NAIH (Hungary) - NAIH-13-10/2022: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Hungary |DPA-BG-Color=background-color:#7f0037; |DPAlogo=LogoHU.jpg |DPA_Abbrevation=NAIH |DPA_With_Country=NAIH (Hungary) |Case_Number_Name=N...")
 
 
(2 intermediate revisions by 2 users not shown)
Line 65: Line 65:
}}
}}


The Hungarian DPA issued a warning to a public body responsible for child protection, for the obstruction of the exercise of the right of access to an audio recording containing the data subject’s voice.
The Hungarian DPA reprimanded a public body responsible for child protection for obstructing the exercise of the right of access to an audio recording containing the data subject’s voice in violation of [[Article 5 GDPR|Articles 5]] and [[Article 6 GDPR|6 GDPR]].  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
On 7 June 2021, the data subject filed a complaint to the DPA, as he became aware that the data controller – the Family Counselling and Child Protection Centre of Budapest, District III (Óbuda) –
On 7 June 2021, the data subject filed a complaint with the DPA, as they became aware that the data controller – the Family Counselling and Child Protection Centre of Budapest, District III (Óbuda) –
forwarded an audio recording of domestic violence (abuse) to the competent Child Welfare Centre, and this recording also contained the voice of the data subject. The recording was originally made and sent by the data subject’s estranged wife.
forwarded an audio recording of domestic violence (abuse) to the competent Child Welfare Centre, and this recording also contained the voice of the data subject. The recording was originally made and sent by the data subject’s estranged wife.


On 14 June 2021, the data subject also exercised his right of access to the file with the controller in person. As the audio material was not made available to him during his visit, he requested it to be sent to him by e-mail.
On 14 June 2021, the data subject exercised their right of access with the controller in person. As the audio material was not made available during the visit, the data subject requested it to be sent via e-mail. The controller refused to provide the file despite multiple further requests by the data subject.  
On 17 June 2021, the controller informed that it was not possible to send him the requested audio material because it was not part of the file. Subsequently, on 17 and 18 June 2021, the data subject contacted the controller again, referring to his right of access. On 18 June 2021, the controller replied that it had not received any audio material.  


However, in a letter dated 1 July 2021, the controller informed the data subject that the audio material requested by him was not physically part of the file, but it is available in file format. The audio material was then sent electronically to the competent Child Welfare Centre and subsequently deleted. The data subject therefore requested the DPA to declare that the controller unlawfully processed and transmitted his personal data to the Child Welfare Centre and that it unlawfully refused him request for access.
However, in a letter dated 1 July 2021, the controller informed the data subject that the audio material requested by him was not physically part of the file, but it was available in file format. The audio material was then sent electronically to the competent Child Welfare Centre and subsequently deleted. The data subject therefore requested the DPA to declare that the controller unlawfully processed and transmitted their personal data to the Child Welfare Centre and that it unlawfully refused him request for access.


In its reply to the DPA, the controller stated that it stored the audio recording. The data subject's child and the child's mother previously moved from their address in the 3rd district of Budapest and the controller's jurisdiction extended only to the 3rd district. Therefore, the complete file was transferred by the controller to the Child Welfare Centre pursuant to [[Article 6 GDPR#1e|Article 6(1)(e) GDPR]]. The controller also stated that it subsequently considered the storage and transmission of the audio recording to be an error, and therefore took immediate action to delete the e-mail containing the audio recording.
In its reply to the DPA, the controller stated that it stored the audio recording. Allegedly, the complete file was transferred to the Child Welfare Centre pursuant to [[Article 6 GDPR#1e|Article 6(1)(e) GDPR]]. The controller also stated that it subsequently considered the storage and transmission of the audio recording to be an error, and therefore took immediate action to delete the e-mail containing the audio recording.


In relation to the data subject's requests for a copy of the audio recording, the controller stated that on 17 and 18 June 2021, it wrongly refused to disclose the audio recording. The controller contemplated at first that it was not competent to process the information of the data subject and because if that, it was transferred to the Child Welfare Centre. As for the audio recording, the controller instead found that it was not entitled to process the audio recording is and therefore deleted it based on [[Article 5 GDPR#1b|Article 5(1)(b) GDPR]].
In relation to the data subject's requests for a copy of the audio recording, the controller stated that on 17 and 18 June 2021, it wrongly refused to disclose the audio recording. The controller contemplated at first that it was not competent to process the information of the data subject and because if that, it was transferred to the Child Welfare Centre. As for the audio recording, the controller instead found that it was not entitled to process the audio recording is and therefore deleted it based on [[Article 5 GDPR#1b|Article 5(1)(b) GDPR]].
=== Holding ===
=== Holding ===
The DPA stated that an audio recording containing the voice of the estranged wife and the voice of the data subject is considered to be personal data shared between the data subject and the estranged wife.
The DPA stated that an audio recording containing the voice of the estranged wife and the voice of the data subject is considered to be personal data shared between the data subject and the estranged wife.


The DPA further stated that the controller, as a family and child welfare center, performs a public task related to the protection of children. Therefore it is entitled to process the data of parents in relation to the upbringing of children. As the audio recording submitted as evidence by one of the parents in the guardianship proceedings is part of the file, the DPA considered that the data controller's processing was lawful. Therefore, the DPA rejected the part of the complaint seeking a redress for the unlawful transfer.
The DPA further stated that the controller, as a family and child welfare centre, performs a public task related to the protection of children. Therefore, it is entitled to process the data of parents in relation to the upbringing of children. As the audio recording submitted as evidence by one of the parents in the guardianship proceedings is part of the file, the DPA considered that the data controller's processing was lawful. Therefore, the DPA rejected the part of the complaint seeking a redress for the unlawful transfer.


However, in the DPA's view, following the transfer of the file on 17 June 2021, the further processing of this audio recording by the controller became unnecessary due to lack of competence. By failing to take action after the transfer, the controller unlawfully processed the audio recording in the period between the transfer of the file and the deletion of the audio recording on 2 July 2021. The controller thereby infringed [[Article 5 GDPR#1b|Article 5(1)(b) GDPR]] and [[Article 6 GDPR#1|Article 6(1) GDPR]].
However, in the DPA's view, following the transfer of the file on 17 June 2021, the further processing of this audio recording by the controller became unnecessary due to lack of competence. By failing to take action after the transfer, the controller unlawfully processed the audio recording in the period between the transfer of the file and the deletion of the audio recording on 2 July 2021. The controller thereby infringed [[Article 5 GDPR#1b|Articles 5(1)(b) GDPR]] and [[Article 6 GDPR#1|6(1) GDPR]].


The DPA further emphasized that the controller misleadingly claimed that the audio recording was not part of the file, i.e. that it had not acted fairly, thus infringing [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] on transparent and fair processing. The DPA considered the non-disclosure of personal data to be such a serious infringement that it was justified to publish the present decision with the name of the controller included.
The DPA further emphasised that the controller wrongly claimed that the audio recording was not part of the file, i.e. that it had not acted fairly, thus infringing [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] on transparent and fair processing. The DPA considered the non-disclosure of personal data to be such a serious infringement that it was justified to publish the present decision with the name of the controller included.


However, the DPA also took into consideration that it significantly exceeded the 150-day time limit of the procedure and that the controller provides social and child welfare services, including child welfare services and care for persons in need. It also took into account that the controller itself admitted that it had wrongly claimed that the audio recording was not part of the file. For these reasons, the DPA decided not to impose a fine and to issue a warning.  
However, the DPA also took into consideration several mitigating factors, such as that the controller provides social and child welfare services for persons in need. It also took into account that the controller itself admitted that it had wrongly claimed that the audio recording was not part of the file. For these reasons, the DPA decided not to impose a fine and to issue a warning.  


== Comment ==
== Comment ==

Latest revision as of 14:49, 12 October 2022

NAIH - NAIH-13-10/2022
LogoHU.jpg
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 6(1) GDPR
Type: Complaint
Outcome: Partly Upheld
Started: 07.06.2021
Decided: 25.08.2022
Published: 25.08.2022
Fine: n/a
Parties: Óbuda Family Counselling and Child Protection Centre
National Case Number/Name: NAIH-13-10/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Hungarian
Original Source: NAIH (in HU)
Initial Contributor: Abel Kaszian

The Hungarian DPA reprimanded a public body responsible for child protection for obstructing the exercise of the right of access to an audio recording containing the data subject’s voice in violation of Articles 5 and 6 GDPR.

English Summary

Facts

On 7 June 2021, the data subject filed a complaint with the DPA, as they became aware that the data controller – the Family Counselling and Child Protection Centre of Budapest, District III (Óbuda) – forwarded an audio recording of domestic violence (abuse) to the competent Child Welfare Centre, and this recording also contained the voice of the data subject. The recording was originally made and sent by the data subject’s estranged wife.

On 14 June 2021, the data subject exercised their right of access with the controller in person. As the audio material was not made available during the visit, the data subject requested it to be sent via e-mail. The controller refused to provide the file despite multiple further requests by the data subject.

However, in a letter dated 1 July 2021, the controller informed the data subject that the audio material requested by him was not physically part of the file, but it was available in file format. The audio material was then sent electronically to the competent Child Welfare Centre and subsequently deleted. The data subject therefore requested the DPA to declare that the controller unlawfully processed and transmitted their personal data to the Child Welfare Centre and that it unlawfully refused him request for access.

In its reply to the DPA, the controller stated that it stored the audio recording. Allegedly, the complete file was transferred to the Child Welfare Centre pursuant to Article 6(1)(e) GDPR. The controller also stated that it subsequently considered the storage and transmission of the audio recording to be an error, and therefore took immediate action to delete the e-mail containing the audio recording.

In relation to the data subject's requests for a copy of the audio recording, the controller stated that on 17 and 18 June 2021, it wrongly refused to disclose the audio recording. The controller contemplated at first that it was not competent to process the information of the data subject and because if that, it was transferred to the Child Welfare Centre. As for the audio recording, the controller instead found that it was not entitled to process the audio recording is and therefore deleted it based on Article 5(1)(b) GDPR.

Holding

The DPA stated that an audio recording containing the voice of the estranged wife and the voice of the data subject is considered to be personal data shared between the data subject and the estranged wife.

The DPA further stated that the controller, as a family and child welfare centre, performs a public task related to the protection of children. Therefore, it is entitled to process the data of parents in relation to the upbringing of children. As the audio recording submitted as evidence by one of the parents in the guardianship proceedings is part of the file, the DPA considered that the data controller's processing was lawful. Therefore, the DPA rejected the part of the complaint seeking a redress for the unlawful transfer.

However, in the DPA's view, following the transfer of the file on 17 June 2021, the further processing of this audio recording by the controller became unnecessary due to lack of competence. By failing to take action after the transfer, the controller unlawfully processed the audio recording in the period between the transfer of the file and the deletion of the audio recording on 2 July 2021. The controller thereby infringed Articles 5(1)(b) GDPR and 6(1) GDPR.

The DPA further emphasised that the controller wrongly claimed that the audio recording was not part of the file, i.e. that it had not acted fairly, thus infringing Article 5(1)(a) GDPR on transparent and fair processing. The DPA considered the non-disclosure of personal data to be such a serious infringement that it was justified to publish the present decision with the name of the controller included.

However, the DPA also took into consideration several mitigating factors, such as that the controller provides social and child welfare services for persons in need. It also took into account that the controller itself admitted that it had wrongly claimed that the audio recording was not part of the file. For these reasons, the DPA decided not to impose a fine and to issue a warning.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

 Registration number: NAIH-13-10/2022. Subject: partially granting the request
 History: NAIH-6003/2021. decision





                                           DECISION



The National Data Protection and Freedom of Information Authority (hereinafter: Authority) [...]
at the request of the applicant (hereinafter: Applicant), the Óbuda Family Counseling and Child Protection
Opposite Központ (address: 1035 Budapest, Váradi u. 9-11, hereinafter: Applicant) audio recording
regarding unauthorized processing and forwarding, as well as unauthorized refusal of data subject requests
makes the following decisions in the initiated data protection official procedure:


I.1. The Authority partially grants the Applicant's request and finds that the Applicant
by failing to comply with the Applicant's access request, he violated the natural
on the protection of persons with regard to the management of personal data and such data

2016/679/EU on free circulation and repealing Directive 95/46/EC
Regulation (hereinafter: general data protection regulation) Article 15 (3) and Article 5 (1)
point a) of paragraph 1, and also by making the personal data of the Respondent June 17 and July 2021
between 2. without purpose, handled without authorization, violated point b) of Article 5 (1) and Article 6
(1) paragraph.


I.2. The Authority ex officio condemns the Applicant for violating the data protection regulation
Violating the requirement of accountability according to Article 5 (2) about the fact of data management and
did not provide the Applicant with false information about its essential circumstances
the transparency of its data management process, and since it denied that the audio recording was a
is available.


I.3. The Authority is the I.1. and I.2. due to legal violations established in point - with the fact that another data protection
in the event of a violation of the law, when determining the legal consequences, the present violation, as
antecedents will be taken into account with increased weight - Requested ex officio in a warning
favors

I.4. The Authority ex officio orders this decision with the Applicant's identification data - the Authority

its publication on its website.

II. The part of the request for the Authority to establish that the Respondent was unlawfully
forwarded the audio recording containing his personal data to the [...] Children's Welfare Center
rejects.


There is no place for administrative appeal against the decision, but the 30th from the date of notification
can be challenged in an administrative lawsuit within days with a claim addressed to the Metropolitan Court.
You must submit the statement of claim electronically to the Authority, which will submit it together with the case documents
forward to the court. The request to hold a hearing must be indicated in the statement of claim. The entire
for those who do not receive a personal tax exemption, the fee for the administrative lawsuit is HUF 30,000, the lawsuit

is subject to the right of material levy record. Legal representation is mandatory in proceedings before the Metropolitan Court.



1https://www.naih.hu/kozig-hatarozat-birosagi-felulvizsgalata. The NAIH_K01 form is used to initiate the administrative lawsuit: NAIH_K01
form (16.09.2019) The form can be filled out using the general form filling program (ÁNYK program). JUSTIFICATION

I. Procedure

The Applicant submitted a request for an official data protection procedure to the Authority on June 7, 2021

in, according to which he became aware that the Respondent had transmitted such a recording to […]
For the Children's Welfare Center (hereafter: Children's Welfare Center), which is also His voice
included. For this reason, on June 14, 2021, he sent a written inquiry to the Respondent, who on 2021
responding to your inquiry on June 17, informed that they could not provide the requested audio material
to be forwarded to him, because it is not part of the documents. After that, the Applicant on June 17, 2021
and contacted the Applicant again on 18 June 2021, during which the Applicant on 18 June 2021
he replied to his part that he did not receive audio material. In the Applicant's letter dated July 1, 2021
however, he informed the Applicant that the audio material he requested was not in the physical sense

it is part of the documents handled by him, because it was not on physical data carriers, but in electronic form
to be sent to you. He transmitted the audio material electronically to the Child Welfare Center,
and subsequently deleted it.

Because of all this, the Applicant requested that the Authority establish that the Respondent was unlawfully
managed and forwarded your personal data to the Children's Welfare Center, as well as illegally
denied your access request.


NAIH-6003-2/2021 of the Authority dated July 13, 2021. in order no
Applicant, as the application did not contain the allegations related to the alleged infringement
supporting facts and their evidence, when and when the applicant submitted this access request
with what content did you send it to the Applicant

On July 15, July 20 and July 28, 2021, the Applicant responded to the Authority's notice
responded and attached a copy to the access requests sent to the Respondent and to the Authority

the responses received from the Petitioner to his inquiries referred to in his request.

The Authority NAIH-6003-6/2021. No., dated July 29, 2021, notified the
Requested that, based on the Applicant's request, a data protection official proceeding against him
started and invited him to make a statement in order to clarify the facts.

In its response to the Authority's inquiry received on August 23, 2021, the Respondent

made a statement and attached his correspondence with the Applicant. This information was provided by
The applicant added it on September 30, 2021.

The Authority NAIH-6003-10/2022 dated December 9, 2021. and NAIH-6003-11/2022. with his orders
notified the Applicant and the Respondent that the evidence in the procedure was completed and called,
that he can get to know the uncovered evidence and make further evidentiary motions.

On December 13, 2021, the Applicant stated that he wished to exercise his right to inspect documents, which the

Authority NAIH-6003-13/2021. limited by order no., it cannot be recognized by him
performed while masking personal data. Thereafter, the Applicant on January 3, 2022
made a statement and also requested that the Authority extend the procedure [...]

From the attached documents and statements, it was not clear to the Authority that a
audio recording before or after the Respondent exercises the rights of the Applicant
canceled it, therefore it was revoked by NAIH-6003/10/2021 on March 31, 2022. Order No. and

contacted the Applicant to prove with documents that the audio recording was filed and
the date of its deletion, as well as the time and place of receipt of all documents created in the case a
along with treatment notes.

                                                  2 The Authority also contacted the Child Welfare Center to verify when the
the audio recording for him, and when and how he released it to the Applicant.

At the request of the Authority, the Applicant made a statement on April 13, 2022, and also sent the

658/2021/ÓCSTGYVK archived in the file management system and archive
copies of all your documents.

The Child Welfare Center responded to the Authority's request on April 13, 2022.

The Authority NAIH-13-6/2022 dated August 2, 2022. and NAIH-13-7/2022. with his orders
notified the Applicant and the Respondent that the evidence in the procedure was completed and called,
that he can get to know the uncovered evidence and make further evidentiary motions.


On August 2, 2022, the Applicant requested that the Authority provide him with access to documents,
which the Authority issued in NAIH-13-8/2022. limited by order no., it cannot be recognized by him
in addition to concealing personal data, and in the child protection procedure, the parent is a
the right to information about your child is guaranteed by law and in official procedures
August 15, 2022, with the exception of documents that can be known based on the right of access to documents or that have been known.
performed on the day


II. Fact

In its application for the data protection authority procedure, the Applicant stated that the Respondent is
forwarded an audio recording to the Child Welfare Center, which also contains his voice.

On June 14, 2021, the Applicant exercised its right to inspect the documents of the Respondent. Document inspection
became aware that in the procedure [...] on May 14, 2021, the abuse

he attached visual and audio material to support it. Because the audio during document review
it was not made available to him, so he requested that it be sent to him additionally by e-mail.

In its letter dated June 17, 2021, in response to the request for document inspection, the Respondent
informed the Applicant that it is not possible to release the requested audio material, because it is not
part of the documentation.


Subsequently, on June 17, 2021, the Applicant requested the
sound recording release. The Respondent replied to the request on June 18, 2021 that it had not received
audio material, therefore, it is not part of the document material, therefore it cannot be transmitted
that to the Applicant.

In response to the Respondent's rejection, in the Applicant's letter dated June 18, 2021, another
submitted an access request, in which he referred to the fact that "I obtained it while copying documents
to inform you that an audio file, which is my audio material, has been sent to your email address

included. I trust that it has not been deleted and that it will be handed over to me in accordance with the GDPR!"

In its response letter dated July 1, 2021, the Respondent repeatedly rejected the access
request with reference to the fact that the requested audio material was not physically handled by him
part of the document, because it was not sent on a physical data carrier, but in electronic form
for. He sent the audio material electronically to the Children's Welfare Center, this
after deleting it from your electronic system.


Because of all these, the Applicant requested in his application for the data protection authority procedure that a
Authority to determine that the Respondent handled and forwarded his personal data without authorization

                                                  3 audio recording for the Children's Welfare Center, as well as unlawfully refused the
fulfilling your access request.

The Applicant is Authority NAIH-6003-6/2021. sent on August 23, 2021 for order no
in his answer, he stated that he had stored the recording containing the Applicant's voice, which the Applicant

his ex-wife sent it to him by e-mail. Given that the Petitioner is a minor child and
the child's mother moved to Budapest III in June 2021. about their district address and the
The applicant's area of competence is exclusively III. covers the district, therefore the entire document material is
was handed over to the Children's Welfare Center on the basis of Article 6 (1) point e) of the General Data Protection Regulation
for. The Respondent also stated that the storage and transmission of the audio recording
he subsequently assessed it as a wrong step, so the e-mail containing the audio recording took immediate action
and to the deletion of the audio recording contained therein.


The Respondent with the Petitioner's requests to issue a copy of the audio recording
stated that on June 17 and 18, 2021, he wrongly refused to issue them
on the grounds that in the absence of competence they were not entitled to treat the Applicant
relevant information and were therefore handed over to the Child Welfare Center. The sound recording
in relation to what was described in the Respondent's response letters sent in July 2021 instead
considers it well-founded, that is, that he is not authorized to handle the audio recording anyway, and that is what it is for
was deleted on the basis of Article 5 (1) point b) of the General Data Protection Regulation.


The Respondent also sent the Authority a copy of the Applicant's requests.

On September 30, 2021, the Applicant supplemented the above statement by stating that the Authority
NAIH-2639/2021. according to the general information provided on February 17, 2021 in case no. "a
the child is an employee of a child welfare center as an institution providing child welfare services
in order to protect his interests, by revealing the causes of the child's vulnerability
during the performance of his or her (public) duties, he is entitled to inspect and during the guardianship proceedings,

or to use the recordings in question to initiate other guardianship proceedings, which
otherwise, they are considered the same source as a private document or a client statement
would attach.”

According to the Applicant, based on the above, as well as Gyvt. Paragraph (1) of § 134 and Ákr. Section 27 (3)
according to paragraph, the Respondent is generally entitled to handle audio and video recordings
if they are used for the procedure to be conducted to protect the rights of children

in order to need In the specific case, the use and storage of the audio recording that came into his possession
according to the Respondent's opinion, the data management is in the public interest or is a public authority entrusted to the data controller
however, it was not necessary to carry out the task performed in the context of exercising a driver's license,
you acted accordingly when you deleted it.

In the statement received by the Authority on January 3, 2022, the Applicant stated that the
a copy of the audio recording was made available by the Child Welfare Center on July 21, 2021.


At the same time, the Applicant requested that the Authority distribute it regarding the transmission of the audio material
the process […] and get your statement about who made the audio, who and what
stored it in a way before transmitting it to the Respondent, why did you transmit the audio material to
without his consent, as well as to whom and when he transmitted it in the time since recording.

According to the documents sent by the Applicant and the Child Welfare Center on April 13, 2022
the audio material, accompanied by a letter dated July 1, 2021, at 9:32 a.m. on July 2

sent it by e-mail to the Child Welfare Center. Subsequently, Applicant July 2,
on July 7 and July 8, he requested access to the audio recording from the Child Welfare Center, which
It was sent to the Applicant by e-mail on July 21, 2021.

                                                   On July 27, 2021, the Children's Welfare Center sent the audio recording by e-mail in the absence of jurisdiction
sent it back to the Applicant, who sent it again on July 29, 2021 to the Child Welfare
Center. The Child Welfare Center sent it back for the second time on August 2, 2021
the document to the Applicant with reference to the fact that he did not receive a request from the guardianship authority

in the case of the Applicant's minor child, and therefore has no jurisdiction. The Applicant finally
Government Office of Budapest Capital III. District Office BP-03/104/783-31/2021. considered
based on the order ordering the transfer, on August 4, 2021, the documents were again sent to the
For the Child Welfare Center.

In order to confirm the deletion of the audio recording, the Applicant dated April 8, 2022
sent a report to the Authority, in which it was recorded that the audio recording was
was deleted from its filing system and mail system on July 1, 2021.



III. Applicable legal provisions

CXII of 2011 on the right to information self-determination and freedom of information. law (a

hereinafter: Infotv.) According to Section 2 (2), the general data protection regulation is indicated there
shall be applied with additions in provisions. Article 2 (1) of the General Data Protection Regulation
according to paragraph 1, the regulation must be applied to personal data in whole or in part
automated processing, as well as the non-automated processing of that data
for handling, which are part of a registration system, or which are a
they want to make it part of the registration system.


Infotv. Validation of the right to the protection of personal data based on § 60, paragraph (1).
in order to do so, the Authority initiates an official data protection procedure at the request of the data subject and
may initiate official data protection proceedings ex officio.

Infotv. According to § 60, paragraph (2), the request to initiate the official data protection procedure a

It can be submitted in the case specified in Article 77 (1) of the GDPR.

Article 77 (1) of the General Data Protection Regulation: Other administrative or judicial
without prejudice to legal remedies, all parties concerned are entitled to file a complaint with a supervisory authority
authority - in particular your usual place of residence, place of work or suspected infringement
in the Member State where it is located - if, according to the judgment of the data subject, the personal data relating to him

handling violates this regulation.

In the absence of a different provision of the General Data Protection Regulation, data protection initiated upon request
for official procedure CL of 2016 on the general administrative procedure. law (a
hereinafter: Ákr.) provisions shall be applied with the deviations specified in Infotv.


 The Akr. According to Section 35 (1), the request is a declaration by the client with which an official procedure
conduct, or requests a decision from the authority in order to enforce his right or legitimate interest.

The Akr. According to § 62, paragraph (2), all evidence can be used in the official procedure,
which is suitable for clarifying the facts. It cannot be used as evidence by the authority,

evidence obtained by violation of the law.

The Akr. Based on § 62, paragraph (4), the authority freely chooses the method of proof, and a
evaluates the available evidence according to his free conviction.


                                                  5 According to Article 4, point 1 of the General Data Protection Regulation, personal data is the identified or
any information relating to an identifiable natural person ("data subject"); it is possible to identify the a
a natural person who, directly or indirectly, in particular an identifier, for example
name, number, location data, online identifier or physical, physiological,
one or more related to your genetic, intellectual, economic, cultural or social identity

can be identified based on a factor.

According to Article 4, Point 2 of the General Data Protection Regulation, data management is based on personal data
any operation performed on data files in an automated or non-automated manner or
set of operations, such as collection, recording, organization, segmentation, storage, transformation or
changing, querying, viewing, using, communicating, transmitting, distributing or otherwise

by making it available, coordinating or connecting, limiting, deleting, or
destruction.

According to Article 4, point 7 of the General Data Protection Regulation, the data controller is the natural or legal one
person, public authority, agency or any other body that is the personal data
determines the goals and means of its management independently or together with others; if the data management

its purposes and means are determined by EU or Member State law, the data controller or the data controller
EU or member state law can also determine special aspects for its designation.

Personal data management according to Article 5 (1) point a) of the General Data Protection Regulation
it must be carried out legally and fairly, as well as in a transparent manner for the data subject
("legality, due process and transparency").


Collection of personal data based on Article 5 (1) point b) of the General Data Protection Regulation
only for specific, clear and legitimate purposes, and they should not be treated with these purposes
inconsistently. ("goal-boundness").


Based on Article 5 (2) of the GDPR, the data controller is responsible for compliance with paragraph (1),
and must be able to demonstrate this compliance ("accountability").The general
Article 15 (3) of the data protection decree states that the data controller is the data processing
provides a copy of the subject personal data to the data subject, as it can be implemented in this way
and actual and most complete access to personal data.

The Authority is Infotv. 58 of the General Data Protection Regulation with regard to point a) of § 61, paragraph (1).

can apply the legal consequences according to paragraph (2) of Article

Pursuant to Article 58 (2) b) and i) of the General Data Protection Regulation, the supervisory authority
acting in its corrective capacity:
b) condemns the data manager or the data processor if his data management activities violated e
the provisions of the decree;

i) imposes an administrative fine in accordance with Article 83, depending on the circumstances of the given case, e
in addition to or instead of the measures mentioned in paragraph

Article 83 (1)-(2) and (5) points a)-b) of the General Data Protection Regulation:
(1) All supervisory authorities ensure that the provisions referred to in paragraphs (4), (5), (6) of this decree
administrative fines imposed on the basis of this article due to its violation are effective in each case,
be proportionate and dissuasive.

(2) Depending on the circumstances of the given case, the administrative fines are subject to Article 58 (2) a)–
must be imposed in addition to or instead of the measures mentioned in points h) and j). In deciding whether
whether it is necessary to impose an administrative fine, and the amount of the administrative fine
in each case, the following must be taken into account:

                                                   6a) the nature, severity and duration of the infringement, taking into account the nature of the data processing in question,
its scope or purpose, as well as the number of persons affected by the infringement, as well as by them
extent of damage suffered;
b) the intentional or negligent nature of the infringement;
c) mitigating the damage suffered by the data controller or the data processor

any action taken in order to;
d) the extent of the responsibility of the data manager or data processor, taking into account the 25 and
technical and organizational measures implemented on the basis of Article 32;
e) relevant violations previously committed by the data controller or data processor;
f) with the supervisory authority to remedy the violation and the possible negative effects of the violation
extent of cooperation to mitigate;
g) categories of personal data affected by the infringement;
h) the manner in which the supervisory authority became aware of the violation, in particular the fact that

whether the data controller or the data processor reported the violation, and if so, in what detail;
i) if against the relevant data manager or data processor previously - in the same matter -
one of the measures referred to in Article 58 (2) was ordered, the one in question
compliance with measures;
j) whether the data controller or the data processor considered itself approved according to Article 40
to codes of conduct or approved certification mechanisms pursuant to Article 42; as well as
k) other aggravating or mitigating factors relevant to the circumstances of the case, for example a

financial benefit obtained or avoided as a direct or indirect consequence of a violation
loss.

(5) Violation of the following provisions - in accordance with paragraph (2) - at most 20,000,000
with an administrative fine in the amount of EUR, and in the case of businesses, the previous financial year is a full year
shall be subject to an amount of no more than 4% of its world market turnover, with the provision that of the two
a higher amount must be imposed:
a) the principles of data management - including the conditions of consent - in accordance with Articles 5, 6, 7 and 9;

b) the rights of the data subjects in Articles 12–22. in accordance with article

Pursuant to Article 83 (7) of the General Data Protection Regulation, supervisory authorities Article 58 (2)
without prejudice to its corrective powers according to paragraph, each member state may determine the
the rules regarding whether the public authority or other public task based in the given member state
whether an administrative fine can be imposed on a provider, and if so, to what extent.


Infotv. Pursuant to Section 61 (1) point bg) in the data protection official procedure
in its decision, the Authority may impose a fine.

Infotv. Fine imposed according to Article 83 of the General Data Protection Regulation based on Section 61 (4).
the amount can range from one hundred thousand to twenty million forints, if it was brought in a data protection official procedure
budget body obliged to pay the fine imposed in the decision.

Infotv. On the basis of paragraph (2) of § 61, the Authority may order the decision of the data controller or

disclosure by publishing the identification data of the data processor, if
b) it was brought in connection with the activities of a body performing a public task, or
c) the severity of the infringement justifies disclosure.

Infotv. 75/A. According to §, the Authority in paragraphs (2)-(6) of Article 83 of the General Data Protection Regulation
exercises its powers taking into account the principle of proportionality, in particular by a

relating to the processing of personal data - by law or by the European Union as a mandatory law
in the case of the first violation of the regulations specified in the act, the violation
for its remedy - in accordance with Article 58 of the General Data Protection Regulation - primarily the
takes action with the warning of a data controller or data processor.

                                                   7 XXXI of 1997 on the protection of children and guardianship administration. law (hereinafter:
Gyvt.) According to § 39, paragraph (1), the child welfare service is one that protects the interests of the child
special personal social service, which is the methods and tools of social work
it is used for the child's physical and mental health and upbringing in the family
promotion, prevention of the child's vulnerability, the created vulnerability

its termination or the return of a child removed from his family.

The Gyvt. Based on point b) of § 39, paragraph (3), the task of the child welfare service is the child
in order to prevent its endangerment, the investigation of the causes causing the endangerment and
making a proposal to solve them.


The Gyvt. 40/A. Based on § (1) and (2) point b), the family and child welfare center is independent
as an institution, or as an independent institutional unit from an organizational and professional point of view a
children related to official measures within the framework of child protection care
carries out protection activities, in the framework of which:
ba) initiates the child's protection or, in case of a more serious risk, a
the temporary placement and education of a child,

bb) prepares a proposal for taking the child into protection according to the degree of vulnerability,
and for the provision of family allowance in kind, the child's compulsory schooling
to promote its fulfillment, to remove the child from the family, the future care
to its place or to change it, as well as to omit preventive protection of the child,
ordering, maintaining and terminating.

149/1997 on guardianship authorities and child protection and guardianship procedures. (IX.10.)

Pursuant to point b) of § 8, paragraph (2) of Government Decree (hereinafter: Child), the guardianship authority initiates
the procedure, if it is carried out by the family and child welfare service in the case of child endangerment, a
family and child welfare center or the Gyvt. body defined in paragraph (1) of § 17,
initiated by a person.

The Gyvt. Pursuant to § 135, subsection (1), point a), the official tasks and duties ensuring the protection of children

a body exercising powers is entitled to enforce the rights specified in this law
for the purpose of processing the data specified in paragraph (2).

The Gyvt. According to § 135, paragraph (2), the bodies specified in point (1) are eligible
b) * the parent, legal representative, host parent
ba) * personal identification number and social security identification number,

bb) relating to your financial situation, workplace, education and relationships,
bc) related to child rearing, so especially to his lifestyle and educational behavior
concerning
bd) relating to your state of health,
be) concerning his criminal record,
bf) * concerning the circumstances of his victimization, the Ást. Section 16, paragraph (2), points a)-c).
for the treatment of your specific data.



ARC. Decision

The Applicant requested that the Authority establish that the Respondent handled it without authorization and

forwarded his personal data to the Children's Welfare Center and unlawfully refused
your access request.

IV.1. The legality of the handling and transmission of the audio recording

                                                  8IV.1.1. According to Article 4, point 1 of the General Data Protection Regulation, it is the voice of a natural person
personal data, the transmission and storage of the audio file containing the audio recording is the general rule
according to article 4, point 2 of the data protection decree, it is considered data management.


According to the document attached by the Applicant, on May 19, 2021, he registered the […]
sent by email on May 14, 2021, entitled "support of abuse.mp3"
audio file. The audio recording containing the voice of the victim and the Applicant is the Applicant and the
it is classified as the shared personal data of the victim.

The Applicant, as a family and child welfare center, within the framework of child protection care
performs a public task related to the protection of children related to official measures,
during which the Gyvt. On the basis of § 135, subsection (2), point b), parents are entitled to raise children

to manage your related data, especially regarding your lifestyle and educational behavior.

The Respondent later considered that the handling of the audio recording was illegal, as Gyvt.
according to or other official procedure was not necessary.

Because in the guardianship proceedings, or for the purpose of initiating the guardianship proceedings, one of the parents
the audio recording submitted as evidence by - in the same way as the document or the statement - the document material

are part of, therefore the Data processing of the Respondent was lawful according to the Authority.

Based on the above, the Authority determined that the child was the Applicant of the audio file
handled it in the course of fulfilling its public duty related to the investigation of the causes of its endangerment,
and it was forwarded as part of the documents by the competent Children's Welfare Center
for, therefore the Respondent did not violate Article 6 (1) of the General Data Protection Regulation
paragraph, since for its management until the existence of its competence, after that
according to Article 6 (1) point (e) of the General Data Protection Regulation

had a legal basis. For this reason, the Authority rejects the request for unlawful data transmission
rejected the directed part.

According to the Authority's point of view, after the transfer of the documents on June 17, 2021, jurisdiction
in its absence, the further processing of this audio recording by the Requested has become pointless, therefore, because of the transmission
did not take action until July 1, 2021, or until July 2, 2021, the Applicant's personal
audio recording containing your data between the transfer of the documents and the deletion of the audio recording on July 2, 2021

handled it without authorization during the period, thereby violating Article 5 (1) of the General Data Protection Regulation
b) and Article 6 (1). For this reason, the Authority considers the request illegal
approved the part aimed at establishing data management.

IV.1.2 According to the constant and consistent practice of the Authority, the data controller is responsible for what he has done
for the legality of data management. According to Article 5 (2) of the General Data Protection Regulation,
essentially articulating the data controller's objective responsibility and increased due diligence requirements
arising from the basic requirement of accountability, the data controller is obliged to do so

confirmation that the conditions for the legality of data processing - from the start of data processing -
they exist continuously. The data controller can only reasonably trust that in all respects
meets the legal requirements for data management, if it is able to fulfill its obligation to certify this
to do, and provides sufficient certainty for the Authority, the trial court, and also for the data subject
able to demonstrate the existence of these conditions.

It follows that if the data controller cannot prove that the data subject has objected

its data management would have met the data protection requirements during the examined period, it does not
fulfills the basic requirement of accountability, thereby violating general data protection
Article 5 (2) of the Decree. For data controllers, it is from the planning of data management

                                                  9 from the start of data processing until the deletion of personal data
they must perform an operation in such a way that they can prove how they answered at any moment
and data protection regulations. The principle of accountability is, therefore, not just a process in general
can be interpreted at the level, all specific data management activities, a specific stakeholder
also applies to the management of your personal data.


Since the purpose of the data management has ceased, the Requested party is justified in deleting the audio material
performed, but during the procedure he was unable to properly confirm the date of deletion to the Authority,
because he attached to the Authority a protocol prepared after the Authority's inquiry,
in which you have marked a delete date when the audio file has not actually been transmitted by the
For the Child Welfare Center. Taking this into account, the Authority ex officio established that a
With this behavior, the respondent violated Article 5 (2) of the General Data Protection Regulation
the principle of accountability according to paragraph



IV.2. Fulfillment of the Applicant's stakeholder request

Inspection of the documents created at the child protection institution, Gyvt. 136/A. based on § a
the parent exercising parental custody, the child's legal representative and the limited
customer procedural license for a child who is capable of acting and who has reached the age of majority.

With regard to data management, the data subject has the rights granted in the general data protection regulation

in the exercise of rights, pursuant to Article 15, you have the right to request access to the data relating to you, this
essentially means information about data management. General data protection during access
a document copy can also be requested based on Article 15 (3) of the Decree. However, this is a copy of the data management
within the framework of a given information, it may only contain parts relevant to the data subject, to another person
no relevant data. The acting authority to provide a copy ensuring the visibility of the data subject
can be obliged by referring to the above provision, however, depending on the content of the document, this is the most
in this case, it is not equal to the complete document copy.

On June 14, 2021, the Applicant exercised its right to inspect documents at the registered office of the Respondent, 21
made a copy of the document. The occurrence and content of the information provided during document review a
Acknowledgment of receipt of the copies of documents issued during the document inspection, confirmed by the applicant's signature

was made. It was then that he became aware that […] he had attached an audio material. Since the document review
this audio material was not made available to him, he requested that it be replaced and sent to him
to. This request of the Applicant does not qualify as a violation of Article 15 of the relevant data protection regulation
stakeholder request.

In its requests of June 17 and 18, the Respondent requested the general data protection regulation
sending a copy of the audio material from the Application, which requests are subject to data protection
are considered an access request according to Article 15 (3) of the Regulation. The Applicant 2021.

in his answers written on June 18 and July 1, he rejected these requests citing that
the audio is not part of the documentation, and the documentation was forwarded by the Children's Welfare Center
for, subsequently deleted from his electronic system.

According to the attached documents, the Applicant dated June 24, 2021, 658/68/2021/ÓCSTGYVK.
handed over the documents created in the case of the Applicant's minor child with case transfer form no
Children's Welfare Center, but the audio is only dated July 1, 2021, 658/70/2021/
OCTGYVK. on July 2, 2021 as an attachment to his letter no

deleted an e-mail containing an audio recording from your mail system. So the audio recording is a
The Respondent was available at the times when the Applicant had access
submitted his requests.



                                                  10 Based on the above, the Authority established that since the Respondent was the Applicant on June 17 and 18
he was in possession of the audio recording at the time of submitting his application, so the Applicant has a copy of it
should have made available. By the fact that the Respondent did not fulfill the Applicant
data subject's request, violated Article 15 (3) of the General Data Protection Regulation.


2021.
on June 18, he replied that he did not receive audio material and on July 1, 2021, that the
audio recording is not part of the document. With these misleading information, the Applicant as
prevented a data subject from exercising his rights. Because it is about the fact of data management and its importance
did not provide the Applicant with the data management by providing untrue information about his circumstances
the transparency of its process and misleadingly claimed that the audio recording was not
part of the documents, did not act fairly during data management, violated the general
data protection regulation Article 5 (1) point a) for transparent and fair data management

relevant provisions.

In his statement to the Authority, the Respondent himself admitted that the June 2021
in their response letters, they denied the Applicant's requests with unjustified reasons, when they referred to
that in the absence of jurisdiction, the audio recording was handed over to the Child Welfare Center. The Applicant hereby
on the contrary, he considers what he wrote in his answers written in July 2021 to be a well-founded justification, according to which a
audio recording due to unlawful data processing Article 5 (1) b) of the General Data Protection Regulation

point, so it cannot be made available to the Applicant.

However, the Respondent informed the Applicant on July 1, 2021 that it had canceled
falsely stated the admission, a significant fact from the point of view of the case, since it was still on July 2, 2021
handled it.

IV.3. Extension of the Applicant's request


In the letter received by the Authority on January 3, 2022, the Applicant requested that the audio material
regarding its transmission, the Authority should extend the procedure to [...] and examine who
who made the audio material, who and how it was stored before transmission to the Requested Party,
why you transmitted the audio material without your consent, and to whom and when you transmitted it
audio in the time since recording.

The Authority examines this request of the Applicant in a separate procedure.


V. Legal Consequences

V.1. The Authority condemns it on the basis of Article 58 (2) point b) of the General Data Protection Regulation
the Applicant because he violated Article 6 (1) of the General Data Protection Regulation, Article 5
(1) points a) and b), Article 5 (2) and Article 15 (3).

V.2. The Authority ex officio examined whether a data protection fine against the Application was justified
imposition. In this context, the Authority is in accordance with Article 83 (2) of the General Data Protection Regulation and Infotv.

75/A. considered all the circumstances of the case based on § In doing so, the Authority as a significant circumstance
took into account the fact that the Respondent's untrue statement about the cancellation of the recording, and the
He deliberately obstructed the applicant with his deceptive behavior during his access requests
the Applicant in exercising his rights. The Authority also considered as a special circumstance,
that the Respondent, due to its core business, should have taken particular care to ensure that
show an impartial, unbiased attitude in the event of a dispute between the two opposing parties.

At the same time, the Authority took into account that the Authority significantly exceeded the 150-day period in the procedure

administrative deadline, and that within the framework of the requested social and child welfare service
including child welfare services, as well as being socially disadvantaged or for other reasons
                                                  11 provides care for needy persons. He also took into account that the Respondent himself
admitted that he had wrongly claimed that the audio recording was not part of the record.

Because of all this, the Authority waived the imposition of a fine and decided to apply a warning.


However, the Authority assessed the non-disclosure of personal data management as such a serious violation of law,
that Infotv. Based on points b) and c) of § 61. (2) the Respondent considers this decision to be justified
disclosure by publishing your data.

VI. Exceeding the administrative deadline

During the procedure, the Authority exceeded Infotv. One hundred and fifty days according to paragraph (1) of § 60/A
administrative deadline, therefore the Ákr. Based on point b) of § 51, the Applicant is entitled to HUF ten thousand.


The Authority pays ten thousand forints to the Applicant - according to his choice to be indicated in writing -
paid by bank transfer or postal order.

VII. Other questions

The competence of the Authority is set by Infotv. Article 38, Paragraphs (2) and (2a) defines it, the jurisdiction of the country
covers its entire territory.


This decision of the Authority is based on Art. 80-81. § and Infotv. It is based on paragraph (1) of § 61. That's the decision
Acr. Based on § 82, paragraph (1), it becomes final upon its publication. The Akr. § 112 and § 116 (1)
against the decision on the basis of paragraph and paragraph (4) point d) and § 114 paragraph (1)
there is room for legal redress through an administrative lawsuit.

The rules of the administrative trial are set out in Act I of 2017 on the Administrative Procedure
hereinafter: Kp.) is defined. The Kp. Against the decision of the Authority based on Section 12 (1).

administrative proceedings fall under the jurisdiction of the courts, the proceedings are governed by the Kp. § 13, paragraph (3), point a) aa)
on the basis of subsection, the Metropolitan Court is exclusively competent. The Kp. Section 27, subsection (1), point b).
in a legal dispute in which the court has exclusive jurisdiction, legal representation is mandatory.
The Kp. According to paragraph (6) of § 39, the submission of a claim is an administrative act
does not have the effect of postponing its entry into force.

The Kp. Paragraph (1) of Section 29 and, in view of this, CXXX of 2016 on the Code of Civil Procedure. law
604, electronic administration and trust services are general

CCXXII of 2015 on its rules According to Section 9 (1) point b) of the Act, the customer is legal
representative is obliged to maintain electronic contact.

The time and place of submitting the statement of claim is set by Kp. It is defined by § 39, paragraph (1). The trial
information about the possibility of an application for keeping the Kp. It is based on paragraphs (1)-(2) of § 77. THE
the amount of the fee for an administrative lawsuit is determined by Act XCIII of 1990 on fees. law (hereinafter:
Itv.) 45/A. Section (1) defines. Regarding the advance payment of the fee, the Itv. Section 59 (1)

paragraph and § 62 paragraph (1) point h) exempts the party initiating the procedure.

The Akr. According to § 132 of the
enough, it is enforceable. The Authority's decision in Art. according to § 82, paragraph (1) with the communication
becomes permanent. The Akr. Pursuant to § 133, enforcement - if it is a law or government decree
does not provide otherwise - it is ordered by the decision-making authority. The Akr. Pursuant to § 134 of
enforcement - if it is a law, government decree or local government in the case of municipal authority
does not provide otherwise - the state tax authority undertakes it.


dated: Budapest, according to the electronic signature
                                                   12Dr. In the absence of President Attila Péterfalvi:


                             Dr. Győző Endre Szabó
                                 vice president





















































                13