Respondent
two separate legal entities. In this respect, therefore, the Respondent is independent in this case
data controller. However, this is not the case in all cases, according to Data Management Information 4.4.
point, based on what was written in paragraph (33) of this decision.
(65) Due to the above, the Authority to the Client data controller, the Requested data processor
considers the management of the Applicant's data provided on the viewing certificate,
regarding the recording, in relation to the period until the Data is requested
it does not independently decide on its further use for other purposes, i.e. not for claims management purposes
handles them. Additional data management operations performed on this personal data, i.e. on
handling (storage) of personal data for the purpose of claims management, and […] to the District Court
12 - in connection with legal proceedings -) is subject to a different judgment in IV.2.
as explained in point.
IV.2. Claims management by the Respondent on the Applicant's personal data,
data processing for the purpose of claim validation
IV.2.1. Legitimate interest as a legal basis
(66) The Respondent is a separate legal entity from the Client. It follows from its independent legal personality
is that the Respondent may have a claim against other persons, i.e. the Respondent
in this capacity, it can be considered a data controller, since it can make decisions as an independent legal entity
about whether it takes steps to enforce the given debt. For viewing
certificate also refers, because it refers to the fact that the real estate agency is entitled to
entrusts the Customer with the claim validation. Economic decisions of independent legal entities,
thus, the claims are also independent. So while the franchise system may stipulate that a
using the name of the franchise system, how should the Applicant perform his real estate brokerage
activities, the management of its finances is independent of this. So until the viewing
personal data recorded on the certificate will not be used for claim validation purposes
for use, until then the Requested is considered a data processor, but as soon as it is
data processing for the purpose of claim enforcement begins, from that date the Requested
becomes a data controller.
(67) Based on the above, therefore, the Respondent registered a claim as long as
Against the Applicant, in relation to whom the Applicant has not filed any court proceedings
decision, which would establish that it does not exist, regarding the requested data management
had a legitimate interest, especially considering that court proceedings were ongoing. THE
For the applicant's personal data - natural personal identification data, as well as a
claim data - and to validate your claim, as well as for this
legitimate interest in the processing of necessary data, i.e. Article 6 (1) Paragraph f) of the GDPR
point existed against the Applicant, as long as it was not established by a final judgment
and that the claim does not exist. With reference to this, the Respondent is the Applicant
his personal data was legally handled (stored and forwarded to the court) by his request
for the purpose of validation.
(68) According to the Respondent's statement, the judgment on the rejection of his claim has become final
deletes the Applicant's personal data, if it is not relevant to this official procedure
necessary. After the judgment becomes final, no longer with reference to claim enforcement,
only in the legitimate interest of the Requested Party and the Customer with reference to this official procedure
the personal data of the Applicant can be managed by reference.
(69) At the request of the Authority, the Respondent attached the final judgment of the court and the final
order in the lawsuit initiated with reference to the Respondent's outstanding claim. According to the court
rejected the Respondent's claim, therefore the Respondent's judgment becomes final
after (since 16.02.2023) no longer for claim management purposes with reference to your legitimate interest
can manage the Applicant's personal data.
(70) In view of the above, the Authority granted the Applicant's request and obliged the
The request is from the record of the Applicant's personal data for claim purposes
to delete.
IV.2.2. Consideration of interests
(71) Based on recital (47) of the GDPR, to establish the existence of a legitimate interest
in any case, it must be carefully examined, among other things, that the interests of the person concerned
and your fundamental rights may take precedence over the interest of the data controller if a
personal data are processed in circumstances where the data subjects are not
13 expect further data processing. However, this decision (70)
as established in paragraph 16.02.2023. is no longer relevant after
so it is only 16.02.2023. governing data management up to date.
(72) According to the Authority's finding, it concerns the primacy of the Respondent's legitimate interests
on the one hand, their statement does not specifically refer to the Applicant's personal data, but
made some very brief statements regarding his legitimate interests in general,
on the other hand, it does not cover the circumstances mentioned in recital (47) of the GDPR either. THE
The respondent did not identify the interests of the data subject and did not compare them
interest of the data controller, as well as the necessity and proportionality of the data management
nor was it examined or substantiated. As part of the attached Data Management Information
the “Brief Introduction to the Weighing of Interests Test” emphasizes that if the data subject voluntarily
does not meet the requirements of the data controllers, then there is no other way to achieve the goal, and that
manages the personal data required to validate claims.
(73) According to the Authority's finding, it concerns the primacy of the Respondent's legitimate interest
on the one hand, his statement does not specifically refer to the Applicant's personal data, but
made some very brief statements regarding his legitimate interest in general,
on the other hand, it does not cover the circumstances mentioned in recital (47) of the GDPR either. THE
The respondent did not identify the interests of the data subject and did not compare them
interest of the data controller, as well as the necessity and proportionality of the data management
nor was it examined or substantiated. Given that the Respondent only
made general findings regarding his legitimate interest, therefore the Applicant
in relation to it, he completely failed to carry out the consideration of interests, in general
and its findings cannot be considered sufficient, since the GDPR (47)
it does not meet the requirements of the preamble.
(74) Due to the above, it can be established that the Respondent did not comply with Article 5 (2) of the GDPR
of his obligation according to paragraph
(75) According to the Authority's point of view, in relation to the following personal data - 16.02.2023.
to date - the legitimate interest of the data controller existed, or its priority, as legal claims
scope of personal data required for the purpose of enforcement based on legal provisions
can be determined as follows:
- CXXX of 2016 on the Code of Civil Procedure. Act (hereinafter: Law) § 7 § 3.
identification data in the case of a natural person: place of residence (place of residence
if not, place of residence), delivery address (if from place of residence or place of residence
differs), place and time of birth, mother's name.
- The Pp. According to § 170, paragraph (1), point b), it must be stated in the introductory part of the statement of claim
to indicate the names of the parties, their position in the lawsuit, the identification data of the plaintiff, the defendant is known
his identification data, at least his place of residence, and based on point e) of paragraph (2) a
evidence, which in this case is documents supporting the claim. This list
supplements applicable in civil proceedings and administrative court proceedings
1.4 of Annex 1 of IM Decree 21/2017 (XII.22.) on forms point is
defendant's birth name.
- Act L of 2009 on the payment order procedure § 20 (1) point a)
based on the personal data of the debtors, the payment order procedure
to start, the name of the obligee is required, the Pp. according to the identification data, but
at least to your place of residence.
- The Vht. Paragraphs (2)-(3) of § 11 determine which of the persons requesting enforcement is personal
must provide data when submitting the enforcement application. These data a
following: debtor's name, identification data (place of birth, time, mother
14 name), depending on the circumstances of the case, the debtor's place of residence, workplace and execution
the location of the subject property, or in case of real estate execution, the real estate
registration data.
(76) The Respondent could manage the Applicant's personal data listed above until 16.02.2023
for claims management purposes or for the purpose of asserting legal claims, Article 6 (1) of the GDPR
with reference to paragraph f). At the same time, the Respondent is, in addition to the above, the Applicant
regarding your nationality, e-mail address, document ID and telephone number
also manages data that is not used to assert legal claims based on the above legislation
were necessary. The Applicant also stated that the citizenship data was not necessary
he admitted, because he stated that the processing of citizenship data is not
justified, the Applicant will delete this from the documents and records in the future.
(77) In view of the above, the Authority has the citizenship, document identification, e-mail address and
regarding the management of telephone numbers, it is established by point c) of Article 5 (1) of the GDPR
violation, with regard to the Applicant's other personal data, the Applicant rejects it
request that the Authority establish a violation of the principle of data saving.
At the same time, the Authority obliges the Applicant to provide the Applicant's personal data
not for claim management purposes, only in connection with this official data protection procedure
handle with regard to the judgment of the District Court No. […].
IV.3. Advance information
(78) The Respondent referred to the fact that the inspection certificate is provided by the client in all cases
before signing, read, interpret and, if necessary, ask for an explanation of what is written in it
connection, then signs, and the Applicant did the same. The certificate includes data management
information, which names the data controllers, the purpose of the data management, and includes the GDPR
other elements specified in The prospectus also states that the detailed
data management information which is available on the website. The inspection certificate is issued by the Applicant
he got to know it, read it, signed it, and received a copy of it.
(79) Litigation was ongoing between the Applicant and the Respondent. With the litigation process
regarding data management related to IV.2.1. point, the Authority established that a
data processing based on a legitimate interest was lawful as defined by the Applicant
regarding your data until the final conclusion of the legal proceedings.
(80) If personal data concerning the data subject are collected from the data subject, the data controller shall have a
fair and transparent data management at the time of obtaining personal data
in order to provide data subjects with detailed information pursuant to Article 13 (1) of the GDPR
of what is written in paragraph
(81) Recital (39) of the GDPR stipulates that information on data management
it must be transparent, which must be made available to those concerned in an appropriate way (e.g.
on the website of the data controller) subject to possible additional conditions of the chosen legal bases.
(82) Article 12 of the GDPR defines the formal requirements that must be observed
to be the data controllers when they enable and ensure the exercise of data subjects' rights, including
also the prior information of those concerned. Based on this, the personal data of the data controllers
all information regarding its handling is concise, transparent, comprehensible and easily accessible
form, in a clear and comprehensible manner.
(83) According to the Applicant's point of view, it does not comply with GDPR "7. of Article (2), which
states that if the data subject gives his consent in the form of a written statement,
which also applies to other matters, the request for consent from those other matters
it must be presented in a clearly distinguishable manner, comprehensible and easily accessible
form, with clear and simple language. The data management information sheet is particularly small
it was indicated in font size, with small line spacing."
15(84) The consent given on the inspection certificate applies to two separate purposes, namely a
according to information, gives consent regarding the personal data listed there, which a
they can be processed for the purpose of viewing and claiming, if this is the case. As it is a
It also happened in the case of the applicant.
(85) The Authority agrees that the font size of the inspection certificate is rather small, however
the link to the website is also included, and the data management information can be found on the given link
font size is normal. According to the Authority, in addition, the text on the inspection certificate
bulk, not segmented, so that the requirement of transparent information is not met. The
Guideline 5/2020 of the European Data Protection Board pursuant to Regulation (EU) 2016/679
according to point 71 of consent “[…] For small screens or situations
in order to adapt when there is little space for information, where appropriate - a
in order to avoid excessive interference with user experience or product design –
a multi-level way of presenting information that can be considered." According to the position of the Authority
therefore, it could be solved with multi-level information, or simply by having one
a one-page viewing certificate is extended to two-page so that it is properly readable
be.
(86) Due to the above, the Authority concludes that the Respondent for the purpose of asserting the claim
did not provide adequate information regarding his - independent - data management a
As a respondent, you have therefore violated Article 12 (1) of the GDPR.
IV.4. Cancellation request submitted by the Applicant to the Respondent's lawyer
(87) The Applicant, addressed to the Respondent and the Respondent's legal representative, […]
sent a stakeholder request to a lawyer (hereinafter: Lawyer). The Applicant a
in his application, the lawyer did not object or request the response to the request of the affected party
the examination of data management, so the Authority did not examine it.
IV.5. Decision on trade secrets
(88) The publication of the franchise agreement concluded between the Respondent and the Client is also not general
neither the data protection decree nor the sectoral legislation require it, therefore the Customer
it can be treated as a business secret based on its own decision, so in this respect the Customer
the Authority approves his request, and the franchise established between the Applicant and the Customer
contract is treated as a business secret by the Ákr. Based on § 27, paragraph (2).
IV.6. Violations beyond the request of the Applicant
(89) The present case was brought to the attention of the Applicant in relation to the Applicant's request
to be conducted, a separate procedure regarding the general practice of the Client and the Respondent
may be removed from office due to perceived violations of law.
IV.7. Legal consequences
(90) The Authority condemned the Applicant based on GDPR Article 58 (2) point b) and
the Customer, because they have violated Article 5 (1) point (c), Article 12 (1) of the GDPR
paragraph, and also condemned the Applicant for violating Article 5 (2) of the GDPR
paragraph.
Based on point d) of Article 58 (2) of the GDPR, the Authority instructed the Applicant to
to delete the Applicant I.2. your personal data listed in point 1, and the deletion is confirmed
happening.
16(91) The Authority exceeded Infotv. administrative deadline according to § 60/A. (1), therefore
HUF 10,000, i.e. ten thousand forints, is due to the Applicant - according to his choice - to a bank account
by money order or postal order On the basis of point b) of paragraph (1) of § 51.
A. Other questions:
(92) The competence of the Authority is defined by Infotv. Paragraphs (2) and (2a) of § 38 define it, and its competence is
covers the entire territory of the country.
(93) The decision in Art. 80-81 § and Infotv. It is based on paragraph (1) of § 61. The decision is
Acr. Based on § 82, paragraph (1), it becomes final upon its publication. The Akr. § 112 and § 116
(1) and on the basis of § 114, paragraph (1) administrative against the decision
there is room for legal redress through a lawsuit.
* * *
(94) The rules of the administrative procedure are laid down in Act I of 2017 on the Administrative Procedure
hereinafter: Kp.) is defined. The Kp. Based on § 12, paragraph (1), by decision of the Authority
the administrative lawsuit against falls within the jurisdiction of the court, the lawsuit is referred to in the Kp. Section 13 (3)
Based on subparagraph a) point aa), the Metropolitan Court is exclusively competent. The Kp.
Pursuant to § 27, paragraph (1) point b) in a lawsuit within the jurisdiction of the court, the legal
representation is mandatory. The Kp. According to paragraph (6) of § 39, the submission of the statement of claim a
does not have the effect of postponing the entry into force of an administrative act.
(95) The Kp. Paragraph (1) of § 29 and, in view of this, Pp. According to § 604, it is applicable
of 2015 on the general rules of electronic administration and trust services
CCXXII. Act (hereinafter: E-Administration Act) according to Section 9 (1) point b) of the
the client's legal representative is obliged to maintain electronic contact.
(96) The time and place of filing the statement of claim is determined by Kp. It is defined by § 39, paragraph (1). THE
information on the possibility of a request to hold a hearing in Kp. Section 77 (1)-(2)
based on paragraph The amount of the administrative lawsuit fee is determined by the 1990 Law on Fees
XCIII. Act (hereinafter: Itv.) 45/A. Section (1) defines. The fee is in advance
from the payment of the Itv. Paragraph (1) of § 59 and point h) of § 62 (1) exempt it
party initiating the procedure.
(97) During the procedure, the Authority exceeded Infotv. One hundred and fifty days according to paragraph (1) of § 60/A
administrative deadline, therefore the Ákr. Based on point b) of § 51, he pays ten thousand forints a
To the applicant.
dated: Budapest, according to the electronic signature
Dr. Habil. Attila Péterfalvi
president, c. in the absence of a university professor
dr. Tamás Bendik
vice president
17
