NAIH (Hungary) - NAIH-1743/2021: Difference between revisions
Revision as of 09:18, 20 December 2021
| NAIH (Hungary) - NAIH-1743/2021 | |
|---|---|
| Authority: | NAIH (Hungary) |
| Jurisdiction: | Hungary |
| Relevant Law: | Article 5(1) GDPR, Article 6(1) GDPR, Article 9 GDPR, Article 58 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 23.09.2021 |
| Published: | 09.12.2021 |
| Fine: | None |
| Parties: | n/a |
| National Case Number/Name: | NAIH-1743/2021 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Hungarian |
| Original Source: | NAIH (in HU) |
| Initial Contributor: | Tapir |
The Hungarian DPA issued a reprimand against a controller for the unlawful recording and sharing of a private conversation between two parents and a daycare employee which contained special categories of data.
English Summary
Facts
A data subject submitted a complaint with the Hungarian DPA for the unlawful processing of their personal data and the personal data of their child, including special categories of data. The complaint was made regarding the recording and subsequent sharing of a private conversation between the defendant and the complainant, as well as an employee of a daycare attended by both of their respective children. The recording contained personal data, including sensitive information about the health of a minor. It was then shared by the controller within a Facebook group consisting of all the parents whose children attend the daycare, as well as via e-mail with other parties. Upon questioning, the defendant admitted that they had no legal grounds for the collection or sharing of this data.
Holding
The Hungarian DPA noted that both recording the conversation for purely personal use or sharing information about the meeting with other interested parents could have fallen under the household exemption of the GDPR under Article 2(2)(c). However, NAIH held that sharing this information via a recording was contrary to the principles of purpose limitation and data minimisation under Articles 5(1)(b) and 5(1)(c) GDPR. Moreover, the DPA held that the defendant had no legal ground for the processing of the data, including special categories of data, under Article 6(1) and Article 9. Subsequently, NAIH decided to reprimand the controller under Article 58(2)(b) and impose a ban on any further processing under Article 58(2)(f). The DPA also ordered the controller to inform those with whom the data was shared to erase it without undue delay under Article 58(2)(g). However, NAIH did not find it necessary to impose an administrative fine under Article 83(2), taking into account that the controller is a natural person who had accepted that their conduct had been unlawful.
Comment
In the DPA's opinion, the recording of the conversation between two parents and the daycare employee in secret is 'concerning and unacceptable from an ethical point of view'. However, they state that it would have still fallen under the household exemption, as long as the data is not shared with others (but only serves as an aid to help remember what was said during the meeting). One could argue that this interpretation of Article 2(2)(c) allows natural persons to record all of their phone conversations for example, as long as they don't share them with anyone. One risk could be that, given that this processing would fall outside the scope of the GDPR, even the general principles (especially 'integrity and confidentiality') wouldn't apply.
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
Case No: NAIH-1743- / 2021 Subject: Approval of application decision DECISION Before the National Authority for Data Protection and Freedom of Information (hereinafter referred to as the Authority) […] with regard to the minority of the applicant (hereinafter referred to as the Applicant): […] (address: […], Hereinafter referred to as "the Representative", against […] (address: […]) (hereinafter referred to as "the Applicant") unauthorized data processing submitted to the Authority on 28 January 2021 In the data protection authority proceedings initiated following the request of the Authority, the Authority shall take the following decisions: I. The Authority will grant the applicant 's request and 1) condemn the Applicant, taking into account that the Applicant 's personal data and special personal data of natural persons for the processing of personal data and the free movement of such data, and Regulation (EU) 2016/679 repealing Directive 95/46 / EC (a hereinafter referred to as the GDPR) in accordance with Article 5 (1) (a), a The principle of purpose limitation under Article 5 (1) (b) of the GDPR and Article 5 (1) the principle of data retention referred to in paragraph 1 (c) and Articles 6 and 9 of the GDPR unlawfully handled the data when disclosed to third parties made it available; 2) prohibits the Applicant from recording with third parties - either online or otherwise; 3) oblige the Applicant to provide the recipients to whom the recording by e-mail personal and special personal data of the Applicant notified of the need to delete the recording. The Applicant is the completion of the measure must be duly substantiated to the Authority by the present decision within 30 days of becoming final. II. The Authority shall issue the Applicant ex officio for the infringements set out in point I. in the warning gives. 
There is no administrative remedy against this decision, but from the date of notification within 30 days of the application to the Metropolitan Court in an administrative lawsuit can be challenged. The application must be submitted to the Authority, electronically, which is the case forward it to the court together with his documents. For those who do not benefit from full personal exemption, the fee for the administrative lawsuit is HUF 30,000, the lawsuit is subject to the right to record material fees. The Capital Legal proceedings are mandatory in proceedings before the General Court.
1055 Budapest, Falk Miksa utca 9-11. Tel.: +36 1 391-1400 Fax: +36 1 391-1410 ugyfelszolgalat@naih.hu www.naih.hu
REASONING I. Procedure (1) The Representative, represented by the Applicant, received a letter from the Authority on 28 January submitted a request for data protection authority proceedings against the Applicant, in which he complained that the Requested was secretly made and then a Facebook published a recording of a conversation in which the Applicant 's personal and information classified as special data was provided. (2) The Applicant shall, in order to investigate the matter, discover the violation, and the legal consequences for the Applicant requested the Authority to apply. (3) The Authority issued its decision of 5 March 2021, NAIH-1743-2 / 2021. Order No. of the Applicant on 17 March 2021 In its letter to the Authority and the annexes thereto deed. (4) The Authority found that the detail of the screenshot was not suitable for the objected subject to prove the processing of data, therefore NAIH-1743-4 / 2021 dated 14 April 2021. number In his order, he called on the Representative to do so within 8 days of receiving the order send a screenshot of the recording to the Authority.
(5) Following the receipt of the above-mentioned order on 16 April 2021, the Applicant shall by post and attached to the letter received by the Authority on 27 April complied with the Authority's order. (6) The Authority issued NAIH-1743-6 / 2021 on 13 May 2021. In its order No To give an application within fifteen days of receipt of the order information on the purpose and legal basis for sharing the recording on the Facebook group, as well as who in the process got to know the Applicant’s personal and special personal data and whether the recording was sent by e-mail, to whom (s), for what purpose and on what legal basis. (7) On 2 June 2021, the Applicant sent NAIH-1743-6 / 2021. Order no NAIH-1743-9 / 2021. on 14 June 2021 via the e-paper service in his letter sent. (8) On 25 June 2021, the Authority informed the Applicant and the Applicant that the in the data protection authority proceedings, the evidentiary procedure was completed and drew their attention the right to inspect the file and to submit further requests for evidence the possibility of exercising it. (9) On 2 July 2021, the Representative indicated that he wished to exercise his right of access to the file. The Authority has issued NAIH-1743-14 / 2021. submitted by the Representative in his order no limited access to personal data that is not known to him and sent it to the specified postal address from the non-Applicant copies of documents originating from and not sent to the Applicant. (10) No further request for access to the file or request for proof was received by the Authority. II. Facts (11) In a request received by the Authority on 28 January 2021, the Applicant complained that. discussing the problem related to the Applicant - indicated by the kindergarten teacher A meeting was organized with the Representative and the head of the kindergarten also taken the Applicant, who is the mother of one of the kindergarten groupmates.
Included in the application According to He requested from the first 46 minutes of the meeting with his mobile phone in secret made a video recording that is more of an audio recording because the recording when it was made, the device was in his pocket, so it only recorded sound. The Applicant submitted that Applicant “uploaded the audio recording to the Facebook community page of a kindergarten to the side of the group created for the parents, that is, to the public made it directly accessible, ’. According to the application, the applicant is included in the recording information that constitutes your personal and special personal information notwithstanding, the Applicant has not requested the Representative - ie Applicant 's legal representative - consent to the recording of the sound recording, and neither the fact of its preparation nor its use, that is, to the public did not inform the Representative. (12) According to the Applicant, the Applicant violated the information self-determination CXII of 2011 on the right to freedom of information and freedom of information Act (hereinafter: the Information Act) Section 4 (1), Section 5 (1) (b), Section (2) (a) and Section 14 therefore processing is unlawful. The Applicant requested the Authority to investigate expose the case, detect the breach and prohibit the infringing controller from further infringement, and apply legal sanctions against him. (13) The Applicant attached to his application a piece of data carrier on which it can be found one that contains a visual display only in its first seconds, but is natural a non-personal video recording of the conversation described in the application audible. There are also two Word documents on the flash drive, one of which presumably an online conversation between the Applicant and the Applicant, while another is likely to be between the parents of children in the affected kindergarten group online conversation was recorded in typed form.
(14) In response to the Authority's request for rectification, the Representative clarified his request that infringes the processing of your child's personal and special personal data, and provided the personal data requested by the Authority and Facebook referred to in the request group information. The impugned recording was attached to the letter a detail of the screenshot to verify the publication of the […] Screenshot of a Facebook group. (15) The Applicant shall send another flash drive - with the screenshots on it - confirmed that the recording in question was in a Facebook group used by several persons publication, its date and the identity of the publisher, and the fact that the group includes a discourse on the conversation you hear on the recording. (16) At the request of the Authority, the Applicant submitted that the audio material was submitted on 21 January 2021 was made for the reason that such a conversation also had professional reasons they utter what he can hardly recall later. The Applicant explained that he was not bad intentions, and in this conversation it became clear to the children they are in danger, and neither the kindergarten teacher nor the Representative want a substantive take steps. The Applicant further submitted that to his knowledge, in addition to one nor was a parent aware that he was “suffering from a severe nervous system problem a small child joins the group, ”and feared the children. He therefore claims to have published the audio material on January 22, 2021 at 5:12 a.m. parents of preschoolers - a total of 23 people - used by the messenger group. He stressed that the purpose was to inform and that he realized that this should not have been the case when the kindergarten teacher a on the day of publication, he wrote to him at 10:30 a.m. to remove the recording because he had not consented to it. The Applicant therefore removed the recording from the group at 10:15 a.m. 
THE According to the applicant, since many parents are working at the time of publication, and recording was available for a very short time, "almost no one could listen." THE Based on his statement, the applicant also immediately deleted the recording from the conversation. THE Applicant also cited the group discussions as well as his statement also attached screenshots to prove this. (17) To the Authority's question on the legal basis for sending the recording by e-mail in response, the Applicant admitted that he had no right to send the recording to anyone who he asked, and again pointed out that he had done so not with malicious intent, but for the benefit of the children. He further submitted that the recording was sent only to the person who requested it from one of the parents. (18) In its clarified statement, the Applicant identified the three persons to whom the recording has been sent via email. (19) On the basis of the information available, the Authority concluded that the application between the Representative, the Applicant and the head of the kindergarten talk. (20) During the discussion, the following points concerning the Applicant were made, inter alia information: name ([…]), place of residence, fact that it does not belong to the given kindergarten district, as well as the finding in a particularly sensitive area of the private sector that there have been three recent deaths in his family. It can also be heard on the recording a lot of information that the Applicant's behavior, behavioral problems whether it is to mention a specific conflict or a problem duration of its existence.
(21) In addition, the following information on the Applicant 's state of health was recorded on the audio recording information can also be heard: they accompany […]; You are taking a 'active' medicine; […] Will be investigated (Due to […] problem); twice a week and related statements referring to the fact of illness (eg by the Applicant to the Representative) statement: "I do not see you admitting that [”]. "). (22) The recording was published in a chat group of which the Applicant is a member parents of children attending kindergarten group also visited. To publish a link to the recording the day after the conversation on the recording, that is to say, on 22 January 2021, and a messenger was also deleted from the group that day. III. Applicable law Article 2 (1) GDPR: This Regulation shall apply to personal data in part or fully automated processing of personal data and the processing of personal data which are part of a registration system which are intended to be part of a registration system. 
GDPR Article 2 (2) (c): 'This Regulation shall not apply to personal data natural persons solely for their personal or domestic activities carried out in the framework of the GDPR Article 4 (1): "personal data" means identified or identifiable natural data any information about the person ("data subject"); identifiable by that natural a person who, directly or indirectly, in particular by means of an identifier such as a name, number, location data, online identification or physical, physiological, genetic, intellectual, economic, cultural or social identity identifiable by several factors; GDPR Article 4 (2): "processing of personal data" means personal data or data files any operation or set of operations carried out in an automated or non-automated manner, thus collecting, recording, organizing, sorting, storing, transforming or altering, querying, available for inspection, use, communication, transmission or other means harmonization or interconnection, restriction, deletion or destruction.
Article 4 (15) of the GDPR: '' health data 'means a physical or mental substance of a natural person personal data concerning his state of health, including for a natural person also provide information on the health services provided the state of health of the natural person; " Article 5 (1) (a) GDPR: “the processing of personal data lawfully and lawfully be carried out fairly and in a way that is transparent to the data subject ("legality, fair procedure and transparency ");" Article 5 (1) (b) GDPR: "the collection of personal data shall be limited to specified, for a clear and legitimate purpose and not be treated in a way that is incompatible with those purposes in a compatible manner; does not constitute an original purpose in accordance with Article 89 (1) incompatible for the purpose of archiving in the public interest, scientific and historical research further processing for personal or statistical purposes ("purpose limitation"); " Article 5 (1) (c) GDPR: personal data shall have “the purposes for which they are processed they must be appropriate and relevant and necessary limited to "data saving"; " GDPR Article 6 (1): Processing of personal data only if and to the extent that lawful if at least one of the following is met: (a) the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes treatment; (b) processing is necessary for the performance of a contract to which one of the parties is a party; or to take action at the request of the data subject prior to the conclusion of the contract required; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) the processing is in the vital interests of the data subject or of another natural person necessary for its protection; (e) the exercise of a public interest or the exercise of official authority vested in the controller necessary for the performance of its task; (f) processing for the
legitimate interests of the controller or of a third party necessary, unless the interests of the data subject take precedence over those interests or fundamental rights and freedoms which call for the protection of personal data, especially if the child concerned. Point (f) of the first subparagraph shall not apply to the performance of their duties by public authorities data management. 3. The legal basis for the processing referred to in points (c) and (e) of paragraph 1 shall be the following state: (a) Union law, or (b) the law of the Member State to which the controller is subject. The purpose of the processing shall be determined by reference to this legal basis and in accordance with paragraph 1 (e). with regard to the processing of data referred to in point (a), it must be necessary in the public interest or a task performed in the exercise of a public authority conferred on the controller to implement. This legal basis may include the application of the rules contained in this Regulation adjusting provisions, including the lawfulness of the processing by the controller general conditions, the type of data subject to data processing, the data subjects, the the entities with which personal data may be disclosed and the purposes of such disclosure, restrictions on the purpose of the data processing, the duration of the data storage and the data processing operations and other data processing procedures, such as lawful and fair data processing measures necessary to ensure compliance, including the other as defined in Chapter for specific data management situations. EU or national law must pursue an objective in the public interest must be proportionate to the legitimate aim pursued. 
Article 9 of the GDPR: Management of special categories of personal data (1) Racial or ethnic origin, political opinion, religion or belief or personal data referring to trade union membership, as well as genetic data, natural biometric data for personal identification, health data and personal information concerning the sexual life or sexual orientation of natural persons data processing is prohibited. * 2. Paragraph 1 shall not apply if: (a) the data subject has given his or her explicit consent to one or more specific transfers of such personal data unless Union or Member State law provides that the prohibition referred to in paragraph 1 may not be lifted with the consent of the data subject; (b) the processing of data by the controller or the data subject concerning employment and social fulfillment of its obligations under legal provisions governing security and social protection and in order to exercise his specific rights, if he is defending the fundamental rights and interests of the data subject under EU or national law which also provides adequate guarantees or under the law of a Member State a collective agreement allows for this; (c) processing for the protection of the vital interests of the data subject or of another natural person necessary if, due to the physical or legal incapacity of the person concerned, he is unable to a give its consent; (d) the processing is carried out by a foundation for political, ideological, religious or trade union purposes, association or any other non-profit organization with appropriate guarantees provided that the processing is carried out exclusively by such a body applies to current or former members or to persons who are regular members of the organization are related to the purposes of the organization and that personal data are shall not be made available to persons outside the organization without the consent of the persons concerned for; (e) the processing relates to personal data which are specifically
requested by the data subject disclosed; f) the processing is necessary for the establishment, enforcement or protection of legal claims, or when the courts are acting in their judicial capacity; * (g) processing is necessary for overriding reasons of public interest under Union law or the law of a Member State which: proportionate to the aim pursued, respects the right to the protection of personal data appropriate to ensure the fundamental rights and interests of the data subject and prescribes concrete measures; (h) for the purposes of pre - processing health or occupational health purposes, assessment of an employee's ability to work, medical diagnosis, health care or the provision of social care or treatment, or health or social systems and necessary for the management of the service, under Union or Member State law, or under a contract with a healthcare professional and referred to in paragraph 3 subject to conditions and warranties; (i) the processing is necessary in the public interest in the field of public health, such as: protection against serious cross-border threats to health or health the high quality and safety of care, medicines and medical devices under EU or Member State law that is appropriate and specific provides for measures to safeguard the rights and freedoms of the data subject, and in particular to: professional secrecy; (j) data processing in accordance with Article 89. for archiving in the public interest in accordance with Article necessary for scientific and historical research or statistical purposes under the law of a Member State, which is proportionate to the aim pursued, respects personal data the essential content of the right to the protection of the individual and the fundamental rights and interests of the data subject provides for appropriate and concrete measures to ensure 3. The personal data referred to in paragraph 1 may be exchanged in accordance with paragraph 2 (h). 
for the purposes referred to in paragraph 1, if the processing of such data by or on behalf of a professional under the responsibility of a professional who is competent or competent under Union or Member State law professional secrecy laid down in the rules laid down by the competent authorities of the Member States or by another person who is also a Member State or a Member State rules laid down by the competent authorities of the Member States subject to a specific obligation of confidentiality. Member States may maintain additional conditions, including restrictions, or may be introduced for the management of genetic data, biometric data and health data regarding. Article 58 (2) GDPR: Acting in the corrective power of the supervisory authority: (b) reprimands the controller or the processor if he or she is acting in a data-processing capacity infringed the provisions of this Regulation. (f) temporarily or permanently restrict data processing, including data processing prohibition; (g) order personal data in accordance with Articles 16, 17 and 18 respectively rectification or erasure of data and restrictions on data processing, as well as Article 17 (2) order notification to the addressees in accordance with with whom or with whom the personal data have been communicated; Article 77 (1) GDPR: Without prejudice to other administrative or judicial remedies, all parties concerned shall have the right to lodge a complaint with a supervisory authority, in particular the according to his habitual residence, place of employment or the place of the alleged infringement in a Member State, if the data subject considers that the processing of personal data concerning him or her infringes this Regulation. Infotv. 
§ 2 (2): Personal data shall be processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council covered by the Council Regulation (hereinafter referred to as the General Data Protection Regulation) General Data Protection Regulation in Annexes III-V. and VI / A. Chapter and Section 3, Sections 3, 4, 6, 11, 12, 13, 16, 17, 21, 23-24. Section 4 (5), Section 5 (3) to (5), (7) and (8) § 13 (2), § 23, § 25, § 25 / G. § (3), (4) and (6) in paragraph 25 / H. § (2), 25 / M. § (2), 25 / N. §, 51 / A. § (1), Articles 52-54. § 55 (1) - (2), 56-60. §, 60 / A. § (1) - (3) and (6), Section 61 (1) (a) and (c), Section 61 (2) and (3) paragraph 4 (b) and paragraphs 6 to 10, paragraphs 62 to 71. § 72 in Section 75 (1) - (5), Section 75 / A. With the additions specified in § and Annex 1 should be used. Infotv. Enforcement of the right to the protection of personal data pursuant to Section 60 (1) the Authority shall, at the request of the data subject, initiate a data protection authority procedure. The data protection authority procedure is governed by the CL of 2016 on General Administrative Procedure. (hereinafter: Ákr.) shall be applied in accordance with the provisions of the Infotv additions and derogations under the General Data Protection Regulation. Infotv. 75 / A. §: The Authority is set out in Article 83 (2) to (6) of the General Data Protection Regulation exercise its powers in accordance with the principle of proportionality, in particular by: legislation on the processing of personal data or binding European Union law for the first time in the event of a breach of the rules laid down in in accordance with Article 58 of the General Data Protection Regulation by alerting the controller or processor. IV. Decision (23) The processing of data by recording consisted of two different data processing operations.
The first operation was to record the recording, while the second operation was to communicate the recording, and the latter it took two different forms when the Applicant first appeared in the group shared the recording and then e-mailed his statement - and the attached evidence - according to three people. Both operations, including the recording and communication of the recording considered as data processing within the meaning of Article 4 (2) of the GDPR. IV.1 Data management related to the communication of the recording (24) The Authority found that personal data within the meaning of Article 4 (1) of the GDPR the following information about the Applicant on the audio recording shall be considered: a name ([…]), place of residence, that it does not belong to the given kindergarten district; in his family a there have been three recent deaths; the Applicant's conduct, behavioral information about your problem. (25) It was also found that the GDPR was a health claim within the meaning of Article 4 (15) and therefore special personal data under Article 9 (1) of the GDPR statements made by the Applicant that […] are taking “[…]” medication, […] will have a test […] problem, two weeks a week times of development, as well as to provide indications that he is ill. (26) The Applicant indicated different data processing purposes for the two data processing operations me. According to the Applicant 's statement, the recording was made for the purpose of: later recall the conversation and the communication to the other parents - ie to inform the addressees of the communication. (27) As regards the recording of the recording, the Authority noted that as long as is for purely private purposes, that is to say, as the Applicant has pointed out, the recording will help the Recaller to recall what was said during the interview the so-called "household data management" category, and the GDPR - a Article 2 (2) (c) shall not apply to it. 
However, not it may be disregarded that the recording was made in secret - subject to the sensitivity of the topic of discussion - ethically concerned and not acceptable. (28) However, at the moment, as between the Applicant and the Representative and the a recording of a conversation between the kindergarten teacher for other people made it available - thus making the Applicant’s personal and special personal data - the private nature of the recording, ie also by the Applicant emphasized, his own self-interest ceased to exist. Consequently, the position of the Authority according to the division of the recording goes beyond the household exception to the GDPR the concept of data management. (29) With regard to the sharing of recordings as a data processing operation, the Authority should the purpose indicated by the applicant - ie to inform the other parents about the Applicant stated the following. THE conversation with two people involved in the main topic, the kindergarten teacher with the help, so between three people, it took place in a closed circle, and although it was uttered differently also conflicts and general problems related to children, starting from the There was a conflict between the Applicant's child and the Applicant. The Applicant himself is a in the attached messenger conversation: “Monday afternoon, a after another incident with my son, I had another parental complaint with the head of the kindergarten. ” […] “At the initiative of yesterday […], we sat down with his kindergarten teacher to discuss things. ” The Representative also intends to have a child and the Applicant in a conversation between the two of them to resolve a conflict between their children informing all parents about what has been said is not considered lawful under the GDPR purpose.
(30) In addition to the unlawfulness of the stated purpose, the Authority found that an oral conversation with the others, exclusively about general, relevant information that concerns them, does not fall under the GDPR owing to its household nature, and therefore cannot be objected to from a data protection point of view.

(31) However, sharing the recording in this way was an unnecessary interference with the privacy of the data subject, i.e. the Applicant, because his personal and special personal data thus became accessible to more than one person.

(32) In addition to the above, the Authority did not consider online communication an appropriate way to pass on the information in this case, as it carries the possibility and risk that the recipient of the link, or in the case of an e-mail the file, may forward the recording to other persons.

(33) In view of the above, by sharing the recording the Applicant violated the principle of purpose limitation under Article 5 (1) (b) of the GDPR and the principle of data minimisation set out in Article 5 (1) (c) of the GDPR.

IV.2 Legal basis for data processing

(34) Based on the above, the Applicant's disclosure of the Applicant's personal data to third parties is an activity falling under the GDPR, in which case the lawfulness of the processing is conditional on the existence of one of the legal bases laid down in Article 6 (1) of the GDPR.

(35) In addition, the processing of special personal data is in principle prohibited. Special personal data may be lawfully processed only if, in addition to a legal basis under Article 6 (1) of the GDPR, there is also a circumstance within the meaning of Article 9 (2) of the GDPR which allows an exception to the prohibition on the processing of special data.

(36) The Applicant did not have the consent of the Applicant for the data processing.
The Authority invited the Applicant to indicate the legal basis of his data processing; however, the Applicant did not comply with this during the proceedings. To the Authority he stated, “I did not have the right to send the recording to anyone who asked for it now I know.” He did not in fact have the consent of the Applicant or the legal representative, nor did he prove the existence of any other legal basis.

(37) In view of the specific circumstances of the case, the Authority concluded that the processing of both the Applicant's personal data and his special personal data lacked a legal basis; therefore, the Applicant violated Articles 6 (1) and 9 of the GDPR.

(38) In view of the above, the Authority granted the Applicant's request and, pursuant to Article 58 (2) (f) of the GDPR, prohibits the Applicant from communicating the sound recording to third parties.

IV.3. Principle of fair data management

(39) Fairness is a principle governing data processing that requires respect for the data subject's privacy and human dignity. In accordance with the principle of fair data processing, the data subject may not become vulnerable vis-à-vis the data controller or another person.

(40) The recording of the conversation held with the Applicant's legal representative about the Applicant was made without the Representative's knowledge, as the Applicant secretly, without informing those present, used a recording device kept in his pocket. He thereby recorded a conversation during which the Representative, i.e. the mother of the minor Applicant, suspecting nothing about the recording, shared a number of sensitive pieces of information about her child's private life and state of health with the other two participants in the conversation. Given that the Representative did not know that the recording was being made, and could not even expect it in the circumstances, she could not object to it.
(41) The purpose of the meeting was to talk about the situation caused by conflicts and other problems between the child of the Applicant and the Applicant, and to try to find a solution together. The Applicant was therefore aware from the very beginning that the conversation would focus on the Applicant's behavioral problems and their background.

(42) In addition, the Applicant emphatically tried on several occasions during the discussion, with his questions or comments, to have it confirmed that the Applicant was ill. An example of this is the dialogue on the recording in which, when the Requested says to the Representative that “I do not see you admitting that […].”, the Representative begins her response with “I acknowledge,”. Also during the conversation, the Applicant is repeatedly compared to other preschoolers as healthy children. The Applicant also mentions his own child in such a context, indirectly referring to the Applicant's state of illness: “I have the right to protect my healthy child.”

(43) The Applicant therefore shared the recording with third parties while being aware, as an active participant in and shaper of the conversation, not only of the conversation but also of the sensitivity of what was said in it.

(44) Sensitive, special data about the Applicant and allusions to his behavior were voiced. The data transmission was capable of adversely affecting how the Applicant is judged in his microenvironment, among the parents of his kindergarten peers.
(45) In view of the above, the Authority finds that the Applicant has infringed the principle of fair data processing under Article 5 (1) (a) of the GDPR, because he decided to transmit a recording of a conversation that was uncomfortable for the Applicant, portrayed him unfavourably in comparison with his fellow preschoolers, emphasized his illness and distinguished him from others, when there would have been no need at all to process personal and special personal data.

IV.4. Other findings of the Authority

(46) According to the Applicant, the Applicant violated Section 4 (1), Section 5 (1) (b), Section (2) (a) and Section 14 of Act CXII of 2011 on the right to information self-determination and freedom of information (hereinafter: the Information Act), and therefore the processing is unlawful.

(47) The Authority firstly points out that, where the General Data Protection Regulation is applicable, the scope of the provisions of the Infotv. relevant to the protection of personal data is as follows. Section 2 (2) of the “new Infotv.”, i.e. the Infotv. as amended by Act XXXVIII of 2018 amending Act CXII of 2011 on the right to information self-determination and freedom of information in connection with the data protection reform of the European Union, and amending other related laws (hereinafter referred to as the Modified Act), effective from 26 July 2018, states that for the processing of personal data falling within the scope of the General Data Protection Regulation, the General Data Protection Regulation shall apply with the additions set out in the specific provisions of the Infotv. These do not include the provisions referred to by the Applicant in its request.

(48) In view of the above, subject to the provisions of Article 2 of the GDPR, the GDPR shall apply to the processing of data in the present case.

IV.5. Legal consequences

(49) The Authority granted the Applicant's request and, pursuant to Article 58 (2) (b) of the GDPR, condemns the Applicant for violating Article 5 (1) (a), (b) and (c), Article 6 and Article 9 of the GDPR.

(50) The Authority granted the Applicant's request and, in order to terminate the infringement and restore data protection, pursuant to Article 58 (2) (f) of the GDPR prohibits the communication of the recording, whether online or otherwise, and instructs the Applicant to refrain from such conduct in the future.

(51) In addition, in accordance with Article 58 (2) (g) of the GDPR, the Authority instructs the Applicant to notify the addressees to whom the recording has been forwarded by e-mail of the need to delete the recording.

(52) The Authority examined of its own motion whether the imposition of a data protection fine was justified. In this context, the Authority considered all the circumstances of the case on the basis of Article 83 (2) of the GDPR and Infotv. Section 75/A. In view of the circumstances of the case, the Authority found that, for the infringement established in the present proceedings, a warning is a proportionate and dissuasive sanction, so the imposition of a fine is not required.

(53) In its decision, the Authority took into account that the Requested is an individual and that, in view of all the circumstances of the case, it can be presumed that he will fully comply with the decision of the Authority and ensure the protection of the Applicant's personal data even without the imposition of a fine. The Authority will specifically monitor compliance with this decision and, in the event of non-compliance, may impose a procedural fine or initiate further data protection authority proceedings. In the event of a further data protection infringement, the present infringement will be taken into account as an antecedent, with greater weight, when determining the legal consequences.

V. Other issues

(54) The powers of the Authority are defined by Infotv. Section 38 (2) and (2a); its jurisdiction covers the entire territory of the country.

(55) The decision is based on Article 80.-81. § and Infotv. Section 61 (1). Pursuant to Ákr. Section 82 (1), the decision becomes final upon its communication.

(56) Pursuant to Art. Section 112, Section 116 (1) and Section 114 (1), redress against the decision and the winding-up order is available by way of administrative action.

(57) The rules of administrative litigation are laid down in Act I of 2017 on the Procedure of Administrative Litigation (hereinafter: Kp.). Pursuant to Kp. Section 12 (1), the administrative lawsuit against the decision of the Authority falls within the jurisdiction of the court; pursuant to Section 13 (3) (a) (aa), the Metropolitan Court has exclusive jurisdiction. Pursuant to Kp. Section 27 (1) (b), representation is mandatory in proceedings falling within the jurisdiction of the General Court. Pursuant to Kp. Section 39 (6), the filing of the application has no suspensory effect on the entry into force of an administrative act.

(58) Pursuant to Kp. Section 29 (1) and, with regard to this, Section 9 (1) (b) of Act CCXXII of 2015 on the general rules of electronic administration and trust services (hereinafter: E-Administration Act), applicable pursuant to Pp. Section 604, the client's legal representative is obliged to communicate electronically.

(59) The time and place of filing the application are set out in Kp. Section 39 (1). The information on the possibility of requesting a hearing is based on CM. Section 77 (1) - (2). The rate of the fee for an administrative lawsuit is set out in Section 45/A (1) of Act XCIII of 1990 on Fees (hereinafter: Itv.). Pursuant to Itv. Section 59 (1) and Section 62 (1) (h), the party initiating the proceedings is exempt from the advance payment of the fee.

(60) If the Debtor does not duly prove the fulfillment of the prescribed obligation, the Authority considers that the obligation has not been complied with within the time limit. Pursuant to Ákr. Section 132, if the debtor has not fulfilled the obligation contained in the final decision of the authority, it is enforceable. Pursuant to Section 82 (1), the decision of the Authority becomes final upon communication. Pursuant to Ákr. Section 133, enforcement is ordered by the decision-making authority, unless a law or government decree provides otherwise. Pursuant to Ákr. Section 134, enforcement is carried out by the state tax authority, unless a law, government decree or, in a municipal official matter, a local government decree provides otherwise. Pursuant to Infotv. Section 60 (7), with regard to the obligation contained in the decision of the Authority to perform a specific act, engage in specific conduct, tolerate or suspend, the enforcement of the decision is implemented by the Authority.

Budapest, September 23, 2021

Dr. Attila Péterfalvi
President
c. professor