NAIH (Hungary) - NAIH-1336-12/2023

From GDPRhub
Revision as of 16:39, 8 November 2024 by AnnaMaticsek (talk | contribs) (→‎English Summary)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
NAIH - NAIH-1336-12/2023
LogoHU.jpg
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 5(1)(c) GDPR
Article 5(2) GDPR
Article 12(1) GDPR
Type: Complaint
Outcome: Partly Upheld
Started: 13.04.2022
Decided:
Published: 17.07.2024
Fine: n/a
Parties: Complainant
Real estate franchise office
Franchise owner
National Case Number/Name: NAIH-1336-12/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Hungarian
Original Source: naih.hu (in HU)
Initial Contributor: AnnaMaticsek

The Hungarian DPA found a violation of Articles 5(1)(c) and 12(1) GDPR regarding the storage of personal data without a lawful basis, insufficient data minimization, and lack of transparent information to the complainant.

English Summary

Facts

The Complainant alleged that the Respondent, a real estate franchise office, unlawfully stored personal information collected during a property viewing process, including name, ID number, and contact details. This was based on the fact that the Complainant did not receive any information from the Respondent when their data was collected and they assumed it was based on their consent.

The Complainant requested the Hungarian DPA to examine whether the Respondent's data processing activities complied with GDPR.

Despite requesting the deletion of their data, the Complainant’s information was retained for alleged legal enforcement purposes, due to a breach of contract by the Complainant. During the procedure, it turned out that there was an ongoing civil procedure between the Complainant and the Respondent, which already become legally binding.

The Hungarian DPA also involved the Franchise Owner in the process, because the data processing practices of the Respondent (the real estate franchise office) were tied to procedures and policies mandated by the Franchise Owner.

The Hungarian DPA investigated claims that the Respondent’s data processing practices failed to adhere to GDPR’s transparency and data minimization requirements, specifically regarding proper notification of data processing and storing excessive data.

Holding

First, the DPA held that the Respondent and the Franchise Owner were not deemed joint controllers because, although the Franchise Owner provided data processing guidelines and a standardized system, each party independently determined specific aspects of the data processing activities, e.g. they separately determined the purposes and means, and the activities were not closely linked.

Second, the DPA determined, that it was in the legitimate interest of the Respondent to process the personal data of the Complainant for the enforcement of its claims until a legally binding judgment established that the claim did not exist.

The Respondent submitted the court's final judgment and the decision confirming its legal finality, regarding the lawsuit initiated based on the Respondent's outstanding claim. According to this judgment, the court dismissed the Respondent's claim. Therefore, since the judgment became final on February 16, 2023, the Respondent could no longer process the Complainant's personal data for claim management purposes on the grounds of legitimate interest.

In light of this, the Authority upheld the Complainant's request and ordered the Respondent to delete the Complainant's personal data from its claim management records.

Third, the Hungarian DPA held that the Respondent failed to carry out a legitimate interest assessment and therefore was unable to demonstrate compliance with the data processing principles and infringed Article 5(2) GDPR.

Fourth, the DPA found that processing certain personal data of the Complainant - specifically nationality, email address, ID document number, and phone number - were unnecessary for enforcing legal claims. The Authority determined that the processing was excessive and processing these data elements violated Article 5(1)(c) GDPR.

Fifth, the Hungarian DPA found that the Respondent did not inform the Complainant in a transparent and intelligible way about the processing of their personal data, including details such as the identity of the data controller and the purposes of data processing. This lack of prior information meant the Complainant did not have a full understanding of how their data would be processed, which is a core requirement of Article 12(1) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

Case number: NAIH-1336-12/2023.
History: NAIH-3772/2022.                           Subject: decision and order






The National Data Protection and Freedom of Information Authority (hereinafter: the Authority) [...]

applicant (hereinafter: Applicant) 13.04.2022. on the basis of the application submitted on
storage of personal data without a legal basis, as well as violation of the principle of data saving
in respect of which a data protection official was initiated against [...] (hereinafter: Applicant).
procedure - in which the Authority involved […] (hereinafter: Client) as a client - the following
makes decisions:




I. 1. The Authority in its decision to the Applicant's request

                                    partially correct and

I.2.1. determines that the Respondent and the Customer have violated it

    - to natural persons regarding the management of personal data

       protection and the free flow of such data, as well as the 95/46/EC Directive
       Regulation 2016/679 (EU) on its exclusion (hereinafter: GDPR or general
       data protection decree) of Article 12 (1), as no adequate advance notice was given
       information to the Applicant, as well as
    - GDPR Article 5 (1) point c) of the Applicant's nationality,
       management of your document identification number, e-mail address and telephone number
       regarding, furthermore


I.2.2. finds that the Respondent has violated Article 5 (2) of the GDPR, as a
The priority of the applicant's legitimate interest in the processing of personal data is appropriate
he did not justify it by considering interests, furthermore

I.3. obliges the Applicant to, within 15 days from the date of this decision becoming final
confirms that he has deleted the Applicant's personal data for claims management purposes

from the register, in view of the final judgment of the [….] District Court No. […], and only the present one
handles them in connection with official data protection procedures.


II. In its decision, the Authority considers the Applicant's request for the Authority to establish
and regarding the Applicant's name, mother's name, address, place and time of birth - the [….]

For the period prior to the final judgment of the District Court No. […] - data management of the Respondent
illegality,

                                         rejects.

III. In its order, the Authority requires the Client to treat the franchise contract as a business secret
grants your request.                                               * * *
There is no place for administrative appeal against this decision and order, but a
within 30 days from the date of notification, with a letter of claim addressed to the Capital Court
can be challenged in a lawsuit. A letter of claim must be submitted electronically to the Authority, which is
forwards it to the court together with the case documents. The request for holding the trial in the statement of claim

must be indicated. For those who do not receive the full personal tax exemption, the administrative lawsuit
the fee is HUF 30,000, the lawsuit is subject to the right to record fees. In the proceedings before the Metropolitan Court
legal representation is mandatory.


The Authority draws the attention of the Applicant and the Client that the decision is open to appeal

until the expiry of the existing deadline for filing an action, or in the case of an administrative lawsuit, the court is final
the data affected by the disputed data processing may not be deleted or destroyed until the decision is reached.





                                          JUSTIFICATION

I. Procedure of the procedure

(1) At the request of the Applicant, on the right to self-determination of information and freedom of information
    CXII of 2011 2022 based on Section 60 (1) of the Act (hereinafter: Infotv.).

    04.14. on the day of - after fulfilling the requirements written in the notice to make up the gap - data protection authority
    proceedings have been initiated.

(2) In its order, the Authority invited the Applicant to make a statement to clarify the facts
    order, with reference to the 2016 CL.

    Act (hereinafter: Act) to § 63, to which the Respondent's response within the deadline
    arrived at the Authority.

(3) The Authority granted the Client legal status as a client pursuant to Art. Based on § 10, paragraph (1),
    about which he notified both the Applicant and the Respondent, as well as the Client's facts
    for the purpose of clarification, he was invited to make a statement on two occasions.


(4) The Authority notified the Applicant and the Respondent, as well as the Client, that the
    proof procedure is completed and you have drawn their attention to the fact that you are a statement
    can comment. In response to this, none of those notified exercised their right to inspect documents,
    and a statement was made by the Client and the Requested Party, after which the Authority recognized the Requested Party
    called him to support his claim, which the Respondent complied with.



II. Clarification of facts

II.1. The Applicant's application and deficiency statement (NAIH-3772-1/2022., NAIH-3772-
    3/2022., NAIH-3772-5/2022.)


(5) In his application submitted to the Authority on March 16, 2022, the Applicant requested that the
    The Authority will examine the data processing of the Applicant and determine that the Applicant
    did not provide adequate information about data management to the Applicant in advance, that is
    about the data controller, and also oblige the Applicant to the principle of data saving
    compliance and deletion of unnecessary data.



1 The NAIH_KO1 form is used to initiate an administrative lawsuit: NAIH KO1 form (16.09.2019) The
form can be filled out using the general form filling program (ÁNYK program).
https://www.naih.hu/kozig-hatarozat-birosagi-felulvizsgalata
                                                                                                2 The Applicant attached a copy of the following document to the application:


      - by the Applicant on 05.06.2020. "viewing certificate" signed on
      - Sent to [….] on 01.09.2021. cancellation request dated
      - [….] Letter to the applicant dated September 30, 2021.

(6) The Applicant submitted that he viewed a property through the mediation of the Respondent, and therefore
    signed a viewing certificate at the request of the estate agent. The document is the same
    included the data management information, but according to the Applicant's point of view, it is not sufficient

    and GDPR "7. of Article (2), which states that if the data subject's consent is such
    gives the consent in the form of a written statement, which also applies to other matters
    the application must be clearly distinguishable from these other cases
    be presented in an understandable and easily accessible form, with clear and simple language. The
    data management information is displayed in a particularly small font size, with small line spacing."

(7) According to the Applicant's point of view, in addition to the above, the Respondent violated the GDPR

    Article 13, point a), which states that the data controller is responsible for the acquisition of personal data
    at the time of the data subject's disposal to the data controller - and if there is one - it is
    the identity and contact information of the representative of the data controller. According to the Applicant, the GDPR is on this
    despite its requirement, the name of the Applicant is not mentioned anywhere on the document, except for one
    on a very faded and illegible seal impression.

(8) The Applicant addressed the Respondent with a cancellation request, to which the Respondent

    In response, his representative informed him on September 30, 2021 that the request would be rejected because
    no, due to the processing of personal data for the purpose of asserting a claim
    can be deleted. In this way, according to the Applicant's point of view, the Respondent has violated "GDPR Article 5
    point c), i.e. the principle of data saving, since the following personal data of the Applicant
    store:

    - name,

    - his mother's name,
    - citizenship,
    - residential address,
    - identification document number,
    - phone number,
    - email address,
    - place and time of birth.


    According to the Applicant, the above-mentioned personal
    data are not necessary, therefore the Respondent violated the principle of data saving.

(9) The Applicant stated the following in the deficiency correction sent on E-paper (NAIH-3772-
    5/2022.), and explained the content of the data subject's request, which contains the following text
    regarding stakeholder request:


    "Dear [….] !"

    "[…] I would like to ask you and your client T. that my previously provided personal data
    please delete it from your database, the previous one given to store my personal data
    I hereby withdraw my consent. [...]"


(10) According to the attached document, the above text is dated 09.01.2021. date of The Applicant a
    sent your cancellation request by post to […] ([…].). To support his claims, a
    Applicant attached in copy [….] lawyer Addressed to applicant September 30, 2021.
    dated - with the subject of a reply letter - (hereinafter referred to as: Reply Letter), the return receipt and
    A copy of the proof of delivery with the identification number RL […]. According to the copy of the proof of delivery
    the shipment on 13.09.2021. took over on [….].


                                                                                              3(11) The Response Letter details the Respondent's claim (origination) on the one hand, and also partly

    the Applicant is related to the management of his personal data. Personal data of the Applicant
    regarding its handling, the Response Letter contains the following:

(12) “[…] We process your personal data for the purpose of validating the claim, so you
    based on the withdrawal of your consent, we do not and cannot cancel it, I note,
    that you indicate in your letter that your address has changed, so it is just another personal one
    provides data. [...]"



II.2. Statement of the Applicant (NAIH-3772-7/2022.)

(13) […] is a franchise network operated by the Customer. Each franchise partner is
    Based on a franchise contract concluded with a customer, they open [...] an office. The franchise agreement
    regulates in detail the activities of individual franchise partners, thus each

    partners are obliged to submit the documents and forms specified by the Customer,
    to use an IT system, to follow the procedure defined by the Customer, on this
    in addition, however, they act as an independent business company. The individual real estate agents
    they carry out their activities as an individual entrepreneur or as an employee of the company.

(14) The Applicant visited and inspected the Respondent's office for the purpose of purchasing real estate
    a property, signed the inspection certificate confirming this. The Applicant changed several times

    message with the Respondent's job opening, but later it turned out that he hired him directly
    the relationship with the owner as well, and concluded a sales contract with him, but about this a
    He did not inform the applicant, despite what he undertook in the inspection statement, so a
    The applicant did not get the fine he was entitled to. After that, the Respondent made legal
    steps, commissioned a lawyer for the claim arising from the fact of the breach of contract
    for validation. During this, the law firm contacted the Applicant and called on the
    for the payment of a penalty which he also learned and accepted in the viewing statement. The Applicant

    disputed the claim of the Respondent and requested the personal
    deletion of data from the lawyer and the Application. In his response, the lawyer stated this
    refused in view of the ongoing procedure.

(15) Regarding the Applicant, the Respondent manages the following personal data: name,
    mother's name, nationality, permanent residence, type and number of identification document,
    phone number, e-mail address, place and time of birth, address of property viewed and the viewing

    date.

(16) In all cases, the customer intending to view the property must obtain the viewing certificate
    before signing, read, interpret and, if necessary, ask for an explanation of what is written in it
    about, then signs. The Applicant did the same. The certificate includes data management
    information, which names the data controllers, the purpose of the data management, and contains the
    also other elements defined in GDPR. The prospectus also states that a

    detailed data management information is available on this website. The viewing certificate is issued by the
    The applicant was able to familiarize himself with it, read it, sign it, and received a copy of it.

(17) There was a court proceeding in the case at […]. To prove this, the Applicant
    attached a copy of the summons of the […] District Court dated March 21, 2022.

(18) According to its declaration, the Respondent is an independent data controller, so it is not joint with the Client

    data controllers, this is also included in its data management information. The purpose of data management and
    means are not determined jointly by the Client and the Requested Party.

(19) However, contrary to the above, the Respondent also stated that the Respondent a
    conducts its activities as defined by the Customer, and the purpose of data management,
    and the scope of the data is determined by the Customer. Moreover, the Respondent also referred to


                                                                                                4 that the data management information on the Customer's website is applicable to its data management: [...]
    (hereinafter: Data Management Information).


(20) The data of the data subjects is recorded in the IT system provided by the Customer, furthermore
    stored in a closed manner on a paper basis. For property search and viewing certificate
    the content of related data management can be found in Data Management Information 4.2. and 4.3. points are determined
    yes.

(21) The purpose of handling the data on the viewing certificate - as written in the information sheet

    according to - partly the identification of the person concerned, partly the contact, partly the need
    in case of enforcement of claims. No processing of citizenship data
    justified, the Applicant will delete this from the documents and records in the future.

(22) Requests from data subjects are processed in accordance with Section 6.1 of the Data Management Information. and 6.2. written in point
    is handled by the Applicant, their legal representatives are not involved in the handling of such requests
    part. In the present case, the Applicant's letter was answered by his legal representative because

    the data subject sent it to him: the data subject had not previously sent it to the Respondent or the Customer
    contacted, did not request information or cancellation. The acting legal representative for the legal profession
    according to the relevant rules, he contacted the Applicant for the purpose of validating the claim, who
    replied to the legal representative. The Applicant attached the mandate of his legal representative
    a copy of your contract and power of attorney.

(23) According to the Respondent's opinion, the response letter from its legal representative is inaccurate to the extent that

    does not explain in detail the purpose of data management, the data management information sheet 4.4. and the
    based on point d) of the information on the inspection certificate.

II.3. The Customer's statements (NAIH-3772-14/2022., NAIH-3772-15/2022.)

II.3.1. The Client NAIH-3772-14/2022. no. statement


(24) The Customer presented in detail the franchise established between the Respondent and the Customer
    agreement and specifically highlighted that the Respondent cannot freely decide that
    The Client is obliged to enter into an assignment contract with the owners of the properties
    to use a form specified by At the same time, the Respondent is an independent business
    conducts activities, searches for properties and buyers that can be sold, independently decides on
    whether he makes a claim with the customer who viewed the property - with the assistance of the Requested Party
    against, whether to file a lawsuit.


(25) In summary, the Customer highlighted that in the system defined by the Customer and
    according to the documents, the Respondent carries out its activities as an independent legal entity, its own
    on his responsibility.

(26) With reference to the above, in the Customer's opinion, the Respondent and the Customer are common
    data controllers, and the Respondent is an independent data controller with respect to its own customers.


(27) The Customer declared that the franchise contract concluded with the Application is complete
    as a whole it is a business secret, it cannot be made public even in part.

(28) The Customer has attached the Data Management information to his statement, the essence of which is as follows
    from the point of view of the data controller, the following:


    The data management activities may be performed by several persons, which are as follows:

    - the Customer, who is the owner of the franchise system and the operator of the network,
    - the so-called "franchise partner": the member of the franchise network that is with the Customer
       operated an office and real estate agency based on a franchise agreement
       finishes


                                                                                                5 - the so-called "sub-franchise partner": the member of the franchise network that is the Customer
       has a contractual relationship with its partner and is operated by the franchise partner

       conducts real estate brokerage activities in the office.

(29) It is also recorded in the Data Management information sheet - the statements made by the Requested Party and the Customer
    accordingly - that the Customer determines used during data management
    forms, contracts, sales processes, in case of breach of contract
    procedure to be followed.


(30) The Data Management Information - 1.3. in point - expressly records the following:

    "[…] Based on the above, the purpose, tools and rules of Data Management are determined by [...] THE
    Partners provide the data based on the contract concluded with the Data Subject or the Data Subject's consent
    are handled on the basis of, taking into account that the Partners are directly involved
    in connection. Noting that the purpose and means of data management are the Data Managers
    they are not defined jointly, they are not considered joint data controllers. The individual data controllers

    its data management is thus independent, but at the same time most of the data management activities are carried out by the Data Controllers
    is implemented on the basis of its joint activity, so both [….] and the Partners are data controllers
    qualify. [...]"

(31) The Data Management information is in 4.3. related to the viewing certificate
      also details data management as follows:


      Scope of processed data in relation to the viewing person Data management information 3.4.
      point a. and c. is determined by subsection, and the Data Management Information also states that it is
      data is kept by the "Data Controller" for five years from the termination of the legal relationship. "The
      period of time to assert claims after the termination of the legal relationship
      may take place."

(32) In contrast to the above, it is not point 3.4, but point 3.3 that defines the scope of the processed data

      lists according to data management purposes, of which purposes in the present case are the following two purposes
      relevant:

      - "Data required for identification: surname and first name; birth name; place and time of birth;
      his mother's name; permanent address, if not, place of residence, type of identification document
      and number. In relation to the above, the Data Management Information specifically highlights that "That
      provision of data, conclusion of a contract, other relationship creating a legal relationship (e.g.

      signing a viewing certificate) is mandatory, in the absence of these, the contract is not
      can be concluded, bearing in mind that the contract is not possible in the absence of data
      performance, enforcement of claims arising from the contract."

      - "Request-related data: If there is a legal dispute between the data subject and the Data Managers
      is formed (in particular, the person concerned does not pay the fee, or the property is owned by the Partners
      sold to an intermediary buyer by bypassing the Partners), the Data Controllers handle the request

      data regarding its legal basis and nature, as well as the validation of the claim
      supporting evidence.”

(33) Section 4.4 of the Data Management Information is entitled "Enforcement of demands and claims".
    According to what is written in this section, the most common legal dispute is related to "circumvention",
    when the parties involved bypass the Applicant and the Client and establish a legal relationship with it
    with the aim of exempting them from the obligation to pay fees. According to the Data Management Information

    the franchise partners can entrust the Customer with validating the claim, in this case
    the Customer acts as an agent and joint data management is carried out.

(34) The Data Management Information contains a section entitled: "Weighing of interests test
      brief introduction".



                                                                                                6(35) The Data Management information sheet VI. also contains information on the rights of data subjects,
    however, it only mentions "Data Controllers" throughout, so it does not name the previously mentioned

    which of the three is the data controller, namely the Customer or the franchise partner
    or whether it is the sub-partner.

II.3.2. The Client NAIH-3772-15/2022. no. statement

(36) The Customer again explained that the Requested data controller and not data processor
    in the course of his activity as a real estate agent. The Customer also stated that it was not much

    requests from stakeholders are received, and he handles only a few each year. That's why they haven't seen it until now
    the development of the detailed procedure is necessary. in 2023 from the outcome of this procedure
    they plan to independently develop a procedure for handling stakeholder requests.

(37) The Customer sent the inspection certificate to the Authority
    form, on which the following personal data must be entered: name,
    mother's name, nationality, permanent residence, type and number of identification document, telephone, e-

    email, place and time of birth.

(38) The viewing certificate provides brief information under the heading "Data management" that a
    personal data by the "Real Estate Agency" (in this case, the Applicant) and the Customer
    manages. It lists the data management purposes, including: contact, requests
    validation. The information also contains a reference to the fact that if the "Data Subject"
    does not comply voluntarily, then it will be enforced by legal means, and for this they will use the

    your personal data. The information also mentions the rights of stakeholders, and also indicates that
    more detailed information can be found on the Customer's website and provided to it
    access path.

II.3.3. The Applicant NAIH-1336-6/2023. no. and NAIH-1336-11/2023. statements

(39) In the lawsuit between the Respondent and the Applicant [….] District Court dated January 16, 2023, the

    with the judgment received by the legal representative on January 31, 2023, the claim of the Respondent
    rejected. The management and owners of the Respondent decided that the first degree
    judgment is accepted, no appeal is presented. Thus, if neither the Applicant
    submits an appeal, the judgment will become final.

    After the judgment becomes final, if the official procedure is further
    is not necessary to continue, the Applicant's data will be deleted.


(40) Following the Respondent's above statement, the Authority called the Respondent to verify
    that the judgment has become final. The Applicant to the Authority on June 22, 2023
    with the statement he received, he sent a copy of the judgment of […] District Court No. […],
    in which the court rejected the claim of the Respondent as plaintiff, and the Respondent
    attached in copy […] District Court […] no. order, in which [….] District Court
    established that judgment No. […] entered into force on February 16, 2023.


III. Applicable legal provisions

(41) The GDPR must be applied to the processing of personal data in whole or in part in an automated manner
    processing, as well as those personal data in a non-automated manner
    which are part of a registration system or which
    they want to make it part of a registration system. Subject to GDPR

    for data management by Infotv. According to Section 2 (2), the GDPR is indicated there
    must be applied with supplements.

(42) According to Article 4, point 1 of the GDPR, "personal data": identified or identifiable
    any information relating to a natural person ("data subject"); it is possible to identify the a
    natural person who directly or indirectly, in particular an identifier,


                                                                                               7 for example name, number, location data, online identifier or the natural person
    physical, physiological, genetic, mental, economic, cultural or social identity

    identifiable on the basis of one or more relevant factors;

(43) "data management" based on Article 4, point 2 of the GDPR: you are on personal data
    any operation performed on data files in an automated or non-automated manner or
    a set of operations, such as collection, recording, organization, segmentation, storage, transformation
    or change, query, insight, use, communication, transmission, distribution
    or otherwise by making available, coordinating or connecting,

    restriction, deletion or destruction;

(43) Pursuant to Article 4, point 7 of the GDPR, "data controller": the natural or legal person,
    public authority, agency or any other body that personal data
    determines the goals and means of its management independently or together with others; if it is
    the purposes and means of data management are determined by EU or member state law, the data controller
    or special considerations for the appointment of the data controller by the EU or the Member States

    can also be determined by law;

(44) Pursuant to GDPR Article 4, point 8, "data processor": the natural or legal person,
    public authority, agency or any other body acting on behalf of the data controller
    manages personal data;

(44) Based on paragraphs (1)-(6) of Article 12 of the GDPR:


    (1) The data controller shall take appropriate measures in order to ensure that the data subject a
    all those referred to in Articles 13 and 14 relating to the management of personal data
    information and 15-22. and each information according to Article 34 is concise, transparent,
    in an understandable and easily accessible form, clearly and intelligibly formulated
    provide, especially for any information directed at children. The information
    must be given in writing or in another way - including, where applicable, the electronic way. The

    at the request of the data subject, oral information can also be given, provided that the data subject has confirmed otherwise
    identity.
    (2) The data controller facilitates the relevant 15-22. the exercise of his rights according to art. Article 11
    In the cases referred to in paragraph (2), the data controller is the data subject concerned in Articles 15-22. rights according to Art
    may not refuse to fulfill your request for exercise, unless you prove that
    that the person concerned cannot be identified.
    (3) The data controller without undue delay, but in any case the request

    within one month of its receipt, informs the person concerned of the 15-22 according to article
    on measures taken following a request. If necessary, taking into account the request
    complexity and the number of applications, this deadline is extended by two more months
    can be extended. Regarding the extension of the deadline, the data controller explains the reasons for the delay
    indicating within one month from the receipt of the request
    concerned. If the person concerned submitted the request electronically, the information is possible
    must be provided electronically, unless the data subject requests otherwise.


(45) Based on Article 15 (1) of the GDPR:
    (1) The data subject is entitled to receive feedback from the data controller regarding
    whether your personal data is being processed and if such data is being processed
    is entitled to access to personal data and the following information
    get:
    a) the purposes of data management;

    b) categories of personal data concerned;
    c) recipients or categories of recipients with whom or with which the personal
    data has been disclosed or will be disclosed, including in particular third-country recipients,
    and international organizations;
    d) where appropriate, the planned period of storage of personal data, or if this is not the case
    possible aspects of determining this period;


                                                                                               8 e) the right of the data subject to request from the data controller the personal data relating to him
    rectification, deletion or restriction of processing of data, and may object to such

    against processing personal data;
    f) the right to submit a complaint addressed to a supervisory authority;
    g) if the data were not collected from the data subject, everything about their source is available
    information;
    h) the fact of automated decision-making referred to in paragraphs (1) and (4) of Article 22, including
    profiling as well, and at least in these cases to the applied logic and that
    comprehensible information about the significance of such data management and

    what are the expected consequences for the person concerned.

(46) Based on paragraphs (1) – (3) of Article 26 of the GDPR:

    (1) If the purposes and means of data management are determined jointly by two or more data controllers,
    they are considered joint data controllers. The common data controllers transparently, between them
    the obligations according to this regulation are defined in the agreement reached

    for its performance, in particular by exercising the rights of the data subject and in Articles 13 and 14
    related to their tasks related to the provision of said information
    the distribution of their responsibility, except in the case and to the extent that it is
    the distribution of responsibility for data controllers in the EU or Member State applicable to them
    determined by law. In the agreement, a contact person can be designated for those concerned.
    (2) The agreement referred to in paragraph (1) must reflect the common
    the role of data controllers vis-à-vis stakeholders and their relationship with them. The agreement

    its essence must be made available to the person concerned.
    (3) The person concerned is everyone, regardless of the terms of the agreement referred to in paragraph (1).
    in relation to the data controller and against each data controller, e
    rights according to the decree.

(47) Pursuant to Article 28 of the GDPR:


    (1) If the data management is carried out by someone else on behalf of the data controller, the data controller is exclusively such
    you can use data processors who provide adequate guarantees
    data management compliance with the requirements of this regulation and the rights of the data subjects
    to implement appropriate technical and organizational measures ensuring its protection.
    (2) The data processor is ad hoc or general with the prior written consent of the data controller
    you may not use additional data processors without your authorization. The general written
    in case of authorization, the data processor informs the data controller of all such planned

    about a change that affects the use of additional data processors or their replacement, thereby
    providing the data controller with the opportunity to oppose these changes
    raise an objection.
    (3) Data processing carried out by the data processor based on EU law or Member State law
    was created - the subject, duration, nature and purpose of the data management, the personal data
    type, categories of data subjects, as well as the obligations and rights of the data controller
    must be governed by a defining contract or other legal act, which binds it

    data processor against the data controller. The contract or other legal act in particular
    stipulates that the data processor:
    a) personal data is handled exclusively on the basis of the written instructions of the data controller - including
    of personal data for a third country or international organization
    transmission - unless the data processing is governed by the EU law applicable to the data processor
    or is required by Member State law; in this case, the data processor is responsible for this legal requirement
    notifies the data controller prior to data processing, unless the data controller is notified by

    a given law prohibits it for reasons of important public interest;
    b) ensures that the persons authorized to handle personal data are kept confidential
    undertake an obligation or are under an appropriate confidentiality obligation based on law
    they stand;
    c) take the measures prescribed in Article 32;



                                                                                                9 d) respects (2) and (4) regarding the use of the additional data processor
    conditions mentioned in paragraph;

    e) appropriate technical and organizational, taking into account the nature of data management
    measures to the extent possible to help the data controller to fulfill
    obligation of the concerned III. requests related to the exercise of your rights contained in chapter
    regarding your answer;
    f) assists the data controller in accordance with Art. 32-36. in the fulfillment of obligations under Article, taking into account
    the nature of the data management and the information available to the data processor;
    g) the decision of the data controller after the completion of the provision of the data management service

    deletes or returns all personal data to the data controller and deletes the existing data
    copies, unless EU or Member State law requires the storage of personal data;
    h) provides the data controller with all information that is in this article
    necessary to prove the fulfillment of certain obligations, and which
    enabled and facilitated by the data controller or another controller commissioned by the data controller
    conducted audits, including on-site inspections.
    Regarding point h) of the first subparagraph, the data processor shall inform you immediately

    the data controller, if he believes that any of his instructions violate this regulation or the
    Member State or EU data protection provisions.

(48) Based on points b) and d) of Article 58 (2) of the GDPR, the supervisory authority
    acting within its competence:
    b) condemns the data manager or the data processor if its data management activities
    violated the provisions of this regulation.

    d) instructs the data manager or the data processor that its data management operations - given
    in a specified manner and within a specified period of time - harmonized by this regulation
    with its provisions.

(49) Pursuant to Article 77 (1) of the GDPR, other administrative or judicial remedies
    without prejudice, all data subjects are entitled to lodge a complaint with a supervisory authority

    - in particular your usual place of residence, place of work or the place of the alleged infringement
    in the Member State of origin - if, according to the judgment of the data subject, the personal data relating to him/her
    handling violates this regulation.

(50) Infotv. On the basis of § 38, paragraph (2b), the Authority is provided with personal data in paragraph (2).
    with respect to the defined scope of the litigation aimed at making a court decision and

    performed by the court in non-litigation proceedings, based on the relevant regulations
    in relation to data management operations, it does not cover the provisions specified in paragraph (3).
    to exercise powers.

(51) Infotv. § 60 (1) In order to assert the right to the protection of personal data a
    At the request of the data subject, the authority initiates official data protection proceedings ex officio

    may initiate a data protection official procedure.

(52) Infotv. On the basis of § 61, subsection (6), open to challenge the decision
    until the deadline expires, or in the case of an administrative lawsuit, until the final decision of the court a
    data affected by disputed data processing cannot be deleted or destroyed.


(53) Infotv. On the basis of § 71, paragraph (1) during the Authority's procedure - for its conduct
    to the necessary extent and for the duration - can manage all personal data, as well as the law
    data classified as secrets protected by and secrets bound to the exercise of a profession, which are
    are related to the procedure, and the management of which is the successful completion of the procedure
    necessary for


(54) LIV of 2018 on the protection of business secrets. Act (hereinafter: Trade secret) Section 1 (1)
    pursuant to paragraph 1, a business secret related to economic activity, secret – in its entirety,
    or as a totality of its elements is not well known, or the economic activity concerned
    it is not easily accessible to performing persons, and therefore has a property value

                                                                                               10 facts, information, other data and the compilation of them, which are kept secret
    in order to maintain the rightful conduct of the secret in the given situation

    attests.


ARC. Decision:

IV.1. The personal data of the Applicant stored by the Respondent, data processing carried out on them,

data manager and data processor quality recorded on the viewing certificate
in relation to data management

IV.1.1. Personal data and its source

(55) According to Article 4, Point 1 of the General Data Protection Regulation, the Applicant's name, mother's name,
    your nationality, address, ID document number, telephone number, e-mail address, date of birth

    place and time are considered personal data of the Applicant, the storage of which data,
    use of data management according to Article 4, Point 2 of the General Data Protection Regulation
    qualifies.

(56) The source of the above personal data is the Applicant, as these data are so-called
    made available to the Applicant on a viewing statement. The viewing
    declaration as a form was made by the Customer as a franchise owner

    binding for the Applicant.

IV.1.2. Data processing carried out on the Applicant's personal data - investigated in this procedure
    operations

(57) Recording, storage and transmission of the data indicated on the inspection certificate
    it can be considered data processing based on Article 4, point 2 of the General Data Protection Regulation. The present

    In the official data protection procedure, the Authority separately examined these personal data
    recording, and separately, this personal data by the Respondent for claim management purposes
    data management related to its transmission.  The latter is a data management operation
    regarding IV.2. the Authority made findings in point

IV.1.3. The Applicant IV.1.1. related to the recording of personal data according to point
    data manager and data processor established in terms of data management


(58) The concept of data controller is defined in Article 4, point 7 of the GDPR, and the concept of data processor is defined in Article 4 of the GDPR.
    Article 8. According to Article 4, point 7 of the GDPR, the natural person is a data controller
    or legal entity [...] which independently manages the purposes and means of processing personal data
    or defines together with others […]. Based on point 8 of the same article
    data processor is the natural or legal person [...] that, on behalf of the data controller
    manages personal data.


(59) The Data Management Regulations, compiled by the Customer, relating to the data management of the Respondent
    is also recorded in the information sheet - in accordance with the statements made by the Requested Party and the Customer -,
    that the Customer determines the forms used during data management,
    contracts, sales processes, the procedure to be followed in case of breach of contract.
    The Data Management Information - as explained in paragraph (30) of this decision, 1.3.
    - expressly states that the purpose, means and rules of data management are

    The customer defines, and at the same time records that the purpose and means of data management are determined by the customer
    data controllers (i.e. the Requested Party and the Customer) do not jointly determine it, no
    are considered joint data controllers. The Data Management Notice refers to the fact that
    the data management of the individual data controllers (in this case, the Requested Party and the Customer) is thus independent,
    at the same time, most data management activities are based on the joint activities of the data controllers
    is realized.



                                                                                             11(60) In the opinion of the Authority, the above information is rather contradictory, and it is
    it is also contradictory that the Customer determines all forms, so a

    The respondent has no say in it, but at the same time, everything is an independent data controller
    regarding.

(61) The European Data Protection Board 07/2020. no. guidelines (hereinafter: Guidelines),
    which is the data controller and that
    about the concept of data processor according to the GDPR, and also details in which case
    we can talk about joint data management. Joint data management is on page 3 of the Guidelines

    regarding the summary of its essence, the following can be read: "[…] An important aspect,
    that data management is not possible without the participation of two parties in the sense that it is
    data processing carried out by some parties is inseparable, i.e. untangleable
    are connected. Joint participation must include goals on the one hand and goals on the other
    the definition of the means. [...]"

(62) The Respondent cannot be considered an independent data controller, but at the same time the Respondent and the Customer are

    the data management related to the viewing certificate cannot be considered a joint data manager either
    regarding, as the Customer determined its data content, and also by the Customer
    it is done in relation to it as written in the prepared Data Management information sheet
    data management. This also follows from the operating principles of the franchise system
    within the framework of all aspects of the Respondent's activity - and related to it
    data management - are regulated in detail. Used under the franchise system
    documents, such as the viewing certificate, also contain a reference to the franchise system,

    therefore, to continue their activities as specified by the Customer a
    partners. The viewing certificate form has the Customer's name and logo
    is included, the franchise partners' names are included only to the extent that the customer is aware of it
    declares that he learned about the property through XY Real Estate Agency. THE
    inspection certificate is not a document required by law, its design,
    its content is solely the decision of the data manager, in this case the Customer.


(63) 11.6 of the attached franchise agreement (as an attachment to document NAIH-3772-7/2022). point
    the Customer may delete data from its system to which the Requested Party has access
    provides and in which the Requested data can be entered.

(64) The following can also be read on page 4 of the Guidelines: "[…] For the data processor
    qualification has two basic conditions: an organization separate from the data controller, and
    manages personal data on behalf of the data controller. The data processor is the data controller

    you may not process the data in a way other than your instructions. Instructions of the data controller
    they still give some degree of discretion as to how
    the interests of the data controller can be best represented, which enables the data processor
    to select the most appropriate technical and organizational measures. [...]"
    The Respondent actually handles the data on behalf of the Client, since with them
    you cannot make any data management decisions, except for the commission fee
    decision on collection. This was decided by the Respondent and forwarded by him

    the Applicant's personal data to his lawyer in order to enforce his claim. THE
    The Respondent therefore asserts the fee in its own name, this is the Respondent's claim. The present
    in this case, the separate organization also exists as a criterion, since the Client and the Respondent
    two separate legal entities. In this respect, therefore, the Respondent is independent in this case
    data controller. However, this is not the case in all cases, according to Data Management Information 4.4.
    point, based on what was written in paragraph (33) of this decision.


(65) Due to the above, the Authority to the Client data controller, the Requested data processor
    considers the management of the Applicant's data provided on the viewing certificate,
    regarding the recording, in relation to the period until the Data is requested
    it does not independently decide on its further use for other purposes, i.e. not for claims management purposes
    handles them. Additional data management operations performed on this personal data, i.e. on
    handling (storage) of personal data for the purpose of claims management, and […] to the District Court


                                                                                           12 - in connection with legal proceedings -) is subject to a different judgment in IV.2.
    as explained in point.



IV.2.  Claims management by the Respondent on the Applicant's personal data,
    data processing for the purpose of claim validation

IV.2.1. Legitimate interest as a legal basis


(66) The Respondent is a separate legal entity from the Client. It follows from its independent legal personality
    is that the Respondent may have a claim against other persons, i.e. the Respondent
    in this capacity, it can be considered a data controller, since it can make decisions as an independent legal entity
    about whether it takes steps to enforce the given debt. For viewing
    certificate also refers, because it refers to the fact that the real estate agency is entitled to
    entrusts the Customer with the claim validation. Economic decisions of independent legal entities,
    thus, the claims are also independent. So while the franchise system may stipulate that a

    using the name of the franchise system, how should the Applicant perform his real estate brokerage
    activities, the management of its finances is independent of this. So until the viewing
    personal data recorded on the certificate will not be used for claim validation purposes
    for use, until then the Requested is considered a data processor, but as soon as it is
    data processing for the purpose of claim enforcement begins, from that date the Requested
    becomes a data controller.


(67) Based on the above, therefore, the Respondent registered a claim as long as
    Against the Applicant, in relation to whom the Applicant has not filed any court proceedings
    decision, which would establish that it does not exist, regarding the requested data management
    had a legitimate interest, especially considering that court proceedings were ongoing. THE
    For the applicant's personal data - natural personal identification data, as well as a
    claim data - and to validate your claim, as well as for this
    legitimate interest in the processing of necessary data, i.e. Article 6 (1) Paragraph f) of the GDPR

    point existed against the Applicant, as long as it was not established by a final judgment
    and that the claim does not exist. With reference to this, the Respondent is the Applicant
    his personal data was legally handled (stored and forwarded to the court) by his request
    for the purpose of validation.

 (68) According to the Respondent's statement, the judgment on the rejection of his claim has become final
    deletes the Applicant's personal data, if it is not relevant to this official procedure

    necessary. After the judgment becomes final, no longer with reference to claim enforcement,
    only in the legitimate interest of the Requested Party and the Customer with reference to this official procedure
    the personal data of the Applicant can be managed by reference.

(69) At the request of the Authority, the Respondent attached the final judgment of the court and the final
    order in the lawsuit initiated with reference to the Respondent's outstanding claim. According to the court
    rejected the Respondent's claim, therefore the Respondent's judgment becomes final

    after (since 16.02.2023) no longer for claim management purposes with reference to your legitimate interest
    can manage the Applicant's personal data.

(70) In view of the above, the Authority granted the Applicant's request and obliged the
    The request is from the record of the Applicant's personal data for claim purposes
    to delete.


IV.2.2. Consideration of interests

(71) Based on recital (47) of the GDPR, to establish the existence of a legitimate interest
    in any case, it must be carefully examined, among other things, that the interests of the person concerned
    and your fundamental rights may take precedence over the interest of the data controller if a
    personal data are processed in circumstances where the data subjects are not


                                                                                             13 expect further data processing. However, this decision (70)
    as established in paragraph 16.02.2023. is no longer relevant after

    so it is only 16.02.2023. governing data management up to date.

(72) According to the Authority's finding, it concerns the primacy of the Respondent's legitimate interests
    on the one hand, their statement does not specifically refer to the Applicant's personal data, but
    made some very brief statements regarding his legitimate interests in general,
    on the other hand, it does not cover the circumstances mentioned in recital (47) of the GDPR either. THE
    The respondent did not identify the interests of the data subject and did not compare them

    interest of the data controller, as well as the necessity and proportionality of the data management
    nor was it examined or substantiated. As part of the attached Data Management Information
    the “Brief Introduction to the Weighing of Interests Test” emphasizes that if the data subject voluntarily
    does not meet the requirements of the data controllers, then there is no other way to achieve the goal, and that
    manages the personal data required to validate claims.

(73) According to the Authority's finding, it concerns the primacy of the Respondent's legitimate interest

    on the one hand, his statement does not specifically refer to the Applicant's personal data, but
    made some very brief statements regarding his legitimate interest in general,
    on the other hand, it does not cover the circumstances mentioned in recital (47) of the GDPR either. THE
    The respondent did not identify the interests of the data subject and did not compare them
    interest of the data controller, as well as the necessity and proportionality of the data management
    nor was it examined or substantiated. Given that the Respondent only
    made general findings regarding his legitimate interest, therefore the Applicant

    in relation to it, he completely failed to carry out the consideration of interests, in general
    and its findings cannot be considered sufficient, since the GDPR (47)
    it does not meet the requirements of the preamble.

(74) Due to the above, it can be established that the Respondent did not comply with Article 5 (2) of the GDPR
    of his obligation according to paragraph



(75) According to the Authority's point of view, in relation to the following personal data - 16.02.2023.
    to date - the legitimate interest of the data controller existed, or its priority, as legal claims
    scope of personal data required for the purpose of enforcement based on legal provisions
    can be determined as follows:

   - CXXX of 2016 on the Code of Civil Procedure. Act (hereinafter: Law) § 7 § 3.

       identification data in the case of a natural person: place of residence (place of residence
       if not, place of residence), delivery address (if from place of residence or place of residence
       differs), place and time of birth, mother's name.

   - The Pp. According to § 170, paragraph (1), point b), it must be stated in the introductory part of the statement of claim
       to indicate the names of the parties, their position in the lawsuit, the identification data of the plaintiff, the defendant is known
       his identification data, at least his place of residence, and based on point e) of paragraph (2) a

       evidence, which in this case is documents supporting the claim. This list
       supplements applicable in civil proceedings and administrative court proceedings
       1.4 of Annex 1 of IM Decree 21/2017 (XII.22.) on forms point is
       defendant's birth name.

   - Act L of 2009 on the payment order procedure § 20 (1) point a)
       based on the personal data of the debtors, the payment order procedure

       to start, the name of the obligee is required, the Pp. according to the identification data, but
       at least to your place of residence.

   - The Vht. Paragraphs (2)-(3) of § 11 determine which of the persons requesting enforcement is personal
       must provide data when submitting the enforcement application. These data a
       following: debtor's name, identification data (place of birth, time, mother


                                                                                             14 name), depending on the circumstances of the case, the debtor's place of residence, workplace and execution
         the location of the subject property, or in case of real estate execution, the real estate

         registration data.

(76) The Respondent could manage the Applicant's personal data listed above until 16.02.2023
    for claims management purposes or for the purpose of asserting legal claims, Article 6 (1) of the GDPR
    with reference to paragraph f). At the same time, the Respondent is, in addition to the above, the Applicant
    regarding your nationality, e-mail address, document ID and telephone number
    also manages data that is not used to assert legal claims based on the above legislation

    were necessary. The Applicant also stated that the citizenship data was not necessary
    he admitted, because he stated that the processing of citizenship data is not
    justified, the Applicant will delete this from the documents and records in the future.

(77) In view of the above, the Authority has the citizenship, document identification, e-mail address and
    regarding the management of telephone numbers, it is established by point c) of Article 5 (1) of the GDPR
    violation, with regard to the Applicant's other personal data, the Applicant rejects it

    request that the Authority establish a violation of the principle of data saving.
    At the same time, the Authority obliges the Applicant to provide the Applicant's personal data
    not for claim management purposes, only in connection with this official data protection procedure
    handle with regard to the judgment of the District Court No. […].

IV.3. Advance information


(78) The Respondent referred to the fact that the inspection certificate is provided by the client in all cases
    before signing, read, interpret and, if necessary, ask for an explanation of what is written in it
    connection, then signs, and the Applicant did the same. The certificate includes data management
    information, which names the data controllers, the purpose of the data management, and includes the GDPR
    other elements specified in The prospectus also states that the detailed
    data management information which is available on the website. The inspection certificate is issued by the Applicant
    he got to know it, read it, signed it, and received a copy of it.


(79) Litigation was ongoing between the Applicant and the Respondent. With the litigation process
    regarding data management related to IV.2.1. point, the Authority established that a
    data processing based on a legitimate interest was lawful as defined by the Applicant
    regarding your data until the final conclusion of the legal proceedings.

(80) If personal data concerning the data subject are collected from the data subject, the data controller shall have a

    fair and transparent data management at the time of obtaining personal data
    in order to provide data subjects with detailed information pursuant to Article 13 (1) of the GDPR
    of what is written in paragraph

(81) Recital (39) of the GDPR stipulates that information on data management
    it must be transparent, which must be made available to those concerned in an appropriate way (e.g.
    on the website of the data controller) subject to possible additional conditions of the chosen legal bases.


(82) Article 12 of the GDPR defines the formal requirements that must be observed
    to be the data controllers when they enable and ensure the exercise of data subjects' rights, including
    also the prior information of those concerned. Based on this, the personal data of the data controllers
    all information regarding its handling is concise, transparent, comprehensible and easily accessible
    form, in a clear and comprehensible manner.


(83) According to the Applicant's point of view, it does not comply with GDPR "7. of Article (2), which
    states that if the data subject gives his consent in the form of a written statement,
    which also applies to other matters, the request for consent from those other matters
    it must be presented in a clearly distinguishable manner, comprehensible and easily accessible
    form, with clear and simple language. The data management information sheet is particularly small
    it was indicated in font size, with small line spacing."


                                                                                               15(84) The consent given on the inspection certificate applies to two separate purposes, namely a

    according to information, gives consent regarding the personal data listed there, which a
    they can be processed for the purpose of viewing and claiming, if this is the case. As it is a
    It also happened in the case of the applicant.

(85) The Authority agrees that the font size of the inspection certificate is rather small, however
    the link to the website is also included, and the data management information can be found on the given link
    font size is normal. According to the Authority, in addition, the text on the inspection certificate

    bulk, not segmented, so that the requirement of transparent information is not met. The
    Guideline 5/2020 of the European Data Protection Board pursuant to Regulation (EU) 2016/679
    according to point 71 of consent “[…] For small screens or situations
    in order to adapt when there is little space for information, where appropriate - a
    in order to avoid excessive interference with user experience or product design –
    a multi-level way of presenting information that can be considered." According to the position of the Authority
    therefore, it could be solved with multi-level information, or simply by having one

    a one-page viewing certificate is extended to two-page so that it is properly readable
    be.

(86) Due to the above, the Authority concludes that the Respondent for the purpose of asserting the claim
    did not provide adequate information regarding his - independent - data management a
    As a respondent, you have therefore violated Article 12 (1) of the GDPR.


 IV.4. Cancellation request submitted by the Applicant to the Respondent's lawyer

 (87) The Applicant, addressed to the Respondent and the Respondent's legal representative, […]
      sent a stakeholder request to a lawyer (hereinafter: Lawyer). The Applicant a
      in his application, the lawyer did not object or request the response to the request of the affected party
      the examination of data management, so the Authority did not examine it.



 IV.5. Decision on trade secrets

 (88) The publication of the franchise agreement concluded between the Respondent and the Client is also not general
      neither the data protection decree nor the sectoral legislation require it, therefore the Customer
      it can be treated as a business secret based on its own decision, so in this respect the Customer
      the Authority approves his request, and the franchise established between the Applicant and the Customer

      contract is treated as a business secret by the Ákr. Based on § 27, paragraph (2).


 IV.6. Violations beyond the request of the Applicant

 (89) The present case was brought to the attention of the Applicant in relation to the Applicant's request
      to be conducted, a separate procedure regarding the general practice of the Client and the Respondent

      may be removed from office due to perceived violations of law.

 IV.7. Legal consequences

 (90) The Authority condemned the Applicant based on GDPR Article 58 (2) point b) and
       the Customer, because they have violated Article 5 (1) point (c), Article 12 (1) of the GDPR
       paragraph, and also condemned the Applicant for violating Article 5 (2) of the GDPR

       paragraph.

       Based on point d) of Article 58 (2) of the GDPR, the Authority instructed the Applicant to
       to delete the Applicant I.2. your personal data listed in point 1, and the deletion is confirmed
       happening.



                                                                                               16(91) The Authority exceeded Infotv. administrative deadline according to § 60/A. (1), therefore
      HUF 10,000, i.e. ten thousand forints, is due to the Applicant - according to his choice - to a bank account

      by money order or postal order On the basis of point b) of paragraph (1) of § 51.

A. Other questions:

(92) The competence of the Authority is defined by Infotv. Paragraphs (2) and (2a) of § 38 define it, and its competence is
    covers the entire territory of the country.


(93) The decision in Art. 80-81 § and Infotv. It is based on paragraph (1) of § 61. The decision is
    Acr. Based on § 82, paragraph (1), it becomes final upon its publication. The Akr. § 112 and § 116
    (1) and on the basis of § 114, paragraph (1) administrative against the decision
    there is room for legal redress through a lawsuit.
                                                * * *
(94) The rules of the administrative procedure are laid down in Act I of 2017 on the Administrative Procedure
    hereinafter: Kp.) is defined. The Kp. Based on § 12, paragraph (1), by decision of the Authority

    the administrative lawsuit against falls within the jurisdiction of the court, the lawsuit is referred to in the Kp. Section 13 (3)
    Based on subparagraph a) point aa), the Metropolitan Court is exclusively competent. The Kp.
    Pursuant to § 27, paragraph (1) point b) in a lawsuit within the jurisdiction of the court, the legal
    representation is mandatory. The Kp. According to paragraph (6) of § 39, the submission of the statement of claim a
    does not have the effect of postponing the entry into force of an administrative act.

(95) The Kp. Paragraph (1) of § 29 and, in view of this, Pp. According to § 604, it is applicable

    of 2015 on the general rules of electronic administration and trust services
    CCXXII. Act (hereinafter: E-Administration Act) according to Section 9 (1) point b) of the
    the client's legal representative is obliged to maintain electronic contact.

(96) The time and place of filing the statement of claim is determined by Kp. It is defined by § 39, paragraph (1). THE
    information on the possibility of a request to hold a hearing in Kp. Section 77 (1)-(2)
    based on paragraph The amount of the administrative lawsuit fee is determined by the 1990 Law on Fees

    XCIII. Act (hereinafter: Itv.) 45/A. Section (1) defines. The fee is in advance
    from the payment of the Itv. Paragraph (1) of § 59 and point h) of § 62 (1) exempt it
    party initiating the procedure.

(97) During the procedure, the Authority exceeded Infotv. One hundred and fifty days according to paragraph (1) of § 60/A
    administrative deadline, therefore the Ákr. Based on point b) of § 51, he pays ten thousand forints a
    To the applicant.


dated: Budapest, according to the electronic signature


                                                            Dr. Habil. Attila Péterfalvi
                                                        president, c. in the absence of a university professor
                                                                dr. Tamás Bendik

                                                                  vice president















                                                                                                17